
Can't Extract Certificate with SAN #130

@Tx0actical

Description


Hi, the certificate retrieved using the collect command is missing the SAN, making it pretty much unusable without creating a CSR after manually specifying the SAN in a config file. Here's the output:

    ──(kali㉿kali)-[~/DonPAPI/donpapi]
    └─$ dpp -v collect -u <redacted> --aesKey <redacted> -t 192.168.1.101 -d <redacted>     
    [💀] [+] DonPAPI Version 2.1.0
    [💀] [+] Output directory at /home/kali/.donpapi
    [💀] [+] Loaded 1 targets
    [💀] [+] Recover file available at /home/kali/.donpapi/recover/recover_1770187701
    [<redacted>.local] [+] Starting gathering credz
    [<redacted>.local] [+] Dumping SAM
    [<redacted>.local] [*] Saving remote SAM database
    [<redacted>.local] [*] RegSave on filepath: ..\Users\Default\AppData\Local\Temp\6604-0506-5058-7750.log
    [<redacted>.local] [*] Downloading hive on share: C$ on filepath: \Users\Default\AppData\Local\Temp\6604-0506-5058-7750.log
    [<redacted>.local] [-] Could not dump SAM.
    [<redacted>.local] [-] No account found in SAM (maybe blocked by EDR)
    [<redacted>.local] [+] Dumping LSA
    [<redacted>.local] [*] Saving remote SECURITY database
    [<redacted>.local] [*] RegSave on filepath: ..\Users\Default\AppData\Local\Temp\8503-5067-9266-7673.log
    [<redacted>.local] [*] Downloading hive on share: C$ on filepath: \Users\Default\AppData\Local\Temp\8503-5067-9266-7673.log
    [<redacted>.local] [$] [LSA] (Unknown User):Us$rT0AccessDBwithImpersonation
    [<redacted>.local] [$] [LSA] (Unknown User):0wnerOftheIntraNetz!
    [<redacted>.local] [*] Got 6 LSA secrets
    [<redacted>.local] [+] Dumping User and Machine masterkeys
    [<redacted>.local] [$] [DPAPI] Got 11 masterkeys
    [<redacted>.local] [+] Dumping User and Machine Certificates
    [<redacted>.local] [$] [Certificates] [SYSTEM] - SAN not found - SAN not found_4850B565A3A36A1A.pfx - Client auth possible

<output truncated for brevity>

Although it says "Client auth possible", when a TGT is requested with this certificate via Rubeus it returns KDC_ERR_CLIENT_NAME_MISMATCH. This issue confirms the root cause.

I think this might be an issue with the tooling, because the original certificate does have a SAN, but not the one DonPAPI extracted.
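The check a practitioner would want before pointing Rubeus at an extracted `.pfx` is to confirm that the certificate actually carries an identity the KDC can map to a principal (a UPN `otherName` or DNS name in the SAN) alongside the Client Authentication EKU. The script below is an added example written for this issue, not DonPAPI's or Rubeus's own code. It assumes the `cryptography` library is installed, uses the Microsoft UPN `otherName` OID `1.3.6.1.4.1.311.20.2.3`, and builds its own self-signed test fixtures (a made-up user `jdoe@example.local`, password `password`) so it runs offline; a real run would pass the bytes of the extracted PFX instead.

```python
"""Inspect a PFX for what PKINIT needs: a SAN identity (UPN / DNS) and Client Auth EKU.

Added example for this issue; not DonPAPI or Rubeus code. Requires `cryptography`.
"""
from __future__ import annotations

import datetime
from dataclasses import dataclass, field
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# Microsoft User Principal Name otherName OID (szOID_NT_PRINCIPAL_NAME); assumed value.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


@dataclass
class CertSummary:
    subject: str
    upns: list[str] = field(default_factory=list)
    dns_names: list[str] = field(default_factory=list)
    client_auth: bool = False

    @property
    def pkinit_usable(self) -> bool:
        # Client Auth EKU alone is not enough: without a SAN identity the KDC has
        # nothing to map to a principal, which is the KDC_ERR_CLIENT_NAME_MISMATCH case.
        return self.client_auth and bool(self.upns or self.dns_names)


def _decode_utf8string(der: bytes) -> str:
    """Minimal DER decode of a UTF8String (tag 0x0c), short or long length form."""
    if not der or der[0] != 0x0C:
        raise ValueError("otherName value is not a DER UTF8String")
    length, offset = der[1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    return der[offset:offset + length].decode("utf-8")


def summarize_pfx(pfx_bytes: bytes, password: Optional[bytes] = None) -> CertSummary:
    """Load a PKCS#12 blob and report SAN identities plus Client Auth EKU presence."""
    _key, cert, _chain = pkcs12.load_key_and_certificates(pfx_bytes, password)
    if cert is None:
        raise ValueError("PFX contains no end-entity certificate")
    summary = CertSummary(subject=cert.subject.rfc4514_string())
    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        summary.dns_names = list(san.get_values_for_type(x509.DNSName))
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == UPN_OID:
                summary.upns.append(_decode_utf8string(other.value))
    except x509.ExtensionNotFound:
        pass  # no SAN at all: exactly what the issue reports
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        summary.client_auth = ExtendedKeyUsageOID.CLIENT_AUTH in list(eku)
    except x509.ExtensionNotFound:
        pass
    return summary


def make_test_pfx(with_san: bool, password: bytes = b"password") -> bytes:
    """Constructed fixture: self-signed cert for a made-up user, with or without a UPN SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "jdoe")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    )
    if with_san:
        upn = b"jdoe@example.local"
        der_upn = b"\x0c" + bytes([len(upn)]) + upn  # DER UTF8String
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_upn)]), critical=False)
    cert = builder.sign(key, hashes.SHA256())
    return pkcs12.serialize_key_and_certificates(
        b"test", key, cert, None, serialization.BestAvailableEncryption(password))


if __name__ == "__main__":
    for label, flag in (("with SAN", True), ("without SAN", False)):
        s = summarize_pfx(make_test_pfx(flag), b"password")
        print(f"{label}: upns={s.upns} dns={s.dns_names} "
              f"client_auth={s.client_auth} pkinit_usable={s.pkinit_usable}")
```

For an extracted file, replace the fixture with `summarize_pfx(open("cert.pfx", "rb").read(), None)` (DonPAPI writes unencrypted PFX files unless configured otherwise, so try `None` first). A result of `client_auth=True` with empty `upns` and `dns_names` is the "Client auth possible" yet `KDC_ERR_CLIENT_NAME_MISMATCH` situation described above.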
