ADCS cert template modification and ACL enumeration

Related tags

Text Data & NLPmodifyCertTemplate
Overview

Purpose

This tool is designed to aid an operator in modifying ADCS certificate templates so that a created vulnerable state can be leveraged for privilege escalation (and then reset the template to its previous state afterwards). This is specifically designed for a scenario where WriteProperty rights over a template have been compromised, but the operator is unsure which properties the right applies to. In this scenairo, the template's ACL can be queried and the applicable ACE information can be cross-referenced with property GUIDs to determine the modifiable properties.

Associated blog post on the tool and topic.

Usage

usage: modifyCertTemplate.py [-h] -template template name [-property property name] [-value new value] [-get-acl] [-dn distinguished name] [-raw] [-add flag name] [-debug]
                             [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-ldaps]
                             target

Modify the attributes of an Active Directory certificate template

positional arguments:
  target                [[domain/]username[:password]

optional arguments:
  -h, --help            show this help message and exit
  -template template name
                        Name of the target certificate template
  -property property name
                        Name of the target template property
  -value new value      Value to set the specified template property to
  -get-acl              Print the certificate's ACEs
  -dn distinguished name
                        Explicitly set the distinguished name of the certificate template
  -raw                  Output the raw certificate template attributes
  -add flag name        Add a flag to an attribute, maintaining the existing flags
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will
                        use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -ldaps                Use LDAPS instead of LDAP

Examples

Querying a Template or Property Value

Query a certificate template (all attributes)

python3 modifyCertTemplate.py -template KerberosAuthentication ez.lab/administrator:pass

Query a single attribute from a certificate template

python3 modifyCertTemplate.py -template KerberosAuthentication -property msPKI-Certificate-Name-Flag ez.lab/administrator:pass

Query the raw values of all template attributes

python3 modifyCertTemplate.py -template KerberosAuthentication -raw ez.lab/administrator:pass

Querying ACL Info

Query the ACL for a certificate template

python3 modifyCertTemplate.py -template KerberosAuthentication -get-acl ez.lab/administrator:pass

Although unrelated to certificate templates, any object's ACL can be queried by providing the object's distinguished name

python3 modifyCertTemplate.py -dn "CN=ws1,CN=computers,DC=ez,DC=lab" -get-acl ez.lab/administrator:pass

Modifying a Template

Add the ENROLLEE_SUPPLIES_SUBJECT flag to the template's msPKI-Certificate-Name-Flag property

python3 modifyCertTemplate.py -template KerberosAuthentication -add enrollee_supplies_subject -property msPKI-Certificate-Name-Flag ez.lab/administrator:pass

Update the value of a certificate template attribute (non-list properties)

python3 modifyCertTemplate.py -template KerberosAuthentication -property msPKI-Certificate-Name-Flag -value -150994944 ez.lab/administrator:pass

Add an EKU to the pKIExtendedKeyUsage property

python3 modifyCertTemplate.py -template KerberosAuthentication -add "client authentication" -property pKIExtendedKeyUsage ez.lab/administrator:pass

Update the value of a list-formatted attribute (i.e. explicitly set the value of pKIExtendedKeyUsage)

python3 modifyCertTemplate.py -template KerberosAuthentication -value "'1.3.6.1.5.5.7.3.4', '1.3.6.1.5.5.7.3.2'" -property pKIExtendedKeyUsage ez.lab/administrator:pass

References, Credits and Other Projects to Check Out!

Owner
Fortalice Solutions, LLC
Fortified Security
Fortalice Solutions, LLC
GitHub Repository
Korean Simple Contrastive Learning of Sentence Embeddings using SKT KoBERT and kakaobrain KorNLU dataset

KoSimCSE Korean Simple Contrastive Learning of Sentence Embeddings implementation using pytorch SimCSE Installation git clone https://github.com/BM-K/

34 Nov 24, 2022
texlive expressions for documents

tex2nix Generate Texlive environment containing all dependencies for your document rather than downloading gigabytes of texlive packages. Installation

Jörg Thalheim 70 Dec 26, 2022
Word2Wave: a framework for generating short audio samples from a text prompt using WaveGAN and COALA.

Word2Wave is a simple method for text-controlled GAN audio generation. You can either follow the setup instructions below and use the source code and CLI provided in this repo or you can have a play

Ilaria Manco 91 Dec 23, 2022
A collection of Korean Text Datasets ready to use using Tensorflow-Datasets.

tfds-korean A collection of Korean Text Datasets ready to use using Tensorflow-Datasets. TensorFlow-Datasets를 이용한 한국어/한글 데이터셋 모음입니다. Dataset Catalog |

Jeong Ukjae 20 Jul 11, 2022
Korean Sentence Embedding Repository

Korean-Sentence-Embedding 🍭 Korean sentence embedding repository. You can download the pre-trained models and inference right away, also it provides

80 Jan 02, 2023
In this repository we have tested 3 VQA models on the ImageCLEF-2019 dataset.

Med-VQA In this repository we have tested 3 VQA models on the ImageCLEF-2019 dataset. Two of these are made on top of Facebook AI Reasearch's Multi-Mo

Kshitij Ambilduke 8 Apr 14, 2022
Implementation of some unbalanced loss like focal_loss, dice_loss, DSC Loss, GHM Loss et.al

Implementation of some unbalanced loss for NLP task like focal_loss, dice_loss, DSC Loss, GHM Loss et.al Summary Here is a loss implementation reposit

121 Jan 01, 2023
A Python 3.6+ package to run .many files, where many programs written in many languages may exist in one file.

RunMany Intro | Installation | VSCode Extension | Usage | Syntax | Settings | About A tool to run many programs written in many languages from one fil

6 May 22, 2022
2021 2학기 데이터크롤링 기말프로젝트

공지 주제 웹 크롤링을 이용한 취업 공고 스케줄러 스케줄 주제 정하기 코딩하기 핵심 코드 설명 + 피피티 구조 구상 // 12/4 토 피피티 + 스크립트(대본) 제작 + 녹화 // ~ 12/10 ~ 12/11 금~토 영상 편집 // ~12/11 토 웹크롤러 사람인_평균

Choi Eun Jeong 2 Aug 16, 2022
A raytrace framework using taichi language

ti-raytrace The code use Taichi programming language Current implement acceleration lvbh disney brdf How to run First config your anaconda workspace,

蕉太狼 73 Dec 11, 2022
Behavioral Testing of Clinical NLP Models

Behavioral Testing of Clinical NLP Models This repository contains code for testing the behavior of clinical prediction models based on patient letter

Betty van Aken 2 Sep 20, 2022
An easy to use Natural Language Processing library and framework for predicting, training, fine-tuning, and serving up state-of-the-art NLP models.

Welcome to AdaptNLP A high level framework and library for running, training, and deploying state-of-the-art Natural Language Processing (NLP) models

Novetta 407 Jan 03, 2023
leaking paid token generator that was a shit lmao for 100$ haha

Discord-Token-Generator-Leaked leaking paid token generator that was a shit lmao for 100$ he selling it for 100$ wth here the code enjoy don't forget

Keevo 5 Apr 15, 2022
The model is designed to train a single and large neural network in order to predict correct translation by reading the given sentence.

Neural Machine Translation communication system The model is basically direct to convert one source language to another targeted language using encode

Nishant Banjade 7 Sep 22, 2022
Using BERT-based models for toxic span detection

SemEval 2021 Task 5: Toxic Spans Detection: Task: Link to SemEval-2021: Task 5 Toxic Span Detection is https://competitions.codalab.org/competitions/2

Ravika Nagpal 1 Jan 04, 2022
使用pytorch+transformers复现了SimCSE论文中的有监督训练和无监督训练方法

SimCSE复现 项目描述 SimCSE是一种简单但是很巧妙的NLP对比学习方法,创新性地引入Dropout的方式,对样本添加噪声,从而达到对正样本增强的目的。 该框架的训练目的为:对于batch中的每个样本,拉近其与正样本之间的距离,拉远其与负样本之间的距离,使得模型能够在大规模无监督语料(也可以

58 Dec 20, 2022
Precision Medicine Knowledge Graph (PrimeKG)

PrimeKG Website | bioRxiv Paper | Harvard Dataverse Precision Medicine Knowledge Graph (PrimeKG) presents a holistic view of diseases. PrimeKG integra

Machine Learning for Medicine and Science @ Harvard 103 Dec 10, 2022
Composed Image Retrieval using Pretrained LANguage Transformers (CIRPLANT)

CIRPLANT This repository contains the code and pre-trained models for Composed Image Retrieval using Pretrained LANguage Transformers (CIRPLANT) For d

Zheyuan (David) Liu 29 Nov 17, 2022
A fast and lightweight python-based CTC beam search decoder for speech recognition.

pyctcdecode A fast and feature-rich CTC beam search decoder for speech recognition written in Python, providing n-gram (kenlm) language model support

Kensho 315 Dec 21, 2022
🐍 A hyper-fast Python module for reading/writing JSON data using Rust's serde-json.

A hyper-fast, safe Python module to read and write JSON data. Works as a drop-in replacement for Python's built-in json module. This is alpha software

Matthias 479 Jan 01, 2023