|
1 | 1 | # regcertipy |
2 | | -Parses cached certificate templates from a Windows Registry `.reg` file and |
3 | | -displays them in the same style as |
4 | | -[Certipy](https://github.com/ly4k/Certipy) does. |
| 2 | + |
| 3 | +Parses cached certificate templates from a Windows Registry `.reg` file and displays them in the same style as [Certipy](https://github.com/ly4k/Certipy) does. |
5 | 4 |
|
6 | 5 | ## Getting started |
7 | | -We prefer using the [uv package manager](https://docs.astral.sh/uv/), as it |
8 | | -will automatically create a virtual environment for you. Alternatively, you |
9 | | -can use `pip install regcertipy` within any other Python environment that |
10 | | -you manage. |
| 6 | + |
| 7 | +We prefer using the [uv package manager](https://docs.astral.sh/uv/), as it will automatically create a virtual environment for you. Alternatively, you can use `pip install regcertipy` within any other Python environment that you manage. |
11 | 8 |
|
12 | 9 | ``` |
13 | 10 | $ uv venv |
14 | 11 | $ source .venv/bin/activate |
15 | 12 | $ uv pip install regcertipy |
16 | 13 | $ regcertipy -h |
17 | | -usage: regcertipy [-h] regfile |
| 14 | +usage: regcertipy [-h] [-s SID_FILE] [-f {.reg,reg_bof}] [-text] [-stdout] |
| 15 | + [-json] [-csv] [-output prefix] [--neo4j-user NEO4J_USER] |
| 16 | + [--neo4j-pass NEO4J_PASS] [--neo4j-host NEO4J_HOST] |
| 17 | + [--neo4j-port NEO4J_PORT] [--use-owned-sids] |
| 18 | + regfile |
18 | 19 |
|
19 | 20 | Regfile ingestor for Certipy |
20 | 21 |
|
21 | 22 | positional arguments: |
22 | | - regfile Path to the .reg file. |
| 23 | + regfile Path to the .reg file. |
23 | 24 |
|
24 | 25 | options: |
25 | | - -h, --help show this help message and exit |
| 26 | + -h, --help show this help message and exit |
| 27 | + -s SID_FILE, --sid-file SID_FILE |
| 28 | + File containing the user's SIDs |
| 29 | + -f {.reg,reg_bof}, --input-format {.reg,reg_bof} |
| 30 | + Format of input file |
| 31 | +
|
| 32 | +output options: |
| 33 | + -text Output result as formatted text file |
| 34 | + -stdout Output result as text directly to console |
| 35 | + -json Output result as JSON |
| 36 | + -csv Output result as CSV |
| 37 | + -output prefix Filename prefix for writing results to |
| 38 | +
|
| 39 | +BloodHound: |
| 40 | + --neo4j-user NEO4J_USER |
| 41 | + Username for neo4j |
| 42 | + --neo4j-pass NEO4J_PASS |
| 43 | + Password for neo4j |
| 44 | + --neo4j-host NEO4J_HOST |
| 45 | + Host for neo4j |
| 46 | + --neo4j-port NEO4J_PORT |
| 47 | + Port for neo4j |
| 48 | + --use-owned-sids Use the SIDs of all owned principals as the user SIDs |
26 | 49 | ``` |
27 | 50 |
|
28 | | -Use regedit.exe to export the keys under |
29 | | -`HKEY_USERS\.DEFAULT\Software\ Microsoft\Cryptography\CertificateTemplateCache\`. |
30 | | -Then, the .reg file can be fed into regcertipy with: regcertipy <regfile>. |
| 51 | +Use regedit.exe to export the keys under `HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\`. Then, the .reg file can be fed into regcertipy with: regcertipy <regfile>. |
31 | 52 |
|
32 | 53 |  |
33 | 54 |
|
| 55 | +Alternatively, it is possible to parse output the Outflank C2 `reg query` command by specifying the `-f reg_bof` flag. This parses the following (truncated) output. |
| 56 | + |
| 57 | +``` |
| 58 | +[01/01/1970 12:34:56 PM] (finished) Outflank > reg query -r HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache |
| 59 | +
|
| 60 | +Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache |
| 61 | +
|
| 62 | +Reg Value: TimestampAfter |
| 63 | +Reg Type: REG_BINARY |
| 64 | +Reg Data: 86F63B1D13E7DB01 |
| 65 | +
|
| 66 | +Reg Value: Timestamp |
| 67 | +Reg Type: REG_BINARY |
| 68 | +Reg Data: 86F63B1D13E7DB01 |
| 69 | +
|
| 70 | +Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\Administrator |
| 71 | +
|
| 72 | +Reg Value: DisplayName |
| 73 | +Reg Type: REG_SZ |
| 74 | +Reg Data: Administrator |
| 75 | +
|
| 76 | +Reg Value: SupportedCSPs |
| 77 | +Reg Type: REG_MULTI_SZ |
| 78 | +Reg Data: Microsoft Enhanced Cryptographic Provider v1.0 Microsoft Base Cryptographic Provider v1.0 |
| 79 | +
|
| 80 | +Reg Value: ExtKeyUsageSyntax |
| 81 | +Reg Type: REG_MULTI_SZ |
| 82 | +Reg Data: 1.3.6.1.4.1.311.10.3.1 1.3.6.1.4.1.311.10.3.4 1.3.6.1.5.5.7.3.4 1.3.6.1.5.5.7.3.2 |
| 83 | +
|
| 84 | +[...] |
| 85 | +``` |
| 86 | + |
| 87 | +### SIDs |
| 88 | + |
| 89 | +Because `regcertipy` is intended for offline usage, SIDs cannot be dynamically resolved. Therefore, `regcertipy` includes a couple of options that can be used for offline SID information. |
| 90 | + |
| 91 | +Firstly, the `--sid-file` flag can be used to provide a list of SIDs that the user is a member of. This list can be obtained from BloodHound or other tools. |
| 92 | + |
| 93 | +Secondly, `regcertipy` can use a `neo4j` connection to dynamically resolve SIDs using BloodHound's database. This, combined with the `--use-owned-sids` command can help you find vulnerable templates exploitable by objects marked as owned in BloodHound. |
| 94 | + |
34 | 95 | ## Development |
35 | | -Note that we use the [Black code formatter](https://black.readthedocs.io/en/stable/) |
36 | | -for code formatting. Moreover, we use the Git Flow branching model, meaning |
37 | | -that we actively develop on the "develop" branch, and merge to the "main" |
38 | | -branch (& tag it) when a new release is made, making the "main" branch the |
39 | | -production branch. |
| 96 | + |
| 97 | +Note that we use the [Black code formatter](https://black.readthedocs.io/en/stable/) for code formatting. Moreover, we use the Git Flow branching model, meaning that we actively develop on the "develop" branch, and merge to the "main" branch (& tag it) when a new release is made, making the "main" branch the production branch. |
40 | 98 |
|
41 | 99 | ``` |
42 | 100 | $ uv sync --dev # Also installs the Black code formatter. |
43 | 101 | $ uv run black . # To format the current code base. |
44 | 102 | $ uv run regcertipy -h |
45 | | -usage: regcertipy [-h] regfile |
| 103 | +usage: regcertipy [-h] [-s SID_FILE] [-f {.reg,reg_bof}] [-text] [-stdout] |
| 104 | + [-json] [-csv] [-output prefix] [--neo4j-user NEO4J_USER] |
| 105 | + [--neo4j-pass NEO4J_PASS] [--neo4j-host NEO4J_HOST] |
| 106 | + [--neo4j-port NEO4J_PORT] [--use-owned-sids] |
| 107 | + regfile |
46 | 108 |
|
47 | 109 | Regfile ingestor for Certipy |
48 | 110 |
|
49 | 111 | positional arguments: |
50 | | - regfile Path to the .reg file. |
| 112 | + regfile Path to the .reg file. |
51 | 113 |
|
52 | 114 | options: |
53 | | - -h, --help show this help message and exit |
| 115 | + -h, --help show this help message and exit |
| 116 | + -s SID_FILE, --sid-file SID_FILE |
| 117 | + File containing the user's SIDs |
| 118 | + -f {.reg,reg_bof}, --input-format {.reg,reg_bof} |
| 119 | + Format of input file |
| 120 | +
|
| 121 | +output options: |
| 122 | + -text Output result as formatted text file |
| 123 | + -stdout Output result as text directly to console |
| 124 | + -json Output result as JSON |
| 125 | + -csv Output result as CSV |
| 126 | + -output prefix Filename prefix for writing results to |
| 127 | +
|
| 128 | +BloodHound: |
| 129 | + --neo4j-user NEO4J_USER |
| 130 | + Username for neo4j |
| 131 | + --neo4j-pass NEO4J_PASS |
| 132 | + Password for neo4j |
| 133 | + --neo4j-host NEO4J_HOST |
| 134 | + Host for neo4j |
| 135 | + --neo4j-port NEO4J_PORT |
| 136 | + Port for neo4j |
| 137 | + --use-owned-sids Use the SIDs of all owned principals as the user SIDs |
54 | 138 | ``` |
55 | 139 |
|
56 | | -You can also run the `__init__.py` or `__main.py__` Python file in your |
57 | | -favourite debugger. |
| 140 | +You can also run the `__init__.py` or `__main.py__` Python file in your favourite debugger. |
0 commit comments