Some amazing work elsewhere in the KB: Alyssa's Certipy writeup.
And more brilliant work here too: Phil's Certipy writeup.
How to install on Windows, from our very own in-house wizard rhino.
Want to know more?
- Pass-the-Certificate https://thehacker.recipes/ad/movement/kerberos/pass-the-certificate
- UnPAC-the-Hash https://thehacker.recipes/ad/movement/kerberos/unpac-the-hash
- Shadow Credentials https://thehacker.recipes/ad/movement/kerberos/shadow-credentials
- AD CS escalation https://thehacker.recipes/ad/movement/ad
  - ESC1,2,3 - misconfigured certificate templates https://thehacker.recipes/ad/movement/ad-cs/certificate-templates
  - ESC6 - dangerous CA configuration https://thehacker.recipes/ad/movement/ad-cs/ca-configuration
  - ESC4,5,6 - access control vulnerabilities https://thehacker.recipes/ad/movement/ad-cs/access-controls
  - ESC8 - web endpoints https://thehacker.recipes/ad/movement/ad
Getting Started
These tool installs assume virtualenv is already present:
apt update
apt install python3-virtualenv
Note on virtualenv usage:
- these containers are used to allow conflicting dependency installs to live side by side harmoniously
- activate / deactivate dependency containers for proper usage
- with screen/tmux, multiple dependency containers can be activated at the same time
Certipy
Overview: Certipy is used for enumerating ADCS configurations, templates, etc. This tool should be used on most internals where we get hold of credentialed access.
Possible Blurb:
Certipy and Certify have become de-facto standards for investigating Active Directory Certificate Services (ADCS). These tools automate the enumeration and identification of certificate services configurations. BHIS used Certipy to identify potentially vulnerable certificate templates and attempt domain privilege escalation.
cd /opt/
git clone https://github.com/ly4k/Certipy.git
cd Certipy
virtualenv -p python3 cert-env
source cert-env/bin/activate
python3 setup.py install
python3 -m pip install .
deactivate
cd /opt/
Possible Usage:
certipy find -u 'user@example.com' -p <password> -dc-ip <DC_IP> -vulnerable
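For reviewing what the -vulnerable flag actually flags, here is an added example (not code from this page or from the Certipy project) that applies the ESC1/ESC2/ESC3 template conditions to constructed template records, so a finding can be explained in the report and the fix (approval gate, no enrollee-supplied subject, tighter enrollment rights) can be verified. The record field names, the sample templates and the low-privilege SID set are this example's own assumptions, not Certipy's output schema.

```python
# Added example (not from this page or the Certipy project): the template
# conditions behind the ESC1/ESC2/ESC3 flags, on constructed records whose
# field names are this example's own simplified schema, not Certipy's output.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Auth Users, Users
ANY_PURPOSE = "2.5.29.37.0"
ENROLLMENT_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    ANY_PURPOSE,
}

def low_priv_can_enroll(tpl):
    """True if a broad group holds enrollment rights ("-513" = Domain Users RID)."""
    return any(s in LOW_PRIV_SIDS or s.endswith("-513") for s in tpl["enroll_sids"])

def check_template(tpl):
    """Return the ESC findings a template's settings satisfy (empty = clean)."""
    findings = []
    # Shared preconditions: enabled, low-priv enrollment, no approval gate
    if not (tpl["enabled"] and low_priv_can_enroll(tpl)):
        return findings
    if tpl["manager_approval"] or tpl["authorized_signatures"] > 0:
        return findings
    ekus = set(tpl["ekus"])
    if tpl["enrollee_supplies_subject"] and ekus & CLIENT_AUTH_EKUS:
        findings.append("ESC1")  # requester picks the SAN on a logon-capable cert
    if not ekus or ANY_PURPOSE in ekus:
        findings.append("ESC2")  # Any Purpose / no EKU: usable for anything
    if ENROLLMENT_AGENT in ekus:
        findings.append("ESC3")  # holder can request certs on behalf of others
    return findings

def audit(templates):
    """Map template name -> findings, ready for a report table."""
    return {t["name"]: check_template(t) for t in templates}

# Constructed sample: a misconfigured template, its hardened twin, and an ESC2 case
SAMPLE_TEMPLATES = [
    {"name": "LegacyUser", "enabled": True, "enrollee_supplies_subject": True,
     "manager_approval": False, "authorized_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": ["S-1-5-21-1-2-3-513"]},
    {"name": "HardenedUser", "enabled": True, "enrollee_supplies_subject": False,
     "manager_approval": True, "authorized_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": ["S-1-5-21-1-2-3-513"]},
    {"name": "AnyPurpose", "enabled": True, "enrollee_supplies_subject": False,
     "manager_approval": False, "authorized_signatures": 0,
     "ekus": ["2.5.29.37.0"], "enroll_sids": ["S-1-5-11"]},
]
```

Run audit(SAMPLE_TEMPLATES) to see that only the LegacyUser (ESC1) and AnyPurpose (ESC2) records are flagged, and that the HardenedUser twin clears because of the manager-approval gate.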