
Added the certifried module #1148

Open
E1A wants to merge 2 commits into Pennyw0rth:main from E1A:pr-certifried

Conversation

E1A (Contributor) commented Mar 12, 2026

Description

This PR adds an LDAP module to check whether the DC and CA show signs of being vulnerable to Certifried (CVE-2022-26923).

It does the following:

  • Enumerates CAs and published templates with Certipy
  • Requests a client-auth certificate from the CA
  • Checks whether the issued certificate contains the post-May-2022 SID security extension
  • If the certificate is SID-less, attempts an LDAPS Schannel bind with that certificate against the DC

The module reports three outcomes:

  • CA-side hardening present: issued cert includes the SID extension
  • Possibly vulnerable to Certifried: SID-less user cert accepted over Schannel
  • SID-less cert was rejected over Schannel

For machine accounts, the module checks the LDAP object type, prefers the Machine template and fails if the account has no dNSHostName.

What this module proves (not a 100% guarantee if the vuln is present):

  • Whether the CA issues a SID-less client-auth certificate
  • Whether the DC accepts that SID-less certificate over LDAPS Schannel

No new third-party dependency update is required.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

Tested locally with Python 3.11.2 on Debian WSL
Reviewer requirements:

  • An AD environment with a CA
  • LDAPS enabled on the DC if the Schannel part is tested

Module options:

  • CA: restrict checks to a specific CA name
  • PASSIVE_TEMPLATE: force a specific template for the CA/DC probe
  • TIMEOUT: timeout in seconds for Certipy operations

Review command:

  • netexec ldap $dc_ip -u $user -p $password -M certifried

Validation performed:

Vulnerable environment (ludus):
Domain user

  • User template issued a SID-less cert
  • Schannel accepted the certificate
  • The module reported that the system could be vulnerable

Machine account without a dNSHostName (default when it's created using the add-computer module):

  • The module preferred the Machine template
  • The module failed cleanly with "Machine cert probe failed, machine account has no dNSHostName"

Machine account with a dNSHostName:

  • Machine template issued a SID-less cert
  • Schannel accepted the certificate
  • The module reported that the system could be vulnerable

Patched environment (ludus):
Domain user

  • User template issued a cert with the SID extension present
  • Schannel was skipped
  • The module reported that CA-side hardening is present

Machine account without a dNSHostName (default when it's created using the add-computer module):

  • The module preferred the Machine template
  • The module failed cleanly with "Machine cert probe failed, machine account has no dNSHostName"

Machine account with a dNSHostName:

  • Machine template issued a cert with the SID extension present
  • Schannel was skipped
  • The module reported that the CA is patched

TryHackMe CVE-2022-26923 room (https://tryhackme.com/room/cve202226923)
Domain user

  • User template issued a SID-less cert
  • Schannel accepted the certificate
  • The module reported that the system could be vulnerable

lmk if I need to provide my ludus config ranges files :D

Screenshots (if appropriate):

Unpatched

  • Domain user: [screenshot: domuser-unpatched]
  • Machine accounts: [screenshot: machine-accounts-unpatched]

Patched

  • Domain user: [screenshot: domuser-patched]
  • Machine accounts: [screenshot: machine-accounts-patched]

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

NeffIsBack (Member) commented:

Thanks for the PR, definitely looks cool!
