https://github.com/grimlockx/ADCSKiller

An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer
https://github.com/grimlockx/ADCSKiller

Last synced: 2 months ago
JSON representation

An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer

• Host: GitHub
• URL: https://github.com/grimlockx/ADCSKiller
• Owner: grimlockx
• License: mit
• Created: 2023-05-19T06:51:41.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2023-05-19T17:36:37.000Z (over 2 years ago)
• Last Synced: 2025-01-02T10:38:20.653Z (10 months ago)
• Language: Python
• Homepage: https://hexastrike.com
• Size: 81.1 KB
• Stars: 701
• Watchers: 6
• Forks: 70
• Open Issues: 8
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - grimlockx/ADCSKiller - An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer (Python)

README

          
# ADCSKiller - An ADCS Exploitation Automation Tool

ADCSKiller is a Python-based tool designed to automate the process of discovering and exploiting Active Directory Certificate Services (ADCS) vulnerabilities. It leverages features of Certipy and Coercer to simplify the process of attacking ADCS infrastructure. Please note that the ADCSKiller is currently in its first drafts and will undergo further refinements and additions in future updates for sure.

![image](https://github.com/grimlockx/ADCSKiller/assets/95048484/e4102251-cd50-4f74-b8c1-578677d35d0c)

## Features

- Enumerate Domain Administrators via LDAP

- Enumerate Domaincontrollers via LDAP

- Enumerate Certificate Authorities via Certipy

- Exploitation of ESC1

- Exploitation of ESC8

## Installation

Since this tool relies on Certipy and Coercer, both tools have to be installed first.

```bash

git clone https://github.com/ly4k/Certipy && cd Certipy && python3 setup.py install

git clone https://github.com/p0dalirius/Coercer && cd Coercer && pip install -r requirements.txt && python3 setup.py install

git clone https://github.com/grimlockx/ADCSKiller/ && cd ADCSKiller && pip install -r requirements.txt

```

## Usage

```bash

Usage: adcskiller.py [-h] -d DOMAIN -u USERNAME -p PASSWORD -t TARGET -l LEVEL -L LHOST

Options:

-h, --help Show this help message and exit.

-d DOMAIN, --domain DOMAIN

                        Target domain name. Use FQDN

-u USERNAME, --username USERNAME

                        Username.

-p PASSWORD, --password PASSWORD

                        Password.

-dc-ip TARGET, --target TARGET

                        IP Address of the domain controller.

-L LHOST, --lhost LHOST

                         FQDN of the listener machine - An ADIDNS is probably required

```

## Todos

- [ ] Tests, Tests, Tests

- [ ] Enumerate principals which are allowed to dcsync

- [ ] Use dirkjanm's gettgtpkinit.py to receive a ticket instead of Certipy auth

- [ ] Support DC Certificate Authorities

- [ ] ESC2 - ESC7

- [ ] ESC9 - ESC11?

- [ ] Automated add an ADIDNS entry if required

- [ ] Support DCSync functionality

## Credits

- [Oliver Lyak](https://github.com/ly4k/Certipy "Certipy") for Certipy

- [p0dalirius](https://github.com/p0dalirius/Coercer "Coercer") for Coercer

- [SpecterOps](https://specterops.io/) for their research on ADCS

- [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t) for bringing these attacks to my screen