add kerberos support for -web

certipy/commands/req.py

@@ -34,6 +34,7 @@
     rsa,
     x509,
 )
+from certipy.lib.kerberos import HttpxImpacketKerberosAuth
 from certipy.lib.errors import translate_error_code
 from certipy.lib.formatting import print_certificate_identifications
 from certipy.lib.logger import logging
@@ -447,23 +448,19 @@ def session(self) -> httpx.Client:
         if self._session is not None:
             return self._session
 
+        # Create a session with httpx
         if self.target.do_kerberos:
-            raise Exception(
-                "Kerberos authentication is currently not supported with Web Enrollment"
-            )
+            session = httpx.Client(auth=HttpxImpacketKerberosAuth(self.target), timeout=self.target.timeout, verify=False)
+        else:
+            password = self.target.password
+            if self.target.nthash:
+                password = "%s:%s" % (self.target.nthash, self.target.nthash)
 
+            principal = "%s\\%s" % (self.target.domain, self.target.username)
+            session = httpx.Client(auth=HttpNtlmAuth(principal, password), timeout=self.target.timeout, verify=False)
+
         scheme = self.parent.scheme
         port = self.parent.port
-
-        password = self.target.password
-        if self.target.nthash:
-            password = "%s:%s" % (self.target.nthash, self.target.nthash)
-
-        principal = "%s\\%s" % (self.target.domain, self.target.username)
-
-        # Create a session with httpx
-        session = httpx.Client(auth=HttpNtlmAuth(principal, password), timeout=self.target.timeout, verify=False)
-
         base_url = "%s://%s:%i" % (scheme, self.target.target_ip, port)
         logging.info("Checking for Web Enrollment on %s" % repr(base_url))
 

certipy/lib/kerberos.py

@@ -1,3 +1,4 @@
+import base64
 import datetime
 import os
 from typing import Tuple
@@ -11,6 +12,7 @@
 from impacket.spnego import SPNEGO_NegTokenInit, TypesMech
 from pyasn1.codec.ber import decoder, encoder
 from pyasn1.type.univ import noValue
+import httpx
 
 from certipy.lib.logger import logging
 from certipy.lib.target import Target
@@ -251,7 +253,7 @@ def get_kerberos_type1(
     authenticator["crealm"] = domain
     seq_set(authenticator, "cname", principal.components_to_asn1)
     now = datetime.datetime.utcnow()
-
+    
     authenticator["cusec"] = now.microsecond
     authenticator["ctime"] = KerberosTime.to_asn1(now)
 
@@ -268,3 +270,21 @@ def get_kerberos_type1(
     blob["MechToken"] = encoder.encode(ap_req)
 
     return cipher, session_key, blob.getData(), username
+
+class HttpxImpacketKerberosAuth(httpx.Auth):
+    def __init__(self, target, service="HTTP"):
+        """
+        :param target: the Target object
+        :param service: the service to use for authentication
+        """
+        self.target = target
+        self.service = service
+
+    def auth_flow(self, request: httpx.Request):
+        _, _, spnego_blob, _ = get_kerberos_type1(self.target, self.target.remote_name, self.service)
+
+        auth_header = "Negotiate " + base64.b64encode(spnego_blob).decode()
+        request.headers["Authorization"] = auth_header
+
+        # Yield the modified request to be sent.
+        yield request