Add DCOM support for req command

[qtc-de]

In the last few months, we encountered more and more ADCS instances that neither supported web enrollment, nor exposed the CertSvc via plain RPC. The output of certipy req looks like this in that case:

[+] Trying to resolve 'XYZ.ABC' at '...'
[+] Trying to resolve 'ABC' at '...'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:...[\pipe\cert]
[!] Failed to connect to endpoint ncacn_np:...[\pipe\cert]: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Failed to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[-] Failed to get dynamic TCP endpoint for CertSvc
[-] Got error: 'NoneType' object has no attribute 'request'

Still, the ADCS was full functional and native Windows tooling like mmc was capable of obtaining certificates. At this point we noticed that mmc does not rely on plain RPC, but DCOM for obtaining the certificate. The corresponding DCOM interface ICertRequestD is described in this microsoft spec.

And indeed adjusting certipy to use DCOM instead of plain RPC allowed us to obtain certificates again. This MR adds this functionality and allows users to specify the -dcom switch with the req action.

The error handling was copied from the RPC related certipy code and may not fit 100% for COM. However, this is something that probably pops up in user issues and can be investigated then 🙃

[shaaati]

I see that this "only" affects files dealing with the "req" command. Would this also be useful for the "relay" command or is this not applicable due to DCOM hardening?

[cmjlove1]

I see that this "only" affects files dealing with the "req" command. Would this also be useful for the "relay" command or is this not applicable due to DCOM hardening?

It appears that when relaying, it is necessary to use web enrollment for certificate issuance instead of other methods.

[shaaati]

It appears that when relaying, it is necessary to use web enrollment for certificate issuance instead of other methods.

That is not correct. See for example the description of ESC11 in this repository. Relay is also possible against RPC if certain configuration is present (that is, IF_ENFORCEENCRYPTICERTREQUEST is not set).

This is why I was wondering if DCOM could also be used as a relay target. Maybe this also depends on specific configuration settings and would be too much for this pull request, but instead should be a dedicated ESC number on its own. Unfortunately, I don't know much about DCOM and therefore can't evaluate the possibility myself.

[cmjlove1]

It appears that when relaying, it is necessary to use web enrollment for certificate issuance instead of other methods.

That is not correct. See for example the description of ESC11 in this repository. Relay is also possible against RPC if certain configuration is present (that is, IF_ENFORCEENCRYPTICERTREQUEST is not set).

This is why I was wondering if DCOM could also be used as a relay target. Maybe this also depends on specific configuration settings and would be too much for this pull request, but instead should be a dedicated ESC number on its own. Unfortunately, I don't know much about DCOM and therefore can't evaluate the possibility myself.

Oh, indeed, that's my mistake. I didn't take ESC11 into consideration, only focused on ESC8