Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/trimarcjake/locksmith
A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
https://github.com/trimarcjake/locksmith
active-directory active-directory-certificate-services ad-cs adcs pki powershell powershell-module powershell-script
Last synced: 5 days ago
JSON representation
A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
- Host: GitHub
- URL: https://github.com/trimarcjake/locksmith
- Owner: TrimarcJake
- License: other
- Created: 2022-04-28T01:37:32.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-04-18T20:00:10.000Z (6 months ago)
- Last Synced: 2024-04-18T21:23:18.539Z (6 months ago)
- Topics: active-directory, active-directory-certificate-services, ad-cs, adcs, pki, powershell, powershell-module, powershell-script
- Language: PowerShell
- Homepage: https://github.com/TrimarcJake/Locksmith
- Size: 782 KB
- Stars: 681
- Watchers: 13
- Forks: 65
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.MD
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Roadmap: ROADMAP.md
Awesome Lists containing this project
README
```
_ _____ _______ _ _ _______ _______ _____ _______ _ _
| | | | |____/ |______ | | | | | |_____|
|_____ |_____| |_____ | \_ ______| | | | __|__ | | |
.--. .--. .--.
/.-. '----------. /.-. '----------. /.-. '----------.
\'-' .---'-''-'-' \'-' .--'--''-'-' \'-' .--'--'-''-'
'--' '--' '--'
```
A ~~tiny~~ small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
[](https://github.com/trimarcjake/locksmith/graphs/contributors/)
[](http://makeapullrequest.com)
[](https://twitter.com/intent/tweet?text=Checkout+Locksmith+and+fix+common+misconfigurations+in+Active+Directory+Certificate+Services.&url=https://github.com/trimarcjake/locksmith&hashtags=ADCS,PKI,infosec,powershell)
# Contents
1. [Installation](#Installation)
2. [Run Locksmith](#RunLocksmith)
1. [Mode 0](#Mode0)
2. [Mode 1](#Mode1)
3. [Mode 2](#Mode2)
4. [Mode 3](#Mode3)
5. [Mode 4](#Mode4)
6. [Scans](#Scans)
# Installation
## Module
### Install module from the PowerShell Gallery (preferred):
1. Open a PowerShell prompt and run `Install-Module -Name Locksmith -Scope CurrentUser`
### Install module manually from GitHub:
1. Download the [latest module version](https://github.com/TrimarcJake/Locksmith/releases/latest) ( **Locksmith-v**\**.**\**.zip** )
2. Extract the downloaded zip file
3. Open a PowerShell prompt to the location of the extracted file and run `Import-Module Locksmith.psd1`
## Script
### Download the standalone script (classic) without module:
1. Download the latest script version: [https://github.com/TrimarcJake/Locksmith/releases/latest/download/Invoke-Locksmith.zip](https://github.com/TrimarcJake/Locksmith/releases/latest/download/Invoke-Locksmith.zip)
2. Extract the downloaded zip file
## Mode 0: Identify Issues, Output to Console (Default)
Running `Invoke-Locksmith.ps1` with no parameters or with `-Mode 0` will scan the current Active Directory forest and output all discovered AD CS issues to the console in **Table** format.
``` powershell
# Module Syntax
Invoke-Locksmith
```
``` powershell
# Script Syntax
.\Invoke-Locksmith.ps1
```
Example Output for Mode 0: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode0.md
## Mode 1: Identify Issues and Fixes, Output to Console
This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in **List** format.
``` powershell
# Module Syntax
Invoke-Locksmith -Mode 1
```
``` powershell
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 1
```
Example Output for Mode 1: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode1.md
## Mode 2: Identify Issues, Output to CSV
Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.
``` powershell
# Module Syntax
Invoke-Locksmith -Mode 2
```
``` powershell
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 2
```
Example Output for Mode 2: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode2.md
## Mode 3: Identify Issues and Fixes, Output to CSV
In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.
``` powershell
# Module Syntax
Invoke-Locksmith -Mode 3
```
``` powershell
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 3
```
Example Output for Mode 3: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode3.md
## Mode 4: Fix All Issues
Mode 4 is the "easy button." Running Locksmith in Mode 4 will identify all misconfigurations and offer to fix each issue. If there is any possible operational impact, Locksmith will warn you.
``` powershell
# Module Syntax
Invoke-Locksmith -Mode 4
```
``` powershell
# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 4
```
Example Output for Mode 4: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode4.md
## Scans: Select Which Scans to Run
Use the `-Scans` parameter to choose which vulnerabilities to scan for. Acceptable values include `All`, `Auditing`, `ESC1`, `ESC2`, `ESC3`, `ESC4`, `ESC5`, `ESC6`, `ESC8`, or `PromptMe`. The `PromptMe` option presents an interactive list allowing you to select scans.
``` powershell
# Run all scans
Invoke-Locksmith -Scan All
```
``` powershell
# Prompt the user for a list of scans to select
Invoke-Locksmith.ps1 -Scans PromptMe
```
``` powershell
# Scan for ESC1 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1
```
``` powershell
# Scan for ESC1, ESC2, and ESC8 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8
```