¶ Certify
https://github.com/GhostPack/Certify
¶ About
Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
¶ Usage
C:\Tools>Certify.exe
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
Find information about all registered CAs:
Certify.exe cas [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/hideAdmins] [/showAllPermissions] [/skipWebServiceChecks] [/quiet]
Find all enabled certificate templates:
Certify.exe find [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]
Find vulnerable/abusable certificate templates using default low-privileged groups:
Certify.exe find /vulnerable [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]
Find vulnerable/abusable certificate templates using all groups the current user context is a part of:
Certify.exe find /vulnerable /currentuser [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]
Find enabled certificate templates where ENROLLEE_SUPPLIES_SUBJECT is enabled:
Certify.exe find /enrolleeSuppliesSubject [/ca:SERVER\ca-name| /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]
Find enabled certificate templates capable of client authentication:
Certify.exe find /clientauth [/ca:SERVER\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]
Find all enabled certificate templates, display all of their permissions, and don't display the banner message:
Certify.exe find /showAllPermissions /quiet [/ca:COMPUTER\CA_NAME | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local]
Find all enabled certificate templates and output to a json file:
Certify.exe find /json /outfile:C:\Temp\out.json [/ca:COMPUTER\CA_NAME | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local]
Enumerate access control information for PKI objects:
Certify.exe pkiobjects [/domain:domain.local] [/showAdmins] [/quiet]
Request a new certificate using the current user context:
Certify.exe request /ca:SERVER\ca-name [/subject:X] [/template:Y] [/install]
Request a new certificate using the current machine context:
Certify.exe request /ca:SERVER\ca-name /machine [/subject:X] [/template:Y] [/install]
Request a new certificate using the current user context but for an alternate name (if supported):
Certify.exe request /ca:SERVER\ca-name /template:Y /altname:USER
Request a new certificate on behalf of another user, using an enrollment agent certificate:
Certify.exe request /ca:SERVER\ca-name /template:Y /onbehalfof:DOMAIN\USER /enrollcert:C:\Temp\enroll.pfx [/enrollcertpw:CERT_PASSWORD]
Download an already requested certificate:
Certify.exe download /ca:SERVER\ca-name /id:X [/install] [/machine]
Certify completed in 00:00:00.0200190
¶ License
Certify is provided under the 3-clause BSD license below.
Copyright (c) 2021, Will Schroeder and Lee Christensen
All rights reserved.
- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
¶ Screenshots of results
¶ Certificates
¶ How to start?
You can find this here.