Errors when running v4.7 #195

Open
robertstrom opened this issue Feb 13, 2024 · 5 comments
Comments

@robertstrom

I have tried running several certipy-ad find commands to try to determine whether any of our ADCS configurations are vulnerable and have been experiencing errors while running the tool.

Here is one of the commands that I have run

certipy-ad find -dc-ip <dc_ip> -u <user_id> -p $PASS -enabled -debug

The output results are contained in the attached certipy_4.7_error.txt file.

Most of the checks seem to run and I am not sure what, if any, impact these errors are having on the functionality of the tool checks.

I am running certipy on Kali

PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
VERSION_ID="2023.4"
VERSION="2023.4"
VERSION_CODENAME=kali-rolling
ID=kali

NOTE: This Kali has been upgraded from previous versions and has had previous versions of certipy installed (not sure if that could be contributing to the problem so I figured that I would mention it).

VERY cool tool / thanks very much for all of your work on this!

certipy_4.7_error.txt

@ly4k
Owner

ly4k commented Feb 13, 2024

Please upgrade to the latest version. This error should've been fixed in the latest one.

@robertstrom
Author

robertstrom commented Feb 13, 2024

I believe that I have removed all previous traces of any previous versions of certipy and installed the current version and things appear to be mostly working. When running the command without the -vulnerable argument things appear to work and I do get a resulting text, json, and zip file with results.

When I run the command with the -vulnerable argument I get similar errors as shown below

This is running the command without the -vulnerable argument


This is the tail end of the results without the -vulnerable argument showing the results files created and it shows the basic error when running the command with the -vulnerable argument


This is a screenshot of the debug error when running the command with the -vulnerable argument


Here is the text of the error message

[*] Finding certificate templates
[-] Got error: unable to send message, socket is not open
Traceback (most recent call last):
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/entry.py", line 60, in main
    actions[options.action](options)
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/commands/parsers/find.py", line 12, in entry
    find.entry(options)
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/commands/find.py", line 1179, in entry
    find.find()
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/commands/find.py", line 185, in find
    templates = self.get_certificate_templates()
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/commands/find.py", line 721, in get_certificate_templates
    templates = self.connection.search(
                ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/lib/ldap.py", line 273, in search
    entries = list(
              ^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/extend/standard/PagedSearch.py", line 56, in paged_search_generator
    result = connection.search(search_base,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 853, in search
    response = self.post_send_search(self.send('searchRequest', request, controls))
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 336, in send
    raise LDAPSocketOpenError(self.connection.last_error)
ldap3.core.exceptions.LDAPSocketOpenError: unable to send message, socket is not open

@ly4k
Owner

ly4k commented Feb 14, 2024

Strange. Can you try with -scheme ldap?

@robertstrom
Author

Here are the things that I tried and the results

This command works without error and produces results files

/home/rstrom/.local/bin/certipy find -dc-ip <dc_ip> -u <user_id> -p $PASS -scheme ldap


This command errors

/home/rstrom/.local/bin/certipy find -dc-ip <dc_ip> -u <user_id> -p $PASS -scheme ldap -vulnerable


This is the same command as above with debug added

/home/rstrom/.local/bin/certipy find -dc-ip <dc_ip> -u <user_id> -p $PASS -scheme ldap -vulnerable -debug


Here is the complete debug message

[*] Finding certificate templates
[-] Got error: unable to send message, socket is not open
Traceback (most recent call last):
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/entry.py", line 60, in main
    actions[options.action](options)
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/commands/parsers/find.py", line 12, in entry
    find.entry(options)
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/commands/find.py", line 1179, in entry
    find.find()
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/commands/find.py", line 185, in find
    templates = self.get_certificate_templates()
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/commands/find.py", line 721, in get_certificate_templates
    templates = self.connection.search(
                ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rstrom/.local/lib/python3.11/site-packages/certipy/lib/ldap.py", line 273, in search
    entries = list(
              ^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/extend/standard/PagedSearch.py", line 56, in paged_search_generator
    result = connection.search(search_base,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 853, in search
    response = self.post_send_search(self.send('searchRequest', request, controls))
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 336, in send
    raise LDAPSocketOpenError(self.connection.last_error)
ldap3.core.exceptions.LDAPSocketOpenError: unable to send message, socket is not open

@AnubisSec

In case you haven't figured this out yet, I think the issue you are facing (similar to what I faced) is that the timeout isn't set long enough to resolve all the SIDs.

If you do -timeout 30, you should be good
