Certipy is a tool for Active Directory Certificate Services (AD CS) enumeration and abuse. It generates data that can be imported into BloodHound.
- What is Active Directory Certificate Services? (Microsoft)
Installation
- Certipy (GitHub)
Kali Linux
sudo apt install certipy-ad
Python package
- certipy-ad 4.8.2 (PyPI)
pip3 install certipy-ad
Other Certipy
- certipy 0.1.3 (PyPI)
To investigate.
pip3 install certipy
Help
certipy-ad -h
    Certipy v4.8.2 - by Oliver Lyak (ly4k)

    usage: certipy-ad [-v] [-h] {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template} ...

    Active Directory Certificate Services enumeration and abuse

    positional arguments:
      {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template}
                            Action
        account             Manage user and machine accounts
        auth                Authenticate using certificates
        ca                  Manage CA and certificates
        cert                Manage certificates and private keys
        find                Enumerate AD CS
        forge               Create Golden Certificates
        ptt                 Inject TGT for SSPI authentication
        relay               NTLM Relay to AD CS HTTP Endpoints
        req                 Request certificates
        shadow              Abuse Shadow Credentials for account takeover
        template            Manage certificate templates

    options:
      -v, --version         Show Certipy's version number and exit
      -h, --help            Show this help message and exit
Enumeration
Enumerate AD CS.
- -bloodhound: results for the BloodHound version from @ly4k with PKI support
- -old-bloodhound: results for the original BloodHound version from @BloodHoundAD without PKI support
certipy-ad find -u user01@example.com -dc-ip $IP
certipy-ad find -u user01@domain.com -dc-ip $IP -bloodhound
certipy-ad find -u user01@domain.com -dc-ip $IP -old-bloodhound
certipy-ad find -u user01@example.com -dc-ip $IP -vulnerable
Seen in demo, not tested.
certipy-ad req -u user01@example.com -dc-ip $IP -ca 'some-CA'
Usage
certipy-ad [-v] [-h] {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template}