Archive for the ‘Tool’ Category

NDES/SCEP Windows Test Tool

March 20th, 2014

Deploying the Network Device Enrollment Service (NDES) component, part of Active Directory Certificate Services (ADCS), is a fairly easy task.

Once the installation is completed, we need to test and verify that the system is working properly, but there are no tools available to perform such a test. The only option for many administrators is to perform a real deployment using a device that supports SCEP and wait for the results.

After doing some research I found many tools that could perform SCEP operations, but almost none of them was designed to perform a complete SCEP operation in Windows.

I managed to build a toolbox that works in Windows to test and verify an NDES/SCEP deployment. The toolbox is a combination of OpenSSL and sscep from The CertNanny Project.

  SCEP Toolbox download:(1.2 MiB, 4,931)

Once you have downloaded the toolbox and extracted the files, follow the steps below to verify your NDES/SCEP deployment:

  1. Get a new SCEP Challenge Password from your SCEP/NDES server

    Direct your browser to

  2. Generate a certificate request providing a Common Name and the Challenge Password when prompted by openssl

    openssl.exe req -config scep.cnf -new -key priv.key -out test.csr

  3. Retrieve the CA and RA certificates from your SCEP/NDES server

    sscep.exe getca -u -c ca.crt

    Note: The getca operation will download the RA and CA certificates and save each cert in a file prefixed with a number: ca.crt-0, ca.crt-1, ca.crt-2

  4. Enroll a new certificate and make sure to specify the correct RA (-c flag) & CA (-e flag) certificates

    sscep.exe enroll -u -k priv.key -r test.csr -l test.crt -c ca.crt-0 -e ca.crt-1

    Note: The requested certificate is stored in the test.crt file
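To see which of the numbered files from step 3 is the CA certificate and which are RA certificates, and to confirm that test.crt names that CA as its issuer, the files can be inspected from PowerShell. This is an added example, not part of the original toolbox; the function names are hypothetical and the file names are the ones used in the steps above.

```powershell
# Added example; function names are hypothetical, file names come from the steps above.
function Get-ScepCertRole {
    param([string]$Pattern = '.\ca.crt-*')
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    foreach ($file in Get-ChildItem -Path $Pattern) {
        # Full path is required: .NET does not follow PowerShell's current location.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        $bc = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $ku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $usage = if ($ku) { $ku.KeyUsages } else { $flags::None }
        # CA certificates assert CA=TRUE; RA certificates are told apart by key usage.
        if ($bc -and $bc.CertificateAuthority) { $role = 'CA'
        } elseif ($usage -band $flags::KeyEncipherment) { $role = 'RA (encryption)'
        } elseif ($usage -band $flags::DigitalSignature) { $role = 'RA (signing)'
        } else { $role = 'Unknown' }
        [pscustomobject]@{
            File = $file.Name; Role = $role; KeyUsage = $usage
            Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter
        }
    }
}

function Test-ScepIssuedCert {
    param([string]$CertPath = '.\test.crt', [string]$Pattern = '.\ca.crt-*')
    $path   = (Resolve-Path -Path $CertPath).Path
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    # Name comparison only; this does not verify the signature or build a chain.
    $ca = Get-ScepCertRole -Pattern $Pattern |
        Where-Object { $_.Role -eq 'CA' -and $_.Subject -eq $issued.Issuer }
    [pscustomobject]@{
        Subject = $issued.Subject; Issuer = $issued.Issuer
        NotAfter = $issued.NotAfter; IssuedByDownloadedCA = [bool]$ca
    }
}

# Run from the toolbox directory after steps 3 and 4:
# Get-ScepCertRole | Format-Table File, Role, KeyUsage, Subject
# Test-ScepIssuedCert
```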


Categories: ADCS, certificate, NDES, SCEP, Tool

Certificate Selection & Certificate Friendly Name Tool

November 4th, 2011

The certificate selection user interface in Windows supports filtering logic to provide a simplified user experience when an application presents multiple certificates. But some applications are not designed to use filtering logic (developers are not aware of the functionality…) or use filters that do not efficiently reduce the number of certificates presented to the user, making it almost impossible for a user to know which certificate to choose without opening the certificate and looking at details such as template name, EKU, etc.

This is particularly true when all certificates have been automatically enrolled using the same user DN/CN attribute based on the user's Active Directory user object attributes. In addition, autoenrollment does not support variations in the certificate subject name unless a third-party policy module is installed on Active Directory Certificate Services.

Because the certificate selection UI supports certificate friendly names, setting the friendly name to include information about the certificate template can simplify the user's task of selecting the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the Certificates MMC snap-in. Alternatively, certutil.exe can be used in the following way:

Create a text file containing the following information:

[Version]
Signature = "$Windows NT$"
[Properties]
11 = "{text}My Friendly Name"

Save the file as friendlyname.inf

Determine the serial number of the certificate whose friendly name should be changed.

Run the following command at a command line:
certutil -repairstore -user my {SerialNumber} friendlyname.inf

Setting the friendly name can be automated either by scripting the steps above or by creating a tool that enumerates all certificates in the personal store and assigns the friendly name.

A proof-of-concept tool, CertFN.exe, was created to automate the above. The tool takes the template name as a parameter and uses it to filter the user store; it then sets the friendly name based on the schema “Template Name – Certificate Subject Name”.

  CertFN - Certificate Friendly Name Tool download:(39.3 KiB, 2,084)

  CertFN - Certificate Friendly Name Tool - The Powershell Edition download:(1.1 KiB, 3,725)
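The enumerate-and-assign approach described above can be sketched in PowerShell as follows. This is an added example and not the CertFN download; the function and parameter names are hypothetical, and it assumes an English-language Windows, because the template name is read from the extension's display text.

```powershell
# Added example, not the CertFN tool. Function and parameter names are hypothetical.
function Set-TemplateFriendlyName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$TemplateName,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $v1Oid = '1.3.6.1.4.1.311.20.2'  # Certificate Template Name (version 1 templates)
    $v2Oid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information (version 2 and later)

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $template = $null
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $v2Oid } | Select-Object -First 1
        $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $v1Oid } | Select-Object -First 1
        if ($v2) {
            # Assumption: English display text, "Template=Name(OID), Major Version Number=...".
            # When the OID cannot be resolved to a name, the text is "Template=OID, ...".
            if ($v2.Format($false) -match '^Template=([^(,]+)') { $template = $Matches[1].Trim() }
        } elseif ($v1) {
            $template = $v1.Format($false).Trim()
        }
        # Also skips certificates that carry no template extension at all.
        if ($template -ne $TemplateName) { continue }

        $subject  = $cert.GetNameInfo('SimpleName', $false)
        $friendly = "$template - $subject"
        if ($PSCmdlet.ShouldProcess($cert.Thumbprint, "Set friendly name to '$friendly'")) {
            # The object comes from the store provider, so the property is written to the store.
            $cert.FriendlyName = $friendly
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint; Template = $template; FriendlyName = $friendly
        }
    }
}

# Preview first, then apply, here for a template named "User":
# Set-TemplateFriendlyName -TemplateName 'User' -WhatIf
# Set-TemplateFriendlyName -TemplateName 'User'
```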

Is certutil.exe a hacker tool?

February 23rd, 2009

I was recently involved in a penetration testing activity together with some of my team members at TrueSec and we simply ran into a little issue where we needed to convert some binary files to a more convenient format to be able to transfer them to the target system we were working with. This is normally not a big issue, but this system was a little bit more tightened than what we normally see at customers' sites. We could for instance not use WSH to create a decoding script, as the system required all scripts running to be signed, and when we looked for the debug command it was not there anymore!

So the challenge was to find a tool already built into the Windows platform that could perform any kind of decoding from text to binary. Since Windows 2000 there has been a built-in command-line program called certutil.exe for managing Certificate Services and certificate-related tasks; this nice tool provides a way to encode and decode files using the Base64 schema. As this tool is one of many built-in tools in Windows, the system did not have any issues letting us use it for the purpose of decoding our Base64-encoded text stream that we managed to transfer to the server, and the saga could continue as planned, or should I say as we planned 🙂



Categories: base64, certutil.exe, hacker, injection, Tool
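From the defender's side, the certutil Base64 encode/decode use described in the post above shows up in process-creation command lines. The following is an added example, not part of the original post; the function name and the sample command lines are constructed, and it assumes command-line logging is enabled on the monitored hosts.

```powershell
# Added example; the function name and the sample command lines are constructed.
function Find-CertutilCodecUse {
    param([Parameter(Mandatory = $true)][string[]]$CommandLine)
    # Image name with or without path, quotes and ".exe"; verb prefixed by "-" or "/";
    # option tokens such as -f between the verb and the file names are skipped.
    $token   = '(?:"[^"]+"|\S+)'
    $pattern = '(?:^|[\\/"\s])certutil(?:\.exe)?"?\s(?:.*\s)?[-/](?<verb>decode|encode)' +
               "(?:\s+-\S+)*\s+(?<in>$token)\s+(?<out>$token)"
    foreach ($line in $CommandLine) {
        if ($line -match $pattern) {       # -match is case-insensitive
            [pscustomobject]@{
                Verb        = $Matches['verb'].ToLower()
                InFile      = $Matches['in'].Trim('"')
                OutFile     = $Matches['out'].Trim('"')
                CommandLine = $line
            }
        }
    }
}

# Constructed sample input: two codec invocations and one ordinary certificate task.
$sample = @(
    'C:\Windows\System32\certutil.exe -decode C:\Temp\in.txt C:\Temp\out.bin',
    '"C:\Windows\System32\certutil.exe" /f /encode report.docx report.b64',
    'certutil -repairstore -user my 1234 friendlyname.inf'
)
Find-CertutilCodecUse -CommandLine $sample | Format-Table Verb, InFile, OutFile
```

The match is on the image name in the command line only; where the log source also records the binary's original file name, match on that field as well.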

Download the tool for managing Admin & User PIN/Code on Minidriver-based cards

May 7th, 2008

We have now completed a tool for managing Admin & User PIN/Code on Minidriver-based cards. The tool is released under the GPL and is intended for managing smaller quantities of cards.

Why such a tool? We believe this should have been included in the Base CSP from the start, in the same way as pintool and the corresponding tools in Vista/2008.

You are of course free to redistribute it, and future updates will also be available for download from


scUtil.exe, version 1.0, Author: Bjorn Osterman, Company: TrueSec AB, Sweden

syntax: scUtil.exe unblockpin        <adminkey>    <newpin>
        scUtil.exe changepin         <oldpin>      <newpin>
        scUtil.exe changeadminkey    <oldadminkey> <newadminkey>
        scUtil.exe calculateresponse <adminkey>    <challange>
        scUtil.exe generaterandomkey

<adminkey> is one the the following alternatives:
- 48 hexadecimal characters
- "default", representing 48 zeroes
- "random", representing 48 random hexadecimal characters

<pin> is variable-length string composed of alphanumerical characters

Download: