search

ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License
2.23k stars 302 forks source link

[Errno 104] Connection reset by peer #187

Closed init5-SF closed 6 months ago

init5-SF commented 6 months ago

I am trying Certipy v4.8.2 against a windows server 2022 (21H2) DC, I am getting the below error:

└─# certipy find -u administrator@bank.local -p xxxx -dc-ip 192.168.194.150 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Authenticating to LDAP server
[-] Got error: socket ssl wrapping error: [Errno 104] Connection reset by peer
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/certipy/lib/ldap.py", line 77, in connect
    self.connect(version=ssl.PROTOCOL_TLSv1_2)
  File "/usr/local/lib/python3.11/dist-packages/certipy/lib/ldap.py", line 136, in connect
    bind_result = ldap_conn.bind()
                  ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 589, in bind
    self.open(read_server_info=False)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket ssl wrapping error: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/certipy/entry.py", line 60, in main
    actions[options.action](options)
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/parsers/find.py", line 12, in entry
    find.entry(options)
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/find.py", line 1179, in entry
    find.find()
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/find.py", line 165, in find
    connection = self.connection
                 ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certipy/commands/find.py", line 124, in connection
    self._connection.connect()
  File "/usr/local/lib/python3.11/dist-packages/certipy/lib/ldap.py", line 83, in connect
    self.connect(version=ssl.PROTOCOL_TLSv1)
  File "/usr/local/lib/python3.11/dist-packages/certipy/lib/ldap.py", line 136, in connect
    bind_result = ldap_conn.bind()
                  ^^^^^^^^^^^^^^^^

The server doesn't have a certificate and doesn't even have the CA role installed, it is JUST a domain controller. Is that what's causing the crash?

Thanks!

init5-SF commented 6 months ago

UPDATE

I created a selfsigned cert and installed it on the DC and now Certipy works without errors. Certipy just needs a little bit of error handling, other than that all is fine.

altjx commented 6 months ago

@init5-SF thanks for reporting your results. Based on that, it sounds like this response should say something more like "No certificate installed on the target." ?

init5-SF commented 5 months ago

hi @altjx Yes that's pretty much it, some sort of error handling 👍🏼

ly4k commented 5 months ago

The reason it fails is because the DC has not been issued a certificate for server authentication. Certipy will try LDAPS by default which requires the server to have a certificate for server authentication. If it doesn't, the server closes the connection. If you want to proceed without adding a certificate on the DC, then switch to plaintext LDAP with -scheme ldap.