From fefc3cb73cf386a6ff5a3334b2767492c9297298 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Fri, 16 Feb 2024 16:53:07 -0500
Subject: [PATCH] Show names for issuance policy OIDs
---
 .../admin/ldap/ad_cs_cert_template.rb | 43 +++++++++++++++++--
 1 file changed, 40 insertions(+), 3 deletions(-)
diff --git a/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb b/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
index 37e82c4ea5..9c475b7216 100644
--- a/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
+++ b/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
@@ -121,7 +121,7 @@ class MetasploitModule < Msf::Auxiliary
 def get_certificate_template
 obj = ldap_get(
- "(&(cn=#{datastore['CERT_TEMPLATE']})(objectClass=pkicertificatetemplate))",
+ "(&(cn=#{datastore['CERT_TEMPLATE']})(objectClass=pKICertificateTemplate))",
 base: "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,#{@base_dn}",
 controls: [ms_security_descriptor_control(DACL_SECURITY_INFORMATION)]
 )
@@ -149,6 +149,35 @@ class MetasploitModule < Msf::Auxiliary
 Rex::Proto::MsDtyp::MsDtypSid.read(obj['objectsid'].first)
 end
+ def get_pki_oids
+ return @pki_oids if @pki_oids.present?
+
+ raw_objs = @ldap.search(
+ base: "CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,#{@base_dn}",
+ filter: '(objectClass=msPKI-Enterprise-OID)'
+ )
+ validate_query_result!(@ldap.get_operation_result.table)
+ return nil unless raw_objs
+
+ @pki_oids = []
+ raw_objs.each do |raw_obj|
+ obj = {}
+ raw_obj.attribute_names.each do |attr|
+ obj[attr.to_s] = raw_obj[attr].map(&:to_s)
+ end
+
+ @pki_oids << obj
+ end
+ @pki_oids
+ end
+
+ def get_pki_oid_displayname(oid)
+ oid_obj = get_pki_oids.find { |o| o['mspki-cert-template-oid'].first == oid }
+ return nil unless oid_obj && oid_obj['displayname'].present?
+
+ oid_obj['displayname'].first
+ end
+
 def dump_to_json(template)
 json = {}
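Review bot: The filter on the changed line in get_certificate_template still interpolates `datastore['CERT_TEMPLATE']` directly into the LDAP search string, so a template name containing `*`, `(`, `)` or `\` alters the filter and can match an object other than the one the operator named. If the client is Net::LDAP (the `@ldap.search` call in the next hunk suggests so), escape the value first: `"(&(cn=#{Net::LDAP::Filter.escape(datastore['CERT_TEMPLATE'])})(objectClass=pKICertificateTemplate))"`. The body of get_certificate_template continues outside the hunk, so what is done with the returned object is not visible here.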
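Review bot: get_pki_oids can return nil (`return nil unless raw_objs`), and get_pki_oid_displayname then calls `.find` on that result, which raises NoMethodError unless validate_query_result! (defined outside this hunk) always aborts first. Returning an empty list, `return [] unless raw_objs`, or calling `get_pki_oids&.find { ... }` keeps this cosmetic name lookup from breaking the template dump. The memoization guard `@pki_oids.present?` is also false for an empty array, so a directory with no msPKI-Enterprise-OID entries is queried again on every call; `return @pki_oids unless @pki_oids.nil?` caches the empty result too. Inside the find block, `o['mspki-cert-template-oid'].first` assumes every entry carries that attribute, and `&.first` would tolerate one that does not.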
@@ -403,11 +432,19 @@ class MetasploitModule < Msf::Auxiliary
 if obj['mspki-certificate-policy'].present?
 if obj['mspki-certificate-policy'].length == 1
- print_status(" msPKI-Certificate-Policy: #{obj['mspki-certificate-policy'].first}")
+ if (oid_name = get_pki_oid_displayname(obj['mspki-certificate-policy'].first)).present?
+ print_status(" msPKI-Certificate-Policy: #{obj['mspki-certificate-policy'].first} (#{oid_name})")
+ else
+ print_status(" msPKI-Certificate-Policy: #{obj['mspki-certificate-policy'].first}")
+ end
 else
 print_status(' msPKI-Certificate-Policy:')
 obj['mspki-certificate-policy'].each do |value|
- print_status(" * #{value}")
+ if (oid_name = get_pki_oid_displayname(value)).present?
+ print_status(" * #{value} (#{oid_name})")
+ else
+ print_status(" * #{value}")
+ end
 end
 end
 end
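Review bot: Both branches wrap print_status in the same if/else only to append the optional name, which doubles the format strings that have to stay in sync. Computing the label once, e.g. `oid_name = get_pki_oid_displayname(value)` followed by `label = oid_name.present? ? "#{value} (#{oid_name})" : value`, leaves a single print_status call per branch. The display name is read from the directory and printed as-is, so a one-line comment noting that it is directory-supplied display text would help the next reader. The enclosing method starts and ends outside this hunk.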