The Future of Certipy and the Release of v5 & ESC16 #270
Replies: 7 comments 1 reply
Super, hot fire. Thanks for your excellent contributions.
Holy cow you're alive!
Very glad to see you back and with a new release to boot. I think it is now clear how big of an impact your research and tool has had in the field :)
Great 👌! Thanks for your time and the work 👌!
Great stuff, will be awesome to be working with the main tool again!!!
Amazing update! How to detect vulnerable ESC16 using Certipy or BloodHound-CE though?
Amazing effort 👏! For someone like me, just learning about ADCS, your wiki is a gold mine! Thanks for that!
Certipy has been quiet for a while - but not forgotten. After two years without active maintenance, I'm happy to say that changes are coming. Today, I'm releasing Certipy v5.
It's been two years since I last actively maintained Certipy. A lot has happened in that time, both personally and professionally. Certipy fell into a long pause, while other responsibilities and projects took priority. During that period, the number of open issues and pull requests steadily grew, eventually reaching a point where returning to them felt overwhelming. Life circumstances, other personal projects, and a general lack of time meant that Certipy was placed on the backburner.
Since then, I've spent most of my free time working on another project and research - specifically a tool for assessing Microsoft cloud security - which has taken nearly all my available time and energy outside of my day job. Certipy, on the other hand, was left as it was: a tool that had grown far beyond what I originally imagined, but without the maintenance to match.
Still, the community around Certipy never went away. People continued to use it, contribute code, report issues, and help others - something I'm genuinely grateful for. Whether through a pull request, a comment, or simply pointing someone in the right direction, your contributions have made a real impact.
Sponsorship has also meant a lot - not just as financial support, but as a sign that the work is valued. Most of those funds go toward lab infrastructure, licenses, testing, and research time.
Special thanks to @fgeek, @mxrch, and @itgramabi for supporting Certipy even during the quiet periods. Your support helped make this release possible.
When I first released Certipy four years ago, it was just a personal side project. I built it for my own day-to-day work in offensive security, and I shared it because I thought others might find it useful. I never expected it to be widely adopted - let alone become a core tool not only for penetration testers and red teams, but also auditors and defenders around the world.
As the project gained traction, expectations changed. What started as a tool I maintained for myself became one that others depended on. That shift was rewarding, but also difficult. New feature requests, bug reports, incomplete pull requests, and low-effort issue submissions became the norm - and managing all of this, without dedicated time or help, eventually felt like a second job.
Many issues lacked necessary context or reproducible steps. Several pull requests were submitted without proper testing, or didn't follow the code quality standards of the repository. As more piled up, the energy required to work through them increased. At some point, progress ground to a halt - not for lack of care, but simply due to capacity.
Certipy v5 – What's Behind the Release
With Certipy v5, I've made the time to return to the project. This release reflects a renewed effort to bring it up to date - not only by addressing the existing backlog of issues and contributions, but by improving the foundation of the tool itself.
In this release, roughly 55 open issues and 40 pull requests have been reviewed and addressed. That process involved reproducing bugs, rewriting or testing code, and making judgment calls on which features to retain, rewrite, or retire. Over the life of the project, more than 170 issues and 80 pull requests have required similar triage and maintenance.
Alongside this, much of the codebase has been refactored for clarity and maintainability. Type hints have been added, edge cases handled more consistently, and overall structure improved.
To help users - both new and experienced - I've also created a completely new wiki:
👉 https://github.com/ly4k/Certipy/wiki
The wiki includes:
This is meant to make Certipy more accessible and useful, while also contributing to a deeper understanding of AD CS security.
What's New in v5
No major version bump without new escalations.
Certipy v5 introduces support for ESC13, ESC15, and a new escalation technique - ESC16 - published as part of this release. It also includes support for post-exploitation of ESC12 and ESC14. While these two cannot be directly detected or exploited by Certipy, the tool assists in follow-up actions once exploited. ESC12 requires code execution on the target, and ESC14 is best identified through BloodHound and exploited manually via LDAP.
🛡️ Support for Hardened Environments
Certipy is now far more robust in modern, secured AD CS environments:
Certificate enrollment over HTTPS with Channel Binding enforced - building on previous support for HTTP/HTTPS, v5 can now operate even when Channel Binding is required
Relaying to HTTPS endpoints when Channel Binding is not enforced, expanding attack surface coverage
LDAP Signing and LDAPS Channel Binding are now enabled by default, matching modern AD hardening guidelines
NTLM and Kerberos authentication are now also fully supported across:
These protections can be disabled to help test whether target environments enforce them
All of this has been implemented without relying on patched forks of third-party libraries (such as ly4k/ldap3), making Certipy cleaner and easier to maintain.
🔍 Improved Detection and Accuracy
Detection logic and exploitation checks have been refined across several paths:
ESC1 now avoids false positives and false negatives caused by misinterpreted permissions
ESC8 checks for HTTPS availability and Channel Binding enforcement, reducing both false positives and false negatives
The HTTP engine has been upgraded in the entire codebase, improving compatibility and reliability
The `find` command now provides:
🔧 General Quality-of-Life Improvements
Certipy v5 introduces several enhancements that simplify usage and help avoid surprises:
ESC4 abuse has been improved for consistency, safety, and better restore handling
No more silent file overwrites - you'll be prompted if the output file already exists, or Certipy will auto-create a new filename with a random suffix
Failsafe output fallback - if a file can't be written (e.g., permission issues), Certipy will dump the result to stdout (base64-encoded if binary)
Many more LDAP authentication flags are now supported across commands
All LDAP functionality is now powered by a single, unified engine supporting:
This streamlines operations across the entire tool and ensures consistent behavior between sub-commands
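As an added illustration of the two output-safety behaviours listed above (this is my own sketch, not Certipy's code): an existing file triggers a confirmation and otherwise gets a random suffix, and a failed write falls back to stdout, base64-encoded when the data is binary. The function names and the `confirm` callback are assumptions made for the example.

```python
import base64
import os
import secrets
import sys
from typing import Callable, Union


def ask_overwrite(path: str) -> bool:
    """Interactive default prompt; callers (and tests) may pass another callback."""
    answer = input(f"[?] {path} already exists. Overwrite? [y/N] ")
    return answer.strip().lower() in ("y", "yes")


def unique_path(path: str) -> str:
    """Return path unchanged if free, else '<stem>_<random hex><ext>' that does not exist yet."""
    if not os.path.exists(path):
        return path
    stem, ext = os.path.splitext(path)
    while True:
        candidate = f"{stem}_{secrets.token_hex(4)}{ext}"
        if not os.path.exists(candidate):
            return candidate


def write_output(
    path: str,
    data: Union[bytes, str],
    confirm: Callable[[str], bool] = ask_overwrite,
) -> str:
    """Write data without silently overwriting, and never lose it on a write error.

    Returns the path actually written, or "stdout" when the fallback was used.
    """
    target = path
    if os.path.exists(path) and not confirm(path):
        target = unique_path(path)  # user declined: keep the old file, pick a fresh name
    binary = isinstance(data, bytes)
    try:
        with open(target, "wb" if binary else "w") as fh:
            fh.write(data)
        return target
    except OSError as exc:
        # Failsafe fallback for e.g. permission denied or a missing directory.
        # Binary artifacts (certificates, PFX files) are base64-encoded so they
        # survive a terminal dump and can be decoded afterwards.
        sys.stderr.write(f"[!] Could not write {target} ({exc}); dumping to stdout\n")
        sys.stdout.write(base64.b64encode(data).decode("ascii") if binary else data)
        sys.stdout.write("\n")
        return "stdout"
```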
🐞 Debugging & Developer Experience
Debugging has been improved across the board, with clearer logging and better visibility into internal operations. It's generally recommended to run Certipy in debug mode when exploring or troubleshooting.
And yes, the most significant change in v5 may very well be this:
The `-debug` flag has moved.
Old usage:
New usage:
While the moved `-debug` flag might seem like a small joke, it's also a symbol of something bigger. The change reflects the broader restructuring Certipy has undergone for this release - extending far beyond just CLI behavior. The codebase has been reformatted, reorganized, and improved to support new features, enable better error handling, and provide a more consistent experience across all functionality.
Certipy v5 includes 330+ commits (up from 120 in the previous version) and integrates changes from over 80 pull requests. Many of these are behind-the-scenes improvements that can't be captured in a bullet list: protocol rewrites, refactors, edge-case handling, and more. The result is a more stable, flexible, and capable tool - both for the red teamer on an assessment and the defender trying to close the gaps.
Functionality Retired
A few features have been removed in this release:
Acknowledging Contributions
I've done my best to acknowledge everyone who contributed to Certipy - whether through code, ideas, or support. Not all pull requests could be merged directly, especially where they lacked testing, were outdated, or had been superseded. Still, I've tried to preserve attribution to grant contributor badges where appropriate, even when the code was rewritten from scratch.
Thanks especially to @zimedev and @GeisericII for their ongoing maintenance of forked versions of Certipy during its quiet period. And thanks to everyone who helped others in the issue tracker - community support has been invaluable.
Looking Ahead
To help manage Certipy more sustainably going forward, a few structural changes are being introduced:
This isn't about gatekeeping - it's about using limited time effectively and ensuring contributions meet the same standard that users expect from Certipy itself.
Maintaining Certipy requires more than just writing code. A large part of the work lies in reproducing issues that come from diverse and often complex environments - whether that's multi-domain forests, uncommon certificate templates, outdated domain controllers, or environments where AD CS behaves unexpectedly. Sometimes it's chasing down minor bugs like inconsistent TLS handling. Other times it's hours spent trying to replicate behavior that occurs only in very specific Windows builds - anything from fully patched Server 2025 to legacy deployments from 2022 or earlier.
That kind of work - reproducing complex edge cases, setting up tailored environments, digging through undocumented behavior - takes time and resources. Time and resources that can be hard to justify without some kind of support behind it.
Which is why I'm grateful to those who have sponsored Certipy. It's not only about enabling development - it's about acknowledging the time, care, and effort that goes into making it reliable.
So once again, thank you to @fgeek, @mxrch, and @itgramabi for backing Certipy through its quiet periods. Your support helped make this release happen.
If you'd like to support Certipy's continued development, you can do so here:
👉 https://github.com/sponsors/ly4k
Thank you for your trust, your patience, and for continuing to use Certipy. I hope you find v5 to be everything you need it to be - and more.
ly4k