Another command syntax question re "ESC1 - SAN impersonation" attack #20
Comments
Hello Brian,

To use Kerberos authentication, you have to specify the FQDN of the CA in the target, and not the IP. You can specify the IP in the -target-ip parameter if DNS is an issue. Also, you don't have to use Kerberos, you can just specify the hash or password. Can you please provide the debug output for more troubleshooting?

Best regards
Thanks! OK so I changed the request to have the FQDN of the CA as the target. Specifically:
My debug says:
Thanks,
Hello Brian
A new version of Certipy has been released. Please try with the new
Hi again,
I raised this issue and it was determined the certificate service was not running on my CA.
On a second CA in the same environment, Certipy identified it as being vulnerable to ESC1 - SAN impersonation attack. Specifically, Domain Computers can enroll. I used Powermad to create a "ghost" computer object. Then I used GetTGT from Impacket and issued export KRB5CCNAME=ghost-machine.cache. I also verified with rpcdump that certsrv.exe is running.
Now what I'm trying to run with Certipy is as follows:
When I do, I basically get the same output as issue 19 with a long traceback that ends in:
Again, the difference this time around is I believe the certificate services are running so I'm not sure why my attempts are not successful. Could you please help?
Thanks,
Brian