Certipy - AD CS Attack & Enumeration Toolkit
June 23, 2026 ยท View on GitHub
Certipy is a powerful offensive and defensive toolkit for enumerating and abusing Active Directory Certificate Services (AD CS). It helps red teamers, penetration testers, and defenders assess AD CS misconfigurations - including full support for identifying and exploiting all known ESC1-ESC17 attack paths.
Warning
Use only in environments where you have explicit authorization. Unauthorized use may be illegal.
๐ Features
- ๐ Discover Certificate Authorities and Templates
- ๐ฉ Identify misconfigurations
- ๐ Request and forge certificates
- ๐ญ Perform authentication using certificates
- ๐ก Relay NTLM authentication to AD CS HTTP(S)/RPC endpoints
- ๐๏ธ Support for Shadow Credentials, Golden Certificates, and Certificate Mapping Attacks
- ๐งฐ And much more!
๐ Full Wiki & Documentation
Read the full step-by-step usage guide, including installation, vulnerability explanations, examples, and mitigations in the ๐ Certipy Wiki.
โ๏ธ Installation
See the Installation Guide for instructions on how to install Certipy.
๐ Quick Start
See the Quick Start Guide for a quick overview of the most common commands and usage examples.
๐ฏ Supported AD CS Vulnerabilities
Certipy supports detection and exploitation of AD CS vulnerabilities across the full range of ESC1-ESC17.
For detailed explanations and exploitation steps, refer to the Certipy Wiki.
๐ Resources
See the Resources for selection of key resources related to AD CS security.
๐ค Contributing
Contributions are welcome! See CONTRIBUTING.md for guidelines on reporting issues, improving documentation, or submitting pull requests.
๐ Sponsors
Thanks to these generous sponsors for supporting the development of this project. Your contributions help sustain ongoing work and improvements.
๐ค Author
Developed by @ly4k, with valuable contributions from the community.
๐ Wiki
๐ Visit the Certipy Wiki for detailed documentation, usage examples, ESC vulnerability breakdowns, and mitigation advice.