Comments (7)

ly4k commented on July 28, 2024

Hello @robertstrom The problem you're experiencing with 4.0 is that the user's membership query takes too long to execute, so I'll have to come up with a better way of finding nested group memberships. Thanks for reporting this. And the problem with 2.0.9, (and the same you'll have in 4.0), is probably that the target parameter is incorrect. When you request the certificate, you have to specify the host name or IP of the CA server, and not the domain controller. I'll look into the LDAP issue. Thanks again!

from certipy.

ly4k commented on July 28, 2024

Hello @robertstrom This way of specifying the target string (username, domain, password, and target host) has been changed in version 4. Now username and domain should be specified in -username user@domain, password in -password and target in -target (if required). :) It's explained in the blog post on version 4, and you can also see some examples in the README. Let me know if you have more issues or questions.

robertstrom commented on July 28, 2024

@ly4k - many thanks!! I did take a look at the README but mostly to get installed since I saw the link to the blog which I saw was giving a number of examples so I relied on it for the more detailed instructions. My bad for sure, but I would suggest that you note something near the link to the blog post that it still has valuable information but that the syntax / authentication has changed. Just a thought / suggestion ...

So I have gotten a lot farther and believe that I may have some issues. I have now tested this in two of our domains and have gotten the same results.

└─$ certipy find -u [email protected] -dc-ip 10.x.x.x -vulnerable -debug
Certipy v4.0.0 - by Oliver Lyak (ly4k)

Password:
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.x.x.x:636 - ssl
[+] Default path: DC=blah,DC=blah,DC=domain,DC=local
[+] Configuration path: CN=Configuration,DC=blah,DC=domain,DC=local
[-] Got error: error receiving data: The read operation timed out
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 89, in receiving
    data = self.connection.socket.recv(self.socket_size)
  File "/usr/lib/python3.10/ssl.py", line 1259, in recv
    return self.read(buflen)
  File "/usr/lib/python3.10/ssl.py", line 1132, in read
    return self._sslobj.read(len)
TimeoutError: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/entry.py", line 60, in main
    actions[options.action](options)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/commands/parsers/find.py", line 12, in entry
    find.entry(options)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/commands/find.py", line 1142, in entry
    find.find()
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/commands/find.py", line 168, in find
    sids = connection.get_user_sids(self.target.username)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/lib/ldap.py", line 373, in get_user_sids
    groups = self.search(
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/lib/ldap.py", line 254, in search
    entries = list(
  File "/usr/lib/python3/dist-packages/ldap3/extend/standard/PagedSearch.py", line 56, in paged_search_generator
    result = connection.search(search_base,
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 853, in search
    response = self.post_send_search(self.send('searchRequest', request, controls))
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 178, in post_send_search
    responses, result = self.get_response(message_id)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 355, in get_response
    responses = self._get_response(message_id, timeout)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 196, in _get_response
    responses = self.receiving()
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 99, in receiving
    raise communication_exception_factory(LDAPSocketReceiveError, type(e)(str(e)))(self.connection.last_error)
ldap3.core.exceptions.LDAPSocketReceiveError: error receiving data: The read operation timed out

robertstrom commented on July 28, 2024

@ly4k - It appears to definitely be an issue with version 4. I was able to install version 2.09 on another instance of Kali and pretty much get it working. I was able to retrieve the information using find, but the request is failing

└─$ certipy req "blah.blah.domain.local/user:[email protected]" -ca 'CAServer.blah.blah.local' -template 'TemplateName' -alt '[email protected]' -dynamic-endpoint -debug
Certipy v2.0.9 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'DC.blah.blah.domain.local' at '10.x.x.x'
[*] Requesting certificate
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Failed to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[-] Failed to get dynamic TCP endpoint for CertSvc
[+] Trying to connect to endpoint: ncacn_np:10.x.x.x[\pipe\cert]
[!] Failed to connect to endpoint ncacn_np:10.x.x.x[\pipe\cert]: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
[-] Got error: 'NoneType' object has no attribute 'request'
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/Certipy-2.0.9-py3.10.egg/certipy/entry.py", line 83, in main
    actions[options.action](options)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-2.0.9-py3.10.egg/certipy/request.py", line 326, in entry
    request.request()
  File "/usr/local/lib/python3.10/dist-packages/Certipy-2.0.9-py3.10.egg/certipy/request.py", line 252, in request
    response = self.dce.request(request)
AttributeError: 'NoneType' object has no attribute 'request'

robertstrom commented on July 28, 2024

@ly4k - Thanks much for the response / info! I have been able to take that info and make v2.0.9 work as expected. Thanks so much for the tool!! It is making it possible for us to discover any issues, fix and test. Very much appreciate the work that you have done on this. I'll keep checking back for any update on v4 so that I can test it again.

ly4k commented on July 28, 2024

Hello @robertstrom It seems that while this method of retrieving nested group memberships is not the fastest, it's the most efficient one when it comes to stealth and low bandwidth. All the logic is handled at the server, and the client just waits too long for the response in your case. As such, I've added a receive timeout which is a factor 10 of the -timeout parameter that is used in other cases. Furthermore, I've handled the error now so you can continue but without having any nested group memberships found. Fixed in 4b54ceb and 7f4f225. Thank you for reporting!

from certipy.
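
The behaviour described in the comment above (a receive timeout of ten times `-timeout`, then continuing without nested group memberships), as an added sketch that is not Certipy's code and not part of the original thread. It shows why an audit run that hit the timeout should be treated as incomplete: if enrollment rights are matched against the collected SIDs, a template granted through a nested group drops out of the result. The SIDs, template names, the `socketpair` stand-in for the directory server and all function names are constructed for illustration.

```python
import socket
import threading
import time

RECEIVE_FACTOR = 10  # per the comment above: receive timeout = 10 x the -timeout value

# Constructed sample data (hypothetical SIDs and template names).
DIRECT_SIDS = {"S-1-5-21-1-1104", "S-1-5-21-1-513"}  # user and primary group
NESTED_SIDS = {"S-1-5-21-1-2201"}                    # reachable only through nesting
TEMPLATE_ENROLL_ACL = {
    "UserTemplate": {"S-1-5-21-1-513"},
    "OpsTemplate": {"S-1-5-21-1-2201"},
}

def _fake_dc(conn, delay):
    """Stand-in for the server-side nested-group search; answers after `delay` seconds."""
    time.sleep(delay)
    try:
        conn.sendall(",".join(sorted(NESTED_SIDS)).encode())
    except OSError:
        pass  # the client already gave up and closed its end
    finally:
        conn.close()

def get_user_sids(timeout, server_delay):
    """Return (sids, complete); on a receive timeout, continue with direct SIDs only."""
    client, server = socket.socketpair()
    threading.Thread(target=_fake_dc, args=(server, server_delay), daemon=True).start()
    client.settimeout(timeout * RECEIVE_FACTOR)
    try:
        data = client.recv(4096)
        return DIRECT_SIDS | set(data.decode().split(",")), True
    except socket.timeout:
        return set(DIRECT_SIDS), False
    finally:
        client.close()

def enrollable(sids):
    """Templates whose enrollment ACL contains at least one of the given SIDs."""
    return sorted(t for t, acl in TEMPLATE_ENROLL_ACL.items() if acl & sids)

def audit(timeout, server_delay):
    sids, complete = get_user_sids(timeout, server_delay)
    return {"templates": enrollable(sids), "complete": complete}
```

When `complete` is false, re-run with a larger timeout before concluding that no template is exposed to the account.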

robertstrom commented on July 28, 2024

@ly4k Sorry, I am not a GitHub expert at pulling different versions, etc. Am I going to be able to get this version update for testing or do I need to wait for you to publish the full update? If I can get and test I would appreciate some guidance in what commands I would use to do so. Thanks very much!
