noraj
commented
2 months ago From what I understand in Mandiant - Active Directory Certificate Services: Modern Attack Paths, Mitigations, and Hardening - Section Compatibility Mode, page 11
- In the 2nd part, as we generated the certificate after the KB was installed, the SID in the certificate must correspond to the SID of the requested user, except that the SID is empty in the certificate we retrieved from
certipy relay.
The Continued Attack Vectors Post KB5014754 chapter is interesting too.
More details here: How to Add the objectSID Attribute to a Certificate Manually.
Since then, on up-to-date machines, typically trying to exploit ESC8 or ESC11, either I use
certipy relayto replay a DC (-template DomainController) or a normal server (-template Machine), I obtain the pfx, but I get a warningCertificate has no object SID. Then trying to use this pfx withcertipy authI get 2 errors:Name mismatch between certificate and user 'edited$'andVerify that the username 'edited$' matches the certificate DNS Host Name: EDITED.acme.local.Looking at the source code of certipy it's mapped to the error code
KDC_ERR_CLIENT_NAME_MISMATCH.https://github.com/ly4k/Certipy/blob/2780d5361121dd4ec79da3f64cfb1984c4f779c6/certipy/commands/auth.py#L366-L368
Which is also the same error code I get if I directly use
gettgtpkinitfrom impacket (cf. https://github.com/ly4k/Certipy/issues/34#issuecomment-2056908525).I tried forcing the SID with
-sidforcertipy relay, I saw it's embedded in the CSR, but still have the same issue with the resulting PFX.In the Microsoft KB they say that before this KB:
So as far as I understand it seems focus to prevent machine account being relayed to AD CS for various abuse.
Since it was enforced 5 months ago and certipy was last updated 7 months ago, I wanted to know if someone was successfully able to bypass this restriction since November 2023 using certipy to exploit ESC8 or ESC11 successfully?
I also noticed that the following call to
create_csr()was missingalt_sid=self.adcs_relay.sid, I don't know if it's intentional or not.https://github.com/ly4k/Certipy/blob/2780d5361121dd4ec79da3f64cfb1984c4f779c6/certipy/commands/relay.py#L556-L560
As AD CS is very complex, and I'm far for mastering it, I would appreciate any pointer.