Skip to content

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.

License

Notifications You must be signed in to change notification settings

TrimarcJake/Locksmith

Repository files navigation

 _       _____  _______ _     _ _______ _______ _____ _______ _     _
 |      |     | |       |____/  |______ |  |  |   |      |    |_____|
 |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |
     .--.                  .--.                  .--.
    /.-. '----------.     /.-. '----------.     /.-. '----------.
    \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'
     '--'                  '--'                  '--'

A tiny small tool built to find and fix common misconfigurations in Active Directory Certificate Services.

GitHub release GitHub top language PowerShell Gallery Platform Support GitHub contributors PRs Welcome GitHub Actions Workflow Status PowerShell Gallery Downloads Tweet

Contents

  1. Installation
  2. Run Locksmith
    1. Mode 0
    2. Mode 1
    3. Mode 2
    4. Mode 3
    5. Mode 4
    6. Scans

Installation

Prerequisites

  1. Locksmith (both script and module versions) must be run on a domain joined system.
  2. Locksmith (module version only) needs the ActiveDirectory and ServerManager PowerShell modules installed.

Module

Install module from the PowerShell Gallery (preferred):

  1. Open a PowerShell prompt and run Install-Module -Name Locksmith -Scope CurrentUser

Install module manually from GitHub:

  1. Download the latest module version: https://github.com/TrimarcJake/Locksmith/releases/latest/download/Locksmith.zip
  2. Extract the downloaded zip file
  3. Open a PowerShell prompt to the location of the extracted file and run Import-Module .\Locksmith.psd1

Script

Download the standalone script (classic) without module:

  1. Download the latest script version: https://github.com/TrimarcJake/Locksmith/releases/latest/download/Invoke-Locksmith.zip
  2. Open a PowerShell prompt to the location of the downloaded file and run .\Invoke-Locksmith.ps1

Run Locksmith

Mode 0: Identify Issues, Output to Console (Default)

Running Invoke-Locksmith.ps1 with no parameters or with -Mode 0 will scan the current Active Directory forest and output all discovered AD CS issues to the console in Table format.

# Module Syntax
Invoke-Locksmith
# Script Syntax
.\Invoke-Locksmith.ps1

Example Output for Mode 0: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode0.md

Mode 1:  Identify Issues and Fixes, Output to Console

This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in List format.

# Module Syntax
Invoke-Locksmith -Mode 1
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 1

Example Output for Mode 1: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode1.md

Mode 2:  Identify Issues, Output to CSV

Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.

# Module Syntax
Invoke-Locksmith -Mode 2
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 2

Example Output for Mode 2: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode2.md

Mode 3:  Identify Issues and Fixes, Output to CSV

In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.

# Module Syntax
Invoke-Locksmith -Mode 3
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 3

Example Output for Mode 3: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode3.md

Mode 4:  Fix All Issues

Mode 4 is the "easy button." Running Locksmith in Mode 4 will identify all misconfigurations and offer to fix each issue. If there is any possible operational impact, Locksmith will warn you.

# Module Syntax
Invoke-Locksmith -Mode 4
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 4

Example Output for Mode 4: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode4.md

Scans:  Select Which Scans to Run

Use the -Scans parameter to choose which vulnerabilities to scan for. Acceptable values include All, Auditing, ESC1, ESC2, ESC3, ESC4, ESC5, ESC6, ESC8, or PromptMe. The PromptMe option presents an interactive list allowing you to select scans.

# Run all scans
Invoke-Locksmith -Scan All
# Prompt the user for a list of scans to select
Invoke-Locksmith.ps1 -Scans PromptMe
# Scan for ESC1 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1
# Scan for ESC1, ESC2, and ESC8 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8