Certipy is a powerful offensive and defensive toolkit for enumerating and abusing Active Directory Certificate Services (AD CS). It helps red teamers, penetration testers, and defenders assess AD CS misconfigurations - including full support for identifying and exploiting all known ESC1-ESC16 attack paths.
Warning
Use only in environments where you have explicit authorization. Unauthorized use may be illegal.
- 🔎 Discover Certificate Authorities and Templates
- 🚩 Identify misconfigurations
- 🔐 Request and forge certificates
- 🎭 Perform authentication using certificates
- 📡 Relay NTLM authentication to AD CS HTTP(S)/RPC endpoints
- 🗝️ Support for Shadow Credentials, Golden Certificates, and Certificate Mapping Attacks
- 🧰 And much more!
Read the full step-by-step usage guide, including installation, vulnerability explanations, examples, and mitigations in the 📘 Certipy Wiki.
See the Installation Guide for instructions on how to install Certipy.
See the Quick Start Guide for a quick overview of the most common commands and usage examples.
Certipy supports detection and exploitation of AD CS vulnerabilities across the full range of ESC1-ESC16.
For detailed explanations and exploitation steps, refer to the Certipy Wiki.
See the Resources for selection of key resources related to AD CS security.
Contributions are welcome! See CONTRIBUTING.md for guidelines on reporting issues, improving documentation, or submitting pull requests.
Thanks to these generous sponsors for supporting the development of this project. Your contributions help sustain ongoing work and improvements.
Developed by @ly4k, with valuable contributions from the community.
📖 Visit the Certipy Wiki for detailed documentation, usage examples, ESC vulnerability breakdowns, and mitigation advice.