Enumeration
Locating operational Certification Authorities and understanding the PKI structure of the organization is extremely helpful when attempting to exploit ADCS. You will commonly need to query the CA by DNS name and to understand the enrollment rights on published certificate templates. Certify and its Python counterpart, Certipy, are invaluable tools for this.
You will need to be authenticated to identify CAs via the LDAP requests these tools make. Sometimes you get lucky, though, and a computer's NetBIOS name is CA-CERT-SERVER.
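From the defender's side, the authenticated LDAP lookups described above can be watched for. The sketch below is an added example, not code from Certify, Certipy or this page: it flags accounts that search for both CA objects and certificate templates within a short window. The log format, the function name `find_pki_enumeration` and the sample lines are assumptions constructed for illustration; `pKIEnrollmentService` and `pKICertificateTemplate` are the Active Directory schema classes for those objects.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# AD schema classes for CA objects and certificate templates (not named on this page).
PKI_CLASSES = {"pkienrollmentservice": "ca", "pkicertificatetemplate": "template"}
LINE_RE = re.compile(r'(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) filter="(?P<filter>[^"]*)"')
CLASS_RE = re.compile(r"object(?:Class|Category)=([A-Za-z-]+)", re.I)

# Constructed sample lines in a hypothetical log format; adapt LINE_RE to your telemetry.
SAMPLE_LOG = """\
2024-05-01T09:14:02 user=jdoe@contoso.com src=10.10.20.55 filter="(objectClass=pKIEnrollmentService)"
2024-05-01T09:14:03 user=jdoe@contoso.com src=10.10.20.55 filter="(objectClass=pKICertificateTemplate)"
2024-05-01T09:20:00 user=svc-pki@contoso.com src=10.10.10.30 filter="(|(objectClass=pKIEnrollmentService)(objectClass=pKICertificateTemplate))"
2024-05-01T10:02:11 user=asmith@contoso.com src=10.10.20.77 filter="(objectClass=pKICertificateTemplate)"
2024-05-01T11:00:00 user=bob@contoso.com src=10.10.20.90 filter="(objectCategory=pKIEnrollmentService)"
2024-05-01T11:30:00 user=bob@contoso.com src=10.10.20.90 filter="(objectClass=pKICertificateTemplate)"
"""


def find_pki_enumeration(log_text, window=timedelta(minutes=5), allowlist=frozenset()):
    """Return sorted (user, src) pairs that searched for both CA and template
    objects within `window`. `allowlist` holds lowercase account names to skip."""
    seen = defaultdict(list)  # (user, src) -> [(timestamp, "ca" | "template")]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"].lower() in allowlist:
            continue
        ts = datetime.fromisoformat(m["ts"])
        for cls in CLASS_RE.findall(m["filter"]):
            kind = PKI_CLASSES.get(cls.lower())
            if kind:
                seen[(m["user"], m["src"])].append((ts, kind))
    alerts = []
    for key, hits in seen.items():
        ca_times = [t for t, k in hits if k == "ca"]
        tpl_times = [t for t, k in hits if k == "template"]
        # Both halves of the enumeration close together in time from one client.
        if any(abs(c - t) <= window for c in ca_times for t in tpl_times):
            alerts.append(key)
    return sorted(alerts)


if __name__ == "__main__":
    for user, src in find_pki_enumeration(SAMPLE_LOG, allowlist={"svc-pki@contoso.com"}):
        print(f"PKI enumeration: {user} from {src}")
```

Baseline the accounts that legitimately perform these lookups in your environment and pass them in `allowlist` before alerting on the result.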
Find CAs and Published Templates
Certify.exe find
certipy find -u user@contoso.com -p pass -dc-ip 10.10.10.10 -stdout
netexec ldap 10.10.10.10 -u user -p pass -M adcs
Both tools also include automated searches for vulnerable configurations.
Certify.exe find /vulnerable
certipy find -u user@contoso.com -p pass -dc-ip 10.10.10.10 -vulnerable -stdout