
@nullenc0de
Created December 5, 2024 20:39
Exposed Internal PKI Infrastructure Detection nuclei template
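---
# Nuclei template: flags web endpoints that look like certificate-services /
# PKI publishing paths (enrollment pages, CRL and OCSP locations).
#
# Triage note: CRL and OCSP URLs are commonly published on purpose so that
# relying parties can check revocation. A hit is a lead to review (is the
# enrollment UI reachable, is authentication enforced?), not proof of a
# misconfiguration on its own.
id: exposed-pki-infrastructure

info:
  name: Exposed Internal PKI Infrastructure Detection
  author: nullenc0de
  severity: critical
  description: Detects exposed internal PKI infrastructure including CRL distribution points and OCSP responders
  tags: pki,exposure,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/certsrv/"
      - "{{BaseURL}}/pki/"
      - "{{BaseURL}}/crl/"
      - "{{BaseURL}}/.well-known/pki-validation/"
      - "{{BaseURL}}/ocsp/"
      - "{{BaseURL}}/CertEnroll/"
      - "{{BaseURL}}/CertSrv/"

    # Request options live on the request itself. The original put them in a
    # second, trailing `http:` list and spelled the first one `Stop-If-Match`,
    # so they would not have applied to the request above.
    # `tls-verification` is left out: presumably a scanner-level setting, not
    # a per-request template field - confirm against the engine's schema.
    stop-at-first-match: true
    redirects: true
    max-redirects: 2

    # Require a plausible status AND PKI-specific content. With the original
    # `or`, any path answering 200/401/403 was reported as a critical finding
    # regardless of what the page contained.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
          - 401
          - 403

      # Content indicators, any one is enough. The literal phrases from the
      # original word list are carried over as patterns next to its regexes.
      # The bare "Microsoft-IIS/10.0" banner is dropped: it identifies the
      # web server, not a certificate service.
      # Single quotes keep the backslashes literal; "\." inside a
      # double-quoted YAML scalar is an invalid escape and fails to parse.
      - type: regex
        condition: or
        regex:
          - 'certsrv'
          - 'Certificate Services'
          - 'Microsoft CA'
          - 'Certificate Authority'
          - 'CRL Distribution Point'
          - 'OCSP Responder'
          - 'CN=[A-Za-z0-9-]+-CA'
          - '\.crl$'
          - '\.cer$'
          - '\.p7b$'

    # Pulls CA naming details out of matching responses to help triage.
    extractors:
      - type: regex
        name: certificate_details
        regex:
          - 'CN=[A-Za-z0-9-]+-CA'
          - 'O=[A-Za-z0-9 ]+'
          - 'OU=[A-Za-z0-9 ]+'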
@nullenc0de

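---
# Nuclei template (author's revised version): one request per PKI-related
# path, each requiring a status code, body words and a regex to all match.
# The page rendered the YAML list dashes as bullets and flattened the
# indentation; the structure below is restored from that rendering.
#
# NOTE(review): word and regex matchers inspect the response body unless a
# `part` is given. "Microsoft-IIS" normally appears in the Server header, so
# the requests that require it in the body may never match - confirm, and set
# `part` explicitly if the header was intended.
id: exposed-pki-infrastructure

info:
  name: Exposed Internal PKI Infrastructure Detection
  author: nullenc0de
  severity: critical
  description: Detects exposed internal PKI infrastructure including CRL distribution points and OCSP responders
  tags: pki,exposure,misconfig

http:
  # Certificate services enrollment page.
  - method: GET
    path:
      - "{{BaseURL}}/certsrv/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Certificate Services"
          - "Microsoft-IIS"
        condition: and
      - type: status
        status:
          - 200
          - 401
      - type: regex
        regex:
          - '(?i)certsrv'
          - '(?i)Certificate Authority'

  # Generic PKI publishing directory.
  - method: GET
    path:
      - "{{BaseURL}}/pki/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "PKI"
          - "Certificate Services"
        condition: and
      - type: status
        status:
          - 200
          - 403
      - type: regex
        regex:
          - '(?i)Certificate Authority'

  # CRL distribution point.
  - method: GET
    path:
      - "{{BaseURL}}/crl/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "CRL Distribution Point"
          - "Microsoft-IIS"
        condition: and
      - type: status
        status:
          - 200
      # Single-quoted so the backslash stays literal; "\." in a double-quoted
      # YAML scalar is an invalid escape and the template fails to load.
      - type: regex
        regex:
          - '\.crl$'

  # NOTE(review): this path is also used for routine domain-validation
  # files; presumably the "Certificate Services" word is what ties a hit to
  # a PKI service - verify before treating a match as critical.
  - method: GET
    path:
      - "{{BaseURL}}/.well-known/pki-validation/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "pki-validation"
          - "Certificate Services"
        condition: and
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - '(?i)pki-validation'

  # OCSP responder.
  - method: GET
    path:
      - "{{BaseURL}}/ocsp/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "OCSP Responder"
          - "Microsoft-IIS"
        condition: and
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - '(?i)OCSP'

  # CertEnroll share (published CA certificates and CRLs).
  - method: GET
    path:
      - "{{BaseURL}}/CertEnroll/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "CertEnroll"
          - "Certificate Services"
        condition: and
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - '(?i)CertEnroll'

  # Same enrollment page as the first request, different path casing.
  - method: GET
    path:
      - "{{BaseURL}}/CertSrv/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Certificate Services"
          - "Microsoft-IIS"
        condition: and
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - '(?i)CertSrv'

    # NOTE(review): the extractor appears only once, after the last request,
    # so as written it applies to /CertSrv/ responses only - confirm whether
    # it was meant for every request.
    extractors:
      - type: regex
        name: certificate_details
        part: body
        group: 0
        regex:
          - 'CN=[A-Za-z0-9-]+-CA'
          - 'O=[A-Za-z0-9 ]+'
          - 'OU=[A-Za-z0-9 ]+'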
