Parses cached certificate templates from a Windows Registry file and displays them in the same style as Certipy does
outflanknl/regcertipy
Parses cached certificate templates from a Windows Registry `.reg` file and displays them in the same style as Certipy does.

We prefer using the `uv` package manager, as it will automatically create a virtual environment for you. Alternatively, you can use `pip install regcertipy` within any other Python environment that you manage.
```
$ uv venv
$ source .venv/bin/activate
$ uv pip install regcertipy
$ regcertipy -h
usage: regcertipy [-h] [-s SID_FILE] [-f {.reg,reg_bof}] [-text] [-stdout] [-json] [-csv] [-output prefix]
                  [--neo4j-user NEO4J_USER] [--neo4j-pass NEO4J_PASS] [--neo4j-host NEO4J_HOST]
                  [--neo4j-port NEO4J_PORT] [--use-owned-sids]
                  regfile

Regfile ingestor for Certipy

positional arguments:
  regfile               Path to the .reg file.

options:
  -h, --help            show this help message and exit
  -s SID_FILE, --sid-file SID_FILE
                        File containing the user's SIDs
  -f {.reg,reg_bof}, --input-format {.reg,reg_bof}
                        Format of input file

output options:
  -text                 Output result as formatted text file
  -stdout               Output result as text directly to console
  -json                 Output result as JSON
  -csv                  Output result as CSV
  -output prefix        Filename prefix for writing results to

BloodHound:
  --neo4j-user NEO4J_USER
                        Username for neo4j
  --neo4j-pass NEO4J_PASS
                        Password for neo4j
  --neo4j-host NEO4J_HOST
                        Host for neo4j
  --neo4j-port NEO4J_PORT
                        Port for neo4j
  --use-owned-sids      Use the SIDs of all owned principals as the user SIDs
```

Use `regedit.exe` to export the keys under `HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\`. Then feed the exported `.reg` file to regcertipy as its positional `regfile` argument (`regcertipy` followed by the path to the `.reg` file).
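As an added example (not regcertipy's own code), the following parser reads the `.reg` export produced by the regedit step above. It handles the parts of the regedit format that the certificate template cache actually uses: `[key]` sections, quoted `REG_SZ` values, `hex:` binary blobs such as the 8-byte `Timestamp` FILETIME, and `hex(7):` multi-strings (UTF-16LE, NUL-separated, double-NUL terminated) with regedit's trailing-backslash line continuations. The `SAMPLE_REG` text is constructed for the example, modelled on the values shown elsewhere on this page; `load_reg_file` assumes the export is the UTF-16LE-with-BOM file that `regedit.exe` writes.

```python
import re
from datetime import datetime, timedelta, timezone

CACHE_ROOT = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache"

# Constructed sample in regedit's export format (not a real export). The
# hex(7) payload encodes the two strings "1.3.6.1.5.5.7.3.2" and
# "1.3.6.1.5.5.7.3.4" as UTF-16LE, each NUL-terminated, plus a final NUL.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache]
"Timestamp"=hex:86,f6,3b,1d,13,e7,db,01

[HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\Administrator]
"DisplayName"="Administrator"
"ExtKeyUsageSyntax"=hex(7):31,00,2e,00,33,00,2e,00,36,00,2e,00,31,00,2e,00,35,00,\
  2e,00,35,00,2e,00,37,00,2e,00,33,00,2e,00,32,00,00,00,31,00,2e,00,33,00,2e,00,\
  36,00,2e,00,31,00,2e,00,35,00,2e,00,35,00,2e,00,37,00,2e,00,33,00,2e,00,34,00,\
  00,00,00,00
"""

# "Name"=value, where Name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _logical_lines(text):
    """Yield lines with regedit's trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _decode_hex_payload(kind, payload):
    data = bytes.fromhex(payload.replace(",", ""))
    if kind == "hex(7)":                      # REG_MULTI_SZ
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind in ("hex(1)", "hex(2)"):          # REG_SZ / REG_EXPAND_SZ written as hex
        return data.decode("utf-16-le").rstrip("\x00")
    return data                               # hex: (REG_BINARY) and anything else


def _decode_value(token):
    if token.startswith('"') and token.endswith('"'):
        return re.sub(r"\\(.)", r"\1", token[1:-1])   # unescape \" and \\
    if token.startswith("dword:"):
        return int(token[len("dword:"):], 16)
    kind, _, payload = token.partition(":")
    return _decode_hex_payload(kind, payload)


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for every [key] section."""
    keys = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value before any [key] section: {line!r}")
        if line.startswith("@="):                 # the key's default value
            keys[current]["@"] = _decode_value(line[2:])
            continue
        m = VALUE_RE.match(line)
        if m is None:
            raise ValueError(f"unexpected line in .reg export: {line!r}")
        keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def load_reg_file(path):
    # regedit.exe writes UTF-16LE with a BOM; the "utf-16" codec honours the BOM.
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


def filetime_to_datetime(raw):
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def split_cache(keys):
    """Separate the cache root (timestamps) from the per-template subkeys."""
    prefix = CACHE_ROOT + "\\"
    templates = {p[len(prefix):]: v for p, v in keys.items() if p.startswith(prefix)}
    return keys.get(CACHE_ROOT, {}), templates


if __name__ == "__main__":
    root, templates = split_cache(parse_reg_export(SAMPLE_REG))
    print("cache written:", filetime_to_datetime(root["Timestamp"]).isoformat())
    for name, values in templates.items():
        print(f"{values.get('DisplayName', name)}: EKU={values.get('ExtKeyUsageSyntax')}")
```

Because the `.reg` format keeps each multi-string element NUL-terminated, `ExtKeyUsageSyntax` comes back as a real list here; this is the main advantage of the regedit export over a flattened text dump.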
Alternatively, it is possible to parse the output of the Outflank C2 `reg query` command by specifying the `-f reg_bof` flag. This parses the following (truncated) output.
```
[01/01/1970 12:34:56 PM] (finished) Outflank > reg query -r HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache
Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache
Reg Value: TimestampAfter
Reg Type: REG_BINARY
Reg Data: 86F63B1D13E7DB01
Reg Value: Timestamp
Reg Type: REG_BINARY
Reg Data: 86F63B1D13E7DB01
Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\Administrator
Reg Value: DisplayName
Reg Type: REG_SZ
Reg Data: Administrator
Reg Value: SupportedCSPs
Reg Type: REG_MULTI_SZ
Reg Data: Microsoft Enhanced Cryptographic Provider v1.0 Microsoft Base Cryptographic Provider v1.0
Reg Value: ExtKeyUsageSyntax
Reg Type: REG_MULTI_SZ
Reg Data: 1.3.6.1.4.1.311.10.3.1 1.3.6.1.4.1.311.10.3.4 1.3.6.1.5.5.7.3.4 1.3.6.1.5.5.7.3.2
[...]
```

Because regcertipy is intended for offline usage, SIDs cannot be dynamically resolved. Therefore, regcertipy includes a couple of options that can be used for offline SID information.
Firstly, the `--sid-file` flag can be used to provide a list of SIDs that the user is a member of. This list can be obtained from BloodHound or other tools.

Secondly, regcertipy can use a neo4j connection to dynamically resolve SIDs using BloodHound's database. This, combined with the `--use-owned-sids` flag, can help you find vulnerable templates exploitable by objects marked as owned in BloodHound.
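As an added example (not regcertipy's own parser), here is a minimal reader for the flattened `reg query -r` output shown above (the `reg_bof` format), followed by a Certipy-style summary. It assumes the format shown on this page: every value is reported as a `Reg Value` / `Reg Type` / `Reg Data` triple belonging to the most recent `Reg Key` line, and everything else (the C2 prompt line, blank lines) can be ignored. The `SAMPLE_REG_BOF` text is constructed for the example, and the `EKU_NAMES` table is this example's own lookup, not a list taken from regcertipy or Certipy.

```python
import re
from datetime import datetime, timedelta, timezone

CACHE_ROOT = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache"

# Constructed sample, modelled on the truncated reg_bof output above (not a real capture).
SAMPLE_REG_BOF = r"""[01/01/1970 12:34:56 PM] (finished) Outflank > reg query -r HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache
Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache
Reg Value: Timestamp
Reg Type: REG_BINARY
Reg Data: 86F63B1D13E7DB01
Reg Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\Administrator
Reg Value: DisplayName
Reg Type: REG_SZ
Reg Data: Administrator
Reg Value: SupportedCSPs
Reg Type: REG_MULTI_SZ
Reg Data: Microsoft Enhanced Cryptographic Provider v1.0 Microsoft Base Cryptographic Provider v1.0
Reg Value: ExtKeyUsageSyntax
Reg Type: REG_MULTI_SZ
Reg Data: 1.3.6.1.4.1.311.10.3.1 1.3.6.1.4.1.311.10.3.4 1.3.6.1.5.5.7.3.4 1.3.6.1.5.5.7.3.2
"""

# Friendly names for the EKU OIDs on this page plus a few common AD CS ones
# (this example's own table). Unknown OIDs are printed verbatim.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
    "1.3.6.1.4.1.311.10.3.1": "Microsoft Trust List Signing",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.4.1.311.20.2.1": "Certificate Request Agent",
    "2.5.29.37.0": "Any Purpose",
}
OID_RE = re.compile(r"\d+(?:\.\d+)+")


def decode_value(reg_type, data):
    if reg_type == "REG_BINARY":
        return bytes.fromhex(data)
    # The flattened output does not mark REG_MULTI_SZ element boundaries, so
    # strings that themselves contain spaces (the CSP names above) cannot be
    # split reliably; keep the raw text and let callers extract what they need.
    return data


def parse_reg_bof(text):
    """Return {key_path: {value_name: decoded_value}} for every Reg Key in the dump."""
    keys, current, name, reg_type = {}, None, None, None
    for line in text.splitlines():
        if line.startswith("Reg Key: "):
            current = line[len("Reg Key: "):].strip()
            keys.setdefault(current, {})
        elif line.startswith("Reg Value: "):
            name = line[len("Reg Value: "):].strip()
        elif line.startswith("Reg Type: "):
            reg_type = line[len("Reg Type: "):].strip()
        elif line.startswith("Reg Data: "):
            if current is None or name is None or reg_type is None:
                raise ValueError(f"Reg Data without preceding key/value/type: {line!r}")
            keys[current][name] = decode_value(reg_type, line[len("Reg Data: "):].strip())
            name = reg_type = None
        # the C2 prompt line and blank lines are ignored
    return keys


def split_cache(keys):
    """Separate the cache root (timestamps) from the per-template subkeys."""
    prefix = CACHE_ROOT + "\\"
    templates = {p[len(prefix):]: v for p, v in keys.items() if p.startswith(prefix)}
    return keys.get(CACHE_ROOT, {}), templates


def filetime_to_datetime(raw):
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def ekus(values):
    """OIDs are space-free, so they can be pulled out of the raw multi-string safely."""
    return [EKU_NAMES.get(oid, oid) for oid in OID_RE.findall(str(values.get("ExtKeyUsageSyntax", "")))]


def client_auth_capable(values):
    # Only one of the conditions Certipy evaluates; enrollment rights and the
    # subject-name flags are not in this sample, so this is not an ESC verdict.
    return "Client Authentication" in ekus(values)


def render(text):
    """Certipy-style text summary of a reg_bof dump."""
    root, templates = split_cache(parse_reg_bof(text))
    lines = []
    if "Timestamp" in root:
        lines.append(f"Cache timestamp     : {filetime_to_datetime(root['Timestamp']).isoformat()}")
    for name, values in templates.items():
        lines.append(f"Template Name       : {values.get('DisplayName', name)}")
        lines.append(f"Extended Key Usage  : {', '.join(ekus(values))}")
        lines.append(f"Client Auth EKU     : {client_auth_capable(values)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_REG_BOF))
```

The timestamp decoding is worth keeping in any offline workflow: the `Timestamp` value tells you when the host last refreshed its template cache, so findings from a stale cache may no longer reflect the templates published on the CA.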
Note that we use the Black code formatter for code formatting. Moreover, we use the Git Flow branching model, meaning that we actively develop on the "develop" branch, and merge to the "main" branch (& tag it) when a new release is made, making the "main" branch the production branch.
```
$ uv sync --dev    # Also installs the Black code formatter.
$ uv run black .   # To format the current code base.
$ uv run regcertipy -h
usage: regcertipy [-h] [-s SID_FILE] [-f {.reg,reg_bof}] [-text] [-stdout] [-json] [-csv] [-output prefix]
                  [--neo4j-user NEO4J_USER] [--neo4j-pass NEO4J_PASS] [--neo4j-host NEO4J_HOST]
                  [--neo4j-port NEO4J_PORT] [--use-owned-sids]
                  regfile

Regfile ingestor for Certipy

positional arguments:
  regfile               Path to the .reg file.

options:
  -h, --help            show this help message and exit
  -s SID_FILE, --sid-file SID_FILE
                        File containing the user's SIDs
  -f {.reg,reg_bof}, --input-format {.reg,reg_bof}
                        Format of input file

output options:
  -text                 Output result as formatted text file
  -stdout               Output result as text directly to console
  -json                 Output result as JSON
  -csv                  Output result as CSV
  -output prefix        Filename prefix for writing results to

BloodHound:
  --neo4j-user NEO4J_USER
                        Username for neo4j
  --neo4j-pass NEO4J_PASS
                        Password for neo4j
  --neo4j-host NEO4J_HOST
                        Host for neo4j
  --neo4j-port NEO4J_PORT
                        Port for neo4j
  --use-owned-sids      Use the SIDs of all owned principals as the user SIDs
```

You can also run the `__init__.py` or `__main__.py` Python file in your favourite debugger.