ADCSKiller - An ADCS Exploitation Automation Tool

Danial Zahoor
23 Sep, 2023
An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer

ADCSKiller is a Python-based tool designed to automate the process of discovering and exploiting Active Directory Certificate Services (ADCS) vulnerabilities. It leverages features of Certipy and Coercer to simplify the process of attacking ADCS infrastructure. Please note that the ADCSKiller is currently in its first drafts and will undergo further refinements and additions in future updates for sure.

image

Features

  • Enumerate Domain Administrators via LDAP
  • Enumerate Domaincontrollers via LDAP
  • Enumerate Certificate Authorities via Certipy
  • Exploitation of ESC1
  • Exploitation of ESC8

Installation

Since this tool relies on Certipy and Coercer, both tools have to be installed first.

git clone https://github.com/ly4k/Certipy && cd Certipy && python3 setup.py install
git clone https://github.com/p0dalirius/Coercer && cd Coercer && pip install -r requirements.txt && python3 setup.py install
git clone https://github.com/grimlockx/ADCSKiller/ && cd ADCSKiller && pip install -r requirements.txt

Usage

Usage: adcskiller.py [-h] -d DOMAIN -u USERNAME -p PASSWORD -t TARGET -l LEVEL -L LHOST

Options:
-h, --help Show this help message and exit.
-d DOMAIN, --domain DOMAIN
                        Target domain name. Use FQDN
-u USERNAME, --username USERNAME
                        Username.
-p PASSWORD, --password PASSWORD
                        Password.
-dc-ip TARGET, --target TARGET
                        IP Address of the domain controller.
-L LHOST, --lhost LHOST
                         FQDN of the listener machine - An ADIDNS is probably required

Todos

  •  Tests, Tests, Tests
  •  Enumerate principals which are allowed to dcsync
  •  Use dirkjanm's gettgtpkinit.py to receive a ticket instead of Certipy auth
  •  Support DC Certificate Authorities
  •  ESC2 - ESC7
  •  ESC9 - ESC11?
  •  Automated add an ADIDNS entry if required
  •  Support DCSync functionality

Credits



Download ADCSKiller

Danial Zahoor

Danial Zahoor

Professional Ethical Hacker and Cybersecurity Researcher with a proven track record in dismantling online threats. Successfully neutralized 4 scammer networks, thwarted 13 phishing schemes, and disrupted 4 kidnapper networks. Committed to ensuring online safety and security, I leverage my expertise to protect individuals and organizations from digital threats. Passionate about cybersecurity education and empowering others to stay safe online.

Next Post Previous Post
No Comment
Add Comment
comment url