
Using Certipy to create an AD account gives SSL NO_CYPHERS_AVAILABLE error

Open rick-engle opened this issue 2 years ago • 1 comments

@ly4k While this seemed to work only last night, now when I use this command to try and create an AD account, I get the error:

```
[-] Got error: ("('socket ssl wrapping error: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:997)',)",)
```

```
certipy account create -username "[email protected]" -password "XXXXX" -user FAKECOMP -dns MYDOMDC.mydom.com
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[-] Got error: ("('socket ssl wrapping error: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:997)',)",)
[-] Use -debug to print a stacktrace
```

Here is the debug trace:

```
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'TOONDOM.COM' at '10.0.0.7'
[+] Resolved 'TOONDOM.COM' from cache: 10.0.0.7
[+] Authenticating to LDAP server
[+] Authenticating to LDAP server
[-] Got error: ("('socket ssl wrapping error: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:997)',)",)
Traceback (most recent call last):
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\certipy-4.0.0-py3.10.egg\certipy\lib\ldap.py", line 77, in connect
    self.connect(version=ssl.PROTOCOL_TLSv1_2)
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\certipy-4.0.0-py3.10.egg\certipy\lib\ldap.py", line 127, in connect
    bind_result = ldap_conn.bind()
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\ldap3-2.9.1-py3.10.egg\ldap3\core\connection.py", line 589, in bind
    self.open(read_server_info=False)
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\ldap3-2.9.1-py3.10.egg\ldap3\strategy\sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\ldap3-2.9.1-py3.10.egg\ldap3\strategy\base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket ssl wrapping error: [WinError 10054] An existing connection was forcibly closed by the remote host

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\certipy-4.0.0-py3.10.egg\certipy\entry.py", line 60, in main
    actionsoptions.action
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\certipy-4.0.0-py3.10.egg\certipy\commands\parsers\account.py", line 12, in entry
    account.entry(options)
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\certipy-4.0.0-py3.10.egg\certipy\commands\account.py", line 280, in entry
    actionsoptions.account_action
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\certipy-4.0.0-py3.10.egg\certipy\commands\account.py", line 66, in create
    user = self.connection.get_user(username, silent=True)
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\certipy-4.0.0-py3.10.egg\certipy\commands\account.py", line 50, in connection
    self._connection.connect()
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\certipy-4.0.0-py3.10.egg\certipy\lib\ldap.py", line 83, in connect
    self.connect(version=ssl.PROTOCOL_TLSv1)
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\certipy-4.0.0-py3.10.egg\certipy\lib\ldap.py", line 127, in connect
    bind_result = ldap_conn.bind()
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\ldap3-2.9.1-py3.10.egg\ldap3\core\connection.py", line 589, in bind
    self.open(read_server_info=False)
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\ldap3-2.9.1-py3.10.egg\ldap3\strategy\sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "C:\Users\georgej\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\ldap3-2.9.1-py3.10.egg\ldap3\strategy\base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: ("('socket ssl wrapping error: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:997)',)",)
```

I did see a note in one of the other issues that it might have to do with LDAP. I did use the -scheme ldap switch to try that but it says that LDAP Signing is enabled. But I have that disabled/not configured via GPO:

```
certipy account create -scheme ldap -username "[email protected]" -password "XXXXX" -user FAKECOMP -dns MYDOMDC.mydom.com
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[!] LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
[-] Got error: ("('socket ssl wrapping error: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:997)',)",)
[-] Use -debug to print a stacktrace
```

Would you have any ideas on the cause of this? I am running Certipy on a non-domain-joined Windows 10 PC in a cmd.exe session running with no elevated privileges.

Oh, and as I said, this all was working yesterday. I even checked Windows Updates and nothing new was installed on my Windows Server 2012 R2 box.

Thanks.

rick-engle, Feb 14 '23 17:02
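
The debug trace in the issue above holds two chained tracebacks, one per TLS version attempted. The following is an added triage example, not part of the original issue and not Certipy or ldap3 code: it pairs each attempt with the error it ended in, using a constructed, shortened copy of the trace; `tls_attempts` and the `ORIGIN` table are hypothetical names.

```python
import re

# Constructed, shortened copy of the debug trace from the issue (paths trimmed).
TRACE = '''\
Traceback (most recent call last):
  File "certipy/lib/ldap.py", line 77, in connect
    self.connect(version=ssl.PROTOCOL_TLSv1_2)
  File "ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket ssl wrapping error: [WinError 10054] An existing connection was forcibly closed by the remote host

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "certipy/lib/ldap.py", line 83, in connect
    self.connect(version=ssl.PROTOCOL_TLSv1)
  File "ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: ("('socket ssl wrapping error: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:997)',)",)
'''

CHAIN_SEP = "During handling of the above exception, another exception occurred:"
VERSION_RE = re.compile(r"version=ssl\.(PROTOCOL_\w+)")
# An OpenSSL reason "[SSL: NAME]" or an OS socket error "[WinError N]" / "[Errno N]".
REASON_RE = re.compile(r"\[(?:SSL: (\w+)|((?:WinError|Errno) \d+))\]")
# Where each reason originates (hypothetical triage table, covers only this trace).
# NO_CIPHERS_AVAILABLE is raised by the client's own OpenSSL while building the
# ClientHello; WinError 10054 is a TCP reset received from the other end.
ORIGIN = {"NO_CIPHERS_AVAILABLE": "local", "WinError 10054": "remote"}


def tls_attempts(trace):
    """Return [(protocol, reason, origin)] per chained traceback, oldest first."""
    attempts = []
    for block in trace.split(CHAIN_SEP):
        lines = [ln for ln in block.strip().splitlines() if ln.strip()]
        if not lines:
            continue
        versions = VERSION_RE.findall(block)
        match = REASON_RE.search(lines[-1])  # last line carries the exception text
        reason = (match.group(1) or match.group(2)) if match else "unknown"
        attempts.append((versions[-1] if versions else None, reason,
                         ORIGIN.get(reason, "unknown")))
    return attempts


if __name__ == "__main__":
    for protocol, reason, origin in tls_attempts(TRACE):
        print(f"{str(protocol):18} {reason:22} {origin}")
```

Read oldest first: the TLS 1.2 attempt ended in a connection reset, and the NO_CIPHERS_AVAILABLE message belongs to the TLS 1.0 retry that followed.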