certipy: error: unrecognized arguments #67

Closed
robertstrom opened this issue Aug 4, 2022 · 7 comments

@robertstrom

Hello,

I have cloned the repo using the command

git clone https://github.com/ly4k/Certipy.git

I then cd'd into the Certipy directory and ran the command

sudo python3 /path/to/Certipy/setup.py install

I am trying to execute the basic certipy find command and I am getting an error regarding unrecognized commands

The command that I am executing is:

certipy find "fqdn/user_samaccountname:password@domain_controller_fqdn_or_IPAddress"

After running the command I am getting the error message

Certipy v4.0.0 - by Oliver Lyak (ly4k)

usage: certipy [-v] [-h] {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template} ...
certipy: error: unrecognized arguments: fqdn/user_samaccountname:password@domain_controller_fqdn_or_IPAddress

I have been to the blog post and read through it but no luck - https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6

All documentation that I am seeing is on version 2. Could this be a version 4 issue?

Thanks!

@ly4k
Owner

ly4k commented Aug 5, 2022

Hello @robertstrom, this way of specifying the target string (username, domain, password, and target host) has been changed in version 4. Now username and domain should be specified in -username user@domain, password in -password and target in -target (if required). :) It's explained in the blog post on version 4, and you can also see some examples in the README. Let me know if you have more issues or questions.
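
The syntax change described in the comment above, as an added example that is not part of the original thread and not Certipy's own code: it splits a v2-style "domain/user:password@host" string into the -username, -password and -target options named above, and goes beyond the thread by handling passwords that contain '@', ':' or '/'. The helper names are hypothetical and the sample values are constructed.

```python
import shlex

def v2_target_to_v4_args(target_string, include_password=False):
    """Split a v2 'domain/user:password@host' string into v4-style options.

    Hypothetical helper for illustration; not part of Certipy.
    """
    # Host is everything after the LAST '@', so an '@' inside the password survives.
    creds, at, host = target_string.rpartition("@")
    if not at or not host:
        raise ValueError("expected [domain/]user[:password]@host")
    # Password is everything after the FIRST ':', so ':' and '/' in it survive.
    user_part, colon, password = creds.partition(":")
    # The domain, if any, precedes the last '/' of the part before the password.
    domain, _, user = user_part.rpartition("/")
    if not user:
        raise ValueError("no username in target string")
    args = ["-username", f"{user}@{domain}" if domain else user]
    # Leaving -password out keeps the secret out of argv and shell history;
    # the v4 run shown in this thread prompts with "Password:" in that case.
    if colon and include_password:
        args += ["-password", password]
    args += ["-target", host]
    return args

def v4_command(action, target_string, include_password=False):
    """Return a shell-quoted v4 command line for the given action (e.g. 'find')."""
    args = v2_target_to_v4_args(target_string, include_password)
    return shlex.join(["certipy", action] + args)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(v4_command("find", "corp.example/alice:S3cret@dc01.corp.example"))
```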

@robertstrom
Author

@ly4k - many thanks!! I did take a look at the README but mostly to get installed since I saw the link to the blog which I saw was giving a number of examples so I relied on it for the more detailed instructions. My bad for sure, but I would suggest that you note something near the link to the blog post that it still has valuable information but that the syntax / authentication has changed. Just a thought / suggestion ...

So I have gotten a lot farther and believe that I may have some issues. I have now tested this in two of our domains and have gotten the same results.

└─$ certipy find -u PGPxxxx@blah.blah.domain.local -dc-ip 10.x.x.x -vulnerable -debug
Certipy v4.0.0 - by Oliver Lyak (ly4k)

Password:
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.x.x.x:636 - ssl
[+] Default path: DC=blah,DC=blah,DC=domain,DC=local
[+] Configuration path: CN=Configuration,DC=blah,DC=domain,DC=local
[-] Got error: error receiving data: The read operation timed out
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 89, in receiving
    data = self.connection.socket.recv(self.socket_size)
  File "/usr/lib/python3.10/ssl.py", line 1259, in recv
    return self.read(buflen)
  File "/usr/lib/python3.10/ssl.py", line 1132, in read
    return self._sslobj.read(len)
TimeoutError: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/entry.py", line 60, in main
    actions[options.action](options)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/commands/parsers/find.py", line 12, in entry
    find.entry(options)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/commands/find.py", line 1142, in entry
    find.find()
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/commands/find.py", line 168, in find
    sids = connection.get_user_sids(self.target.username)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/lib/ldap.py", line 373, in get_user_sids
    groups = self.search(
  File "/usr/local/lib/python3.10/dist-packages/Certipy-4.0.0-py3.10.egg/certipy/lib/ldap.py", line 254, in search
    entries = list(
  File "/usr/lib/python3/dist-packages/ldap3/extend/standard/PagedSearch.py", line 56, in paged_search_generator
    result = connection.search(search_base,
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 853, in search
    response = self.post_send_search(self.send('searchRequest', request, controls))
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 178, in post_send_search
    responses, result = self.get_response(message_id)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 355, in get_response
    responses = self._get_response(message_id, timeout)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 196, in _get_response
    responses = self.receiving()
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 99, in receiving
    raise communication_exception_factory(LDAPSocketReceiveError, type(e)(str(e)))(self.connection.last_error)
ldap3.core.exceptions.LDAPSocketReceiveError: error receiving data: The read operation timed out

@robertstrom
Author

@ly4k - It appears to definitely be an issue with version 4. I was able to install version 2.09 on another instance of Kali and pretty much get it working. I was able to retrieve the information using find, but the request is failing.

└─$ certipy req "blah.blah.domain.local/user:$CREDS@DC.blah.blah.domain.local" -ca 'CAServer.blah.blah.local' -template 'TemplateName' -alt 'user_domain_admin@blah.blah.domain.local' -dynamic-endpoint -debug
Certipy v2.0.9 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'DC.blah.blah.domain.local' at '10.x.x.x'
[*] Requesting certificate
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Failed to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[-] Failed to get dynamic TCP endpoint for CertSvc
[+] Trying to connect to endpoint: ncacn_np:10.x.x.x[\pipe\cert]
[!] Failed to connect to endpoint ncacn_np:10.x.x.x[\pipe\cert]: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
[-] Got error: 'NoneType' object has no attribute 'request'
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/Certipy-2.0.9-py3.10.egg/certipy/entry.py", line 83, in main
    actions[options.action](options)
  File "/usr/local/lib/python3.10/dist-packages/Certipy-2.0.9-py3.10.egg/certipy/request.py", line 326, in entry
    request.request()
  File "/usr/local/lib/python3.10/dist-packages/Certipy-2.0.9-py3.10.egg/certipy/request.py", line 252, in request
    response = self.dce.request(request)
AttributeError: 'NoneType' object has no attribute 'request'

@ly4k
Owner

ly4k commented Aug 5, 2022

Hello @robertstrom, the problem you're experiencing with 4.0 is that the user's membership query takes too long to execute, so I'll have to come up with a better way of finding nested group memberships. Thanks for reporting this. And the problem with 2.0.9 (and the same you'll have in 4.0) is probably that the target parameter is incorrect. When you request the certificate, you have to specify the host name or IP of the CA server, and not the domain controller. I'll look into the LDAP issue. Thanks again!

@robertstrom
Author

@ly4k - Thanks much for the response / info! I have been able to take that info and make v2.0.9 work as expected. Thanks so much for the tool!! It is making it possible for us to discover any issues, fix and test. Very much appreciate the work that you have done on this. I'll keep checking back for any update on v4 so that I can test it again.

ly4k added a commit that referenced this issue Aug 8, 2022
@ly4k
Owner

ly4k commented Aug 8, 2022

Hello @robertstrom, it seems that while this method of retrieving nested group memberships is not the fastest, it's the most efficient one when it comes to stealth and low bandwidth. All the logic is handled at the server, and the client just waits too long for the response in your case. As such, I've added a receive timeout which is a factor 10 of the -timeout parameter that is used in other cases. Furthermore, I've handled the error now so you can continue but without having any nested group memberships found. Fixed in 4b54ceb and 7f4f225. Thank you for reporting!

@ly4k ly4k closed this as completed Aug 8, 2022
@robertstrom
Author

robertstrom commented Aug 10, 2022

@ly4k Sorry, I am not a GitHub expert at pulling different versions, etc. Am I going to be able to get this version update for testing or do I need to wait for you to publish the full update? If I can get and test I would appreciate some guidance in what commands I would use to do so. Thanks very much!
