ADCS reconnaissance and enumeration (with certipy and bloodhound)

Active Directory Certificate Services (AD CS), as documented for Windows Server 2012, is the server role that lets you build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

Install Certipy

sudo pip3 install certipy-ad
  • Let’s start the enumeration with certipy

sudo certipy find -u joaquin.Pereida@maryland.local -p 'horse' -dc-ip 192.168.56.12 -bloodhound
  • This queries the certificate server and dumps all the information needed in three formats:

    • bloodhound: a zip ready to import into BloodHound (if you use Certipy 4.0 you will have to install the BloodHound GUI modified by Oliver Lyak; if you do not want to use the modified version, you must use the -old-bloodhound option)

    • json: the same information, JSON formatted

    • txt: a textual format

  • Certipy 4.0 also reintroduces the -vulnerable option, which lists only the vulnerable templates.

  • We can find an ESC1 vulnerable template, i.e. one that combines:

    • Enrollment rights granted to all domain users

    • The Client Authentication EKU

    • The "Enrollee supplies subject" flag

  • There is also an ESC2 vulnerable template:
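The three ESC1 conditions above are mechanical enough to check yourself from Certipy's JSON dump, which is useful for a PKI owner who wants to audit templates without relying on the -vulnerable flag. The script below is an added example, not Certipy's own code: it assumes the key names of Certipy's JSON output (the sample is constructed, not a dump from this lab) and, beyond the three conditions on the page, also requires that no manager approval or authorized signatures are needed, since either of those blocks the ESC1 path.

```python
import json

# Constructed sample in the shape of Certipy's JSON output (key names assumed).
SAMPLE = json.dumps({
    "Certificate Templates": {
        "0": {
            "Template Name": "WebServerLegacy",
            "Enabled": True,
            "Client Authentication": True,
            "Enrollee Supplies Subject": True,
            "Requires Manager Approval": False,
            "Authorized Signatures Required": 0,
            "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
                "MARYLAND.LOCAL\\Domain Users", "MARYLAND.LOCAL\\Domain Admins"]}},
        },
        "1": {  # standard User template: subject comes from AD, so not ESC1
            "Template Name": "User",
            "Enabled": True,
            "Client Authentication": True,
            "Enrollee Supplies Subject": False,
            "Requires Manager Approval": False,
            "Authorized Signatures Required": 0,
            "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
                "MARYLAND.LOCAL\\Domain Users"]}},
        },
    }
})

# Groups whose enrollment right effectively means "any domain principal".
LOW_PRIV_GROUPS = ("Domain Users", "Authenticated Users", "Domain Computers", "Everyone")


def esc1_templates(certipy_json: str) -> list[str]:
    """Return names of enabled templates that meet every ESC1 precondition."""
    data = json.loads(certipy_json)
    hits = []
    for tmpl in data.get("Certificate Templates", {}).values():
        perms = tmpl.get("Permissions", {}).get("Enrollment Permissions", {})
        rights = perms.get("Enrollment Rights", [])
        # Strip the "DOMAIN\" prefix and compare the group name only.
        broad_enroll = any(r.split("\\")[-1] in LOW_PRIV_GROUPS for r in rights)
        if (tmpl.get("Enabled") and tmpl.get("Client Authentication")
                and tmpl.get("Enrollee Supplies Subject")
                and not tmpl.get("Requires Manager Approval")
                and tmpl.get("Authorized Signatures Required", 0) == 0
                and broad_enroll):
            hits.append(tmpl["Template Name"])
    return hits


if __name__ == "__main__":
    for name in esc1_templates(SAMPLE):
        print(f"ESC1: {name} lets any domain user request a client-auth cert with a chosen subject")
```

Fixing a flagged template means removing the "Enrollee supplies subject" flag, restricting enrollment rights, or requiring manager approval, after which the same check returns nothing.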

There are other vulnerable templates as well; let's take a look in BloodHound.

  • Import the zip file created with certipy.

  • Then get an overview with: PKI -> Find certificate authority, select the certificate authority and click "see enabled templates".
