
Can Certify be made Kerberos aware? #7

Open · jsdhasfeds opened this issue Sep 24, 2021 · 1 comment

Comments


jsdhasfeds commented Sep 24, 2021

Hi. Thank you very much for your effort that went into all this research!

I am trying to abuse ESC6 from a non-domain-joined machine. I am aware of the tools Certi and PKINITTools for Linux, but at least Certi is not fully working at the moment. The other alternative is to use Certify on a non-domain-joined Windows box, but for that to work Certify must be Kerberos aware. I can use Rubeus to request a TGT and pass that into RAM. When that is done I can execute, for example, the command `certutil -config "server2.adlab.local\adlab-SERVER2-CA" -getreg "policy\EditFlags"`, meaning that command can be run outside of a domain and that certutil is Kerberos aware. Using Certify after requesting and passing a TGT using Rubeus results only in various crashes of Certify. For example:

    PS C:\temp> .\certify.exe request /ca:server2.adlab.local\adlab-SERVER2-CA /template:User /altname:administrator

    [*] Action: Request a Certificates
    [*] Current user context    : CLIENT2\localadmin1
    [!] Unhandled Certify exception:

    System.NullReferenceException: Object reference not set to an instance of an object.
       at Certify.Cert.GetCurrentUserDN()
       at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName)
       at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
       at Certify.Commands.Request.Execute(Dictionary`2 arguments)
       at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
       at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

I have also tried the flags `/machine` and/or `/ca:[ADCS server IP]`, but Certify still crashes.

jsdhasfeds changed the title from "Can Certify be made Keberos aware?" to "Can Certify be made Kerberos aware?" on Sep 24, 2021

VbScrub commented Dec 11, 2021

This crashes because Certify assumes it will get a distinguished name from the current user, but if you're on a non-domain machine then it won't. So then you get a null reference exception when it tries to use the `Replace` function on a null string here:

        // gets the current distinguished name of the current user context
        private static string GetCurrentUserDN()
        {
            // UserPrincipal.Current.DistinguishedName is null for a local (non-domain)
            // user context, so the .Replace() call below throws NullReferenceException
            return UserPrincipal.Current.DistinguishedName.Replace(",", ", ");
        }

You should be able to work around this by supplying a subject name yourself so that it doesn't have to try to get the user's distinguished name. Although personally I run into other errors after that when trying to do it from a non-domain machine.
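As an added example, not Certify's code and not part of this thread, here is a null-safe variant of the helper discussed above. It prefers a subject name supplied by the caller, falls back to the current user's distinguished name only when one exists, and reports a clear error instead of a NullReferenceException when the process runs in a local (non-domain) user context. The class and method names are assumptions chosen for illustration; the AccountManagement types are the real ones from System.DirectoryServices.AccountManagement.

```csharp
// Added example, not Certify's own code. Class/method names are hypothetical.
using System;
using System.DirectoryServices.AccountManagement;

internal static class SubjectResolver
{
    // Returns the subject to put in the CSR. An explicit subject always wins;
    // otherwise the current user's DN is used, and a missing DN (e.g. on a
    // non-domain-joined box) becomes an actionable error rather than a crash.
    public static string ResolveSubject(string explicitSubject)
    {
        if (!string.IsNullOrWhiteSpace(explicitSubject))
            return explicitSubject;

        string dn = TryGetCurrentUserDN();
        if (dn == null)
            throw new InvalidOperationException(
                "Current user context has no distinguished name " +
                "(not domain-joined?); supply a subject explicitly.");
        return dn;
    }

    // Null-safe version of GetCurrentUserDN(): returns null instead of throwing
    // when the principal has no DN or the domain cannot be contacted.
    public static string TryGetCurrentUserDN()
    {
        try
        {
            UserPrincipal current = UserPrincipal.Current;
            string dn = current?.DistinguishedName;
            if (string.IsNullOrEmpty(dn))
                return null;
            // Same normalisation Certify applies: add a space after each comma.
            return dn.Replace(",", ", ");
        }
        catch (PrincipalServerDownException)
        {
            // Domain controller unreachable from this host.
            return null;
        }
        catch (PrincipalOperationException)
        {
            // Principal lookup failed for the current context.
            return null;
        }
    }
}
```

With this shape, a run from a workgroup machine with a TGT in the Kerberos cache fails fast with a message telling the operator to pass a subject, instead of dying inside CreateCertRequestMessage; when a subject is passed, the DN lookup is skipped entirely, which is the workaround described in the comment above.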
