Open jsdhasfeds opened 3 years ago
This crashes because Certify assumes it will get a distinguished name from the current user, but if you're on a non domain machine then it won't. So then you get a null reference exception when it tries to use the Replace function on a null string here:
```csharp
// gets the current distinguished name of the current user context
private static string GetCurrentUserDN()
{
    return UserPrincipal.Current.DistinguishedName.Replace(",", ", ");
}
```
You should be able to work around this by supplying a subject name yourself so that it doesn't have to try to get the user's distinguished name. Although personally I run into other errors after that when trying to do it from a non domain machine.
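An added example (not Certify's own code and not part of this thread): a null-safe way to resolve the subject name, preferring a caller-supplied subject and failing with a clear message instead of a `NullReferenceException`. `SubjectResolver` and `ResolveSubjectDN` are hypothetical names, and the sample DN in `Main` is constructed.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

static class SubjectResolver
{
    // Hypothetical helper (not in Certify): returns the subject DN to use,
    // preferring a caller-supplied value over a directory lookup.
    public static string ResolveSubjectDN(string suppliedSubject)
    {
        if (!string.IsNullOrWhiteSpace(suppliedSubject))
            return suppliedSubject;

        string dn = null;
        try
        {
            // As the issue describes, on a non-domain machine the current
            // user has no directory object, so DistinguishedName is null.
            using (UserPrincipal user = UserPrincipal.Current)
            {
                dn = user?.DistinguishedName;
            }
        }
        catch (PrincipalException ex)
        {
            // The lookup itself can also fail when no directory is reachable.
            throw new InvalidOperationException(
                "Could not look up the current user; supply a subject name explicitly.", ex);
        }

        if (string.IsNullOrEmpty(dn))
            throw new InvalidOperationException(
                "Current user has no distinguished name (local account or " +
                "non-domain machine); supply a subject name explicitly.");

        // Same formatting as the original method: a space after each comma.
        return dn.Replace(",", ", ");
    }

    static void Main()
    {
        // Constructed sample DN; with a supplied subject no lookup happens.
        Console.WriteLine(ResolveSubjectDN("CN=Example User,CN=Users,DC=example,DC=local"));
    }
}
```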
Hi. Thank you very much for your effort that went into all this research!
I am trying to abuse ESC6 from a non domain-joined machine. I am aware of the tools Certi and PKINITTools for Linux but at least Certi is not fully working at the moment. The other alternative is to use Certify on a non domain-joined Windows box but for that to work Certify must be Kerberos aware. I can use Rubeus to request a TGT and pass that into RAM. When that is done I can execute for example the command `certutil -config "server2.adlab.local\adlab-SERVER2-CA" -getreg "policy\EditFlags"` meaning that command can be run outside of a domain and that Certutil is Kerberos aware. Using Certify after requesting and passing a TGT using Rubeus results only in various crashes of Certify. For example:
```
PS C:\temp> .\certify.exe request /ca:server2.adlab.local\adlab-SERVER2-CA /template:User /altname:administrator
[*] Action: Request a Certificates
[*] Current user context : CLIENT2\localadmin1
[!] Unhandled Certify exception:
System.NullReferenceException: Object reference not set to an instance of an object.
   at Certify.Cert.GetCurrentUserDN()
   at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName)
   at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
   at Certify.Commands.Request.Execute(Dictionary`2 arguments)
   at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
```

I have also tried the flags "/machine" and/or "/ca:[ADCS server IP]" but Certify still crashes.