Last updated at Fri, 25 Apr 2025 20:06:46 GMT

AD CS workflow improvement with new PKCS12 features

Given the increasing popularity of AD CS misconfiguration exploitation in recent years, Metasploit has been consistently improving its capabilities in this area. This week’s release introduces a new certs command in msfconsole, which manages the PKCS12 certificates stored in the database in the same way klist manages Kerberos tickets. The certs command supports listing, searching, activating, deactivating, exporting, and deleting certificates.

  • Available options:
msf6 auxiliary(scanner/smb/smb_login) > certs --help
List Pkcs12 certificate bundles in the database
Usage: certs [options] [username[@domain_upn_format]]


OPTIONS:

    -a, --activate    Activates *all* matching pkcs12 entries
    -A, --deactivate  Deactivates *all* matching pkcs12 entries
    -d, --delete      Delete *all* matching pkcs12 entries
    -e, --export      The file path where to export the matching pkcs12 entry
    -h, --help        Help banner
    -i, --index       Pkcs12 entry ID(s) to search for, e.g. `-i 1` or `-i 1,2,3` or `-i 1 -i 2 -i 3`
    -v, --verbose     Verbose output
  • Example output:
msf6 auxiliary(admin/dcerpc/icpr_cert) > certs
Pkcs12
======
id  username       realm         subject    issuer                                              ADCS CA                   ADCS Template  status
--  --------       -----         -------    ------                                              -------                   -------------  ------
1   administrator  mydomi.local  /CN=muser  /DC=local/DC=pro/DC=ad/CN=mssrv-dc-mydomi.local-CA  mssrv-dc-mydomi.local-CA  ESC1           active

This release also automates PKCS12 authentication via PKINIT: when a module is configured to authenticate with Kerberos and no Kerberos tickets are found in the cache, the framework transparently uses a stored certificate to acquire Kerberos tickets, streamlining authentication for modules that support the Kerberos and Schannel protocols. Any module that supports these authentication protocols benefits from this, as long as a suitable certificate is present in the database.

Here is an example with the scanner/winrm/winrm_cmd module. This shows how the Kerberos tickets are automatically retrieved using a PKCS12 stored in the database (see the output of the certs command above):

msf6 auxiliary(admin/dcerpc/icpr_cert) > klist
Kerberos Cache
==============
No tickets
msf6 auxiliary(scanner/winrm/winrm_cmd) > run verbose=true RHOSTS=10.100.32.94 Winrm::Auth=kerberos Winrm::Rhostname=mspro-dc username=administrator domain=mydomi.local DomainControllerRhost=10.100.32.94 cmd=whoami
[*] Using stored certificate for administrator@mydomi.local
[+] 10.100.32.94:88 - Received a valid TGT-Response
[*] 10.100.32.94:5985     - TGT MIT Credential Cache ticket saved to /home/n00tmeg/.msf4/loot/20241218141549_default_10.100.32.94_mit.kerberos.cca_125955.bin
[+] 10.100.32.94:88 - Received a valid TGS-Response
[*] 10.100.32.94:5985     - TGS MIT Credential Cache ticket saved to /home/n00tmeg/.msf4/loot/20241218141549_default_10.100.32.94_mit.kerberos.cca_751667.bin
[+] 10.100.32.94:88 - Received a valid delegation TGS-Response
[+] 10.100.32.94:88 - Received AP-REQ. Extracting session key...
ad\administrator
[+] Results saved to /home/n00tmeg/.msf4/loot/20241218141553_default_10.100.32.94_winrm.cmd_result_401191.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
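The automatic PKINIT flow above hinges on two properties of the stored PKCS12 bundle: the UPN carried in its SAN (the identity the framework logs on as, here administrator@mydomi.local) and a logon-capable EKU. The following Ruby is an added example, not Metasploit's own code, for inspecting an exported bundle for exactly those properties; the OIDs are standard values, the bundle is constructed in-process as test data, and the EKU check is an assumed heuristic rather than the framework's actual selection logic.

```ruby
require 'openssl'

# OIDs that matter for PKINIT logon certificates (standard values, not from the post).
UPN_OID             = '1.3.6.1.4.1.311.20.2.3' # szOID_NT_PRINCIPAL_NAME (SAN otherName)
CLIENT_AUTH_OID     = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth
SMARTCARD_LOGON_OID = '1.3.6.1.4.1.311.20.2.2' # Smart Card Logon EKU

# Constructed test data: a throwaway PKCS12 whose SAN carries a UPN the way an
# AD CS-issued logon certificate does. Returns the DER bundle.
def build_test_pkcs12(upn, password, ekus: [CLIENT_AUTH_OID])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, 1, key.public_key
  cert.subject = OpenSSL::X509::Name.parse('/CN=muser')
  cert.issuer  = OpenSSL::X509::Name.parse('/DC=local/DC=mydomi/CN=mydomi-CA')
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  # SAN ::= SEQUENCE OF GeneralName; otherName = [0] { type-id OID, value [0] EXPLICIT UTF8String }
  san = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ASN1Data.new([
    OpenSSL::ASN1::ObjectId.new(UPN_OID),
    OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::UTF8String.new(upn)], 0, :CONTEXT_SPECIFIC)
  ], 0, :CONTEXT_SPECIFIC)])
  eku = OpenSSL::ASN1::Sequence.new(ekus.map { |o| OpenSSL::ASN1::ObjectId.new(o) })
  cert.add_extension(OpenSSL::X509::Extension.new('subjectAltName', san.to_der))
  cert.add_extension(OpenSSL::X509::Extension.new('extendedKeyUsage', eku.to_der))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, 'test', key, cert).to_der
end

# Pull the UPN out of the SAN otherName, or nil when the certificate has none.
def upn_from_cert(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return nil unless san
  OpenSSL::ASN1.decode(san.value_der).value.each do |gn|
    next unless gn.tag == 0 && gn.tag_class == :CONTEXT_SPECIFIC # otherName
    type_id, wrapped = gn.value
    return wrapped.value.first.value if type_id.oid == UPN_OID
  end
  nil
end

# Summarise a bundle the way the certs table does (subject, issuer) plus the two
# things a PKINIT client needs from it: a UPN to log on as, and a logon-capable EKU.
def describe_pkcs12(der, password)
  cert = OpenSSL::PKCS12.new(der, password).certificate
  eku  = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  oids = eku ? OpenSSL::ASN1.decode(eku.value_der).value.map(&:oid) : []
  { subject: cert.subject.to_s, issuer: cert.issuer.to_s, upn: upn_from_cert(cert),
    pkinit_capable: !(oids & [CLIENT_AUTH_OID, SMARTCARD_LOGON_OID]).empty? }
end
```

A bundle exported with `certs -e` can be fed to describe_pkcs12 after reading it from disk; a nil UPN or a false pkinit_capable explains why PKINIT would not be attempted for it.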

New module content (1)

BentoML's runner server RCE

Authors: SeaWind and Takahiro Yokoyama
Type: Exploit
Pull request: #20046 contributed by Takahiro-Yoko
Path: linux/http/bentoml_runner_server_rce_cve_2025_32375
AttackerKB reference: CVE-2025-32375

Description: This adds an exploit module for an insecure deserialization in BentoML's runner server which leads to unauthenticated RCE. Versions prior to 1.4.8 but after 1.0.0a1 are affected.

Enhanced modules (2)

Modules which have either been enhanced or renamed:

  • #20044 from jheysel-r7 - Adds a target to the service_permissions module supporting CVE-2025-21293, allowing a lower privileged user to add a DLL entry to HKLM\System\CurrentControlSet\Services\Dnscache\ and coerce execution of the DLL as system.
  • #20052 from bcoles - Moves the module exploits/dialup/multi/login/manyargs to exploits/solaris/dialup/manyargs.

Enhancements and features (11)

  • #19760 from cdelafuente-r7 - This introduces a new certs command that allows users to manage and display PKCS12 certificates stored in the credentials database, with options for searching, exporting, activating, and deleting certificates. It also enables automatic PKCS12-based Kerberos (and Schannel) authentication through PKINIT when no Kerberos ticket is cached, streamlining TGT acquisition using existing certificates. This enhances both usability and flexibility when working with certificate-based authentication workflows.
  • #20028 from jheysel-r7 - This change modifies the existing pgAdmin modules, replacing some of their functionality with a new pgAdmin library.
  • #20049 from bcoles - Improves the check method metadata for modules/exploits/mainframe/ftp/ftp_jcl_creds.
  • #20052 from bcoles - Moves the module exploits/dialup/multi/login/manyargs to exploits/solaris/dialup/manyargs.
  • #20057 from bcoles - Improves the code quality of the example modules included in Metasploit.
  • #20059 from bcoles - Improves the code quality of multiple payload modules.
  • #20065 from bcoles - Improves the metadata and code quality for the exploits/hpux/lpd/cleanup_exec module.
  • #20066 from bcoles - Enhances the code quality of multiple payloads/singles modules, and fixes nested method definitions in 6 pingback modules.
  • #20068 from bcoles - Improves the exploits/solaris/sunrpc/sadmind_adm_build_path and exploits/solaris/sunrpc/sadmind_exec modules to have check methods, improved metadata, and code quality.
  • #20069 from sjanusz-r7 - Allow overwriting reported module name within the report_vuln API.
  • #20077 from adfoster-r7 - Updates the haraka module to work with Python 3.12 and newer.

Bugs fixed (3)

  • #20051 from bcoles - Fixes out-of-date metadata for the exploits/dialup/multi/login/manyargs module, and fixes a logic bug in the handling of bad characters.
  • #20063 from bcoles - Updates Ruby pingback payloads to correctly close the opened socket after use.
  • #20064 from bcoles - Fixes IPv6 support in the cmd/unix/reverse_php_ssl payload.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.