NTLM

Default when the -p argument is specified. Works with LDAP/LDAPS, e.g. -p 'Password123!' or -p :2B576ACBE6BCFDA7294D6BD18041B8FE. You can also provide b64 or hex encoded passwords by adding -f b64 or -f hex. If -p is not specified, Integrated Windows authentication is triggered if credentials are stored in the SSPI session.

Kerberos

Enabled when the -k argument is specified. Works with LDAP/LDAPS.
It supports the following:
- Integrated Windows authentication if tickets are stored in SSPI session (no need to provide any other additional argument in this case)
- Password using the additional argument -p 'Password123!'
- AES or RC4 key using the additional argument -p <key> followed by -f aes or -f rc4
- TGT or ST in ccache/kirbi/keytab format set in -k additional arguments: -k ccache=ticket.ccache, -k kirbi=ticket.kirbi, -k keytab=ticket.keytab
- PEM or PFX format set in -k additional arguments: -k pem=cert.pem, -k pfx=cert.pfx
- Windows Certstore, by passing an empty -c instead of -k
- If performing inter-domain authentication (credentials are from Dom A and you want to use them on Dom B, and Dom B trusts Dom A), provide the Dom A KDC in kdc=192.168.100.1 and the Dom B KDC in kdcc=192.168.120.1 with the Dom B name in realmc=DomB, such as: -k kirbi=ticket.kirbi kdc=192.168.100.1 kdcc=192.168.120.1 realmc=DomB

πŸ“ Note
You can provide a b64/hex ticket/cert instead of a file if `-f b64` or `-f hex` is set
⚠️ Warning
**You must** set the hostname and not the IP of the DC in `--host` (you can then provide the IP in --dc-ip if there is no DNS resolution for the hostname)

Certificate

  • Supports P12 or PFX certificates
  • Enabled by using -c Administrator.key:Administrator.crt if the key and certificate are in separate files, or -c :Administrator.pem if the key and certificate are concatenated in the same file.
  • If the certificate is password protected you can provide a password in -p
  • This authentication method works with LDAP/LDAPS.
⚠️ Warning
A bug in LDAP was introduced in the May 2023 update [preventing successful authentication](https://learn.microsoft.com/en-us/answers/questions/1373156/why-does-kb5026409-cause-sasl-external-to-fail) even with a valid certificate. It was fixed in the [October 2023 update](https://support.microsoft.com/en-us/topic/october-10-2023-kb5031407-security-only-update-fbabe467-2b2e-4871-891a-3716394b2a45).
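To make the NTLM, Kerberos and certificate argument conventions above concrete, here is an added validator (example code, not the tool's own parser) that maps --host/-p/-k/-c values onto a config object and rejects the combinations the notes above warn about; AuthConfig, parse_auth and the set of accepted -k option names are assumptions of this example, and the -f b64/hex/aes/rc4 selector is left out.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional
NT_HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# assumed list of -k key=value options, taken from the section above
KERBEROS_KEYS = {"ccache", "kirbi", "keytab", "pem", "pfx", "kdc", "kdcc", "realmc"}

@dataclass
class AuthConfig:
    method: str                       # "ntlm", "kerberos" or "certificate"
    host: str
    secret: Optional[str] = None      # password, or the NT hash when is_hash is True
    is_hash: bool = False
    kerberos: dict = field(default_factory=dict)  # kirbi=, kdc=, kdcc=, realmc=, ...
    key_file: Optional[str] = None
    cert_file: Optional[str] = None

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_auth(host, p=None, k=None, c=None) -> AuthConfig:
    """Map --host/-p/-k/-c values onto an AuthConfig, enforcing the documented rules."""
    if c is not None:
        # "-c key:cert" with separate files, or "-c :file.pem" when both are concatenated
        key, _, cert = c.partition(":")
        if not cert:
            raise ValueError("-c expects key:cert or :combined.pem")
        return AuthConfig("certificate", host, secret=p, key_file=key or None, cert_file=cert)
    if k is not None:
        # Kerberos needs the DC hostname for the SPN; a bare IP in --host will not work
        if _is_ip(host):
            raise ValueError("--host must be the DC hostname for Kerberos (give the IP in --dc-ip)")
        opts = dict(item.partition("=")[::2] for item in k)
        if not set(opts) <= KERBEROS_KEYS or "" in opts.values():
            raise ValueError(f"unsupported -k options: {k!r}")
        if ("kdcc" in opts) != ("realmc" in opts):  # inter-domain needs both
            raise ValueError("inter-domain auth needs both kdcc= and realmc=")
        return AuthConfig("kerberos", host, secret=p, kerberos=opts)
    if p is None:
        raise ValueError("no -p, -k or -c given: nothing to authenticate with")
    if p.startswith(":"):  # ":<hash>" selects pass-the-hash with an NT hash
        if not NT_HASH_RE.match(p[1:]):
            raise ValueError("NT hash must be 32 hex characters")
        return AuthConfig("ntlm", host, secret=p[1:].lower(), is_hash=True)
    return AuthConfig("ntlm", host, secret=p)
```

Calling parse_auth("192.168.10.2", k=[]) raises, which is exactly the case the warning above describes: the DC must be named by hostname when Kerberos is used.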

Generate a Certificate

```
## Get the CA Authority name
$ certipy find -u Administrator@bloody -p <password> -dc-ip 192.168.10.2 -debug
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://192.168.10.2:636 - ssl
[+] Default path: DC=bloody,DC=local
[+] Configuration path: CN=Configuration,DC=bloody,DC=local
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[+] Trying to resolve 'DC01.bloody.local' at '192.168.10.2'
[*] Trying to get CA configuration for 'bloody-DC01-CA' via CSRA
[+] Trying to get DCOM connection for: 192.168.10.2
[*] Got CA configuration for 'bloody-DC01-CA'
[+] Resolved 'DC01.bloody.local' from cache: 192.168.10.2
[+] Connecting to 192.168.10.2:80
```

```
## Get the PFX
$ certipy req -u Administrator@bloody.local -p <password> -target 192.168.10.2 -ca bloody-DC01-CA -template User
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'Administrator@bloody.local'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```

Convert PFX to PEM

```
$ openssl pkcs12 -in administrator.pfx -out administrator.pem -nodes
Enter Import Password:
```

LDAPS

Add the -s flag to enable LDAPS. By default AD doesn't support LDAPS (port 636); it has to be enabled and set up with a certificate authority server.