ADCSKiller is a Python-based tool designed to automate the process of discovering and exploiting Active Directory Certificate Services (ADCS) vulnerabilities.
It leverages the features of Certipy and Coercer to simplify the process of attacking ADCS infrastructure.
Please note that the ADCSKiller is currently in its first draft and will undergo further refinements and additions in future updates.
Features
- Enumerate Domain Administrators via LDAP
- Enumerate domain controllers via LDAP
- Enumerate Certificate Authorities via Certipy
- Exploitation of ESC1
- Exploitation of ESC8
Installation
Since this tool relies on Certipy and Coercer, both tools have to be installed first.
git clone https://github.com/ly4k/Certipy && cd Certipy && python3 setup.py install
git clone https://github.com/p0dalirius/Coercer && cd Coercer && pip install -r requirements.txt && python3 setup.py install
git clone https://github.com/grimlockx/ADCSKiller/ && cd ADCSKiller && pip install -r requirements.txt
Usage
Usage: adcskiller.py [-h] -d DOMAIN -u USERNAME -p PASSWORD -t TARGET -l LEVEL -L LHOST
Options:
-h, --help Show this help message and exit.
-d DOMAIN, --domain DOMAIN
Target domain name. Use FQDN
-u USERNAME, --username USERNAME
Username.
-p PASSWORD, --password PASSWORD
Password.
-dc-ip TARGET, --target TARGET
IP Address of the domain controller.
-L LHOST, --lhost LHOST
FQDN of the listener machine - An ADIDNS is probably required
Todos
- Tests, Tests, Tests
- Enumerate the principals which are allowed to dcsync
- Use dirkjanm’s gettgtpkinit.py to receive a ticket instead of Certipy auth
- Support DC Certificate Authorities
- ESC2–ESC7
- ESC9 or ESC11?
- Automated add an ADIDNS entry if required
- Support DCSync functionality
Credits
- Oliver Lyak for Certipy
- p0dalirius for Coercer
- SpecterOps for their research on ADCS
- S3cur3Th1sSh1t for bringing these attacks to my screen