ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License

Improve check_web_enrollment function to identify ESC8 on HTTP/HTTPS #203

Open dhn opened 6 months ago

dhn commented 6 months ago

The current check_web_enrollment function checks the CA against ESC8 exclusively on TCP port 80. If the web enrollment endpoint operates on TCP port 443 instead, the find command could overlook this potentially vulnerable endpoint.

[...]
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[+] Trying to resolve 'FOOBAR-CA01.local' at '10.13.37.50'
[*] Trying to get CA configuration for 'FOOBAR-CA' via CSRA
[...]
[+] Resolved 'FOOBAR-CA01.local'' from cache: 10.13.37.50
[+] Connecting to 10.13.37.50:80
[+] Resolved 'FOOBAR-CA01.local'' from cache: 10.13.37.50
[+] Connecting to 10.13.37.50:443
[...]

The patch employs the Python requests module over socket. As requests is already included in the dependencies, there is no additional overhead. Moreover, using this module streamlines the code, particularly with respect to handling TLS.

enj5oy commented 5 months ago

@dhn If Web Enrollment is present on port 443, it indicates that HTTPS is being used. Therefore, attempting to relay from HTTPS to LDAP would be unsuccessful, correct?

JacobEbben commented 4 months ago

@enj5oy HTTPS alone does not prevent a relay to web enrollment. It is Extended Protection for Authentication (EPA) that prevents NTLM relaying by binding the NTLM authentication to a TLS channel. EPA requires the use of HTTPS. I am not aware of current tooling that supports an NTLM relay to an HTTPS web enrollment instance though.