Esc6b finding entity panel (#312)

* init files

* lower case b

* change labels

* renamed to b

* also rename sub file

* remo0ve a

* remove extra the

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/ADCSESC6b.tsx

@@ -0,0 +1,31 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import General from './General';
+import WindowsAbuse from './WindowsAbuse';
+import LinuxAbuse from './LinuxAbuse';
+import Opsec from './Opsec';
+import References from './References';
+
+const ADCSESC6b = {
+    general: General,
+    windowsAbuse: WindowsAbuse,
+    linuxAbuse: LinuxAbuse,
+    opsec: Opsec,
+    references: References,
+};
+
+export default ADCSESC6b;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/General.tsx

@@ -0,0 +1,44 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { groupSpecialFormat } from '../utils';
+import { EdgeInfoProps } from '../index';
+import { Typography } from '@mui/material';
+
+const General: FC<EdgeInfoProps> = ({ sourceName, sourceType, targetName }) => {
+    return (
+        <>
+            <Typography variant='body2'>
+                {groupSpecialFormat(sourceType, sourceName)} the privileges to perform the ADCS ESC6 Scenario B attack
+                against the target domain.
+            </Typography>
+            <Typography variant='body2'>
+                The principal has permission to enroll on one or more certificate templates allowing for authentication.
+                They also have enrollment permission for an enterprise CA with the necessary templates published. This
+                enterprise CA is trusted for NT authentication in the forest, and chains up to a root CA for the forest.
+                The enterprise CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag allowing enrollees to
+                specify a Subject Alternate Name (SAN) identifying another principal during certificate enrollment of
+                any published certificate template. This setup allow an attacker principal to obtain a malicious
+                certificate as another principal. There is an affected Domain Controller configured to allow weak
+                certificate mapping enforcement, which enables the attacker principal to authenticate with the malicious
+                certificate and thereby impersonating any AD forest user or computer without their credentials.
+            </Typography>
+        </>
+    );
+};
+
+export default General;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx

@@ -0,0 +1,48 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { Box, Typography } from '@mui/material';
+
+const LinuxAbuse: FC = () => {
+    return (
+        <>
+            <Typography variant='body2'>An attacker may perform this attack in the following steps:</Typography>
+            <Typography variant='body2'>
+                <Box component='span' sx={{ fontWeight: 'bold' }}>
+                    Step 1:
+                </Box>{' '}
+                Use Certipy to request enrollment in the affected template, specifying the target enterprise CA and
+                target principal to impersonate:
+            </Typography>
+            <Typography component={'pre'}>
+                {
+                    'certipy req -u [email protected] -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC6 -upn [email protected]'
+                }
+            </Typography>
+            <Typography variant='body2'>
+                <Box component='span' sx={{ fontWeight: 'bold' }}>
+                    Step 2:
+                </Box>{' '}
+                Request a ticket granting ticket (TGT) from the domain, specifying the certificate created in Step 1 and
+                the IP of a domain controller:
+            </Typography>
+            <Typography component={'pre'}>{'certipy auth -pfx administrator.pfx -dc-ip 172.16.126.128'}</Typography>
+        </>
+    );
+};
+
+export default LinuxAbuse;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/Opsec.tsx

@@ -0,0 +1,31 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { Typography } from '@mui/material';
+
+const Opsec: FC = () => {
+    return (
+        <Typography variant='body2'>
+            When the affected certificate authority issues the certificate to the attacker, it will retain a local copy
+            of that certificate in its issued certificates store. Defenders may analyze those issued certificates to
+            identify illegitimately issued certificates and identify the principal that requested the certificate, as
+            well as the target identity the attacker is attempting to impersonate.
+        </Typography>
+    );
+};
+
+export default Opsec;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/References.tsx

@@ -0,0 +1,47 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { Link, Box } from '@mui/material';
+
+const References: FC = () => {
+    return (
+        <Box sx={{ overflowX: 'auto' }}>
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf'>
+                Certified Pre-Owned
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href=' https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7'>
+                Certipy 4.0
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#editf_attributesubjectaltname2-esc6'>
+                Domain Escalation Edit Attributes
+            </Link>
+        </Box>
+    );
+};
+
+export default References;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx

@@ -0,0 +1,55 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { Box, Typography } from '@mui/material';
+
+const WindowsAbuse: FC = () => {
+    return (
+        <>
+            <Typography variant='body2'>An attacker may perform this attack in the following steps:</Typography>
+            <Typography variant='body2'>
+                <Box component='span' sx={{ fontWeight: 'bold' }}>
+                    Step 1:
+                </Box>{' '}
+                Use Certify to request enrollment int he affected template, specifying the affected certification
+                authority and target principal to impersonate:
+            </Typography>
+            <Typography component={'pre'}>
+                {
+                    '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
+                }
+            </Typography>
+            <Typography variant='body2'>
+                <Box component='span' sx={{ fontWeight: 'bold' }}>
+                    Step 2:
+                </Box>{' '}
+                Convert the emitted certificate to PFX format:
+            </Typography>
+            <Typography component={'pre'}>{'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'}</Typography>
+            <Typography variant='body2'>
+                <Box component='span' sx={{ fontWeight: 'bold' }}>
+                    Step 3:
+                </Box>{' '}
+                Use Certipy to connect to the domain controller via Schannel, specifying the PFX-formatted certificate
+                created in Step 2:
+            </Typography>
+            <Typography component={'pre'}>{'certipy auth -pfx .\\cert.pfx -dc-ip 10.4.0.4 -ldap-shell'}</Typography>
+        </>
+    );
+};
+
+export default WindowsAbuse;

packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx

@@ -107,6 +107,7 @@ import WritePKIEnrollmentFlag from './WritePKIEnrollmentFlag/WritePKIEnrollmentF
 import WritePKINameFlag from './WritePKINameFlag/WritePKINameFlag';
 import WriteSPN from './WriteSPN/WriteSPN';
 import ADCSESC1 from './ADCSESC1/ADCSESC1';
+import ADCSESC6b from './ADCSESC6b/ADCSESC6b';
 
 export type EdgeInfoProps = {
     edgeName?: string;
@@ -207,6 +208,7 @@ const EdgeInfoComponents = {
     GoldenCert: GoldenCert,
     ADCSESC1: ADCSESC1,
     ADCSESC3: ADCSESC3,
+    ADCSESC6b: ADCSESC6b,
     ManageCA: ManageCA,
     ManageCertificates: ManageCertificates,
     WritePKIEnrollmentFlag: WritePKIEnrollmentFlag,