Comments (7)
ly4k
commented on September 24, 2024
Hello Brian
Can you please verify that you are using the Fully Qualified Domain Name (FQDN) in your 'target' parameter, i.e. DOMAIN.COM rather than just DOMAIN. Additionally, you can view the specific parameters to use by listing the ticket(s) in your credential cache with:
KRB5CCNAME=./regularuser.ccache klist
If your issue is not solved by this, you can use the NTLM hash or password of the account for requesting a ticket in the meantime while I look further into this issue.
Thanks for reporting this.
Oliver
from certipy.
7MinSec
commented on September 24, 2024
Thanks so much for the quick response! I’ll be back at the test in a few hours and can troubleshoot further at that time.
from certipy.
7MinSec
commented on September 24, 2024
Ok, so in doing the KRB5CCNAME=./regularuser.ccache klist, the output contained the Issued and Expired fields, along with a Principal field that contained:
krbtgt/[email protected]
Now when I rerun Certipy with the FQDN in the target parameter, the output is a little different (I've prefixed those lines with a few dashes so they stand out):
[+] Trying to resolve 'VULN-CA-SERVER' at 'IP-OF-DC'
[+] Connecting to SMB at 'VULN-CA-SERVER'
[+] Using Kerberos Cache: regularuser.ccache
----- [+] SPN CIFS/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
----- [+] Returning cached credential for KRBTGT/[email protected]
----- [+] Using TGT from cache
----- [+] Trying to connect to KDC at IP.OF.DOMAIN.CONTROLLER
Then I get a big traceback with a ton of lines. Let me know if you need those. The very last line is:
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
from certipy.
7MinSec
commented on September 24, 2024
Not sure if this is helpful or not, but when I rerun the same command and leave out the -k -no-pass the output really blows up. All I get is:
[+] Trying to resolve 'VULN-CA-SERVER' at 'IP-OF-DC'
[+] Connecting to SMB at 'VULN-CA-SERVER
And then a huge traceback that also ends in the STATUS_OBJECT_NAME_NOT_FOUND error.
from certipy.
ly4k
commented on September 24, 2024
Alright, so your new output looks more correct. The error "STATUS_OBJECT_NAME_NOT_FOUND" means that the named pipe that Certipy tried to connect to was not found. Can you tell me more about the stack trace in regards to where in the code the error is thrown? It is most likely because the CA server you specified is not running the certificate service. By default, the certificate service creates a named pipe called "cert". You can try to use Impacket's "rpcdump" script and grep for "cert".
from certipy.
7MinSec
commented on September 24, 2024
I did the rpcdump and there was one match for the word cert:
Provider: certprop.dll
So maybe this isn't a valid attack path?
As far as more info on the traceback, right after the [+]Trying to connect to KDC at DOMAIN.COM I get:
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 556, in openFile
return self._SMBConnection.create(treeId, pathName, desiredAccess, shareMode, creationOption,
File "/usr/local/lib/python3.9/dist-packages/impacket/smb3.py", line 1227, in create
if ans.isValidAnswer(STATUS_SUCCESS):
File "/usr/local/lib/python3.9/dist-packages/impacket/smb3structs.py", line 458, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/certipy", line 33, in <module>
sys.exit(load_entry_point('Certipy==0.2', 'console_scripts', 'certipy')())
File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/entry.py", line 172, in main
File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/request.py", line 319, in request
File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/request.py", line 232, in run
File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/request.py", line 225, in connect
File "/usr/local/lib/python3.9/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 803, in connect
return self._transport.connect()
File "/usr/local/lib/python3.9/dist-packages/impacket/dcerpc/v5/transport.py", line 518, in connect
self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 560, in openFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
from certipy.
ly4k
commented on September 24, 2024
Yes, unfortunately, it seems that the certificate service is not running on your CA server. I will try to do some better error handling for this case. Thanks for your report.
from certipy.
Related Issues (20)
- Errors when running v4.7 HOT 6
- Changing LDAP/LDAPS port in find HOT 8
- Domain Computers Can Enroll HOT 1
- Help determining if ESC8 vulnerability is false positive? HOT 5
- KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type) [Need Urgent Help] HOT 1
- auth error 1.2.840.10046.2.1 HOT 1
- pip install requires
- KB5014754 - SID Extension Policy Module HOT 1
- How to create a single one-file budled executable for Certipy ? HOT 2
- Template Names can contain / 's in the name, breaking the ability to save to disk
- Golden Certificate - Unsupported Algorithm - SHA1 HOT 1
- No module named 'pkg_resources' HOT 1
- Issues in -add-officer functionality on Windows OS HOT 5
- pip3 install certipy-ad
- Traceback
- Cryptographic API Misuse Vulnerability
- certipy is not working
- Tried to run certipy and security was alerted HOT 4
- Socket ssl wrapping error HOT 2
- Forge Function Fails To Overwrite SIDs Present in Template Certificate
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from certipy.