|
1 | 1 | # regcertipy |
2 | | -Parses cached certificate templates from a Windows Registry `.reg` file and |
3 | | -displays them in the same style as |
4 | | -[Certipy](https://github.com/ly4k/Certipy) does. |
| 2 | + |
| 3 | +Parses cached certificate templates from a Windows Registry `.reg` file and displays them in the same style as [Certipy](https://github.com/ly4k/Certipy) does. |
5 | 4 |
|
6 | 5 | ## Getting started |
7 | | -We prefer using the [uv package manager](https://docs.astral.sh/uv/), as it |
8 | | -will automatically create a virtual environment for you. Alternatively, you |
9 | | -can use `pip install regcertipy` within any other Python environment that |
10 | | -you manage. |
| 6 | + |
| 7 | +We prefer using the [uv package manager](https://docs.astral.sh/uv/), as it will automatically create a virtual environment for you. Alternatively, you can use `pip install regcertipy` within any other Python environment that you manage. |
11 | 8 |
|
12 | 9 | ``` |
13 | 10 | $ uv venv |
@@ -51,30 +48,53 @@ BloodHound: |
51 | 48 | --use-owned-sids Use the SIDs of all owned principals as the user SIDs |
52 | 49 | ``` |
53 | 50 |
|
54 | | -Use regedit.exe to export the keys under |
55 | | -`HKEY_USERS\.DEFAULT\Software\ Microsoft\Cryptography\CertificateTemplateCache\`. |
56 | | -Then, the .reg file can be fed into regcertipy with: regcertipy <regfile>. |
| 51 | +Use regedit.exe to export the keys under `HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\`. Then, the .reg file can be fed into regcertipy with: regcertipy <regfile>. |
57 | 52 |
|
58 | 53 |  |
59 | 54 |
|
| 55 | +Alternatively, it is possible to parse output the Outflank C2 `reg query` command by specifying the `-f reg_bof` flag. This parses the following (truncated) output. |
| 56 | + |
| 57 | +``` |
| 58 | +[01/01/1970 12:34:56 PM] (finished) Outflank > reg query -r HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache |
| 59 | +
|
| 60 | +Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache |
| 61 | +
|
| 62 | +Reg Value: TimestampAfter |
| 63 | +Reg Type: REG_BINARY |
| 64 | +Reg Data: 86F63B1D13E7DB01 |
| 65 | +
|
| 66 | +Reg Value: Timestamp |
| 67 | +Reg Type: REG_BINARY |
| 68 | +Reg Data: 86F63B1D13E7DB01 |
| 69 | +
|
| 70 | +Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\Administrator |
| 71 | +
|
| 72 | +Reg Value: DisplayName |
| 73 | +Reg Type: REG_SZ |
| 74 | +Reg Data: Administrator |
| 75 | +
|
| 76 | +Reg Value: SupportedCSPs |
| 77 | +Reg Type: REG_MULTI_SZ |
| 78 | +Reg Data: Microsoft Enhanced Cryptographic Provider v1.0 Microsoft Base Cryptographic Provider v1.0 |
| 79 | +
|
| 80 | +Reg Value: ExtKeyUsageSyntax |
| 81 | +Reg Type: REG_MULTI_SZ |
| 82 | +Reg Data: 1.3.6.1.4.1.311.10.3.1 1.3.6.1.4.1.311.10.3.4 1.3.6.1.5.5.7.3.4 1.3.6.1.5.5.7.3.2 |
| 83 | +
|
| 84 | +[...] |
| 85 | +``` |
| 86 | + |
60 | 87 | ### SIDs |
61 | 88 |
|
62 | 89 | Because `regcertipy` is intended for offline usage, SIDs cannot be dynamically resolved. Therefore, `regcertipy` includes a couple of options that can be used for offline SID information. |
63 | 90 |
|
64 | 91 | Firstly, the `--sid-file` flag can be used to provide a list of SIDs that the user is a member of. This list can be obtained from BloodHound or other tools. |
65 | 92 |
|
66 | | -Secondly, `regcertipy` can use a `neo4j` connection to dynamically resolve SIDs using BloodHound's database. For this, install the `neo4j` dependency using: |
67 | | - |
68 | | -``` |
69 | | -uv pip install --group bloodhound |
70 | | -``` |
| 93 | +Secondly, `regcertipy` can use a `neo4j` connection to dynamically resolve SIDs using BloodHound's database. This, combined with the `--use-owned-sids` command can help you find vulnerable templates exploitable by objects marked as owned in BloodHound. |
71 | 94 |
|
72 | 95 | ## Development |
73 | | -Note that we use the [Black code formatter](https://black.readthedocs.io/en/stable/) |
74 | | -for code formatting. Moreover, we use the Git Flow branching model, meaning |
75 | | -that we actively develop on the "develop" branch, and merge to the "main" |
76 | | -branch (& tag it) when a new release is made, making the "main" branch the |
77 | | -production branch. |
| 96 | + |
| 97 | +Note that we use the [Black code formatter](https://black.readthedocs.io/en/stable/) for code formatting. Moreover, we use the Git Flow branching model, meaning that we actively develop on the "develop" branch, and merge to the "main" branch (& tag it) when a new release is made, making the "main" branch the production branch. |
78 | 98 |
|
79 | 99 | ``` |
80 | 100 | $ uv sync --dev # Also installs the Black code formatter. |
@@ -117,5 +137,4 @@ BloodHound: |
117 | 137 | --use-owned-sids Use the SIDs of all owned principals as the user SIDs |
118 | 138 | ``` |
119 | 139 |
|
120 | | -You can also run the `__init__.py` or `__main.py__` Python file in your |
121 | | -favourite debugger. |
| 140 | +You can also run the `__init__.py` or `__main.py__` Python file in your favourite debugger. |
0 commit comments