# ESC4 Scanner

A focused tool for auditing Active Directory Certificate Services to identify ESC4 (template security modification) vulnerabilities.
- Overview
- Features
- Installation
- Usage
- Examples
- Technical Details
- Security Considerations
- Contributing
- License
- References
## Overview

ESC4 Scanner is a security research tool designed to audit Active Directory Certificate Services environments for ESC4 misconfigurations. It was built from my previous esc1_scanner research tool, re-focused on template security. It enumerates certification authorities, certificate templates, and parses security descriptors to identify templates where low-privileged principals can edit sensitive template security settings.
ESC4 is a template misconfiguration in AD CS where a low-privileged principal can modify sensitive template security settings. Per SpecterOps "Certified Pre-Owned", a template is vulnerable when a low-priv principal is the Owner or has any of: Full Control (GenericAll-equivalent), WriteOwner, WriteDacl, WriteProperty.

## Features

- Username/Password: Standard domain authentication
- NTLM Hash: Pass-the-Hash support for security research
- Interactive Password: Secure password prompting
- Certificate Authorities: CA discovery and template offerings (LDAP-only)
- Certificate Templates: Detailed template security analysis (LDAP-only)
- Security Descriptors: Binary parsing of Windows security descriptors
- User/Group SIDs: SID resolution and group membership analysis
- Full Enumeration: Detailed output
- Filtered Results: Enabled-only or vulnerable-only
- Always-on ACE Details: ACE rights always printed (no --verbose)
- Color-Coded Output: Easy-to-read terminal output with color coding
- ESC4 Conditions: Owner is low-privileged, or ACE grants GenericAll (bitset), WriteOwner, WriteDacl, or WriteProperty to a low-privileged principal
- Permission Analysis: DACL analysis with rights breakdown per ACE
- Risk Output: Clear identification of vulnerable templates
Note: ESC4 focuses on template security (owner/DACL). CA permissions are not enumerated.
## Installation

- Python 3.8+
- Active Directory Environment (for testing)
- Network Access to Domain Controllers

- Clone the repository

  ```bash
  git clone https://github.com/vilacham/esc4_scanner.git
  cd esc4_scanner
  ```

- Create a virtual environment

  ```bash
  python -m venv venv
  # On Windows
  venv\Scripts\activate
  # On Linux/macOS
  source venv/bin/activate
  ```

- Install dependencies

  ```bash
  pip install -r requirements.txt
  ```
## Usage

```bash
# Basic enumeration
python esc4_scanner.py -u [email protected] -p password

# With specific CA
python esc4_scanner.py -u [email protected] -p password -c "CA-NAME"

# With specific template
python esc4_scanner.py -u [email protected] -p password -t "Template-Name"

# Pass-the-Hash authentication
python esc4_scanner.py -u [email protected] -n NTLM_HASH

# Only show enabled templates
python esc4_scanner.py -u [email protected] -p password --enabled

# Only show vulnerable templates
python esc4_scanner.py -u [email protected] -p password --vulnerable

# Specify domain controller IP
python esc4_scanner.py -u [email protected] -p password --dc_ip 192.168.1.10

# Interactive password prompt
python esc4_scanner.py -u [email protected] -P
```

| Argument | Description | Required |
|---|---|---|
| `-u`, `--user` | User in format [email protected] | Yes |
| `-p`, `--password` | Password for authentication | No* |
| `-P` | Interactive password prompt | No* |
| `-n`, `--ntlm` | NTLM hash for Pass-the-Hash | No* |
| `-c`, `--ca` | Specific CA name to target | No |
| `-t`, `--template` | Specific template name to target | No |
| `--dc_ip` | Domain controller IP address | No |
| `--enabled` | Show only enabled templates | No |
| `--vulnerable` | Show only vulnerable templates | No |

\*One authentication method is required
## Examples

```bash
python esc4_scanner.py -u john.doe@contoso.com -p MyPassword123
```

Output:

```text
[*] Resolving contoso.com...
[+] Resolved contoso.com to 192.168.1.10
[*] Establishing LDAP connection as john.doe...
[+] Successfully established LDAP connection
[+] Found 1 certification authority:
    Contoso-CA
[+] Found 15 certificate templates:
    User
    Machine
    DomainController
    ...
[+] Enumeration output:

Certification Authorities:
  1
    CA Name -> Contoso-CA
    CA DNS -> ca.contoso.com

Certificate Templates:
  1
    Template Name -> User
    Vulnerable to ESC4 (low-privileged SID principal can edit template)
    CAs -> Contoso-CA
    Security Descriptor Audit:
      Owner -> contoso\Domain Users (S-1-5-21-...)
        Owner is a low-privileged principal (ESC4 trigger)
      Group -> contoso\Domain Users (S-1-5-21-...)
      DACL audit:
        ACL Revision -> 4 (Supports basic, compound and object ACE types)
        ACE Count -> 3
        ACE 1:
          SID -> contoso\jane.doe (S-1-5-21-...)
          Type -> ACCESS_ALLOWED_ACE (Grants access to a resource)
          Access Mask -> 0x00080000
            WO WRITE_OWNER: The right to modify the owner of the object in its security descriptor (users can take ownership)
          ACE grants WRITE_OWNER to low privileged principal (ESC4 trigger)
```
## Technical Details

The tool follows a modular architecture:
- Authentication Layer: LDAP3 library for Active Directory connectivity
- Enumeration Engine: Comprehensive AD object discovery
- Security Parser: Binary parsing of Windows security descriptors
- Vulnerability Analyzer: ESC4 condition validation
- Output Formatter: Color-coded terminal output
The tool performs deep analysis of Windows security descriptors:
- Binary Parsing: Direct parsing of security descriptor bytes
- SID Resolution: Conversion of binary SIDs to readable format
- DACL Analysis: Access Control Entry (ACE) interpretation
- Permission Mapping: Translation of access masks to human-readable rights
## Security Considerations

This tool is designed for security research and authorized penetration testing. Users must:
- Obtain Proper Authorization: Only use on systems you own or have explicit permission to test
- Follow Responsible Disclosure: Report vulnerabilities to system owners
- Respect Privacy: Do not access or disclose sensitive information
- Comply with Laws: Ensure usage complies with local and international laws
- Network Access Required: Requires connectivity to Domain Controllers
- Authentication Required: Valid domain credentials needed
- Windows-Specific: Designed for Active Directory environments
- Research Tool: Not intended for production security monitoring
- Template and DACL enumeration: Performed via LDAP (`ldap3`) only. Operations are read-only queries against AD objects/attributes and, in typical environments, have a low likelihood of triggering EDR/network alerts.
- CA permissions enumeration: Performed via Impacket over DCERPC/RRP (Remote Registry) on `\\PIPE\winreg`. These RPC interactions are commonly monitored and may trigger alerts. Remote Registry might not be enabled in some environments. The scanner handles failures gracefully and proceeds without CA permissions.
- Classification behavior: Templates are flagged as "potentially vulnerable" based on template-centric checks plus DACL analysis. CA enrollment permissions are recorded when available but are not required for the flag; confirm CA enroll rights on the CA to validate exploitation.
## Contributing

We welcome contributions from the security research community!

- Fork the repository
- Create a feature branch: `git checkout -b feature/amazing-feature`
- Make your changes: Follow the coding standards
- Test your changes: Ensure all tests pass
- Submit a pull request: Include detailed description of changes
- Code Style: Follow PEP 8 standards
- Documentation: Add docstrings for new functions
- Testing: Include tests for new features
- Security: Review security implications of changes
We encourage collaboration on Active Directory security research:
- Share Findings: Submit research papers and presentations
- Improve Detection: Help enhance vulnerability detection algorithms
- Expand Coverage: Add support for additional AD security scenarios
## License

This project is licensed under the MIT License - see the LICENSE file for details.
## References

- Certified Pre-Owned: Abusing Active Directory Certificate Services
- MS-ADTS: Active Directory Technical Specification
- MS-DTYP: Windows Data Types
Disclaimer: This tool is for educational and authorized security research purposes only. Users are responsible for ensuring compliance with applicable laws and obtaining proper authorization before use.