Certipy: Authentication error for Windows Server 2022?

Facing issues when authenticating to Windows Server 2022 (password/ticket valid)

certipy find -scheme ldaps -enabled -dc-only -dc-ip <redacted> -ns <redacted> -target <redacted> -dns-tcp -k -u <redacted> -debug

Certipy v4.8.0 - by Oliver Lyak (ly4k)
...
[+] Getting TGS for 'host/<redacted>'
[+] Got TGS for 'host/<redacted>'
[-] Got error: [{'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '80090346: LdapErr: DSID-0C09070F, comment: AcceptSecurityContext error, data 80090346, v4f7c\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}]
...


certipy find -enabled -dc-only -dc-ip <redacted> -ns <redacted> -target <redacted> -dns-tcp -u <redacted> -debug

...
[+] Authenticating to LDAP server
[-] Got error: Failed to authenticate to LDAP. Invalid credentials

About this issue

  • State: closed
  • Created 9 months ago
  • Reactions: 2
  • Comments: 15 (4 by maintainers)

Most upvoted comments

I made a fork of LDAP3 and merged the PR from @ThePirateWhoSmellsOfSunflowers. Thanks a lot for that!

The new Certipy version 4.8.1 now supports LDAP channel binding over LDAPS using NTLM authentication. Kerberos authentication isn’t supported, and LDAP signing isn’t supported either. While I’d like to support Kerberos and LDAP signing, I do not have the time or knowledge yet to implement this in the forked LDAP3 module.

If you encounter an environment with LDAP signing, I’d recommend using LDAPS instead of LDAP, and if required, use channel binding as well with the new -ldap-channel-binding switch. To use the new channel binding feature, it is required to pip install the forked module: pip3 install git+https://github.com/ly4k/ldap3. This will uninstall the old module and install the forked module. The old module doesn’t seem to have had any commits since May 2023, but I’ll try to keep an eye on it.

In the meantime, we’ll use this quick and dirty fix, and Certipy will spit out better error messages with relevant information (including the pip install command) if you end up in this scenario.
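For readers who want to see what the -ldap-channel-binding switch actually puts on the wire, the following is an added example and not code from Certipy or from the forked ldap3. It derives the NTLM channel binding token for an LDAPS session the way MS-NLMP and RFC 5929 specify it: hash the server's DER certificate (SHA-256 when the certificate is signed with MD5 or SHA-1, otherwise the signature's own hash), prefix it with "tls-server-end-point:", wrap it in a gss_channel_bindings_struct and MD5 that into the MsvChannelBindings AV_PAIR of the NTLMv2 response. The function and constant names are the example's own, the certificate bytes are constructed stand-ins rather than a real DER certificate, and bind_would_pass is a simplified model of the DC-side comparison under LdapEnforceChannelBinding=2 ("Always"), which is the check that produces the data 80090346 (SEC_E_BAD_BINDINGS) bind error shown in the issue.

```python
"""Added example: derive the LDAP channel binding token (CBT) that an NTLM bind
over LDAPS must carry. Not Certipy's or ldap3's own code; stdlib only."""
import hashlib
import struct

# Channel-binding type from RFC 5929 section 4; the one Active Directory verifies.
CB_PREFIX = b"tls-server-end-point:"

# AvId of the MsvChannelBindings AV_PAIR in the NTLMv2 client challenge (MS-NLMP 2.2.2.1).
MSV_AV_CHANNEL_BINDINGS = 0x000A


def cert_hash_algorithm(sig_hash_name: str) -> str:
    """RFC 5929 4.1: hash the certificate with the hash of its signature algorithm,
    except that MD5 and SHA-1 are replaced by SHA-256."""
    name = sig_hash_name.lower().replace("-", "")
    if name in ("md5", "sha1"):
        return "sha256"
    return name


def tls_server_end_point(cert_der: bytes, sig_hash_name: str) -> bytes:
    """Application data of the binding: prefix + hash of the server's DER certificate."""
    algo = cert_hash_algorithm(sig_hash_name)
    return CB_PREFIX + hashlib.new(algo, cert_der).digest()


def gss_channel_bindings(application_data: bytes) -> bytes:
    """Serialized gss_channel_bindings_struct (RFC 2744 3.11) as Windows hashes it:
    initiator_addrtype, initiator_address length, acceptor_addrtype, acceptor_address
    length (all zero, addresses unused), then the application_data length, all
    little-endian 32-bit, followed by the application data itself."""
    return struct.pack("<IIIII", 0, 0, 0, 0, len(application_data)) + application_data


def msv_channel_bindings(cert_der: bytes, sig_hash_name: str) -> bytes:
    """16-byte MsvChannelBindings value: MD5 over the serialized struct (MS-NLMP 3.1.5.1.2)."""
    return hashlib.md5(gss_channel_bindings(tls_server_end_point(cert_der, sig_hash_name))).digest()


def av_pair_channel_bindings(cert_der: bytes, sig_hash_name: str) -> bytes:
    """The AV_PAIR as it appears in the NTLMv2 client challenge: AvId, AvLen, Value."""
    value = msv_channel_bindings(cert_der, sig_hash_name)
    return struct.pack("<HH", MSV_AV_CHANNEL_BINDINGS, len(value)) + value


def bind_would_pass(client_cert_der, server_cert_der: bytes, sig_hash_name: str) -> bool:
    """Simplified model (assumption, not Microsoft's code) of the DC-side check with
    LdapEnforceChannelBinding=2: the DC recomputes the token from the certificate it
    served and compares it with the one the client hashed into its NTLM response.
    A client that hashed no certificate (an ldap3 without CBT support) or a
    different one (a TLS-terminating proxy in the path) is rejected; that is the
    AcceptSecurityContext error with data 80090346 (SEC_E_BAD_BINDINGS)."""
    if client_cert_der is None:
        return False
    return msv_channel_bindings(client_cert_der, sig_hash_name) == msv_channel_bindings(
        server_cert_der, sig_hash_name
    )


if __name__ == "__main__":
    # Constructed stand-in for the DC's DER certificate; a real client would take
    # the leaf certificate from the established TLS socket.
    dc_cert = b"constructed-DER-bytes-standing-in-for-the-DC-certificate"
    token = av_pair_channel_bindings(dc_cert, "sha256")
    print("MsvChannelBindings AV_PAIR:", token.hex())
    print("same cert ->", bind_would_pass(dc_cert, dc_cert, "sha256"))
    print("no CBT    ->", bind_would_pass(None, dc_cert, "sha256"))
```

The practical consequence is the one the thread arrives at: an NTLM bind over LDAPS has to hash the exact certificate the TLS layer received, which a plain ldap3 does not do, while a simple bind carries no SSPI token at all and therefore has no binding for the DC to compare.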

Thanks for reporting. I am looking into it.

This worked in my environment with -scheme ldaps; I just adjusted ldap.py quick and dirty. Many thanks, great community!

I have a Github sponsors profile, which isn’t supposed to be public yet, as I’m planning to publish it when my next tool is released, but it is available and live here: https://github.com/sponsors/ly4k 😃

As for Certipy, I am considering making a fork of ldap3 and merging the PRs. I will test later.

Yeah, this seemed to fix the invalidCredentials issue, which is a step forward in the right direction. But now I have another issue with enum.py:

[-] Got error: module 'enum' has no attribute '_decompose'
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certipy/commands/find.py", line 782, in security_to_bloodhound_aces
    standard_rights = list(rights["rights"])
                      ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/enum.py", line 1482, in __iter__
    yield from self._iter_member_(self._value_)
  File "/usr/lib/python3.11/enum.py", line 1369, in _iter_member_by_def_
    yield from sorted(
               ^^^^^^^
  File "/usr/lib/python3.11/enum.py", line 1371, in <lambda>
    key=lambda m: m._sort_order_,
                  ^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute '_sort_order_'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certipy/entry.py", line 60, in main
    actions[options.action](options)
  File "/usr/lib/python3/dist-packages/certipy/commands/parsers/find.py", line 12, in entry
    find.entry(options)
  File "/usr/lib/python3/dist-packages/certipy/commands/find.py", line 1185, in entry
    find.find()
  File "/usr/lib/python3/dist-packages/certipy/commands/find.py", line 455, in find
    self.output_bloodhound_data(prefix, templates, cas)
  File "/usr/lib/python3/dist-packages/certipy/commands/find.py", line 578, in output_bloodhound_data
    aces = self.security_to_bloodhound_aces(security)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certipy/commands/find.py", line 784, in security_to_bloodhound_aces
    standard_rights = rights["rights"].to_list()
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certipy/lib/constants.py", line 265, in to_list
    members, _ = enum._decompose(cls, self._value_)
                 ^^^^^^^^^^^^^^^
AttributeError: module 'enum' has no attribute '_decompose'

I have seen some other issues that relate to my new one; I’ll try to see if I can fix it like it’s mentioned in this issue: https://github.com/ly4k/Certipy/issues/159. Thank you very much for your time and for your help @ThePirateWhoSmellsOfSunflowers @ly4k.

Simple Authentication is a “non-NTLM authentication” as defined in the LDAPv3 RFC, but Active Directory is compatible with it. You will need to change the Certipy code to something like

connection = ldap3.Connection(server, authentication=ldap3.SIMPLE, user='my_user@domain.local', password='password')

instead of

connection = ldap3.Connection(server, authentication=ldap3.NTLM, user='domain.local\\my_user', password='password')

Yes, the password is sent in cleartext, but within a TLS channel, because you are using LDAPS.