adcs: add --altSid flag to embed szOID_NTDS_CA_SECURITY_EXT in CSR#2222
Open
JosuPalacios99 wants to merge 1 commit into
Open
adcs: add --altSid flag to embed szOID_NTDS_CA_SECURITY_EXT in CSR#2222JosuPalacios99 wants to merge 1 commit into
JosuPalacios99 wants to merge 1 commit into
Conversation
ntlmrelayx ADCS relay generates CSRs without the SID extension required by KB5014754 (StrongCertificateBindingEnforcement >= 1, enforced by default since Feb 2025). Certs issued without the extension fail PKINIT on modern DCs and are rejected client-side by certipy v5 with "Object SID mismatch". Add --altSid <SID> parameter (ESC8 and ESC11 paths) that embeds the target account SID inside szOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2) using cryptography.x509.UnrecognizedExtension with manual DER/TLV encoding. pyOpenSSL cannot encode this OID since OpenSSL has no knowledge of Microsoft-proprietary extensions. Backward compatible: omitting --altSid keeps the original pyOpenSSL code path unchanged.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
ntlmrelayx ADCS relay (ESC8 and ESC11) generates CSRs without the
szOID_NTDS_CA_SECURITY_EXTextension (OID1.3.6.1.4.1.311.25.2).Since KB5014754, DCs with
StrongCertificateBindingEnforcement >= 1(default
2since February 2025) reject certificates that lack thisextension during PKINIT. certipy v5 also validates this client-side and
aborts with
Object SID mismatchbefore reaching the DC.This breaks the ESC1 relay attack chain: even when the CA issues a
certificate with the target account's UPN in the SAN, authentication
fails because the certificate lacks the SID binding that modern DCs
require. The attack was functional before KB5014754 enforcement but is
blocked on any updated environment without this fix.
The root cause is pyOpenSSL: it delegates extension encoding to OpenSSL,
which has no knowledge of Microsoft-proprietary OIDs and cannot encode
this extension via the high-level API.
Fix
Add
--altSid <SID>parameter. When provided,generate_csr()switchesfrom pyOpenSSL to
cryptography.x509.CertificateSigningRequestBuilderwith
UnrecognizedExtension, using pure-Python DER/TLV encoding toconstruct the extension value.
The extension encodes the SID string (e.g.
S-1-5-21-...-500) asUTF-8 inside an OtherName GeneralName with OID
1.3.6.1.4.1.311.25.2.1(szOID_NTDS_OBJECTSID). The CA propagatesthis extension to the issued certificate, satisfying the DC's strong
mapping requirement and restoring ESC1 relay on fully enforced environments.
Backward compatible: omitting
--altSidkeeps the originalpyOpenSSL code path unchanged.
Files changed
impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py— DER helpers +generate_csraltSid pathimpacket/examples/ntlmrelayx/attacks/rpcattack.py— passaltSidtogenerate_csr(ESC11)impacket/examples/ntlmrelayx/utils/config.py—altSidfield +setAltSid()examples/ntlmrelayx.py—--altSidargumentUsage