LDAP-first ACL enumeration for identifying actionable privilege escalation paths in Active Directory.
Certipy-ACL is a focused enumeration tool that queries and parses nTSecurityDescriptor over LDAP to resolve effective ACL abuse rights without relying on broad object collection.
It identifies privilege escalation primitives such as:

| Privilege | Meaning |
|---|---|
| WriteOwner | Take ownership of the object (the owner can then rewrite its DACL) |
| WriteDACL | Modify the object's permissions |
| GenericAll | Full control over the object |
| GenericWrite | Modify the object's attributes |
| AddSelf | Add yourself to the group (Self-Membership validated write) |
| DCSync | Replicate directory secrets (requires both DS-Replication-Get-Changes and -All) |
| ForceChangePassword | Reset the user's password without knowing the current one |
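The mapping behind that table is mechanical: every ACE in the object's DACL carries an access mask, a trustee SID and, for object ACEs, a GUID that scopes the right to one attribute, validated write or extended right. The script below is an added example, not certipy-acl's own code, showing how a self-relative nTSecurityDescriptor (layout per MS-DTYP) decodes into those primitives. The SIDs, the two sample descriptors and the account names (borrowed from the example output further down) are constructed so it runs offline; against a live DC you would fetch the raw attribute over LDAP and hand the bytes to `abuse_rights()`.

```python
"""Added example, not certipy-acl's own code: parse a self-relative
nTSecurityDescriptor (layout per MS-DTYP) and map its allow-ACEs to the abuse
primitives in the table. Descriptors and SIDs below are constructed so this runs
offline; a real run would pass the raw LDAP attribute bytes to abuse_rights()."""
import struct
import uuid

# Access-mask bits (MS-ADTS). The DC stores specific bits, so full control read
# over LDAP normally appears as the FULL_CONTROL mask, not the GENERIC_ALL bit.
DS_SELF, DS_CONTROL_ACCESS = 0x08, 0x100
WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
FULL_CONTROL, WRITE_ALL = 0xF01FF, 0x20028      # .NET ActiveDirectoryRights.GenericAll / GenericWrite
# Schema GUIDs of the extended / validated-write rights behind the table's primitives
G_FORCE_CHANGE_PW = "00299570-246d-11d0-a768-00aa006e0529"
G_SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2"
G_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
G_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
ALLOW, DENY, ALLOW_OBJ, DENY_OBJ = 0x00, 0x01, 0x05, 0x06   # ACE types
OBJECT_TYPE_PRESENT, INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2
# (primitive, mask bits, GUIDs that scope it; None = standard right, GUID irrelevant)
RULES = [("WriteDACL", WRITE_DAC, None), ("WriteOwner", WRITE_OWNER, None),
         ("AddSelf", DS_SELF, (G_SELF_MEMBERSHIP,)),
         ("ForceChangePassword", DS_CONTROL_ACCESS, (G_FORCE_CHANGE_PW,)),
         ("_GetChanges", DS_CONTROL_ACCESS, (G_GET_CHANGES,)),
         ("_GetChangesAll", DS_CONTROL_ACCESS, (G_GET_CHANGES_ALL,))]


def sid_to_bytes(sid):
    p = sid.split("-")                                # "S-1-5-21-a-b-c-rid"
    subs = [int(x) for x in p[3:]]
    return bytes([1, len(subs)]) + int(p[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(buf):
    subs = struct.unpack_from("<%dI" % buf[1], buf, 8)
    return "S-%d-%d-" % (buf[0], int.from_bytes(buf[2:8], "big")) + "-".join(map(str, subs))


def make_ace(ace_type, mask, sid, object_type=None):
    body = struct.pack("<I", mask)
    if ace_type in (ALLOW_OBJ, DENY_OBJ):              # object ACE: flags [+ GUID] precede the SID
        body += struct.pack("<I", OBJECT_TYPE_PRESENT if object_type else 0)
        if object_type:
            body += uuid.UUID(object_type).bytes_le
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sd(owner, group, aces):
    """Self-relative SECURITY_DESCRIPTOR: 20-byte header, DACL, owner SID, group SID."""
    body = b"".join(aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body   # ACL_REVISION_DS
    ob, gb = sid_to_bytes(owner), sid_to_bytes(group)
    off_owner, control = 20 + len(dacl), 0x8004       # SE_SELF_RELATIVE | SE_DACL_PRESENT
    return struct.pack("<BBHIIII", 1, 0, control, off_owner, off_owner + len(ob), 0, 20) + dacl + ob + gb


def parse_dacl(sd):
    """Return [(trustee_sid, ace_type, mask, object_type_guid_or_None)] from the DACL."""
    control, off_dacl = struct.unpack_from("<H", sd, 2)[0], struct.unpack_from("<I", sd, 16)[0]
    if not (control & 0x4) or off_dacl == 0:
        return []                                      # NULL DACL: nothing to enumerate
    ace_count = struct.unpack_from("<H", sd, off_dacl + 4)[0]
    pos, out = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        cur, obj = pos + 8, None
        if ace_type in (ALLOW_OBJ, DENY_OBJ):
            flags = struct.unpack_from("<I", sd, cur)[0]
            cur += 4
            if flags & OBJECT_TYPE_PRESENT:
                obj = str(uuid.UUID(bytes_le=sd[cur:cur + 16]))
                cur += 16
            if flags & INHERITED_OBJECT_TYPE_PRESENT:
                cur += 16                              # inheritance target; not needed here
        out.append((bytes_to_sid(sd[cur:pos + ace_size]), ace_type, mask, obj))
        pos += ace_size
    return out


def abuse_rights(sd, filter_sid=None):
    """{trustee_sid: sorted primitives} from allow-ACEs, optionally for one SID only."""
    per_sid = {}
    for sid, ace_type, mask, obj in parse_dacl(sd):
        if ace_type not in (ALLOW, ALLOW_OBJ) or (filter_sid and sid != filter_sid):
            continue                                   # deny ACEs are not subtracted in this demo
        r = per_sid.setdefault(sid, set())
        if mask & GENERIC_ALL or (mask & FULL_CONTROL) == FULL_CONTROL:
            r.add("GenericAll")
        if mask & GENERIC_WRITE or (obj is None and (mask & WRITE_ALL) == WRITE_ALL):
            r.add("GenericWrite")
        for name, bits, guids in RULES:                # scoped rights need the matching GUID or no GUID
            if mask & bits and (guids is None or obj is None or obj in guids):
                r.add(name)
    result = {}
    for sid, r in per_sid.items():
        if {"_GetChanges", "_GetChangesAll"} <= r:      # DCSync needs both replication rights
            r.add("DCSync")
        r -= {"_GetChanges", "_GetChangesAll"}
        if "GenericAll" in r:
            r = {"GenericAll"}                         # full control subsumes everything else
        if r:
            result[sid] = sorted(r)
    return result


# Constructed sample data (hypothetical SIDs; names follow the README's example output)
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ADMINS, MICHAEL, SYNC_SVC, BACKUP_SVC = DOM + "-512", DOM + "-1105", DOM + "-1106", DOM + "-1107"
# User object "Benjamin Brown": Domain Admins full control, michael holds
# User-Force-Change-Password, plus a deny ACE that this demo skips.
USER_SD = build_sd(DOMAIN_ADMINS, DOM + "-513", [
    make_ace(DENY, WRITE_OWNER, "S-1-1-0"),
    make_ace(ALLOW, FULL_CONTROL, DOMAIN_ADMINS),
    make_ace(ALLOW_OBJ, DS_CONTROL_ACCESS, MICHAEL, G_FORCE_CHANGE_PW)])
# Domain head: sync_svc holds both replication rights (DCSync), backup_svc only one.
DOMAIN_SD = build_sd(DOMAIN_ADMINS, DOM + "-513", [
    make_ace(ALLOW_OBJ, DS_CONTROL_ACCESS, SYNC_SVC, G_GET_CHANGES),
    make_ace(ALLOW_OBJ, DS_CONTROL_ACCESS, SYNC_SVC, G_GET_CHANGES_ALL),
    make_ace(ALLOW_OBJ, DS_CONTROL_ACCESS, BACKUP_SVC, G_GET_CHANGES)])

if __name__ == "__main__":
    for sid, rights in abuse_rights(USER_SD).items():
        print(sid, "->", ", ".join(rights))            # michael -> ForceChangePassword
    print(abuse_rights(DOMAIN_SD, filter_sid=SYNC_SVC))
```

Two points worth keeping in mind when reading real output: a trustee with only DS-Replication-Get-Changes (backup_svc above) is not a DCSync path, and deny ACEs, which this demo only skips, take precedence over allow ACEs in the real access check, so a tool that ignores them can over-report.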
Certipy-ACL operates on SIDs (security identifiers), so you are expected to obtain valid SIDs for your targets during enumeration. A common method is RID brute-forcing over RPC with Impacket's lookupsid.py:

```bash
lookupsid.py $domain.htb/$user:$psswd@$target
```

With a target SID in hand, query the ACLs that reference it and resolve the SIDs in the output back to names:

```bash
certipy-acl --auth ntlm -u $user@$domain.htb -p $psswd -d $domain.htb --dc-ip $target --filter-sid $target_sid --resolve-sid
```

Example output:

```
michael → can reset password of → Benjamin Brown
```
- Attack-focused output — shows what you can actually abuse
- Quiet enumeration — minimal LDAP noise
- Targeted scanning — filter by SID or DN
- BloodHound-aligned — same privilege concepts, live from LDAP
Installation:

```bash
git clone https://github.com/xploitnik/certipy-acl.git
cd certipy-acl
python3 -m venv .venv
source .venv/bin/activate
pip install -e .
```

Basic usage:

```bash
certipy-acl -u $user@$domain -p $psswd -dc-ip $target
```

Filter on a single SID and resolve the SIDs in the output to names:

```bash
certipy-acl --auth ntlm -u $user@$domain.htb -p $psswd -d $domain.htb --dc-ip $target --filter-sid $target_sid --resolve-sid
```

Restrict the scan to one DN:

```bash
certipy-acl -u $user@$domain -p $psswd -dc-ip $target \
  --target-dn "CN=Users,DC=domain,DC=local"
```

Show only the ACEs that yield an escalation primitive:

```bash
certipy-acl ... --only-escalation
```

Supported authentication:

- NTLM (user + password)
- Kerberos (recommended for OPSEC)

Use Kerberos whenever possible, pointing the tool at an existing ticket cache:

```bash
export KRB5CCNAME=...
certipy-acl -k ...
```

Certipy-ACL is built to answer one question:
"What can I abuse right now?"
Built for red teamers, CTF players, and operators who want signal over noise.