ADCSKiller – An ADCS Exploitation Automation Tool

ADCSKiller is a Python-based tool designed to automate the process of discovering and exploiting Active Directory Certificate Services (ADCS) vulnerabilities.

It leverages the features of Certipy and Coercer to simplify the process of attacking ADCS infrastructure.

Please note that the ADCSKiller is currently in its first draft and will undergo further refinements and additions in future updates.

Features

Enumerate Domain Administrators via LDAP
Enumerate domain controllers via LDAP
Enumerate Certificate Authorities via Certipy
Exploitation of ESC1
Exploitation of ESC8

Installation

Since this tool relies on Certipy and Coercer, both tools have to be installed first.

git clone https://github.com/ly4k/Certipy && cd Certipy && python3 setup.py install
git clone https://github.com/p0dalirius/Coercer && cd Coercer && pip install -r requirements.txt && python3 setup.py install
git clone https://github.com/grimlockx/ADCSKiller/ && cd ADCSKiller && pip install -r requirements.txt

Usage

Usage: adcskiller.py [-h] -d DOMAIN -u USERNAME -p PASSWORD -t TARGET -l LEVEL -L LHOST

Options:
-h, --help Show this help message and exit.
-d DOMAIN, --domain DOMAIN
                        Target domain name. Use FQDN
-u USERNAME, --username USERNAME
                        Username.
-p PASSWORD, --password PASSWORD
                        Password.
-dc-ip TARGET, --target TARGET
                        IP Address of the domain controller.
-L LHOST, --lhost LHOST
                         FQDN of the listener machine - An ADIDNS is probably required

Todos

Tests, Tests, Tests
Enumerate the principals which are allowed to dcsync
Use dirkjanm’s gettgtpkinit.py to receive a ticket instead of Certipy auth
Support DC Certificate Authorities
ESC2–ESC7
ESC9 or ESC11?
Automated add an ADIDNS entry if required
Support DCSync functionality

Credits

Oliver Lyak for Certipy
p0dalirius for Coercer
SpecterOps for their research on ADCS
S3cur3Th1sSh1t for bringing these attacks to my screen

Certiception – Reinventing Network Security With Deceptive Active Directory Certificate Services

July 16, 2024

In "Cyber security"

ADCSPwn : A Tool To Escalate Privileges In An Active Directory Network By Coercing Authenticate From Machine Accounts And Relaying To The Certificate Service

August 13, 2021

In "Kali Linux"

Stifle : A Post-Exploitation Tool For Explicit Certificate Mapping In Active Directory

February 18, 2025

In "Exploitation Tools"

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.