Fix certipy-find support for NT hash and AES key auth

[azoxlpf]

Description

The certipy-find module did not pass the right authentication parameters to Certipy : with an NT hash (-H) or an AES key (--aesKey), authentication failed (“NTLM needs password” or “No credentials provided for TGT request”). This is fixed by passing the missing arguments to Certipy’s Target : hashes, aes, and dc_ip.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Screenshots (if appropriate):

Before :

After :

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• New and existing e2e tests pass locally with my changes
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Thanks for the bug fix PR! Any idea why passing nt/lm hash down to certipy does not do the job?

[azoxlpf]

Thanks for the bug fix PR! Any idea why passing nt/lm hash down to certipy does not do the job?

Hmmm, I think it's because when we build a Target in code, its __init__ doesn't parse the hashes string into lmhash and nthash, that only happens in Target.from_options(). The auth code (LDAP, Kerberos, NTLM) actually uses target.lmhash and target.nthash, so if we only pass hashes, those stay empty and we get "NTLM needs password" / "No credentials provided for TGT request". So we have to pass lmhash, nthash, and dc_ip explicitly.

[NeffIsBack]

Thanks for the bug fix PR! Any idea why passing nt/lm hash down to certipy does not do the job?

Hmmm, I think it's because when we build a Target in code, its __init__ doesn't parse the hashes string into lmhash and nthash, that only happens in Target.from_options(). The auth code (LDAP, Kerberos, NTLM) actually uses target.lmhash and target.nthash, so if we only pass hashes, those stay empty and we get "NTLM needs password" / "No credentials provided for TGT request". So we have to pass lmhash, nthash, and dc_ip explicitly.

You mean the other way round right? Because we were passing nthash/lmhash down but not hashes. Also from what i can tell connection.hash is the same as connection.nthash and therefore probably not what hashes expect. Should probably be aligned (removed) anyway, gonna take a look and test that next month.