Formatting question for "ESC1 - SAN Impersonation" attack #19
Comments
Hello Brian,
Can you please verify that you are using the Fully Qualified Domain Name (FQDN) in your 'target' parameter, i.e. DOMAIN.COM rather than just DOMAIN? Additionally, you can view the specific parameters to use by listing the ticket(s) in your credential cache with:
KRB5CCNAME=./regularuser.ccache klist
If your issue is not solved by this, you can use the NTLM hash or password of the account for requesting a ticket in the meantime while I look further into this issue.
Thanks for reporting this.
Oliver
Thanks so much for the quick response! I’ll be back at the test in a few hours and can troubleshoot further at that time.
Ok, so in doing the
Now when I rerun Certipy with the FQDN in the target parameter, the output is a little different (I've prefixed those lines with a few dashes so they stand out):
Then I get a big traceback with a ton of lines. Let me know if you need those. The very last line is:
Not sure if this is helpful or not, but when I rerun the same command and leave out the
And then a huge traceback that also ends in the
Alright, so your new output looks more correct. The error "STATUS_OBJECT_NAME_NOT_FOUND" means that the named pipe that Certipy tried to connect to was not found. Can you tell me more about the stack trace in regards to where in the code the error is thrown? It is most likely because the CA server you specified is not running the certificate service. By default, the certificate service creates a named pipe called "cert". You can try to use Impacket's "rpcdump" script and grep for "cert".
I did the rpcdump and there was one match for the word
So maybe this isn't a valid attack path? As far as more info on the traceback, right after the
Yes, unfortunately, it seems that the certificate service is not running on your CA server. I will try to do some better error handling for this case. Thanks for your report.
Hello!
I've got an environment where I've run the Certipy enumeration and have a template vulnerable to ESC1. I've requested a TGT for my "standard" user using GetTGT from impacket. And then I've launched Certipy as follows:
When this runs, I get:
This is followed by a traceback and tons of python errors. Do I have a syntax error? I'm not sure what the expected output should look like.
Thanks,
Brian