ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License

Support for relaying NTLM to ICPR (ESC11) #112

Closed jsdhasfedssad closed 1 year ago

jsdhasfedssad commented 1 year ago

Hi,

Again, thank you for this tool!

I recently stumbled upon this article about relaying NTLM to ICPR by Compass Security using a CA which has "IF_ENFORCEENCRYPTICERTREQUEST" disabled. They have dubbed it ESC11. They use a fork of Certipy for identification of vulnerable CAs and a fork of Impacket to abuse them. I can see that there is a PR (105) for the identification part but there isn't one for the abuse part. Would you consider supporting ESC11? Both the identification and abuse parts.

Thanks!

ly4k commented 1 year ago

Hello! PR 105 was merged into version 4.2.0. As for the abuse part, it can currently be abused with ntlmrelayx by Impacket. I will however have it in mind to implement that for Certipy as well at some point.

Thanks. Will keep the issue open for now