This script finds ADCS Web Enrollment portals that are candidates for ESC8 by sweeping a network range and probing each host for the /certsrv/ endpoint over HTTP and HTTPS. Any answer other than 404 is reported, so confirm that NTLM authentication is actually enabled on the portal (and that relay mitigations such as EPA are absent) before treating a hit as exploitable.
from ipaddress import ip_network, summarize_address_range, ip_address
import logging
import socket
import ssl
import threading
from queue import Queue
import argparse
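class Worker(threading.Thread):
    """Consumer thread: takes addresses off ``queue`` and probes each one on 80 and 443.

    The main script starts several of these as daemon threads and then blocks on
    ``queue.join()``, so every item taken from the queue must be acknowledged with
    ``task_done()`` or the join never returns.
    """

    def __init__(self, queue):
        super().__init__()
        self.queue = queue

    def run(self):
        # Loop forever; the process exits when the main thread finishes because the
        # workers are started as daemon threads.
        while True:
            ipaddress = self.queue.get()
            try:
                if check_web_enrollment(ipaddress):
                    print("[{}] {}VULNERABLE TO ESC8 ON HTTP{}".format(ipaddress, '\033[92m', '\033[0m'))
                if check_web_enrollment_https(ipaddress):
                    print("[{}] {}VULNERABLE TO ESC8 ON HTTPS{}".format(ipaddress, '\033[92m', '\033[0m'))
            finally:
                # Acknowledge the item on every path: an unexpected exception here used
                # to skip task_done() and leave queue.join() waiting forever.
                self.queue.task_done()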
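def check_web_enrollment(ipaddress: str, port: int = 80, timeout: float = 5) -> bool:
    """Probe ``http://<ipaddress>:<port>/certsrv/`` and report whether it looks like an ADCS Web Enrollment portal.

    A single HEAD request is sent and only the HTTP status line is inspected: the host
    is reported when it answers with anything other than 404 (a portal that requires
    Windows authentication would typically answer 401 here; 200/403/30x are reported
    too). Connection refused, timeouts, empty replies and non-HTTP banners all count
    as "not vulnerable" -- the original code flagged an empty reply or a non-HTTP
    service on the port as vulnerable.

    Caveat: a non-404 answer only proves the path is served. It does not confirm that
    NTLM authentication is enabled or that relay mitigations are absent; confirm ESC8
    manually before reporting it.

    Args:
        ipaddress: target host, used for the connection and the Host header.
        port: TCP port to probe (default 80).
        timeout: socket timeout in seconds, applied to connect, send and recv.

    Returns:
        True when the endpoint answered with an HTTP status other than 404, else False.
    """
    request = "\r\n".join(
        ["HEAD /certsrv/ HTTP/1.1", "Host: %s" % ipaddress, "\r\n"]
    ).encode()
    try:
        logging.debug("Connecting to %s:%s" % (ipaddress, port))
        # ``with`` closes the socket on every path; the previous version leaked it
        # whenever sendall/recv raised.
        with socket.create_connection((ipaddress, port), timeout=timeout) as sock:
            sock.sendall(request)
            resp = sock.recv(256)
    except (ConnectionRefusedError, socket.timeout):
        return False
    except Exception as e:
        # ``debug`` is the module-level flag set from the -d option; looked up lazily
        # so the probe also works when imported without the CLI having run.
        if globals().get("debug", False):
            logging.warning(
                "Got error while trying to check for web enrollment: %s" % e
            )
        return False
    # Only the status line matters. Anything that is not an HTTP status line (empty
    # reply, another protocol's banner) cannot be the web enrollment portal.
    head = resp.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if not head.startswith("HTTP/"):
        return False
    return " 404 " not in head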
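def check_web_enrollment_https(ipaddress: str, port: int = 443, timeout: float = 5) -> bool:
    """Probe ``https://<ipaddress>:<port>/certsrv/`` and report whether it looks like an ADCS Web Enrollment portal.

    Same heuristic as the HTTP probe: one HEAD request, and any HTTP status other than
    404 is reported. Connection refused, timeouts, failed TLS handshakes, empty replies
    and non-HTTP banners count as "not vulnerable".

    Certificate verification is deliberately disabled: this is a discovery probe that
    never relies on the server's identity, and ADCS portals usually present a
    certificate from the internal PKI that this host does not trust. The previous
    version used the deprecated ``ssl.wrap_socket()`` (removed in Python 3.12) and
    created a default context it never used.

    Caveat: a non-404 answer does not by itself confirm that NTLM authentication is
    enabled on the portal or that Extended Protection for Authentication is off; both
    matter for relaying to the HTTPS endpoint, so verify manually.

    Args:
        ipaddress: target host, used for the connection, SNI and the Host header.
        port: TCP port to probe (default 443).
        timeout: socket timeout in seconds, applied to connect, handshake, send and recv.

    Returns:
        True when the endpoint answered with an HTTP status other than 404, else False.
    """
    # PROTOCOL_TLS_CLIENT negotiates the highest version both sides support; turning
    # hostname checking off must happen before setting verify_mode to CERT_NONE.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    request = f"HEAD /certsrv/ HTTP/1.1\r\nHost: {ipaddress}\r\n\r\n".encode()
    try:
        logging.debug("Connecting to %s:%s" % (ipaddress, port))
        # Both sockets are closed on every path, including handshake failures.
        with socket.create_connection((ipaddress, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=ipaddress) as tls:
                tls.sendall(request)
                resp = tls.recv(256)
    except (ConnectionRefusedError, socket.timeout):
        return False
    except Exception as e:
        # ``debug`` is the module-level flag set from the -d option; looked up lazily
        # so the probe also works when imported without the CLI having run.
        if globals().get("debug", False):
            logging.warning(
                "Got error while trying to check for web enrollment on HTTPS: %s" % e
            )
        return False
    # Only the status line matters; an empty reply or a non-HTTP banner is not the portal.
    head = resp.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if not head.startswith("HTTP/"):
        return False
    return " 404 " not in head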
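def parse_targets(target: str) -> "list[str] | None":
    """Expand a target specification into a list of IP address strings.

    Accepted forms (surrounding whitespace is ignored):
      * a single address, ``10.0.0.1``;
      * a CIDR block, ``10.0.0.0/24`` -- every address in the block is returned,
        including the network and broadcast addresses; host bits set in the
        address (``10.0.0.5/24``) are masked off rather than rejected;
      * an inclusive range, ``10.0.0.1-10.0.0.20``.

    Returns:
        The expanded addresses, or None after logging an error when ``target`` is not
        a valid specification (malformed address, more than one ``-``, or a range
        whose start is after its end). The previous version raised an uncaught
        ValueError for a malformed or reversed range instead of returning None.
    """
    target = target.strip()
    try:
        if "-" in target:
            bounds = target.split("-")
            if len(bounds) != 2:
                logging.error("%s is not a valid target" % target)
                return None
            first, last = ip_address(bounds[0].strip()), ip_address(bounds[1].strip())
            # summarize_address_range yields the minimal set of networks covering
            # [first, last]; iterating each network yields its addresses in order.
            return [
                str(ip)
                for subnet in summarize_address_range(first, last)
                for ip in subnet
            ]
        return [str(ip) for ip in ip_network(target, strict=False)]
    except ValueError:
        logging.error("%s is not a valid target" % target)
        return None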
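# Command-line entry point: expand the target spec, start the worker pool and
# block until every address has been probed.
parser = argparse.ArgumentParser(description='Find ADCS Web Enrollment endpoint that are vulnerable to ESC8 by fuzzing', add_help=True)
parser.add_argument(
    "target",
    action="store",
    help="ip address, ip1-ip2 or ip/cidr",
)
parser.add_argument('-t', '--threads', action='store', type=int, default=50, metavar="threads", help='Max threads')
parser.add_argument("-d", "--debug", action="store_true", help="Just showing you errors")
options = parser.parse_args()

addresses = parse_targets(options.target)
if not addresses:
    # parse_targets has already logged why; exit with a usage error instead of the
    # TypeError the old code raised when it tried to iterate None.
    parser.error("no valid targets in %r" % options.target)
if options.threads < 1:
    # With zero workers nothing ever consumes the queue and queue.join() blocks forever.
    parser.error("--threads must be at least 1")

# Read by the check_* probes when they log unexpected errors; set before any worker starts.
debug = options.debug

# Bounded queue so the producer loop below never runs far ahead of the workers.
queue = Queue(options.threads + 10)
for _ in range(options.threads):
    worker = Worker(queue)
    # Daemon threads: the workers loop forever, the process exits once join() returns.
    worker.daemon = True
    worker.start()
for address in addresses:
    queue.put(address)
queue.join()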