Skip to content

Commit cca2527

Browse files
committed
Update README.md
1 parent 58f656a commit cca2527

3 files changed

Lines changed: 384 additions & 339 deletions

File tree

README.md

Lines changed: 41 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,10 @@
11
# regcertipy
2-
Parses cached certificate templates from a Windows Registry `.reg` file and
3-
displays them in the same style as
4-
[Certipy](https://github.com/ly4k/Certipy) does.
2+
3+
Parses cached certificate templates from a Windows Registry `.reg` file and displays them in the same style as [Certipy](https://github.com/ly4k/Certipy) does.
54

65
## Getting started
7-
We prefer using the [uv package manager](https://docs.astral.sh/uv/), as it
8-
will automatically create a virtual environment for you. Alternatively, you
9-
can use `pip install regcertipy` within any other Python environment that
10-
you manage.
6+
7+
We prefer using the [uv package manager](https://docs.astral.sh/uv/), as it will automatically create a virtual environment for you. Alternatively, you can use `pip install regcertipy` within any other Python environment that you manage.
118

129
```
1310
$ uv venv
@@ -51,30 +48,53 @@ BloodHound:
5148
--use-owned-sids Use the SIDs of all owned principals as the user SIDs
5249
```
5350

54-
Use regedit.exe to export the keys under
55-
`HKEY_USERS\.DEFAULT\Software\ Microsoft\Cryptography\CertificateTemplateCache\`.
56-
Then, the .reg file can be fed into regcertipy with: regcertipy <regfile>.
51+
Use regedit.exe to export the keys under `HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\`. Then, the .reg file can be fed into regcertipy with: regcertipy <regfile>.
5752

5853
![Example of how to export a .reg file](resources/regedit.png)
5954

55+
Alternatively, it is possible to parse output the Outflank C2 `reg query` command by specifying the `-f reg_bof` flag. This parses the following (truncated) output.
56+
57+
```
58+
[01/01/1970 12:34:56 PM] (finished) Outflank > reg query -r HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache
59+
60+
Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache
61+
62+
Reg Value: TimestampAfter
63+
Reg Type: REG_BINARY
64+
Reg Data: 86F63B1D13E7DB01
65+
66+
Reg Value: Timestamp
67+
Reg Type: REG_BINARY
68+
Reg Data: 86F63B1D13E7DB01
69+
70+
Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\Administrator
71+
72+
Reg Value: DisplayName
73+
Reg Type: REG_SZ
74+
Reg Data: Administrator
75+
76+
Reg Value: SupportedCSPs
77+
Reg Type: REG_MULTI_SZ
78+
Reg Data: Microsoft Enhanced Cryptographic Provider v1.0 Microsoft Base Cryptographic Provider v1.0
79+
80+
Reg Value: ExtKeyUsageSyntax
81+
Reg Type: REG_MULTI_SZ
82+
Reg Data: 1.3.6.1.4.1.311.10.3.1 1.3.6.1.4.1.311.10.3.4 1.3.6.1.5.5.7.3.4 1.3.6.1.5.5.7.3.2
83+
84+
[...]
85+
```
86+
6087
### SIDs
6188

6289
Because `regcertipy` is intended for offline usage, SIDs cannot be dynamically resolved. Therefore, `regcertipy` includes a couple of options that can be used for offline SID information.
6390

6491
Firstly, the `--sid-file` flag can be used to provide a list of SIDs that the user is a member of. This list can be obtained from BloodHound or other tools.
6592

66-
Secondly, `regcertipy` can use a `neo4j` connection to dynamically resolve SIDs using BloodHound's database. For this, install the `neo4j` dependency using:
67-
68-
```
69-
uv pip install --group bloodhound
70-
```
93+
Secondly, `regcertipy` can use a `neo4j` connection to dynamically resolve SIDs using BloodHound's database. This, combined with the `--use-owned-sids` command can help you find vulnerable templates exploitable by objects marked as owned in BloodHound.
7194

7295
## Development
73-
Note that we use the [Black code formatter](https://black.readthedocs.io/en/stable/)
74-
for code formatting. Moreover, we use the Git Flow branching model, meaning
75-
that we actively develop on the "develop" branch, and merge to the "main"
76-
branch (& tag it) when a new release is made, making the "main" branch the
77-
production branch.
96+
97+
Note that we use the [Black code formatter](https://black.readthedocs.io/en/stable/) for code formatting. Moreover, we use the Git Flow branching model, meaning that we actively develop on the "develop" branch, and merge to the "main" branch (& tag it) when a new release is made, making the "main" branch the production branch.
7898

7999
```
80100
$ uv sync --dev # Also installs the Black code formatter.
@@ -117,5 +137,4 @@ BloodHound:
117137
--use-owned-sids Use the SIDs of all owned principals as the user SIDs
118138
```
119139

120-
You can also run the `__init__.py` or `__main.py__` Python file in your
121-
favourite debugger.
140+
You can also run the `__init__.py` or `__main.py__` Python file in your favourite debugger.

pyproject.toml

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[project]
22
name = "regcertipy"
3-
version = "1.0.0"
3+
version = "1.1.0"
44
description = """
55
Parses cached certificate templates from a Windows Registry file and \
66
displays them in the same style as Certipy does.
@@ -13,6 +13,7 @@ authors = [
1313
requires-python = ">=3.12"
1414
dependencies = [
1515
"certipy-ad==5.0.3",
16+
"neo4j>=5.28.1",
1617
]
1718

1819
[project.scripts]
@@ -26,6 +27,3 @@ build-backend = "hatchling.build"
2627
dev = [
2728
"black>=25.1.0",
2829
]
29-
bloodhound = [
30-
"neo4j",
31-
]

0 commit comments

Comments
 (0)