Certificates in AD

Read the Certified Pre-Owned whitepaper to understand AD CS certificates and their attack vectors

Certipy

Certipy is incompatible with Python 3.11 and greater at the moment. A quick solution is found here

To enumerate AD for vulnerable certificate templates, we can use this command:

sudo certipy-ad find -u 'user@domain' -dc-ip <dc-ip> -vulnerable -enabled

Certipy writes the configuration details of interest to JSON and TXT files named with the convention "<DATE-TIMESTAMP>_Certipy"

ESC1

A certificate template with the ESC1 misconfiguration allows low-privileged users to enroll and request a certificate for any domain object the requester specifies in the subject. This means that any user with enrollment rights can request a certificate for a privileged account, such as a domain administrator.

Vulnerable templates have the following configurations:

  • Client Authentication: True

  • Enabled: True

  • Enrollee Supplies Subject: True

  • Requires Management Approval: False

  • Authorized Signatures Required: 0
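The five settings above can be checked mechanically. The following is an added audit example (not Certipy's code, and the record layout is a constructed one rather than Certipy's JSON schema) that flags templates matching all ESC1 conditions and, as an assumption, only reports them when a broad group such as Domain Users or Authenticated Users holds enrollment rights, since that is what makes the template reachable by low-privileged users.

```python
"""ESC1 template audit: flags certificate templates whose settings match the
ESC1 conditions listed above. Added example, not Certipy code; the Template
record below is a constructed layout, not Certipy's JSON output format."""
from dataclasses import dataclass, field

# Assumption: these well-known groups count as "low-privileged" enrollment rights.
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


@dataclass
class Template:
    name: str
    enabled: bool
    client_authentication: bool      # EKU allows client authentication
    enrollee_supplies_subject: bool  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set
    requires_manager_approval: bool
    authorized_signatures_required: int
    enrollment_rights: set = field(default_factory=set)  # principals allowed to enroll


def esc1_findings(t: Template) -> list[str]:
    """Return the reasons a template is ESC1-exposed; empty list if it is not."""
    checks = [
        (t.enabled, "template is enabled"),
        (t.client_authentication, "EKU permits client authentication"),
        (t.enrollee_supplies_subject, "enrollee supplies subject (arbitrary SAN)"),
        (not t.requires_manager_approval, "no manager approval required"),
        (t.authorized_signatures_required == 0, "no authorized signatures required"),
    ]
    if not all(ok for ok, _ in checks):
        return []
    broad = t.enrollment_rights & BROAD_PRINCIPALS
    if not broad:
        # Misconfigured, but only privileged principals can enroll: lower priority.
        return []
    return [msg for _, msg in checks] + [f"broad enrollment rights: {sorted(broad)}"]


def audit(templates: list[Template]) -> dict[str, list[str]]:
    """Map each ESC1-exposed template name to its list of findings."""
    findings = {}
    for t in templates:
        reasons = esc1_findings(t)
        if reasons:
            findings[t.name] = reasons
    return findings


# Constructed sample data (not taken from any real environment).
SAMPLE = [
    Template("VulnUser", True, True, True, False, 0, {"Domain Users"}),
    Template("User", True, True, False, False, 0, {"Domain Users"}),       # subject built from AD
    Template("Approved", True, True, True, True, 0, {"Domain Users"}),     # approval blocks misuse
    Template("AdminOnly", True, True, True, False, 0, {"Domain Admins"}),  # privileged enrollers only
    Template("Disabled", False, True, True, False, 0, {"Domain Users"}),   # cannot be enrolled
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"[ESC1] {name}")
        for r in reasons:
            print("   -", r)
```

Remediation for a flagged template is any single change that breaks the chain: disable the template, clear the "enrollee supplies subject" flag, require manager approval, or restrict enrollment rights to the principals that actually need the template.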

The Certipy command required to request a certificate includes the following arguments:

The full Certipy command is shown below:

If everything goes well, you'll get a certificate file <target_user>.pfx, which can then be used to request a TGT.

With Rubeus:

With Certipy:

Note that if you get the error "KDC_ERR_PADATA_TYPE_NOSUPP", the KDC does not support PKINIT pre-authentication, so the certificate cannot be exchanged for a TGT. You can then instead try authenticating to LDAP directly with the certificate.

If you used Certipy to retrieve the certificate, you can extract the key and certificate from the .pfx by using:

Then we can use passTheCert.py to perform different LDAP operations.
