fix: ensure ADCS ESC1/ESC3 exploitation is reliably marked and improve SMB relay port handling #286

Merged
l50 merged 2 commits into feat/more-attack-cov from feat/dreadgoad-relay-port-cleanup
May 13, 2026

Conversation

@l50 l50 (Contributor) commented May 13, 2026

Key Changes:

  • Fix ADCS ESC1 and ESC3 deterministic exploit flows to always mark vulnerabilities as exploited in the scoreboard
  • Add explicit port 445 availability check and actionable error if relay bind fails, improving reliability and diagnostics
  • Introduce configurable bind check timeout to coercion run options and tests
  • Add async tests to verify port availability check logic

Added:

  • Explicit call to mark_exploited in deterministic ADCS ESC1 and ESC3 chains to ensure scoreboard updates even when the standard exploit token is not emitted
  • bind_check field to RunOptions in coercion logic, allowing configurable wait for port 445 to become free before spawning relay
  • wait_for_port_free async function to poll for port availability with clear error reporting if occupied
  • Async tests to validate wait_for_port_free returns Ok when port is free and Err when port is held

Changed:

  • Updated coercion logic to use wait_for_port_free before launching ntlmrelayx, surfacing clear diagnostics if port 445 is busy after cleanup
  • Adjusted test options to skip port 445 availability check, ensuring faster and more reliable test runs
  • Enhanced documentation and error messages for better operator feedback on relay startup failures

…able timeout

**Added:**

- Added `bind_check` option to `RunOptions` to control wait time for port 445 to become free before spawning ntlmrelayx
- Implemented `wait_for_port_free` async function to poll port availability with detailed error reporting
- Introduced tests for `wait_for_port_free` covering both free and held port scenarios

**Changed:**

- Updated relay startup logic to use the new port availability check, providing actionable error output if port 445 remains occupied
- Modified test setup to disable port check by default for faster, unaffected test runs
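The port-availability check described in the PR description and in the commit message above, as an added example that is not the project's own code: a blocking, std-only equivalent of the described async `wait_for_port_free` (the PR's version is async; `BindCheck` and its `timeout`/`interval` fields are assumed names standing in for the described `bind_check` option on `RunOptions`, and the demo uses an ephemeral port rather than 445).

```rust
use std::net::{SocketAddr, TcpListener};
use std::thread;
use std::time::{Duration, Instant};

/// Stand-in for the PR's `bind_check` option (assumed name and fields):
/// how long to wait for the port to be free, and how often to re-probe.
#[derive(Debug, Clone, Copy)]
pub struct BindCheck {
    pub timeout: Duration,
    pub interval: Duration,
}

/// Probe `addr` by trying to bind a listener there. The bind succeeds only
/// when no other socket is listening on that port, so success means the port
/// is free; the probe listener is dropped at once so the real service can take
/// the port. Retries until `check.timeout` elapses, then returns an error that
/// names the port and the last OS error, so the operator knows what to stop.
pub fn wait_for_port_free(addr: SocketAddr, check: BindCheck) -> Result<(), String> {
    let deadline = Instant::now() + check.timeout;
    let mut last_err = String::new();
    loop {
        match TcpListener::bind(addr) {
            Ok(probe) => {
                drop(probe); // only wanted to know the bind works
                return Ok(());
            }
            Err(e) => last_err = e.to_string(),
        }
        if Instant::now() >= deadline {
            return Err(format!(
                "port {} on {} is still in use after {:?} (last error: {}); \
                 stop the process holding it, then retry",
                addr.port(), addr.ip(), check.timeout, last_err
            ));
        }
        thread::sleep(check.interval);
    }
}

fn main() {
    // Constructed demo: hold an ephemeral port, release it after 200 ms,
    // and show the check succeeding once the holder goes away.
    let holder = TcpListener::bind("127.0.0.1:0").expect("bind");
    let addr = holder.local_addr().expect("addr");
    let releaser = thread::spawn(move || { thread::sleep(Duration::from_millis(200)); drop(holder); });
    let check = BindCheck { timeout: Duration::from_secs(5), interval: Duration::from_millis(50) };
    println!("{:?}", wait_for_port_free(addr, check));
    releaser.join().expect("join");
}
```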
@l50 l50 changed the base branch from main to feat/more-attack-cov May 13, 2026 00:00
@l50 l50 changed the title feat: add automation for full attack surface coverage and state tracking feat: add explicit port 445 free check before ntlmrelayx relay bind May 13, 2026
…ESC3 chains

**Added:**

- Explicitly call `mark_exploited` in deterministic ESC1 and ESC3 chains to credit exploited tokens when standard result processing is bypassed
- Add warning logs for failures when marking ESC1 or ESC3 as exploited after chain success
@l50 l50 changed the title feat: add explicit port 445 free check before ntlmrelayx relay bind fix: ensure ADCS ESC1/ESC3 exploitation is reliably marked and improve SMB relay port handling May 13, 2026
@codecov codecov Bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 49.25373% with 34 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (feat/more-attack-cov@9de852d). Learn more about missing BASE report.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ares-tools/src/coercion.rs | 60.00% | 22 Missing ⚠️ |
| ...i/src/orchestrator/automation/adcs_exploitation.rs | 0.00% | 12 Missing ⚠️ |

```
@@                   Coverage Diff                   @@
##             feat/more-attack-cov     #286   +/-   ##
=======================================================
  Coverage                        ?   76.29%           
=======================================================
  Files                           ?      433           
  Lines                           ?   113877           
  Branches                        ?        0           
=======================================================
  Hits                            ?    86877           
  Misses                          ?    27000           
  Partials                        ?        0           
```

| Files with missing lines | Coverage Δ |
|---|---|
| ...i/src/orchestrator/automation/adcs_exploitation.rs | 54.90% <0.00%> (ø) |
| ares-tools/src/coercion.rs | 84.00% <60.00%> (ø) |

@l50 l50 merged commit 9b2bd9a into feat/more-attack-cov May 13, 2026
12 checks passed
@l50 l50 deleted the feat/dreadgoad-relay-port-cleanup branch May 13, 2026 00:44