Malware Devil

Sunday, August 30, 2020

Certulitis – one tool that keeps on giving

Certutil is a really naughty tool. It accepts lots of various command line arguments that I believe are not widely known – and this post (and maybe some follow-up posts) is hoping to change that.

One of the first things I caught when I started analysing its command line arguments was the mysterious, case-insensitive command line argument comparison with the ‘uSAGE’ string. It turns out that certutil offers two different sets of usage information, depending on the command line option. If you just use ‘?’ then you get the ‘official’ version. If it’s ‘uSAGE’ then you get the unofficial one. Of course, once I found out I ran to Google and Twitter to find out if it is IN THE KNOWN.

Yes, it was. @0gtweet did it my favourite way – the hard way :-), @dunarth did it the right way, and @chris_ayres did it the earliest way (AFAICT).

Okay, with this out of the way, let’s look at the actual command line arguments.

Wait. What about the command line switches? Similarly to PowerShell, certutil accepts command line arguments using a number of different characters:

  • / (Unicode 0x002F)
  • - (Unicode 0x002D)
  • – (Unicode 0x2013)
  • − (Unicode 0x2212)
  • û (Unicode 0x00FB)

I still can’t figure out why the last Unicode character on that list is being accepted. The Unicode character 0x00FB is ‘û’. If you know, please let me know and I will update the post.
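The practical consequence for anyone writing detections is that a rule matching only the ASCII ‘-’ or ‘/’ prefix will not see a certutil invocation written with the en dash, the minus sign or ‘û’. The following is an added example (not from the original post) that normalises all five accepted prefix characters to ‘-’ before extracting option names, flags command lines that use one of the non-ASCII alternatives, and spots the case-insensitive ‘uSAGE’ argument. The sample command lines are constructed for the example, and the hostname example.invalid is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List

# Switch prefix characters certutil accepts, per the post: '/', '-', EN DASH (U+2013),
# MINUS SIGN (U+2212) and U+00FB ('û'). The last one is included because the post
# reports that certutil accepts it, even though the reason is unknown.
SWITCH_CLASS = r"[/\-\u2013\u2212\u00fb]"
# A switch prefix is one of those characters at the start of a token, followed by an
# option name (or '?'). A '/' inside a URL or path is preceded by a non-space and is skipped.
_SWITCH_RE = re.compile(r"(?<!\S)" + SWITCH_CLASS + r"(?=[\w?])")


def normalize_switches(cmdline: str) -> str:
    """Rewrite every accepted switch prefix to ASCII '-' so one rule form matches all spellings."""
    return _SWITCH_RE.sub("-", cmdline)


def extract_options(cmdline: str) -> List[str]:
    """Return option names (lower-cased, prefix stripped), skipping the program name.
    Lower-casing mirrors certutil's own case-insensitive comparison (e.g. 'uSAGE')."""
    tokens = normalize_switches(cmdline).split()
    return [t[1:].lower() for t in tokens[1:] if t.startswith("-") and len(t) > 1]


def uses_unusual_switch(cmdline: str) -> bool:
    """True when any switch prefix is a non-ASCII alternative (U+2013, U+2212, U+00FB).
    A rule that only matches ASCII '-' or '/' would not see these invocations."""
    return any(m.group(0) not in "/-" for m in _SWITCH_RE.finditer(cmdline))


@dataclass
class CertutilCall:
    raw: str
    normalized: str
    options: List[str]
    unusual_switch: bool
    unofficial_usage: bool  # '-usage' in any letter case shows the unofficial help text


def analyse(cmdline: str) -> CertutilCall:
    """Normalise one process command line and summarise what a detection rule would care about."""
    opts = extract_options(cmdline)
    return CertutilCall(
        raw=cmdline,
        normalized=normalize_switches(cmdline),
        options=opts,
        unusual_switch=uses_unusual_switch(cmdline),
        unofficial_usage="usage" in opts,
    )


# Constructed sample process command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "certutil.exe -uSAGE",
    "certutil.exe \u2013URL http://example.invalid/",  # EN DASH prefix
    "certutil.exe \u2212?",                            # MINUS SIGN prefix
    "certutil.exe /?",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        c = analyse(line)
        print(f"{c.normalized!r:48} options={c.options} "
              f"unusual_switch={c.unusual_switch} unofficial_usage={c.unofficial_usage}")
```

Running the script prints one summary line per sample; the en dash and minus sign invocations are reported with unusual_switch set, while their option names come out identical to the ASCII spelling, which is the form a rule should match on.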

Another discovery is brought to us by two unusual environment variables:

  • certsrv_rawhex – shows stuff in raw hex (e.g. certs)
  • CertSrv_Chain – enables debugging information being available for cert chain
  • CERTSRV_LOGMAX – maximum length of the certutil.log file
  • CERTSRV_DEBUG – enables certutil debug mode
  • CERTSRV_LOGFILE – name of the log file

The ‘certutil.log’ file is created if the DbgIsSSActive function, imported from ‘certcli.dll’ (which forwards it to ‘certca.dll’), returns true. I am kidding; that is a convoluted way of saying that certain conditions need to be met for ‘certutil.log’ to be created. They can be set either via the Registry (HKLM\Software\Microsoft\Cryptography\AutoEnrollment\Debug=XXX OR HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Debug=XXX), or via the environment variables listed above.

In fact, setting

set CERTSRV_LOGFILE=c:\test\foo.log
set CERTSRV_DEBUG=0xFFFFFFFF

will enable full logging to your main console and to the file c:\test\foo.log.

Pick up your favorite certutil command and give it a go. You will like the output as it helps to troubleshoot your manual testing 🙂

Finally, while certutil is primarily a command line application, it does create a window called ‘CertUtil Application’ of class ‘CertUtil’, and apart from that, provides a UI for some of its commands (e.g. -URL).


The post Certulitis – one tool that keeps on giving first appeared on Malware Devil.



https://www.malwaredevil.com/2020/08/30/certulitis-one-tool-that-keeps-on-giving/?utm_source=rss&utm_medium=rss&utm_campaign=certulitis-one-tool-that-keeps-on-giving
