Closed tmoney11 closed 2 years ago
Can you try to request the ESC1 with -alt 'otheruser@full.domain.com' instead?
Did you ever figure this one out? It's still having this issue now.
Same for me as well. Also, in the latest version, there is no -alt flag, I guess
@ly4k would you please help with this?
Hello. The newest version contains the -upn flag to specify a UPN. Please try to specify the UPN as user@domain rather than just user.
Best regards
There is no -alt or -upn or -dns option for certipy auth command.
Something like that.
➜ certipy auth -pfx dc_machine_account.pfx -dc-ip 10.0.0.1
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: dc_machine_account$@acme.local
[*] Trying to get TGT...
[-] Name mismatch between certificate and user 'dc_machine_account$'
[-] Verify that the username 'dc_machine_account$' matches the certificate DNS Host Name: dc_machine_account.acme.local
Same mismatch error with impacket directly:
➜ gettgtpkinit -cert-pfx $(pwd)/dc_machine_account.pfx -pfx-pass '' -dc-ip 10.0.0.1 'acme.local/dc_machine_account$' dc_machine_account.tgt
2024-04-15 15:46:29,807 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-04-15 15:46:29,867 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
  File "/usr/share/pkinittools/gettgtpkinit.py", line 349, in <module>
    main()
  File "/usr/share/pkinittools/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/usr/share/pkinittools/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
          ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/minikerberos/network/clientsocket.py", line 85, in sendrecv
    raise KerberosError(krb_message)
minikerberos.protocol.errors.KerberosError: Error Name: KDC_ERR_CLIENT_NAME_MISMATCH Detail: "Error message not found! Err code: 75"
So I've got a few certs identified with ESC1 possible and I'm able to request certificate with -alt otheruser and output looks like this:
However, when I run:
certipy auth -pfx otheruser.pfx -username 'otheruser' -domain 'full.domain.com' -dc-ip 192.168.1.100
I get:
CA Server is 2016. I've tried multiple vulnerable certs as well as just running without the alt flag but no luck.