ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License
2.34k stars 318 forks

Add DCOM support for req command #201

Open qtc-de opened 7 months ago

qtc-de commented 7 months ago

In the last few months, we encountered more and more ADCS instances that neither supported web enrollment nor exposed the CertSvc via plain RPC. The output of certipy req looks like this in that case:

[+] Trying to resolve 'XYZ.ABC' at '...'
[+] Trying to resolve 'ABC' at '...'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:...[\pipe\cert]
[!] Failed to connect to endpoint ncacn_np:...[\pipe\cert]: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Failed to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[-] Failed to get dynamic TCP endpoint for CertSvc
[-] Got error: 'NoneType' object has no attribute 'request'

Still, the ADCS was fully functional and native Windows tooling like mmc was capable of obtaining certificates. At this point we noticed that mmc does not rely on plain RPC, but DCOM for obtaining the certificate. The corresponding DCOM interface ICertRequestD is described in this Microsoft spec.

And indeed adjusting certipy to use DCOM instead of plain RPC allowed us to obtain certificates again. This MR adds this functionality and allows users to specify the -dcom switch with the req action.

The error handling was copied from the RPC related certipy code and may not fit 100% for COM. However, this is something that probably pops up in user issues and can be investigated then :upside_down_face:

shaaati commented 7 months ago

I see that this "only" affects files dealing with the "req" command. Would this also be useful for the "relay" command or is this not applicable due to DCOM hardening?

cmjlove1 commented 7 months ago

> I see that this "only" affects files dealing with the "req" command. Would this also be useful for the "relay" command or is this not applicable due to DCOM hardening?

It appears that when relaying, it is necessary to use web enrollment for certificate issuance instead of other methods.

shaaati commented 7 months ago

> It appears that when relaying, it is necessary to use web enrollment for certificate issuance instead of other methods.

That is not correct. See for example the description of ESC11 in this repository. Relay is also possible against RPC if certain configuration is present (that is, IF_ENFORCEENCRYPTICERTREQUEST is not set).

This is why I was wondering if DCOM could also be used as a relay target. Maybe this also depends on specific configuration settings and would be too much for this pull request, but instead should be a dedicated ESC number on its own. Unfortunately, I don't know much about DCOM and therefore can't evaluate the possibility myself.
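The two configuration conditions discussed in this thread (a CA that no longer serves ICertRequest over plain RPC, as in the PR description, and a CA whose RPC enrollment lacks enforced encryption, the ESC11 condition mentioned above) are both encoded in the CA's InterfaceFlags registry value. The following is an added audit helper, not Certipy's own code and not part of this pull request: it parses the text that `certutil -getreg CA\InterfaceFlags` prints, decodes the bitmask and reports what the bits mean for enrollment. The flag names and values are taken from the MS-CSRA InterfaceFlags definition and the sample certutil output is constructed; treat both as assumptions to cross-check against a real CA.

```python
import re

# Added example, not part of Certipy or this PR. Flag values follow the
# InterfaceFlags definition in MS-CSRA (assumed here; verify against your own
# `certutil -getreg CA\InterfaceFlags` output, which lists the set bits by name).
INTERFACE_FLAGS = {
    0x001: "IF_LOCKICERTREQUEST",
    0x002: "IF_NOREMOTEICERTREQUEST",
    0x004: "IF_NOLOCALICERTREQUEST",
    0x008: "IF_NORPCICERTREQUEST",
    0x010: "IF_NOREMOTEICERTADMIN",
    0x020: "IF_NOLOCALICERTADMIN",
    0x040: "IF_NOREMOTEICERTADMINBACKUP",
    0x080: "IF_NOLOCALICERTADMINBACKUP",
    0x200: "IF_ENFORCEENCRYPTICERTREQUEST",
    0x400: "IF_ENFORCEENCRYPTICERTADMIN",
}
IF_NOREMOTEICERTREQUEST = 0x002
IF_NORPCICERTREQUEST = 0x008
IF_ENFORCEENCRYPTICERTREQUEST = 0x200

# certutil prints the DWORD as hex followed by the decimal value in parentheses.
_GETREG_RE = re.compile(r"InterfaceFlags\s+REG_DWORD\s*=\s*[0-9a-fA-F]+\s*\((\d+)\)")

# Constructed sample of `certutil -getreg CA\InterfaceFlags` output for a CA with
# the default flags (0x641). Not captured from a real system.
SAMPLE_CERTUTIL_OUTPUT = """HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CORP-CA:

  InterfaceFlags REG_DWORD = 641 (1601)
    IF_LOCKICERTREQUEST -- 1
    IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
    IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)
    IF_ENFORCEENCRYPTICERTADMIN -- 400 (1024)
CertUtil: -getreg command completed successfully.
"""


def parse_interface_flags(certutil_output: str) -> int:
    r"""Extract the InterfaceFlags DWORD from `certutil -getreg CA\InterfaceFlags` text."""
    match = _GETREG_RE.search(certutil_output)
    if match is None:
        raise ValueError("no 'InterfaceFlags REG_DWORD' line found in certutil output")
    return int(match.group(1))


def decode_interface_flags(value: int) -> list[str]:
    """Return the names of the set bits in ascending bit order; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(INTERFACE_FLAGS.items()) if value & bit]
    unknown = value & ~sum(INTERFACE_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def assess_enrollment_interfaces(value: int) -> dict:
    """Summarise what the flags mean for certificate enrollment.

    rpc_enrollment: the CA still accepts ICertRequest calls over plain RPC. When
    IF_NORPCICERTREQUEST is set this is False and a remote client has to enroll
    through the ICertRequestD DCOM interface instead (the situation the PR
    description works around; whether that flag is the cause there is an assumption).
    encrypt_enforced: IF_ENFORCEENCRYPTICERTREQUEST is set. When it is clear while
    RPC enrollment is enabled, the CA is in the ESC11 condition referenced in the thread.
    """
    remote_requests = not (value & IF_NOREMOTEICERTREQUEST)
    rpc_enrollment = remote_requests and not (value & IF_NORPCICERTREQUEST)
    encrypt_enforced = bool(value & IF_ENFORCEENCRYPTICERTREQUEST)
    findings = []
    if rpc_enrollment and not encrypt_enforced:
        findings.append("ESC11: RPC enrollment accepted without enforced encryption")
    if remote_requests and not rpc_enrollment:
        findings.append("RPC enrollment disabled; remote clients must enroll via DCOM (ICertRequestD)")
    return {
        "flags": decode_interface_flags(value),
        "rpc_enrollment": rpc_enrollment,
        "encrypt_enforced": encrypt_enforced,
        "findings": findings,
    }


if __name__ == "__main__":
    flags = parse_interface_flags(SAMPLE_CERTUTIL_OUTPUT)
    print(f"InterfaceFlags = 0x{flags:x}")
    for key, val in assess_enrollment_interfaces(flags).items():
        print(f"  {key}: {val}")
```

Feed it the output of `certutil -getreg CA\InterfaceFlags` run on the CA (or the registry value read any other way) to see whether RPC enrollment is reachable at all and whether it is protected by enforced encryption; the DCOM case is reported only as "enrollment must go via DCOM", since the thread leaves open which configuration governs relay against that interface.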

cmjlove1 commented 7 months ago

> It appears that when relaying, it is necessary to use web enrollment for certificate issuance instead of other methods.
>
> That is not correct. See for example the description of ESC11 in this repository. Relay is also possible against RPC if certain configuration is present (that is, IF_ENFORCEENCRYPTICERTREQUEST is not set).
>
> This is why I was wondering if DCOM could also be used as a relay target. Maybe this also depends on specific configuration settings and would be too much for this pull request, but instead should be a dedicated ESC number on its own. Unfortunately, I don't know much about DCOM and therefore can't evaluate the possibility myself.

Oh, indeed, that's my mistake. I didn't take ESC11 into consideration and only focused on ESC8.