Open
Labels: bug (Something isn't working)
Description
Certipy Version
5.0.3
Operating System
kali 6.12.25-amd64
Command Used
certipy template -u '[email protected]' -p 'Password123!' -template ESC4 -timeout 60
certipy template -u '[email protected]' -p 'Password123!' -template ESC4 -timeout 60 -ns 10.129.241.158
certipy template -u '[email protected]' -p 'Password123!' -template ESC4 -timeout 60 -dc-ip 10.129.241.158
(10.129.241.158 is the DC and the CA, and all entries exist in the hosts file)
Error Message / Unexpected Output
[+] Target name (-target) and DC host (-dc-host) not specified. Using domain 'LAB.LOCAL' as target name. This might fail for cross-realm operations
[+] Nameserver: None
[+] DC IP: None
[+] DC Host: 'LAB.LOCAL'
[+] Target IP: None
[+] Remote Name: 'LAB.LOCAL'
[+] Domain: 'LAB.LOCAL'
[+] Username: 'BLWASP'
[+] Trying to resolve 'LAB.LOCAL' at '192.168.91.2'
[!] DNS resolution failed: The DNS query name does not exist: LAB.LOCAL.
Traceback (most recent call last):
File "/root/.local/pipx/venvs/certipy-ad/lib/python3.13/site-packages/certipy/lib/target.py", line 442, in resolve
answers = self.resolver.resolve(hostname, tcp=self.use_tcp)
File "/root/.local/pipx/venvs/certipy-ad/lib/python3.13/site-packages/dns/resolver.py", line 1306, in resolve
(request, answer) = resolution.next_request()
~~~~~~~~~~~~~~~~~~~~~~~^^
File "/root/.local/pipx/venvs/certipy-ad/lib/python3.13/site-packages/dns/resolver.py", line 750, in next_request
raise NXDOMAIN(qnames=self.qnames_to_try, responses=self.nxdomain_responses)
dns.resolver.NXDOMAIN: The DNS query name does not exist: LAB.LOCAL.
[+] Resolved 'LAB.LOCAL' from cache: 10.129.241.158
Relevant certipy find Output (abbreviated and redacted)
(the find/req commands work fine, only the template command errors out)
└─# certipy find -u '[email protected]' -p 'Password123!' -timeout 60 -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: LAB.LOCAL.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 41 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Finding issuance policies
[*] Found 29 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The DNS query name does not exist: LAB-DC.lab.local.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'lab-LAB-DC-CA' via RRP
[*] Successfully retrieved CA configuration for 'lab-LAB-DC-CA'
[*] Checking web enrollment for CA 'lab-LAB-DC-CA' @ 'LAB-DC.lab.local'
[!] Error checking web enrollment: [Errno 104] Connection reset by peer
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : lab-LAB-DC-CA
DNS Name : LAB-DC.lab.local
Certificate Subject : CN=lab-LAB-DC-CA, DC=lab, DC=local
Certificate Serial Number : 16BD1CE8853DB8B5488A16757CA7C101
Certificate Validity Start : 2022-03-26 00:07:46+00:00
Certificate Validity End : 2027-03-26 00:17:46+00:00
Web Enrollment
HTTP
Enabled : True
HTTPS
Enabled : False
User Specified SAN : Enabled
Request Disposition : Issue
Enforce Encryption for Requests : Disabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : LAB.LOCAL\Administrators
Access Rights
Enroll : LAB.LOCAL\Authenticated Users
LAB.LOCAL\Black Wasp
LAB.LOCAL\James
LAB.LOCAL\user_manageCA
LAB.LOCAL\Juanmy
LAB.LOCAL\Josy
ManageCa : LAB.LOCAL\Black Wasp
LAB.LOCAL\James
LAB.LOCAL\user_manageCA
LAB.LOCAL\Juanmy
LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrators
ManageCertificates : LAB.LOCAL\Josy
LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrators
[+] User Enrollable Principals : LAB.LOCAL\Black Wasp
LAB.LOCAL\Authenticated Users
[+] User ACL Principals : LAB.LOCAL\Black Wasp
[!] Vulnerabilities
ESC6 : Enrollee can specify SAN.
ESC7 : User has dangerous permissions.
ESC8 : Web Enrollment is enabled over HTTP.
ESC11 : Encryption is not enforced for ICPR (RPC) requests.
[*] Remarks
ESC6 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates
0
Template Name : TestingCert
Display Name : TestingCert
Enabled : False
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PendAllRequests
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : True
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-11-21T06:52:00+00:00
Template Last Modified : 2023-11-21T06:52:00+00:00
Permissions
Enrollment Permissions
Enrollment Rights : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Full Control Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Owner Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Dacl Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Property Enroll : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
1
Template Name : ESC9
Display Name : ESC9
Certificate Authorities : lab-LAB-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireUpn
SubjectAltRequireEmail
SubjectRequireEmail
SubjectRequireDirectoryPath
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
AutoEnrollment
NoSecurityExtension
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-05-03T11:21:35+00:00
Template Last Modified : 2023-07-05T11:47:33+00:00
Permissions
Enrollment Permissions
Enrollment Rights : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Full Control Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Owner Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Dacl Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Property Enroll : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
[+] User Enrollable Principals : LAB.LOCAL\Domain Users
[!] Vulnerabilities
ESC9 : Template has no security extension.
[*] Remarks
ESC9 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
2
Template Name : ESC7_1
Display Name : ESC7_1
Certificate Authorities : lab-LAB-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PendAllRequests
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : True
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-05-02T19:33:13+00:00
Template Last Modified : 2023-07-05T11:47:29+00:00
Permissions
Enrollment Permissions
Enrollment Rights : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Full Control Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Owner Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Dacl Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Property Enroll : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
[+] User Enrollable Principals : LAB.LOCAL\Domain Users
3
Template Name : ESC3
Display Name : ESC3
Certificate Authorities : lab-LAB-DC-CA
Enabled : True
Client Authentication : False
Enrollment Agent : True
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireUpn
SubjectAltRequireEmail
SubjectRequireEmail
SubjectRequireDirectoryPath
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
AutoEnrollment
Private Key Flag : ExportableKey
Extended Key Usage : Certificate Request Agent
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-05-01T17:47:22+00:00
Template Last Modified : 2023-07-05T11:47:23+00:00
Permissions
Enrollment Permissions
Enrollment Rights : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Full Control Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Owner Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Dacl Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
Write Property Enroll : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
[+] User Enrollable Principals : LAB.LOCAL\Domain Users
[!] Vulnerabilities
ESC3 : Template has Certificate Request Agent EKU set.
4
Template Name : ESC4
Display Name : ESC4
Certificate Authorities : lab-LAB-DC-CA
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireUpn
SubjectAltRequireEmail
SubjectRequireEmail
SubjectRequireDirectoryPath
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
AutoEnrollment
Private Key Flag : ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-05-01T17:12:55+00:00
Template Last Modified : 2023-07-05T11:47:26+00:00
Permissions
Enrollment Permissions
Enrollment Rights : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Full Control Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Black Wasp
Write Owner Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Black Wasp
Write Dacl Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Black Wasp
Write Property Enroll : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
[+] User Enrollable Principals : LAB.LOCAL\Black Wasp
LAB.LOCAL\Domain Users
[+] User ACL Principals : LAB.LOCAL\Black Wasp
[!] Vulnerabilities
ESC4 : User has dangerous permissions.
Expected Behavior
certipy should manipulate the ESC4 template, making it vulnerable to ESC1
Additional Context
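The `certipy find` output in this report flags the ESC4 template because a regular user (Black Wasp) holds Full Control, Write Owner and Write Dacl on the template object, while the other templates only grant Domain Users enrollment rights. As an added example (not Certipy's own code), the script below parses the aligned text that `certipy find -stdout` prints and reports every template whose object-control rights name a principal outside an assumed set of privileged groups. The sample input is the ESC4 and ESC3 template blocks from the output above, re-indented; the PRIVILEGED set is an assumption that a defender would replace with the domain's real administrative groups.

```python
"""Flag certificate templates whose object-control ACEs name non-privileged
principals, i.e. the condition certipy reports as ESC4.

Added example, not Certipy's own code. It parses the aligned text that
`certipy find -stdout` prints. SAMPLE is the ESC4 and ESC3 template blocks
from the issue above, re-indented. PRIVILEGED is an assumption: a real audit
would load the domain's actual admin groups.
"""

import re

# Assumption: groups that are expected to own or control templates.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "Administrator"}

# Rights that let a principal rewrite the template (the ESC4 condition).
# Enrollment rights are deliberately not listed: they do not control the object.
CONTROL_RIGHTS = (
    "Owner",
    "Full Control Principals",
    "Write Owner Principals",
    "Write Dacl Principals",
)

# "<indent><key> : <value>"; continuation values are more deeply indented
# lines without a separator (timestamps contain ':' but no surrounding space).
KV_RE = re.compile(r"^(\s*)(\S.*?)\s+:\s*(.*)$")

# Constructed from the report's find output (two templates, re-indented).
SAMPLE = """\
Certificate Templates
  0
    Template Name                       : ESC4
    Display Name                        : ESC4
    Enabled                             : True
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LAB.LOCAL\\Domain Admins
                                          LAB.LOCAL\\Domain Users
                                          LAB.LOCAL\\Enterprise Admins
      Object Control Permissions
        Owner                           : LAB.LOCAL\\Administrator
        Full Control Principals         : LAB.LOCAL\\Domain Admins
                                          LAB.LOCAL\\Enterprise Admins
                                          LAB.LOCAL\\Black Wasp
        Write Owner Principals          : LAB.LOCAL\\Domain Admins
                                          LAB.LOCAL\\Enterprise Admins
                                          LAB.LOCAL\\Black Wasp
        Write Dacl Principals           : LAB.LOCAL\\Domain Admins
                                          LAB.LOCAL\\Enterprise Admins
                                          LAB.LOCAL\\Black Wasp
  1
    Template Name                       : ESC3
    Display Name                        : ESC3
    Enabled                             : True
    Permissions
      Object Control Permissions
        Owner                           : LAB.LOCAL\\Administrator
        Full Control Principals         : LAB.LOCAL\\Domain Admins
                                          LAB.LOCAL\\Enterprise Admins
"""


def parse_templates(text):
    """Return {template name: {key: [values]}} from certipy find text output."""
    templates = {}
    props = None          # property dict of the template currently being read
    last_key = None       # key that continuation lines belong to
    key_indent = -1
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            key, value = m.group(2), m.group(3).strip()
            if key == "Template Name":
                props = templates.setdefault(value, {})
            if props is not None:
                props.setdefault(key, []).append(value)
                last_key, key_indent = key, len(m.group(1))
            continue
        indent = len(line) - len(line.lstrip())
        if props is not None and last_key and line.strip() and indent > key_indent:
            props[last_key].append(line.strip())      # continuation value
        else:
            last_key, key_indent = None, -1           # header/index line ends the list
    return templates


def audit_esc4(text, privileged=PRIVILEGED):
    """List (template, right, principal) where a non-privileged principal controls a template."""
    findings = []
    for name, props in parse_templates(text).items():
        for right in CONTROL_RIGHTS:
            for principal in props.get(right, []):
                account = principal.split("\\", 1)[-1]   # drop the DOMAIN\ prefix
                if account not in privileged:
                    findings.append((name, right, principal))
    return findings


if __name__ == "__main__":
    for template, right, principal in audit_esc4(SAMPLE):
        print(f"ESC4 candidate: {template}: {principal} has {right}")
```

Run against the sample it reports Black Wasp three times on ESC4 and nothing on ESC3, which matches what certipy flagged in the report. Domain Users having enrollment rights on every template is intentionally ignored: enrollment is not object control, so it is not the ESC4 condition. For a scheduled check, feed the script the saved output of your own `certipy find` run and keep the privileged-group list in line with the domain's actual tiering.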