Unable to find named pipes/endpoints about certipy HOT 3 CLOSED

Hello. First of all, you should make sure that the certificate requests are targeted the CA server and not the domain controller, which might explain the "STSTATUS_OBJECT_NAME_NOT_FOUND". Secondly, it sounds like this is a standalone CA server and not an enterprise CA server, which might explain the "ERR_CLIENT_NOT_TRUSTED". Can you verify or did you resolve the issues?

from certipy.

Hi. Thanks for your reply. Unfortunately I can no longer check or test things since I do not have access to the mentioned infrastructure anymore. However, according to https://serverfault.com/questions/826444/difference-between-microsoft-adcs-standalone-ca-and-enterprise-ca only enterprise CA servers have templates and as I mentioned there were plenty of those. You can also see that the ESC8 attack worked against the same ADCS server.

It is of course obvious to you but I wonder if the web interface is used for all ESCX attacks as it is for the ESC8 attack? Or put in other words, does the ESC8 attack, which worked, require using named pipes? Also, I think it is possible to restrict access to named pipes using ACLs. Could that be a explanation?

from certipy.

Hello @jsdhasfedssad Sorry for the late reply. I still haven't figured out why this is the case. However, I have implemented web enrollment in the upcoming version of Certipy, such that if web enrollment is enabled (HTTP/HTTPS), then it's possible to abuse ESC1-ESC3 (certificate templates) through that in case RPC is not available.

from certipy.