查找证书服务器
>rackmapexec ldap domain.lab -u username -p password -M adcs
>ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName
使用 certutil 枚举 AD 企业 CA
>certutil.exe -config - -ping