# CA/Template Discovery

{% hint style="info" %}
More in-depth information on AD CS can be found in the [Certified Pre-Owned whitepaper](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf) by SpecterOps.

That bish is 143 pages long, so I'm going to be describing the important parts of the most commonly seen escalation (ESC) attacks.
{% endhint %}

Finding the Active Directory Certificate Service (AD CS) server is as simple as querying a domain controller on the target domain using Lightweight Directory Access Protocol (LDAP).

{% hint style="info" %}
In order to query a computer via LDAP, you must have a valid set of credentials for a domain user (or access to a domain computer if using *certutil.exe*).
{% endhint %}

Several tools already exist that do this for you.

{% tabs %}
{% tab title="netexec" %}
{% embed url="https://github.com/Pennyw0rth/NetExec" %}

{% code title="Linux" %}

```fish
netexec ldap -u [username] -p [password] -M adcs
```

{% endcode %}
{% endtab %}

{% tab title="ldapsearch" %}
{% embed url="https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html" %}

{% code title="Linux" %}

```fish
# Enrollment Services objects live in the Configuration partition; one-level scope lists each CA.
ldapsearch \
  -H ldap://dc.domain.local -D 'user@domain.local' -w 'password' \
  -b 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local' \
  -s one '(objectClass=pKIEnrollmentService)' \
  cn dNSHostName
```

{% endcode %}
{% endtab %}

{% tab title="Certify.exe" %}
{% embed url="https://github.com/GhostPack/Certify" %}

{% code title="Windows" %}

```powershell
Certify.exe cas /domain:[domain]
```

{% endcode %}
{% endtab %}

{% tab title="certutil.exe" %}
{% code title="Windows" %}

```powershell
certutil.exe -config - -ping
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Finding Vulnerable Templates

Similar to finding the AD CS server, we can use LDAP to query for the templates that are available, along with each template's configuration, such as the permissions required to enroll for a certificate.

{% tabs %}
{% tab title="Certipy.py" %}
{% embed url="https://github.com/ly4k/Certipy" %}

{% code title="Linux (Attacker)" %}

```fish
certipy find -u [username]@[domain] -p [password] -dc-ip [DC IP] -vulnerable
```

{% endcode %}

{% hint style="info" %}
To get a list of all available certificate templates (including non-vulnerable ones), simply remove the `-vulnerable` flag.
{% endhint %}
{% endtab %}

{% tab title="Certify.exe" %}
{% embed url="https://github.com/GhostPack/Certify" %}

{% code title="Windows" %}

```powershell
Certify.exe find /vulnerable /domain:[domain]
```

{% endcode %}
{% endtab %}

{% tab title="Get-ADObject" %}
{% code title="Windows" %}

```powershell
# Lists the enrollment services (CAs) in the Configuration partition. Template objects
# (pKICertificateTemplate) sit under CN=Certificate Templates,CN=Public Key Services,
# CN=Services in the same partition.
Get-ADObject -LDAPFilter '(objectCategory=pKIEnrollmentService)' -SearchBase "CN=Configuration,DC=Weelee,DC=local"
```

{% endcode %}
{% endtab %}
{% endtabs %}

These tools output a list of templates potentially vulnerable to the AD CS escalation techniques known as ESC1 through ESC11.
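As an added example (not code from this page, Certipy or Certify), the Python below applies the ESC1 template-attribute conditions from the whitepaper to constructed LDAP template records, the same attributes the tools above read from `CN=Certificate Templates`. Enrollment rights in the template's security descriptor are also required for ESC1 and are not parsed here; the sample records and their values are constructed.

```python
# Added example: audit pKICertificateTemplate records for the ESC1 attribute conditions.
from typing import Iterable

# Flag bits from MS-CRTD and the EKU OIDs that let a certificate authenticate a principal.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

def templates_search_base(domain_dn: str) -> str:
    """Container of template objects, parallel to the CN=Enrollment Services base used for CAs."""
    return f"CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,{domain_dn}"

def allows_authentication(ekus: Iterable[str]) -> bool:
    ekus = list(ekus)
    return not ekus or any(oid in AUTH_EKUS for oid in ekus)  # empty EKU list means any purpose

def esc1_attribute_findings(template: dict) -> list[str]:
    """Return the ESC1 conditions a template record satisfies; all four must hold."""
    findings = []
    if template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject (SAN)")
    if not template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    if template.get("msPKI-RA-Signature", 0) == 0:
        findings.append("no authorized signatures required")
    if allows_authentication(template.get("pKIExtendedKeyUsage", [])):
        findings.append("EKU permits client authentication")
    return findings

def is_esc1_candidate(template: dict) -> bool:
    return len(esc1_attribute_findings(template)) == 4

# Constructed sample records in the shape an LDAP client returns for the attributes above.
SAMPLE_TEMPLATES = [
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
    {"cn": "WebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},
    {"cn": "VPNAuth", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
]

def audit(templates: Iterable[dict]) -> list[str]:
    """Names of templates whose attributes meet every ESC1 condition."""
    return [t["cn"] for t in templates if is_esc1_candidate(t)]

if __name__ == "__main__":
    for name in audit(SAMPLE_TEMPLATES):
        print(f"[!] {name}: review enrollment rights on this template")
```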
