ghostpack / certify
Active Directory certificate abuse.
License: Other
Hi,
I am new to blue teaming activities. I am trying to use certify to work on abusing ADCS service in my lab.
I am using a server for performing all attacks. I am logged into that PC using standard user and trying to gain access to user with local admin rights and then perform other enumeration
I have used whisker and rubeus to get TGT of local admin and used winrs to connect to CMD using that admin on the same server
Now when I am trying to run certify commands like certify cas, find, pkiobjects etc but getting the errors
Same is happening with other tools like Sharpshares etc.
Can someone suggest
Hi
I tried to compile the program using Visual Studio 2017, and I got this error:
CSC : error CS1617: Invalid option '9.0' for /langversion; must be ISO-1, ISO-2, Default or an integer in range 1 to 6.
Hi. Thank you very much for your effort that went into all this research!
I am trying to abuse ESC6 from a non domain-joined machine. I am aware of the tools Certi and PKINITTools for Linux but at least Certi is not fully working at the moment. The other alternative is to use Certify on a non domain-joined Windows box but for that to work Certify must be Kerberos aware. I can use Rubeus to request a TGT and pass that into RAM. When that is done I can execute for example the command "certutil -config "server2.adlab.local\adlab-SERVER2-CA" -getreg "policy\EditFlags"" meaning that command can be run outside of a domain and that Certutil is Kerberos aware. Using Certify after requesting and passing a TGT using Rubeus results only in various crashes of Certify. For example:
PS C:\temp> .\certify.exe request /ca:server2.adlab.local\adlab-SERVER2-CA /template:User /altname:administrator
[*] Action: Request a Certificates
[*] Current user context : CLIENT2\localadmin1
[!] Unhandled Certify exception:
System.NullReferenceException: Object reference not set to an instance of an object.
at Certify.Cert.GetCurrentUserDN()
at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName)
at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
at Certify.Commands.Request.Execute(Dictionary`2 arguments)
at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
I have also tried the flags "/machine" and/or "/ca:[ADCS server IP]" but Certify still crashes.
.\Certify.exe request /ca:LBABEPW114.REDACTED.com\REDACTED-Enterprise-Root-CA01 /template:REDACTEDCA01 /altname:REDACTEDUSER /domain:REDACTED.com /ldapserver:LBABEPW121.REDACTED.com
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : REDACTEDDOMAIN\REDACTEDUSER
[!] Unhandled Certify exception:
System.InvalidCastException: Unable to cast object of type 'System.DirectoryServices.AccountManagement.GroupPrincipal' to type 'System.DirectoryServices.AccountManagement.UserPrincipal'.
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.get_Current()
at Certify.Cert.GetCurrentUserDN()
at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName, String sidExtension)
at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, String sidExtension, Boolean install)
at Certify.Commands.Request.Execute(Dictionary`2 arguments)
at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
Certify completed in 00:00:00.1875661
I have no idea where this is coming from. I tried with different Certify versions but keep getting this error.
env:
CS : server 2012
Client : server 2012
When I apply for a template, the following error occurs.
error description:
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : TEST\wangqiang
[*] No subject name specified, using current context as subject.
[*] Template : ESC1
[*] Subject : CN=Wang Qiang, OU=company, DC=test, DC=com
[*] AltName : cadmin
[!] Unhandled Certify exception:
System.InvalidCastException: Unable to cast COM object of type 'CERTENROLLLib.CX509PrivateKeyClass' to interface type 'CERTENROLLLib.IX509PrivateKey2'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{728AB362-217D-11DA-B2A4-000E7BBB2B09}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).
at System.StubHelpers.StubHelpers.GetCOMIPFromRCW(Object objSrc, IntPtr pCPCMD, IntPtr& ppTarget, Boolean& pfNeedsRelease)
at CERTENROLLLib.CX509PrivateKeyClass.set_Length(Int32 pValue)
at Certify.Cert.CreatePrivateKey(Boolean machineContext)
at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName, String sidExtension)
at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, String sidExtension, Boolean install)
at Certify.Commands.Request.Execute(Dictionary`2 arguments)
at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
Certify completed in 00:00:00.2333173
I am seeing this error recently when I run it in my lab domain. There are 3 CAs currently and when running certify.exe from a domain joined machine I get the following error as it is looping through CAs
UserSpecifiedSAN : Could not connect to the HKLM hive - The network path was not found.
I am sure I am doing something wrong here, but I can't figure out what.
If I run
.\Certify.exe find
from meterpreter (execute -i -f ...) or from a meterpreter shell, I got this error.
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=essos,DC=local'
[!] Unhandled Certify exception:
System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at Certify.Lib.LdapOperations.GetEnterpriseCAs(String caName)
at Certify.Commands.Find.FindTemplates(Boolean outputJSON)
at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
Certify completed in 00:00:00.0272533
It works fine when I run it over RDP or WinRM, but how can I fix this problem?
GOAD, Microsoft Windows Server 2016 Standard Evaluation
Hi, you are probably already aware of the problems related to running certify on a non-domain machine. Even though I tried different test cases (runas, netonly, ptt, cmd over pth), each time I got an exception and I was not able to request a certificate. Could you please recommend what I can do about this in case you don't plan any code updates for this issue?
Thanks
Not sure if I'm missing something obvious, as I'm not familiar with .NET, but getting the following error when building.
1>C:\Users\User\Desktop\Certify-main\Certify\Lib\Cert.cs(4,7,4,17): error CS0246: The type or namespace name 'CERTCLILib' could not be found (are you missing a using directive or an assembly reference?)
There seem to be issues handling a CA-NAME with spaces included. Neither the grave accent nor quotation marks resolve the issue.
First of all, thanks for your excellent research work.
I'm trying to reproduce it using a Windows Server 2012 R2 with no patches installed either automatically or manually.
I installed AD CS using all default options offered by the setup wizard.
When I invoke the Python script from https://github.com/topotam/PetitPotam and combine it with ntlmrelayx from https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack , it just kept telling me HTTP 401 Unauthorized.
Since it's totally all default situation, I have no idea what's wrong with it to reproduce.
More information might be useful for debugging:
/certsrv will ask for human user credential, then it works as intended. But in this situation, machine account NTLM authentication seems not to work.
ntlmrelayx with responder, I could successfully get a response and hash captured notice from responder, which means, at least, NTLM Relay part, works fine.
Thanks for your help in advance.
Hello,
Let me start off stating that I am far from a Visual Studio expert but I have successfully built projects before, including Rubeus.
I have installed Visual Studio 2019 Community Edition and I have downloaded the project, opened the project, and then selected "Release" (as opposed to "Debug") and then selected Build and I am getting the error below (as well as several others - see screenshot).
Severity Code Description Project File Line Suppression State
Error This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is ..\packages\dnMerge.0.5.15\build\dnMerge.targets. Certify C:\Users\rstrom\source\repos\Certify-main\Certify\Certify.csproj 129
Hopefully this is either something really stupid that I am not doing correctly or something easy to fix. Really looking to get this built so that I can do testing and the necessary validation of fixes.
Thanks much!
When I compile certify.exe my computer alerts that there is a virus and the file is immediately deleted. I am hesitant to disable anti virus but is that the only option?
Hi,
by following https://github.com/GhostPack/Certify#sidenote-running-certify-through-powershell and without any AV active, when I try to execute the Main() program it returns:
$ [Certify.Program]::Main("find /vulnerable".Split())
Unable to find type [Certify.Program].
At line:1 char:1
+ [Certify.Program]::Main("find /vulnerable".Split())
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Certify.Program:TypeName) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound
The assembly seems loaded correctly in memory since I can tab through the attributes/methods etc but the "Program" does not seem to be callable.
Any hints on why this happens?
Tested on Win10 19042
Awesome project! Hope following issue can be fixed:
Similar to #13, it seems that the user context cannot be changed and is always the current user (no relevant parameters supplied), so we can't request a certificate with an obtained NTLM hash or TGT.
Tested on a domain-joined machine, I tried pth with mimikatz and createnetonly with rubeus; neither of them worked.
However, runas /netonly /user:domain\user cmd can do certify request successfully (assuming I've obtained the plain text passwd of victim).
Please check this, thanks a lot.
The information below is from a CTF, so none of it is sensitive, but I recently noticed that using
certify.exe find /vulnerable
does not work; it says "no vulnerable certificates templates found!"
But if I try with the incorrect spelling
certify.exe find /vulnarable
it finds vulnerable templates without issue. It's a bit confusing because vulnarable is not the correct spelling of the word, but for now using find /abusable also works.
Evil-WinRM PS C:\Users\Raven\AppData\Local\Temp> ./certify.exe find /vulnerable
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=manager,DC=htb'
[*] Listing info about the Enterprise CA 'manager-DC01-CA'
Enterprise CA Name : manager-DC01-CA
DNS Hostname : dc01.manager.htb
FullName : dc01.manager.htb\manager-DC01-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=manager-DC01-CA, DC=manager, DC=htb
Cert Thumbprint : ACE850A2892B1614526F7F2151EE76E752415023
Cert Serial : 5150CE6EC048749448C7390A52F264BB
Cert Start Date : 7/27/2023 3:21:05 AM
Cert End Date : 7/27/2122 3:31:04 AM
Cert Chain : CN=manager-DC01-CA,DC=manager,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Deny ManageCA, Read MANAGER\Operator S-1-5-21-4078382237-1492182817-2568127209-1119
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Allow ManageCA, Enroll MANAGER\Raven S-1-5-21-4078382237-1492182817-2568127209-1116
Allow Enroll MANAGER\Operator S-1-5-21-4078382237-1492182817-2568127209-1119
Enrollment Agent Restrictions : None
[+] No Vulnerable Certificates Templates found!
Certify completed in 00:00:07.0877306
Evil-WinRM PS C:\Users\Raven\AppData\Local\Temp> ./certify.exe find /vulnarable
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=manager,DC=htb'
[*] Listing info about the Enterprise CA 'manager-DC01-CA'
Enterprise CA Name : manager-DC01-CA
DNS Hostname : dc01.manager.htb
FullName : dc01.manager.htb\manager-DC01-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=manager-DC01-CA, DC=manager, DC=htb
Cert Thumbprint : ACE850A2892B1614526F7F2151EE76E752415023
Cert Serial : 5150CE6EC048749448C7390A52F264BB
Cert Start Date : 7/27/2023 3:21:05 AM
Cert End Date : 7/27/2122 3:31:04 AM
Cert Chain : CN=manager-DC01-CA,DC=manager,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Deny ManageCA, Read MANAGER\Operator S-1-5-21-4078382237-1492182817-2568127209-1119
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Allow ManageCA, Enroll MANAGER\Raven S-1-5-21-4078382237-1492182817-2568127209-1116
Allow Enroll MANAGER\Operator S-1-5-21-4078382237-1492182817-2568127209-1119
Enrollment Agent Restrictions : None
[*] Available Certificates Templates :
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : User
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : EFS
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Encrypting File System
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : Administrator
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Microsoft Trust List Signing, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : EFSRecovery
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : File Recovery
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : Machine
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Computers S-1-5-21-4078382237-1492182817-2568127209-515
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : DomainController
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-516
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
MANAGER\Enterprise Read-only Domain ControllersS-1-5-21-4078382237-1492182817-2568127209-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : WebServer
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : SubCA
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : DomainControllerAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy : Client Authentication, Server Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-516
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
MANAGER\Enterprise Read-only Domain ControllersS-1-5-21-4078382237-1492182817-2568127209-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : DirectoryEmailReplication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Directory Service Email Replication
mspki-certificate-application-policy : Directory Service Email Replication
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-516
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
MANAGER\Enterprise Read-only Domain ControllersS-1-5-21-4078382237-1492182817-2568127209-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : KerberosAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-516
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
MANAGER\Enterprise Read-only Domain ControllersS-1-5-21-4078382237-1492182817-2568127209-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:08.1763365
Evil-WinRM PS C:\Users\Raven\AppData\Local\Temp>
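An added example, not part of the issue above and not Certify's own code: a small Python audit that parses a `find`-style template listing in the format shown above and reports, per template, which ESC1 preconditions are not met. The `User` and `WebServer` entries are trimmed from the listing above; the `LabESC1` entry, the function names, and the assumption that manager approval is rendered as `PEND_ALL_REQUESTS` are constructed for illustration.

```python
import re

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
# Well-known low-privileged principals: Everyone, Authenticated Users, BUILTIN\Users
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
# Domain-relative RIDs: Domain Users (513), Domain Computers (515)
LOW_PRIV_RIDS = {"513", "515"}
# EKUs that allow the certificate to be used for domain authentication
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}

# User and WebServer are trimmed from the listing on this page.
# LabESC1 is a constructed entry, not a template from the page.
SAMPLE = r"""
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : User
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : WebServer
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : LabESC1
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication
Enrollment Rights : MANAGER\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
"""


def _csv(value):
    """Split a comma-separated flag list; '<null>' and empty mean no values."""
    return set() if value in ("", "<null>") else {v.strip() for v in value.split(",")}


def parse_templates(text):
    """Parse the listing into one dict per template."""
    templates, cur, in_rights = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key == "template name":
            cur = {"name": value, "name_flags": set(), "enroll_flags": set(),
                   "ekus": set(), "signatures": 0, "enroll_sids": []}
            templates.append(cur)
            in_rights = False
        elif cur is None:
            continue
        elif sep and key == "enrollment rights":
            in_rights = True
            cur["enroll_sids"] += SID_RE.findall(value)
        elif not sep and in_rights:
            # Continuation lines list one principal each; a line without a SID ends the list.
            sids = SID_RE.findall(line)
            cur["enroll_sids"] += sids
            in_rights = bool(sids)
        else:
            in_rights = False
            if key == "mspki-certificate-name-flag":
                cur["name_flags"] = _csv(value)
            elif key == "mspki-enrollment-flag":
                cur["enroll_flags"] = _csv(value)
            elif key == "pkiextendedkeyusage":
                cur["ekus"] = _csv(value)
            elif key == "authorized signatures required" and value.isdigit():
                cur["signatures"] = int(value)
    return templates


def is_low_priv(sid):
    if sid in LOW_PRIV_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in LOW_PRIV_RIDS


def esc1_blockers(t):
    """Return the ESC1 preconditions this template does NOT meet (empty list = exposed)."""
    blockers = []
    if "ENROLLEE_SUPPLIES_SUBJECT" not in t["name_flags"]:
        blockers.append("requester cannot supply the subject")
    if "PEND_ALL_REQUESTS" in t["enroll_flags"]:
        blockers.append("manager approval required")
    if t["signatures"] > 0:
        blockers.append("authorized signatures required")
    if t["ekus"] and not (t["ekus"] & AUTH_EKUS):  # no EKU at all means any purpose
        blockers.append("no authentication-capable EKU")
    if not any(is_low_priv(s) for s in t["enroll_sids"]):
        blockers.append("enrollment limited to privileged principals")
    return blockers


def audit(text):
    return {t["name"]: esc1_blockers(t) for t in parse_templates(text)}


if __name__ == "__main__":
    for name, blockers in audit(SAMPLE).items():
        print(f"{name}: {'meets all ESC1 preconditions' if not blockers else '; '.join(blockers)}")
```

A template that comes back with an empty list is the one to remediate, typically by clearing the enrollee-supplies-subject setting, requiring manager approval, or tightening enrollment rights.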
Hi,
I was trying out some requests and an exception is returned during execution.
Compiled on Windows Server 2022 with VS2019.
.\Certify.exe find /vulnerable or .\Certify.exe find /clientauth works fine.
The error comes when I try the following command: .\Certify.exe request /ca:REDACTED /template:REDACTED /altname:DOMAIN\REDACTED
[*] Action: Request a Certificates
[!] Unhandled Certify exception:
System.IO.FileNotFoundException: Could not load file or assembly 'Interop.CERTENROLLLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.
File name: 'Interop.CERTENROLLLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'
at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
at Certify.Commands.Request.Execute(Dictionary`2 arguments)
at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].
No cert is returned after the exception.
The script is executed directly on an AD CS, with admin rights.
Edit: This exception also occurs when using the download function.
See #8 (comment)
Getting this error while running:
certify.exe request /ca:CASERVER.thisisalongdomainlol.com\Issuing-External-CA /template:VulnTemplate /altname:Administrator
My Subject name according to certify is:
CN=TEST2\, Contos, OU=Test Accounts, OU=Users, OU=Live, OU=ABC, DC=thisisalongdomainlol, DC=com
Any ideas on how to deal with this error? Sounds like a legitimate issue for which you have to permit longer than 64 character subject names on the ADCS server according to this: https://www.open-a-socket.com/2014/07/24/the-request-subject-name-is-invalid-or-too-long/
Below is the full output with redacted info, this pentest is about to end but it might help the next person if this gets answered.
[*] Current user context : thisisalongdomainlol\Contos
[*] No subject name specified, using current context as subject.
[*] Template : VulnTemplate
[*] Subject : CN=TEST2\, Contos, OU=Test Accounts, OU=Users, OU=Live, OU=ABC, DC=thisisalongdomainlol, DC=com
[*] AltName : administrator
[*] Certificate Authority : CASERVER.thisisalongdomainlol.com\Issuing-External-CA
[!] CA Response : The submission failed: Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)
[!] Last status : 0x80094001
[*] Request ID : 0
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
abcde
-----END RSA PRIVATE KEY-----
[X] Error downloading certificate: CCertRequest::RetrievePending: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:08.5331567
Hopefully there is something that can be done rather than running a command on the AD CS server :/
As discussed on BH slack:
Compiled Certify on Win10 2004 with VS2019.
Executed via Cobalt Strike's execute-assembly on Windows Server 2012R2.
Certify.exe find /vulnerable appeared to work fine.
Certify.exe request /ca:**REDACTED** /template:**REDACTED** /altname:**REDACTED** threw the following exception:
System.InvalidCastException: Unable to cast COM object of type 'CERTENROLLLib.CX509PrivateKeyClass' to interface type 'CERTENROLLLib.IX509PrivateKey2'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{728AB362-217D-11DA-B2A4-000E7BBB2B09}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).
at System.StubHelpers.StubHelpers.GetCOMIPFromRCW(Object objSrc, IntPtr pCPCMD, IntPtr& ppTarget, Boolean& pfNeedsRelease)
at CERTENROLLLib.CX509PrivateKeyClass.set_Length(Int32 pValue)
at Certify.Cert.CreatePrivateKey(Boolean machineContext)
at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName)
at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
at Certify.Commands.Request.Execute(Dictionary`2 arguments)
at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
After some trial and error I found that by changing CreatePrivateKey() to return a CX509PrivateKey instead of IX509PrivateKey (and compiling it on Server2012) I could get Certify to request a cert and receive a valid-looking pem-formatted cert back from the CA.
Unfortunately, when trying to actually use the cert with Rubeus.exe asktgt I was getting KDC_ERR_CLIENT_NOT_TRUSTED. On further examination of the pem-formatted cert that certify gave me back (with openssl x509 -in cert.pem -text) I noticed that the SAN field wasn't as expected, and was instead showing this:
X509v3 Subject Alternative Name:
othername:<unsupported>
Let me know if there's any other details I can provide to help troubleshoot and I'll do my best.
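The othername:<unsupported> line in the output above does not show what the SAN entry contains. As an added example (not from the original post or the Certify project), this minimal Python DER reader lists the UPN otherName values in a subjectAltName extension value, which helps when reviewing issued certificates; the sample bytes, host name and UPN are constructed.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name otherName

def read_tlv(buf, pos):  # returns (tag, value_bytes, next_pos)
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID content bytes -> dotted string
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def san_upns(san_der):  # every UPN carried as an otherName in a SubjectAltName value
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    upns, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                    # [0] otherName; skip dNSName, rfc822Name, ...
            continue
        t, oid, nxt = read_tlv(body, 0)
        if t != 0x06 or decode_oid(oid) != UPN_OID:
            continue
        t, wrapped, _ = read_tlv(body, nxt)   # [0] EXPLICIT wrapper around the value
        t2, text, _ = read_tlv(wrapped, 0)    # UTF8String holding the UPN
        if t == 0xA0 and t2 == 0x0C:
            upns.append(text.decode("utf-8"))
    return upns

def _tlv(tag, body):  # builds the constructed sample (short-form lengths only)
    return bytes([tag, len(body)]) + body

# Constructed sample: dNSName host.example.test plus a UPN otherName.
_OID = bytes.fromhex("060a2b060104018237140203")
SAMPLE_SAN = _tlv(0x30, _tlv(0x82, b"host.example.test") +
                  _tlv(0xA0, _OID + _tlv(0xA0, _tlv(0x0C, b"alice@example.test"))))
```

Calling san_upns(SAMPLE_SAN) returns the UPN string; entries of other types are skipped rather than reported as unsupported.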
Running v1.1.0 on Win10 21H2: Certify.exe find /vulnerable results in the following error message:
[!] Unhandled Certify exception:
System.ArgumentNullException: Value cannot be null.
Parameter name: source
at System.Linq.Enumerable.Contains[TSource](IEnumerable`1 source, TSource value, IEqualityComparer`1 comparer)
at Certify.Commands.Find.IsCertificateTemplateVulnerable(CertificateTemplate template, List`1 currentUserSids)
at Certify.Commands.Find.<>c__DisplayClass19_0.<ShowVulnerableTemplates>b__0(CertificateTemplate t)
at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Certify.Commands.Find.ShowVulnerableTemplates(IEnumerable`1 templates, IEnumerable`1 cas, List`1 currentUserSids)
at Certify.Commands.Find.FindTemplates(Boolean outputJSON)
at Certify.Commands.Find.Execute(Dictionary`2 arguments)
at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
Running version 1.0.0 is successful.
Does this tool have an 'asktgt' command?