A comprehensive tool for auditing Active Directory Certificate Services to identify ESC1 (Escalation of Privilege via Certificate Templates) vulnerabilities.
- Overview
- Research Background
- Features
- Installation
- Usage
- Examples
- Technical Details
- Security Considerations
- Contributing
- License
- References
ESC1 Scanner is a sophisticated security research tool designed to audit Active Directory Certificate Services environments for ESC1 vulnerabilities. The tool performs comprehensive enumeration of certificate authorities, templates, and security descriptors to identify misconfigurations that could lead to privilege escalation.
ESC1 (Escalation of Privilege via Certificate Templates) is a critical vulnerability in Active Directory Certificate Services where low-privileged users can escalate their privileges by requesting certificates with specific configurations. The vulnerability occurs when certificate templates are misconfigured to allow:
- No Manager Approval Required - Requests are not held for manual approval
- Subject Alternative Name (SAN) Allowed - Enrollees can specify SAN in CSR
- No Recovery Agent Signature Required - No additional signatures needed
- Authentication EKUs Present - Certificates can be used for authentication
- Low-Privileged Users Have Enrollment Rights - Non-admin users can enroll
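As an added example (not the scanner's own code), the five conditions above can be evaluated over decoded template attributes like this. The flag bits and EKU OIDs are the ones documented in MS-CRTD and the "Certified Pre-Owned" paper; the template records and SIDs are constructed sample input, and the keys `enroll_sids` (principals granted Certificate-Enrollment in the template DACL) and `published_to` (CAs whose `certificateTemplates` attribute lists the template) are assumed to have been filled in by an earlier enumeration step. It goes slightly beyond the list above by also treating a template with no EKU at all, or the Any Purpose EKU, as authentication-capable, and by requiring that the template is actually published to a CA.

```python
"""ESC1 condition check over decoded certificate-template attributes.

Added example, not the scanner's own code. Flag bits follow MS-CRTD; the
template records below are constructed sample input. The keys "enroll_sids"
and "published_to" are assumed to have been resolved by earlier enumeration.
"""

# msPKI-Enrollment-Flag: manager approval holds requests as pending
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# msPKI-Certificate-Name-Flag: enrollee supplies the subject / SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# EKUs that make a certificate usable for domain authentication
AUTHENTICATION_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals every ordinary domain account belongs to
WELL_KNOWN_LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
DOMAIN_USERS_RID = "513"


def is_low_privileged(sid: str) -> bool:
    """True for Everyone, Authenticated Users or any domain's Domain Users group."""
    if sid in WELL_KNOWN_LOW_PRIV_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == DOMAIN_USERS_RID


def enables_authentication(ekus) -> bool:
    """No EKU at all means the certificate is not restricted to any purpose."""
    return not ekus or bool(set(ekus) & AUTHENTICATION_EKUS)


def esc1_conditions(template: dict) -> dict:
    """Evaluate each ESC1 condition separately so a report can say which one failed."""
    enrollment_flag = template.get("msPKI-Enrollment-Flag", 0)
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    return {
        "published_to_a_ca": bool(template.get("published_to")),
        "no_manager_approval": not enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS,
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_ra_signature": template.get("msPKI-RA-Signature", 0) == 0,
        "authentication_eku": enables_authentication(template.get("pKIExtendedKeyUsage", [])),
        "low_priv_enrollment": any(is_low_privileged(s) for s in template.get("enroll_sids", [])),
    }


def is_potentially_vulnerable(template: dict) -> bool:
    """Template-centric verdict; Enroll rights on the CA itself still need confirming."""
    return all(esc1_conditions(template).values())


def find_potentially_vulnerable(templates) -> list:
    return [t["name"] for t in templates if is_potentially_vulnerable(t)]


# Constructed sample templates (illustrative values, not read from a real forest)
SAMPLE_TEMPLATES = [
    {"name": "UserTemplate", "published_to": ["Contoso-CA"],
     "msPKI-Enrollment-Flag": 0x20, "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": ["S-1-5-11", "S-1-5-21-1000-2000-3000-512"]},
    {"name": "ApprovedUser", "published_to": ["Contoso-CA"],
     "msPKI-Enrollment-Flag": 0x22, "msPKI-Certificate-Name-Flag": 0x1,  # approval required
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": ["S-1-5-21-1000-2000-3000-513"]},
    {"name": "AdminOnly", "published_to": ["Contoso-CA"],
     "msPKI-Enrollment-Flag": 0x20, "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [],  # no EKU: any purpose
     "enroll_sids": ["S-1-5-21-1000-2000-3000-512"]},     # Domain Admins only
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        conds = esc1_conditions(t)
        failed = [k for k, v in conds.items() if not v]
        verdict = "POTENTIALLY VULNERABLE" if not failed else "not flagged"
        print(f"{t['name']}: {verdict}" + (f" (fails: {', '.join(failed)})" if failed else ""))
```

Running the block prints a verdict per sample: only `UserTemplate` is flagged, `ApprovedUser` fails on manager approval and `AdminOnly` fails only on low-privileged enrollment. Keeping each condition as its own key is what lets a report explain a "not flagged" result instead of silently disagreeing with another tool.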
This tool is the result of research titled "The Schrödinger's ESC1 Vulnerability", which investigates discrepancies between public tools when they search for ESC1 misconfigurations in Active Directory Certificate Services. The research explores how the same certificate template configuration can be classified as vulnerable by one tool and non-vulnerable by another, mirroring Schrödinger's thought experiment in which a cat exists in superposition until observed. The motivation came from purple team exercises: the public tools used to assess ESC1 misconfigurations produced conflicting output, so the same misconfiguration appeared both exploitable and non-exploitable depending on the tool analyzing it.
- Username/Password: Standard domain authentication
- NTLM Hash: Pass-the-Hash support for security research
- Interactive Password: Secure password prompting
- Certificate Authorities: Full CA discovery and configuration analysis
- Certificate Templates: Detailed template security analysis (LDAP-only)
- Security Descriptors: Binary parsing of Windows security descriptors
- User Permissions: SID resolution and group membership analysis
- CA Permissions: Enrollment rights and administrative permissions (via Impacket/DCERPC RRP)
- Full Enumeration: Comprehensive security analysis with detailed output
- Filtered Results: Show only enabled templates or vulnerable templates
- Verbose Mode: Detailed Access Control Entry (ACE) information
- Color-Coded Output: Easy-to-read terminal output with color coding
- ESC1 Conditions: Automatic detection of all ESC1 vulnerability conditions
- Permission Analysis: Deep analysis of DACL and enrollment rights
- Template Validation: Comprehensive template security validation
- Risk Assessment: Clear identification of potentially vulnerable templates
Note: CA enrollment permissions are recorded when available, but they are not required to flag a template as "potentially vulnerable". Confirm CA enroll rights on the CA to validate exploitation.
- Python 3.8+
- Active Directory Environment (for testing)
- Network Access to Domain Controllers
- Clone the repository

  ```bash
  git clone https://github.com/yourusername/esc1_scanner.git
  cd esc1_scanner
  ```

- Create a virtual environment

  ```bash
  python -m venv venv
  # On Windows
  venv\Scripts\activate
  # On Linux/macOS
  source venv/bin/activate
  ```

- Install dependencies

  ```bash
  pip install -r requirements.txt
  ```
```bash
# Basic enumeration
python esc1_scanner.py -u [email protected] -p password

# With specific CA
python esc1_scanner.py -u [email protected] -p password -c "CA-NAME"

# With specific template
python esc1_scanner.py -u [email protected] -p password -t "Template-Name"

# Pass-the-Hash authentication
python esc1_scanner.py -u [email protected] -n NTLM_HASH

# Only show enabled templates
python esc1_scanner.py -u [email protected] -p password --enabled

# Only show vulnerable templates
python esc1_scanner.py -u [email protected] -p password --vulnerable

# Verbose output with detailed ACE information
python esc1_scanner.py -u [email protected] -p password --verbose

# Skip CA permissions enumeration via RPC (faster, less likely to trigger alerts)
python esc1_scanner.py -u [email protected] -p password --skip-ca-permissions-enum

# Specify domain controller IP
python esc1_scanner.py -u [email protected] -p password --dc_ip 192.168.1.10

# Interactive password prompt
python esc1_scanner.py -u [email protected] -P
```

| Argument | Description | Required |
|---|---|---|
| `-u, --user` | User in format [email protected] | Yes |
| `-p, --password` | Password for authentication | No* |
| `-P` | Interactive password prompt | No* |
| `-n, --ntlm` | NTLM hash for Pass-the-Hash | No* |
| `-c, --ca` | Specific CA name to target | No |
| `-t, --template` | Specific template name to target | No |
| `--dc_ip` | Domain controller IP address | No |
| `--enabled` | Show only enabled templates | No |
| `--vulnerable` | Show only vulnerable templates | No |
| `--verbose` | Detailed ACE information | No |
| `--skip-ca-permissions-enum` | Skip CA permissions enumeration via RPC | No |

\*One authentication method is required
```bash
python esc1_scanner.py -u [email protected] -p MyPassword123
```

Output:

```
[*] Resolving contoso.com...
[+] Resolved contoso.com to 192.168.1.10
[*] Establishing LDAP connection as john.doe...
[+] Successfully established LDAP connection
[+] Found 1 certification authority:
    Contoso-CA
[+] Found 15 certificate templates:
    User
    Machine
    DomainController
    ...
[+] Enumeration output:

Certification Authorities:
  1
    CA Name -> Contoso-CA
    CA DNS -> ca.contoso.com
    CA Permissions
      0x00000200 Enroll -> Authorized to request certificates from the CA
        contoso\john.doe (S-1-5-21-...)

Certificate Templates:
  1
    Template Name -> User
    CAs -> Contoso-CA
    Enrollment Flags -> 0x00000020
      AUTO_ENROLLMENT: Allow clients to perform autoenrollment for the specified template
    Certificate Name Flags -> 0x00000001
      ENROLLEE_SUPPLIES_SUBJECT: The subject name must be supplied by the enrollee
    Signatures Required -> 0
      Recovery agent signature is not required
    Extended Key Usages:
      1.3.6.1.5.5.7.3.2: Client Authentication
      EKUs enable authentication
    Security Descriptor Audit:
      Owner -> contoso\Domain Admins (S-1-5-21-...)
      Group -> contoso\Domain Users (S-1-5-21-...)
      DACL audit:
        ACL Revision -> 4 (Supports basic, compound and object ACE types)
        ACE Count -> 3
        ACE 1:
          SID -> contoso\Authenticated Users (S-1-5-11)
          Type -> ACCESS_ALLOWED_OBJECT_ACE (Grants access to a resource with an object type)
          Access Mask -> 0x00000100
          Object GUID -> 0e10c968-78fb-11d2-90d4-00c04f79dc55
          ACE grants enrollment permissions to low privileged SID
```
```bash
python esc1_scanner.py -u [email protected] -p MyPassword123 --vulnerable
```

Output:

```
[+] Found 1 potentially vulnerable template:
    UserTemplate
      Potentially vulnerable to ESC1 (check CA permissions to confirm if low-priv users with enrollment permissions can request templates)
```
The tool follows a modular architecture:
- Authentication Layer: LDAP3 library for Active Directory connectivity
- Enumeration Engine: Comprehensive AD object discovery
- Security Parser: Binary parsing of Windows security descriptors
- Vulnerability Analyzer: ESC1 condition validation
- Output Formatter: Color-coded terminal output
The tool performs deep analysis of Windows security descriptors:
- Binary Parsing: Direct parsing of security descriptor bytes
- SID Resolution: Conversion of binary SIDs to readable format
- DACL Analysis: Access Control Entry (ACE) interpretation
- Permission Mapping: Translation of access masks to human-readable rights
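The four steps above, worked through on a constructed descriptor, as an added example that is not the scanner's own parser. It reads the self-relative SECURITY_DESCRIPTOR, SID, ACL and ACE layouts as documented in MS-DTYP, and then applies the same rule the example output shows: an allow ACE whose access mask carries `0x00000100` (ADS_RIGHT_DS_CONTROL_ACCESS) with the Certificate-Enrollment object GUID `0e10c968-78fb-11d2-90d4-00c04f79dc55` grants enrollment. It goes a little beyond that rule by also counting an ACE with no object GUID (which covers every extended right) and GENERIC_ALL. The builder functions and the sample descriptor exist only to produce test input offline; the SIDs and domain identifier in it are made up.

```python
"""Parse a self-relative nTSecurityDescriptor and list who may enroll.

Added example, not the scanner's own parser. Layouts follow MS-DTYP:
SECURITY_DESCRIPTOR (2.4.6), ACL (2.4.5), ACE (2.4.4), SID (2.4.2.2).
The descriptor bytes used at the bottom are constructed here for the demo.
"""
import struct
import uuid

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACE_OBJECT_TYPE_PRESENT = 0x00000001
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100  # "extended rights", enrollment among them
GENERIC_ALL = 0x10000000
CERTIFICATE_ENROLLMENT_GUID = uuid.UUID("0e10c968-78fb-11d2-90d4-00c04f79dc55")
ACL_REVISION_DS = 4  # needed for object ACEs


def parse_sid(buf: bytes, off: int):
    """Return (sid_string, next_offset) for the binary SID at buf[off:]."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 6-byte big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, off + 8 + 4 * count


def parse_acl(buf: bytes, off: int) -> dict:
    revision, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        ace = {"type": ace_type, "flags": ace_flags, "object_type": None}
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            ace["mask"] = struct.unpack_from("<I", buf, pos + 4)[0]
            ace["sid"], _ = parse_sid(buf, pos + 8)
        elif ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE:
            ace["mask"], obj_flags = struct.unpack_from("<II", buf, pos + 4)
            p = pos + 12
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:   # GUIDs are optional fields
                ace["object_type"] = uuid.UUID(bytes_le=buf[p:p + 16])
                p += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                p += 16  # inherited object type is irrelevant for this check
            ace["sid"], _ = parse_sid(buf, p)
        # deny/audit ACE types are kept with their type only and ignored below
        aces.append(ace)
        pos += ace_size  # AceSize lets us skip types we do not decode
    return {"revision": revision, "ace_count": count, "aces": aces}


def parse_security_descriptor(buf: bytes) -> dict:
    revision, _sbz1, control, off_owner, off_group, _off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    sd = {"revision": revision, "control": control, "owner": None, "group": None, "dacl": None}
    if off_owner:
        sd["owner"], _ = parse_sid(buf, off_owner)
    if off_group:
        sd["group"], _ = parse_sid(buf, off_group)
    if control & SE_DACL_PRESENT and off_dacl:
        sd["dacl"] = parse_acl(buf, off_dacl)
    return sd


def enrollment_grants(sd: dict) -> list:
    """SIDs granted Certificate-Enrollment: an allow ACE with the extended-rights
    bit (or GENERIC_ALL) whose object GUID is Certificate-Enrollment or absent."""
    grants = []
    for ace in (sd["dacl"] or {"aces": []})["aces"]:
        if ace["type"] not in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE):
            continue
        if not ace["mask"] & (ADS_RIGHT_DS_CONTROL_ACCESS | GENERIC_ALL):
            continue
        if ace["object_type"] in (None, CERTIFICATE_ENROLLMENT_GUID):
            grants.append(ace["sid"])
    return grants


# --- builders used only to construct the sample descriptor -------------------
def build_sid(sid: str) -> bytes:
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(sid: str, mask: int, object_guid=None) -> bytes:
    if object_guid is None:
        ace_type, body = ACCESS_ALLOWED_ACE_TYPE, struct.pack("<I", mask) + build_sid(sid)
    else:
        ace_type = ACCESS_ALLOWED_OBJECT_ACE_TYPE
        body = struct.pack("<II", mask, ACE_OBJECT_TYPE_PRESENT) + object_guid.bytes_le + build_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sample_descriptor() -> bytes:
    """Constructed: owner Domain Admins, group Domain Users, enrollment for Authenticated Users."""
    owner = build_sid("S-1-5-21-1000-2000-3000-512")
    group = build_sid("S-1-5-21-1000-2000-3000-513")
    aces = (build_ace("S-1-5-11", ADS_RIGHT_DS_CONTROL_ACCESS, CERTIFICATE_ENROLLMENT_GUID)
            + build_ace("S-1-5-21-1000-2000-3000-512", 0x000F01FF))  # full control
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), 2, 0) + aces
    off_owner, off_group = 20, 20 + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


if __name__ == "__main__":
    sd = parse_security_descriptor(build_sample_descriptor())
    print("Owner ->", sd["owner"], "| Group ->", sd["group"])
    for i, ace in enumerate(sd["dacl"]["aces"], 1):
        print(f"ACE {i}: type=0x{ace['type']:02x} mask=0x{ace['mask']:08x} "
              f"sid={ace['sid']} guid={ace['object_type']}")
    print("Enrollment granted to:", enrollment_grants(sd))
```

Two details matter in practice: the parser advances by `AceSize` rather than by the size it computed, so unknown or future ACE types do not desynchronise the walk, and the object GUID is read with `bytes_le` because the first three GUID fields are stored little-endian on the wire.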
This tool is designed for security research and authorized penetration testing. Users must:
- Obtain Proper Authorization: Only use on systems you own or have explicit permission to test
- Follow Responsible Disclosure: Report vulnerabilities to system owners
- Respect Privacy: Do not access or disclose sensitive information
- Comply with Laws: Ensure usage complies with local and international laws
- Network Access Required: Requires connectivity to Domain Controllers
- Authentication Required: Valid domain credentials needed
- Windows-Specific: Designed for Active Directory environments
- Research Tool: Not intended for production security monitoring
- Template and DACL enumeration: Performed via LDAP (`ldap3`) only. Operations are read-only queries against AD objects/attributes and, in typical environments, have a low likelihood of triggering EDR/network alerts.
- CA permissions enumeration: Performed via Impacket over DCERPC/RRP (Remote Registry) on `\\PIPE\winreg`. These RPC interactions are commonly monitored and may trigger alerts. Remote Registry might not be enabled in some environments. The scanner handles failures gracefully and proceeds without CA permissions.
- Classification behavior: Templates are flagged as "potentially vulnerable" based on template-centric checks plus DACL analysis. CA enrollment permissions are recorded when available but are not required for the flag; confirm CA enroll rights on the CA to validate exploitation.
We welcome contributions from the security research community!
- Fork the repository
- Create a feature branch: `git checkout -b feature/amazing-feature`
- Make your changes: Follow the coding standards
- Test your changes: Ensure all tests pass
- Submit a pull request: Include detailed description of changes
- Code Style: Follow PEP 8 standards
- Documentation: Add docstrings for new functions
- Testing: Include tests for new features
- Security: Review security implications of changes
We encourage collaboration on Active Directory security research:
- Share Findings: Submit research papers and presentations
- Improve Detection: Help enhance vulnerability detection algorithms
- Expand Coverage: Add support for additional AD security scenarios
This project is licensed under the MIT License - see the LICENSE file for details.
- Certified Pre-Owned: Abusing Active Directory Certificate Services
- GitHub - GhostPack/Certify
- GitHub - GhostPack/PSPKIAudit
- GitHub - jakehildreth/Locksmith
- GitHub - ly4k/Certipy
- MS-ADTS: Active Directory Technical Specification
- MS-CRTD: Certificate Templates Structure
- MS-DTYP: Windows Data Types
- MS-WCCE: Windows Client Certificate Enrollment Protocol
Disclaimer: This tool is for educational and authorized security research purposes only. Users are responsible for ensuring compliance with applicable laws and obtaining proper authorization before use.