Conversation

@jheysel-r7 jheysel-r7 commented Oct 25, 2025

This adds a number of enhancements and fixes to the ldap_esc_vulnerable_cert_finder. Pro required the keys target_users as well as can_enroll to be passed along in the @certificate_details hash to allow for automatic exploitation of ESC9 etc. This also splits the two ESC16 variants into two separate techniques (ESC16_1 and ESC16_2), which makes it easier to auto exploit in Pro.

Microsoft recently patched weak certificate binding enforcement so a version check has been added to the cert finder such that it doesn't report false positives when the domain controller has the September 2025 security patch installed.

Lastly when requesting some certificate templates it was noticed that the ms-app-policies were no longer being displayed in the output as they used to be, it seems like there might have been a change in the ASN1 certificate definition:

Testing

Application Policies / EKUs

  • Verify the Certificate Application Policies / Extended Key Usages always get printed when present

Original Behavior :

[+] 172.16.199.200:445 - The requested certificate was issued.
[*] 172.16.199.200:445 - Certificate Policies:
[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.4 (Secure Email)
[*] 172.16.199.200:445 -   * 1.3.6.1.4.1.311.10.3.4 (Encrypting File System)
[*] 172.16.199.200:445 - Certificate UPN: Administrator@kerberos.issue

Prior to this change:

[+] 172.16.199.200:445 - The requested certificate was issued.
[*] 172.16.199.200:445 - Certificate Policies:
[*] 172.16.199.200:445 - Certificate UPN: Administrator@kerberos.issue

After this change:

[+] 172.16.199.200:445 - The requested certificate was issued.
[*] 172.16.199.200:445 - Certificate Policies:
[*] 172.16.199.200:445 -   * msEFS
[*] 172.16.199.200:445 -   * emailProtection
[*] 172.16.199.200:445 -   * clientAuth
[*] 172.16.199.200:445 - Certificate UPN: Administrator@kerberos.issue

Version Check

  • Verify when running with an Administrative user the domain_controller_version_check gets run
 Request can specify a subjectAltName (msPKI-Certificate-Name-Flag) and EKUs can be altered (msPKI-Template-Schema-Version)
[*]   Certificate Template Write-Enabled SIDs:
[*]   Certificate Template Enrollment SIDs:
[*]     * S-1-5-21-2324486357-3075865580-3606784161-512 (Domain Admins)
[*]     * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[*]     * S-1-5-11 (Authenticated Users)
[+]   Issuing CA: kerberos-DC2-CA (dc2.kerberos.issue)
[*]     Enrollment SIDs:
[*]       * S-1-5-11 (Authenticated Users)
[*]       * S-1-5-21-2324486357-3075865580-3606784161-519 (Enterprise Admins)
[+] Template: Workstation
[*]   Distinguished Name: CN=Workstation,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
[*]   Manager Approval: Disabled
[*]   Required Signatures: 0
[+]   Vulnerable to: ESC16_2
[*]   Permissions: READ
[*]   Notes: ESC16_2: Template appears to be vulnerable (most templates do)
[*]   Certificate Template Write-Enabled SIDs:

ESC16_1 and ESC16_2

  • Verify ESC16_1 and ESC16_2 get reported separately and accurately when they apply to the certificate template.

Details on how to configure each template, as well as the domain controller and certificate authority, can be found here:

https://github.com/rapid7/metasploit-framework/blob/1c4e3d59eeeb07b3716c5459b34a5ebc98bcd9ca/documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md#setting-up-a-esc16-vulnerable-certificate-template

Module runs as expected

  • Verify the module still runs as expected and all vulnerable templates get reported as they should.
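The "Application Policies / EKUs" test above hinges on the extendedKeyUsage OIDs being recovered from the issued certificate regardless of how the surrounding ASN.1 definition is modelled. The following is an added example (not code from this PR or from the Metasploit module) that decodes the extendedKeyUsage extension (2.5.29.37) directly from DER with Ruby's OpenSSL bindings, maps each OID to OpenSSL's short name (clientAuth, emailProtection, msEFS), keeps unknown OIDs in dotted form rather than dropping them, and prints an explicit marker when the extension is absent. The certificate it parses is a throwaway self-signed one constructed in the block; the function names are the example's own assumptions.

```ruby
require 'openssl'

# Decode the extendedKeyUsage (2.5.29.37) extension of an X.509 certificate by
# walking its DER directly instead of relying on OpenSSL's pretty-printed
# ext.value string. Returns an array of {oid:, name:} hashes in the order the
# OIDs appear in the certificate. Unknown OIDs keep their dotted form as the
# name so nothing is silently dropped; returns [] when the extension is absent.
def eku_entries(cert)
  ext = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  return [] unless ext

  # Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
  #                          critical BOOLEAN DEFAULT FALSE,
  #                          extnValue OCTET STRING }
  # extnValue is always the last element, whether or not 'critical' is encoded.
  extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last
  # ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (one OID each)
  OpenSSL::ASN1.decode(extn_value.value).value.map do |key_purpose|
    { oid: key_purpose.oid, name: key_purpose.sn || key_purpose.oid }
  end
end

# Build a throwaway self-signed certificate carrying the given EKU short names
# (OpenSSL's names: clientAuth, emailProtection, msEFS, ...). Constructed test
# input only; no real CA or AD CS template is involved.
def build_test_cert(eku_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=constructed-eku-test')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  unless eku_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('extendedKeyUsage', eku_names.join(',')))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Format the entries one per line, the way a finder would print them, with an
# explicit marker when the certificate carries no EKU extension at all.
def format_ekus(entries)
  return ['  (no extendedKeyUsage extension present)'] if entries.empty?
  entries.map { |e| "  * #{e[:name]} (#{e[:oid]})" }
end

if __FILE__ == $PROGRAM_NAME
  puts 'Certificate Policies:'
  puts format_ekus(eku_entries(build_test_cert(%w[clientAuth emailProtection msEFS])))
  puts format_ekus(eku_entries(build_test_cert([])))
end
```

Walking the raw DER rather than calling OpenSSL's extension printer is what makes the output stable: if a template ever carries an EKU OID OpenSSL has no name for, the dotted OID still appears in the list instead of the whole block going blank, which is the symptom the "Prior to this change" output above shows.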

@cdelafuente-r7 cdelafuente-r7 left a comment

Thank you @jheysel-r7 for these updates. I just left a few comments, otherwise, it looks good to me.

@jheysel-r7 jheysel-r7 marked this pull request as ready for review October 31, 2025 23:08
@dledda-r7 dledda-r7 left a comment

Hey @jheysel-r7, I've left minor comments that are not a blocker, more questions. Also I noticed you may want to rebase the PR because I've seen some merge conflicts.
