Added option to Enumerate Templates via HTTP Relaying to /certsrv/certrqxt.asp Endpoint #143
While testing a network's AD CS environment, I had traffic I was able to relay, but default templates were disabled. I performed some testing on what other endpoints you could relay to, and discovered that several ADCS web enrollment endpoints contain a list of templates the authenticated user can enroll in. One of these endpoints, /certsrv/certrqxt.asp, conveniently has them listed in a dropdown box between <option> tags:
If we relay credentials to this endpoint with ntlmrelayx while capturing network traffic, then analyze that traffic in Wireshark and follow the TCP stream, we can see that the templates are returned in the response HTML source:
In the case of this test, I did not have valid credentials and hadn't determined a way to acquire them, so this was used to obtain initial domain access by relaying for a certificate that I deduced was likely able to be used for authentication. I think this technique may be helpful in situations where:
As I can see this being a useful technique in the future, I modified certipy to add a -enum-templates option that will relay to the /certsrv/certrqxt.asp endpoint, obtain the response, parse out the valid templates using BeautifulSoup, and then print them to the terminal:

I would like to expand this in the future, including storing the template names in a file for later reference, and possibly look into either prompting for an additional relay to obtain a certificate, or just yoloing obtaining a certificate for each template (perhaps an option?), but wanted to submit this first before working on it more!
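The parsing step described above, as an added example that is not part of this PR or of Certipy: it pulls the template names out of a saved certrqxt.asp response and flags any template that an auditor did not expect a given account to be able to enroll in. It uses the standard-library html.parser instead of BeautifulSoup so it runs without extra dependencies; the dropdown name lbCertTemplate, the decoy lbKeySize dropdown and the HTML sample are constructed assumptions, not a captured response.

```python
from html.parser import HTMLParser

# Constructed stand-in for the relevant part of a /certsrv/certrqxt.asp
# response. Only the template dropdown matters; the key-size dropdown is a
# decoy to show that other <select> elements on the page are ignored.
SAMPLE_HTML = """
<html><body><form name="SubmittedData">
<select name="lbCertTemplate" id="lbCertTemplate">
  <option value="User">User</option>
  <option value="WebServer">Web Server</option>
  <option value="Administrator">Administrator</option>
</select>
<select name="lbKeySize"><option value="2048">2048</option></select>
</form></body></html>
"""


class TemplateOptionParser(HTMLParser):
    """Collect the visible text of every <option> inside one named <select>."""

    def __init__(self, select_name="lbCertTemplate"):
        super().__init__()
        self.select_name = select_name
        self.in_select = False   # currently inside the template dropdown
        self.in_option = False   # currently inside an <option> of that dropdown
        self.templates = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "select" and attrs.get("name") == self.select_name:
            self.in_select = True
        elif tag == "option" and self.in_select:
            # A new <option> also closes an unterminated previous one.
            self.in_option = True
            self.templates.append("")

    def handle_endtag(self, tag):
        if tag == "select":
            self.in_select = self.in_option = False
        elif tag == "option":
            self.in_option = False

    def handle_data(self, data):
        if self.in_option:
            self.templates[-1] += data


def enrollable_templates(html, select_name="lbCertTemplate"):
    """Return the template names listed in the web enrollment dropdown."""
    parser = TemplateOptionParser(select_name)
    parser.feed(html)
    return [t.strip() for t in parser.templates if t.strip()]


def unexpected_templates(templates, expected):
    """Templates offered to the account that are not on the expected list."""
    return sorted(set(templates) - set(expected))
```

Feeding the response captured for a low-privilege account and comparing against the templates that account is supposed to see gives a quick check that web enrollment is not exposing more templates than intended.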