RPC Relay into "auth" command results in KRB_AP_ERR_MODIFIED(Message stream modified) #161

Open
Alh4zr3d opened this issue Aug 6, 2023 · 0 comments

Alh4zr3d commented Aug 6, 2023

First of all, sorry about my last issue, I messed up my command line and I feel very dumb about that. This one, though, seems like it really is a Certipy issue worthy of consideration.

Certipy relay to RPC endpoints works just fine when I do not idiotically put the FQDN of the AD CS server into the -ca param and instead use the CA name as you pointed out:
image

However, PKINIT auth with the resulting PFX results in a Kerberos error:
image

This only happens with PKINIT auth; Schannel auth works perfectly:
image

I can also take the same PFX that Certipy obtained through the "relay" command and feed it to Rubeus, which successfully auths with PKINIT:
image

This seems to be an issue with the "auth" command rather than the "relay" command. The resulting certificate is valid, but Certipy's "auth" command appears to mishandle it in the PKINIT process for some reason. This also only seems to apply to certificates gained by RPC relay (ESC11); all other certificates seem to work just fine with the "auth" command. I've never had this issue with Certipy before.

I can also use Impacket's ntlmrelayx.py to obtain a certificate through RPC relay (using a forked version with the proper RPC endpoints) and the resulting PKCS#12 certificate works with Certipy, but only for LDAPS communications as seen above. It fails with the same error for PKINIT.

Feel free to smack me upside the head if I'm doing something else stupidly wrong; love everything you do on this project and others!
