Certipy v4.0 releases: Active Directory certificate abuse
Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
- Schannel authentication for LDAPS
- SSPI / Integrated Windows authentication
- New BloodHound format for forked version
- Improved text and JSON output for find with vulnerable templates and CAs, and ability to hide administrators and non-vulnerable templates
- Both UPN and DNS SAN are supported for certificates instead of old
- Certificate enrollment via Web Enrollment instead of RPC
- New request options: Renew, Key Archival, Key Size
- Added PyInstaller specification
- General restructure and change of parameters
git clone https://github.com/ly4k/Certipy.git
cd Certipy
python3 setup.py install
Automatically abuse certificate templates for privilege escalation. This action will try to find, request and authenticate as the Administrator user. Upon success, a credential cache will be saved and the NT hash will be decrypted from the PAC in the TGS_REP.
To demonstrate how easy it is to misconfigure certificate templates, the default certificate template Web Server has been copied to Copy of Web Server. The only change was that the EKU Server Authentication was removed and that authenticated users are allowed to enroll. This will allow enrollees to specify the subject and use it for client authentication, i.e. authenticate as any user. If no EKUs are specified, then the certificate can be used for all purposes. Alternatively, one could add the Client Authentication EKU.
In this example, the user john is a low privileged user who is allowed to enroll for the Copy of Web Server template.
By default, the user Administrator is chosen. Use the -user parameter to create a certificate for another user.
The find action will find certificate templates that are enabled by one or more CAs.
Find vulnerable templates
Use the -vulnerable parameter to only find vulnerable certificate templates.
Use the -user parameter to find vulnerable certificate templates for another user. By default, the current user will be used.
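The conditions that make Copy of Web Server abusable (enrollee-supplied subject, no EKU or an authentication EKU, enrollment open to authenticated users) can be expressed as an audit check over template attributes. This is an added example, not Certipy's code: the dict layout, the enroll_sids key (a pre-resolved list of SIDs holding the Enroll right) and the sample values are assumptions constructed for illustration. It also treats manager approval and required RA signatures as mitigating gates, which the page does not discuss.

```python
# Added audit example, not Certipy code. Dict layout and samples are constructed.
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}    # Everyone, Authenticated Users


def is_broad(sid):
    # Domain Users (-513) and Domain Computers (-515) are domain-relative RIDs.
    return sid in BROAD_SIDS or (
        sid.startswith("S-1-5-21-") and sid.endswith(("-513", "-515")))


def audit_template(t):
    """Return the reasons a template lets a low-privileged enrollee
    authenticate as another user, or [] if the conditions are not all met."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    supplies_subject = t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT
    usable_for_auth = not ekus or bool(ekus & AUTH_EKUS)  # no EKU = all purposes
    gated = bool(t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS
                 or t.get("msPKI-RA-Signature", 0) > 0)
    broad = sorted(s for s in t.get("enroll_sids", []) if is_broad(s))
    if not (supplies_subject and usable_for_auth and broad and not gated):
        return []
    return ["enrollee supplies subject",
            "no EKU (any purpose)" if not ekus else "authentication EKU present",
            "enrollable by " + ", ".join(broad)]


DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLES = {  # constructed attribute values modelled on the page's two templates
    "Web Server": {"msPKI-Certificate-Name-Flag": 1,
                   "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication
                   "enroll_sids": [DOM + "-512", DOM + "-519"]},  # admin groups
    "Copy of Web Server": {"msPKI-Certificate-Name-Flag": 1,
                           "pKIExtendedKeyUsage": [],
                           "enroll_sids": ["S-1-5-11"]},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(name, "->", audit_template(attrs) or "ok")
```

Removing any one of the three conditions (restricting enrollment, restoring a non-authentication EKU, or building the subject from Active Directory) clears the finding for the copied template.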
Copyright (c) 2021 ly4k