GitHub: https://github.com/ly4k/Certipy

Certipy is a powerful offensive and defensive toolkit for enumerating and abusing Active Directory Certificate Services (AD CS). It helps red teamers, penetration testers, and defenders assess AD CS misconfigurations - including full support for identifying and exploiting all known ESC1-ESC16 attack paths.

Usage

Refer to the Certipy Command Reference for a complete list of commands and options. The following sections will cover the most relevant commands for AD CS abuse, including their usage and examples.

Key Certipy sub-commands include:

  • find - Enumerate AD CS configuration in the domain. This scans for CAs, Certificate Templates, and related objects, highlighting potential misconfigurations or vulnerable settings. This is often the first step attackers or auditors use, as it provides a detailed report of what templates exist and which ESC vulnerabilities might be present. (See below for examples of find output.)
  • req (request) - Request a certificate from a CA. This command allows you to actively attempt enrollment for a given template. You can specify template name, CA name, alternate credentials to use for the request, subject name overrides, etc. It supports requesting via RPC, DCOM, or HTTP(S). Attackers usually use certipy req to exploit vulnerable templates by obtaining certs they shouldn’t be entitled to (for impersonation).
  • auth - Authenticate using a certificate. This is essentially a “pass-the-certificate” operation. Given a PFX (certificate + private key), certipy auth will perform a domain authentication (Kerberos PKINIT) and can retrieve a TGT and the NTLM hash using the certificate. In some cases, it may also be preferable to use Schannel authentication to LDAP instead of Kerberos. This is used after an attacker obtains a cert (via req or other means) to translate that into actual domain access (Kerberos tickets or LDAP connections as that identity).
  • relay - Perform an NTLM relay attack targeting AD CS HTTP(S) or RPC endpoints (ESC8/ESC11). Certipy can act as an NTLM relay tool: listening for incoming NTLM authentication (from a coerced machine or victim) and then relaying that to the AD CS enrollment interface to get a certificate issued for the victim. This automates the ESC8 attack (and ESC11 for RPC) end-to-end, granting a certificate for the victim’s account if successful.
  • shadow - Perform Shadow Credentials attack (certificate-based persistence via Key Credentials). This command can create a certificate-linked credential on a user (in the msDS-KeyCredentialLink attribute). With certipy shadow, an attacker with appropriate rights can install a certificate on an object such that they can authenticate as that object via certificate (even if not via typical AD CS pathways).
  • forge - Forge certificates given a compromised CA. If you have a CA’s private key (for example, stolen from an offline CA or from backup), this command allows creating arbitrary certificates (e.g., a “Golden Certificate”) signed by that CA. You input the CA cert and key (PFX), and specify details for a new certificate (like a UPN, DNS, etc.), and Certipy will output a forged cert. This is extremely powerful for persistence if a root or subordinate CA is compromised.
  • ca - Manage Certificate Authority settings. This can enable or disable templates on a CA, approve or deny pending requests, and add or remove CA certificate managers (officers). It’s useful for post-exploitation or during certain attack chains (for example, if you’ve gained rights to modify CA settings via ESC7, you could use certipy ca to enable a vulnerable template or approve your malicious request).
  • template - Manage Certificate Template objects in AD. You can dump a template’s configuration to a file, modify it, and write it back. This is helpful for scenarios like ESC4 (where you have rights to edit a template): you could use Certipy to change template settings (e.g., allow SAN or change permissions) and later restore them.
  • account - Manage user/computer account attributes related to certificates. This includes adding or modifying things like SPNs, DNS hostnames, UPNs, or passwords for accounts. It’s an advanced command that attackers might use in complex chains (e.g., creating a machine account with a specific name to exploit a certificate mapping). For instance, certipy account can create a new computer account if the current user has the right (MachineAccountQuota), setting attributes that might later be used in an attack.

Most Certipy commands accept common connection options (like -dc-ip, -u/-p for credentials, -hashes for pass-the-hash, -k for Kerberos from ccache, etc.). This allows flexible authentication methods. For example, you can use -hashes with an NTLM hash or -aes with a Kerberos AES key to authenticate without knowing the cleartext password.
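The kind of check that find applies when it flags a template, shown as an added audit example that is not Certipy's own code: the ESC1 criteria (enrollee-supplied subject, no manager approval, no authorized signatures, an authentication-capable EKU, low-privileged enroll rights on a published template) are assumed from the public AD CS research rather than taken from this page, and the template records are constructed.

```python
from dataclasses import dataclass

# Flag bits from msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # manager approval required
# EKUs that allow the certificate to be used for domain authentication;
# an empty EKU list is treated the same way (unrestricted use).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers",
                       "Authenticated Users", "Everyone"}
ESC1_CONDITIONS = 6

@dataclass
class Template:
    name: str
    enabled: bool               # published on at least one CA
    name_flag: int              # msPKI-Certificate-Name-Flag
    enrollment_flag: int        # msPKI-Enrollment-Flag
    ra_signatures: int          # msPKI-RA-Signature
    ekus: tuple                 # pKIExtendedKeyUsage OIDs
    enroll_rights: frozenset    # principals holding Enroll / AutoEnroll

def esc1_reasons(t: Template) -> list:
    """Return the ESC1 conditions this template meets (all six => ESC1)."""
    reasons = []
    if t.enabled:
        reasons.append("published")
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    if not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS):
        reasons.append("no manager approval")
    if t.ra_signatures == 0:
        reasons.append("no authorized signatures required")
    if not t.ekus or AUTH_EKUS & set(t.ekus):
        reasons.append("authentication EKU")
    if LOW_PRIV_PRINCIPALS & t.enroll_rights:
        reasons.append("low-privileged enroll rights")
    return reasons

def is_esc1(t: Template) -> bool:
    return len(esc1_reasons(t)) == ESC1_CONDITIONS

def audit(templates) -> dict:
    """Map each ESC1-vulnerable template name to the conditions it meets."""
    return {t.name: esc1_reasons(t) for t in templates if is_esc1(t)}

# Constructed sample records, not taken from any real domain.
SAMPLES = [
    Template("ESC1-Vuln", True, 0x1, 0x0, 0, ("1.3.6.1.5.5.7.3.2",), frozenset({"Domain Users"})),
    Template("User", True, 0x0, 0x0, 0, ("1.3.6.1.5.5.7.3.2",), frozenset({"Domain Users"})),
    Template("Approved", True, 0x1, 0x2, 0, (), frozenset({"Authenticated Users"})),
]
```

Only the first record meets every condition; the second lacks the enrollee-supplied subject and the third requires manager approval, so a remediation that clears CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or enables approval drops a template out of the finding.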