Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added option to Enumerate Templates via HTTP Relaying to /certsrv/certreqxt.asp Endpoint #143

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Added option to Enumerate Templates via HTTP Relaying to /certsrv/certreqxt.asp Endpoint #143

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
9f76e38
Added the ability to enumerate templates at a basic level via HTTP relay
Apr 21, 2023
b8f606d
Added bs4 as a requirement
Apr 21, 2023
ea700c9
Fixed an issue with not stopping properly on template enumeration.
Apr 22, 2023
ae82a41
Merge pull request #1 from jhicks-r7/dev
jhicks-r7 Apr 22, 2023
ec6760b
Delete adude.pfx
jhicks-r7 Apr 24, 2023
45c5358
Changed template enumeration option to enum-templates to align with o…
May 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions certipy/commands/parsers/relay.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,11 @@ def add_subparser(subparsers: argparse._SubParsersAction) -> Tuple[str, Callable
action="store_true",
help="Don't skip previously attacked users. Use with -forever",
)
group.add_argument(
"-enum-templates",
action="store_true",
help="Relay to /certsrv/certrqxt.asp and parse available certificate templates"
)

group = subparser.add_argument_group("connection options")
group.add_argument(
Expand Down
26 changes: 24 additions & 2 deletions certipy/commands/relay.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,23 @@ def _run(self):
% repr(self.client.user)
)
return

if self.adcs_relay.enum_templates:
from bs4 import BeautifulSoup
self.client.request("GET", "/certsrv/certrqxt.asp")
response = self.client.getresponse()
content = response.read()
soup = BeautifulSoup(content, 'html.parser')
select_tag = soup.find('select', {'name': 'lbCertTemplate', 'id':'lbCertTemplateID'})
if select_tag:
option_tags = select_tag.find_all('option')
print("Templates Found for %s:" % repr(self.client.user))
for option in option_tags:
value = option['value']
split_value = value.split(';')
if len(split_value) > 1:
print(split_value[1])
return self.finish_run()

request_id = self.adcs_relay.request_id
if request_id:
Expand Down Expand Up @@ -382,6 +399,7 @@ def __init__(
forever=False,
no_skip=False,
timeout=5,
enum_templates=False,
debug=False,
**kwargs
):
Expand All @@ -398,12 +416,16 @@ def __init__(
self.verbose = debug
self.interface = interface
self.port = port
self.enum_templates = enum_templates
self.kwargs = kwargs

self.attacked_targets = []
self.attack_lock = Lock()

target = "http://%s/certsrv/certfnsh.asp" % ca

if self.enum_templates:
target = "http://%s/certsrv/certrqxt.asp" % ca
else:
target = "http://%s/certsrv/certfnsh.asp" % ca
logging.info("Targeting %s" % target)

target = TargetsProcessor(
Expand Down
1 change: 1 addition & 0 deletions setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
"requests_ntlm",
'winacl; platform_system=="Windows"',
'wmi; platform_system=="Windows"',
'bs4',
],
packages=[
"certipy",
Expand Down