├── .gitattributes
├── Dockerfile
├── Readme.md
└── proxychains4.conf

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Dockerfile
FROM python:3.10.4-slim-buster
RUN pip install --upgrade pip
RUN pip install certipy-ad
RUN apt update && apt install git -y
RUN apt-get install -y proxychains4
COPY proxychains4.conf /etc/proxychains4.conf
RUN pip3 install git+https://github.com/ly4k/ldap3
WORKDIR /tmp

--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
# Docker Version of Certipy

Runs with Python 3.10.4

## Build

```bash
sudo docker build -t certipy:latest .
```

## Run

```bash
sudo docker run -it -v $(pwd):/tmp certipy:latest certipy find -u 'user' -p 'password' -dc-ip 10.10.208.229
```

## Pass Hostname to Container

```bash
sudo docker run -it -v $(pwd):/tmp --add-host=DC:10.10.90.78 certipy:latest certipy req -u 'user@domain.loc' -p "Password" -dc-ip 10.10.90.78 -target 'DC' -ca 'domain-DC-CA' -template 'RetroClients' -upn 'Administrator@domain.loc' -key-size 4096
```

## Use LDAPS and LDAP Channel Binding

```bash
sudo docker run -it -v $(pwd):/tmp certipy:latest certipy find -u 'user' -p 'password' -scheme ldaps -ldap-channel-binding
```

## Use socks5 proxy via proxychains

```bash
sudo docker run -it --network="host" -v $(pwd):/tmp certipy:latest proxychains4 -q certipy find -u 'user' -p 'pass' -dc-ip 10.10.173.69
```
--------------------------------------------------------------------------------
/proxychains4.conf:
--------------------------------------------------------------------------------
# proxychains.conf VER 4.x
#
# HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS.


# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at a time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#round_robin_chain
#
# Round Robin - Each connection will be done via chained proxies
# of chain_len length
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped).
# the start of the current proxy chain is the proxy after the last
# proxy in the previously invoked proxy chain.
# if the end of the proxy chain is reached while looking for proxies
# start at the beginning again.
# otherwise EINTR is returned to the app
# These semantics are not guaranteed in a multithreaded environment.
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

# Makes sense only if random_chain or round_robin_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

## Proxy DNS requests - no leak for DNS data
# (disable all of the 3 items below to not proxy your DNS requests)

# method 1. this uses the proxychains4 style method to do remote dns:
# a thread is spawned that serves DNS requests and hands down an ip
# assigned from an internal list (via remote_dns_subnet).
# this is the easiest (setup-wise) and fastest method, however on
# systems with buggy libcs and very complex software like web browsers
# this might not work and/or cause crashes.
proxy_dns

# method 2. use the old proxyresolv script to proxy DNS requests
# in proxychains 3.1 style. requires `proxyresolv` in $PATH
# plus a dynamically linked `dig` binary.
# this is a lot slower than `proxy_dns`, doesn't support .onion URLs,
# but might be more compatible with complex software like web browsers.
#proxy_dns_old

# method 3. use proxychains4-daemon process to serve remote DNS requests.
# this is similar to the threaded `proxy_dns` method, however it requires
# that proxychains4-daemon is already running on the specified address.
# on the plus side it doesn't do malloc/threads so it should be quite
# compatible with complex, async-unsafe software.
# note that if you don't start proxychains4-daemon before using this,
# the process will simply hang.
#proxy_dns_daemon 127.0.0.1:1053

# set the class A subnet number to use for the internal remote DNS mapping
# we use the reserved 224.x.x.x range by default,
# if the proxified app does a DNS request, we will return an IP from that range.
# on further accesses to this ip we will send the saved DNS name to the proxy.
# in case some control-freak app checks the returned ip, and denies to
# connect, you can use another subnet, e.g. 10.x.x.x or 127.x.x.x.
# of course you should make sure that the proxified app does not need
# *real* access to this subnet.
# i.e. don't use the same subnet as in the localnet section
#remote_dns_subnet 127
#remote_dns_subnet 10
remote_dns_subnet 224

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

### Examples for localnet exclusion
## localnet ranges will *not* use a proxy to connect.
## note that localnet works only when plain IP addresses are passed to the app,
## the hostname resolves via /etc/hosts, or proxy_dns is disabled or proxy_dns_old used.

## Exclude connections to 192.168.1.0/24 with port 80
# localnet 192.168.1.0:80/255.255.255.0

## Exclude connections to 192.168.100.0/24
# localnet 192.168.100.0/255.255.255.0

## Exclude connections to ANYwhere with port 80
# localnet 0.0.0.0:80/0.0.0.0
# localnet [::]:80/0

## RFC6890 Loopback address range
## if you enable this, you have to make sure remote_dns_subnet is not 127
## you'll need to enable it if you want to use an application that
## connects to localhost.
# localnet 127.0.0.0/255.0.0.0
# localnet ::1/128

## RFC1918 Private Address Ranges
# localnet 10.0.0.0/255.0.0.0
# localnet 172.16.0.0/255.240.0.0
# localnet 192.168.0.0/255.255.0.0

### Examples for dnat
## Trying to proxy connections to destinations which are dnatted,
## will result in proxying connections to the new given destinations.
## Whenever I connect to 1.1.1.1 on port 1234 actually connect to 1.1.1.2 on port 443
# dnat 1.1.1.1:1234 1.1.1.2:443

## Whenever I connect to 1.1.1.1 on port 443 actually connect to 1.1.1.2 on port 443
## (no need to write :443 again)
# dnat 1.1.1.2:443 1.1.1.2

## No matter what port I connect to on 1.1.1.1 port actually connect to 1.1.1.2 on port 443
# dnat 1.1.1.1 1.1.1.2:443

## Always, instead of connecting to 1.1.1.1, connect to 1.1.1.2
# dnat 1.1.1.1 1.1.1.2

# ProxyList format
# type ip port [user pass]
# (values separated by 'tab' or 'blank')
#
# only numeric ipv4 addresses are valid
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5, raw
# * raw: The traffic is simply forwarded to the proxy without modification.
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 1080

--------------------------------------------------------------------------------
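
An added example, not part of this repository: a small Python check that reads a proxychains4.conf like the one above and reports the effective settings, flagging the pitfalls its comments describe (several chain modes enabled, DNS not proxied, a localnet range overlapping remote_dns_subnet, a non-numeric proxy address). The names `audit` and `SAMPLE` and the warning texts are hypothetical; it assumes comments are whole lines starting with `#` and only checks IPv4 localnet entries.

```python
import ipaddress

CHAIN_MODES = ("dynamic_chain", "strict_chain", "round_robin_chain", "random_chain")
DNS_MODES = ("proxy_dns", "proxy_dns_old", "proxy_dns_daemon")

# Constructed sample: as above, but with subnet 127 and loopback localnet enabled.
SAMPLE = """\
strict_chain
proxy_dns
remote_dns_subnet 127
localnet 127.0.0.0/255.0.0.0
[ProxyList]
socks5 127.0.0.1 1080
"""

def audit(text):
    """Return (effective settings, warnings) for proxychains4.conf text."""
    chains, dns, localnets, proxies, warns = [], [], [], [], []
    subnet, in_list = 224, False          # 224 is the default named in the config
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):   # assumption: whole-line comments only
            continue
        f = line.split()
        if line == "[ProxyList]":
            in_list = True
        elif in_list:
            proxies.append(f)
        elif f[0] in CHAIN_MODES:
            chains.append(f[0])
        elif f[0] in DNS_MODES:
            dns.append(f[0])
        elif f[0] == "remote_dns_subnet" and len(f) > 1:
            subnet = int(f[1])
        elif f[0] == "localnet" and len(f) > 1 and "." in f[1]:   # IPv4 entries only
            addr, _, mask = f[1].partition("/")
            localnets.append(ipaddress.ip_network(addr.split(":")[0] + "/" + mask, strict=False))
    if len(chains) > 1:
        warns.append("several chain modes enabled; last one wins: " + chains[-1])
    if not dns:
        warns.append("no proxy_dns option enabled; DNS requests are not proxied")
    fake = ipaddress.ip_network("%d.0.0.0/8" % subnet)   # range used for mapped names
    warns += ["localnet %s overlaps remote_dns_subnet %d" % (n, subnet)
              for n in localnets if n.overlaps(fake)]
    for p in proxies:
        try:
            ipaddress.IPv4Address(p[1])
        except (IndexError, ValueError):
            warns.append("proxy address must be numeric IPv4: " + " ".join(p))
    return {"chain": chains[-1] if chains else None, "dns": dns,
            "remote_dns_subnet": subnet, "proxies": proxies}, warns
```

Calling `audit(open("proxychains4.conf").read())` before building the image shows which options are actually active in the file that gets copied to /etc/proxychains4.conf.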