ADCS cert template modification and ACL enumeration

Related tags

Text Data & NLPmodifyCertTemplate
Overview

Purpose

This tool is designed to aid an operator in modifying ADCS certificate templates so that a created vulnerable state can be leveraged for privilege escalation (and then reset the template to its previous state afterwards). This is specifically designed for a scenario where WriteProperty rights over a template have been compromised, but the operator is unsure which properties the right applies to. In this scenairo, the template's ACL can be queried and the applicable ACE information can be cross-referenced with property GUIDs to determine the modifiable properties.

Associated blog post on the tool and topic.

Usage

usage: modifyCertTemplate.py [-h] -template template name [-property property name] [-value new value] [-get-acl] [-dn distinguished name] [-raw] [-add flag name] [-debug]
                             [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-ldaps]
                             target

Modify the attributes of an Active Directory certificate template

positional arguments:
  target                [[domain/]username[:password]

optional arguments:
  -h, --help            show this help message and exit
  -template template name
                        Name of the target certificate template
  -property property name
                        Name of the target template property
  -value new value      Value to set the specified template property to
  -get-acl              Print the certificate's ACEs
  -dn distinguished name
                        Explicitly set the distinguished name of the certificate template
  -raw                  Output the raw certificate template attributes
  -add flag name        Add a flag to an attribute, maintaining the existing flags
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will
                        use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -ldaps                Use LDAPS instead of LDAP

Examples

Querying a Template or Property Value

Query a certificate template (all attributes)

python3 modifyCertTemplate.py -template KerberosAuthentication ez.lab/administrator:pass

Query a single attribute from a certificate template

python3 modifyCertTemplate.py -template KerberosAuthentication -property msPKI-Certificate-Name-Flag ez.lab/administrator:pass

Query the raw values of all template attributes

python3 modifyCertTemplate.py -template KerberosAuthentication -raw ez.lab/administrator:pass

Querying ACL Info

Query the ACL for a certificate template

python3 modifyCertTemplate.py -template KerberosAuthentication -get-acl ez.lab/administrator:pass

Although unrelated to certificate templates, any object's ACL can be queried by providing the object's distinguished name

python3 modifyCertTemplate.py -dn "CN=ws1,CN=computers,DC=ez,DC=lab" -get-acl ez.lab/administrator:pass

Modifying a Template

Add the ENROLLEE_SUPPLIES_SUBJECT flag to the template's msPKI-Certificate-Name-Flag property

python3 modifyCertTemplate.py -template KerberosAuthentication -add enrollee_supplies_subject -property msPKI-Certificate-Name-Flag ez.lab/administrator:pass

Update the value of a certificate template attribute (non-list properties)

python3 modifyCertTemplate.py -template KerberosAuthentication -property msPKI-Certificate-Name-Flag -value -150994944 ez.lab/administrator:pass

Add an EKU to the pKIExtendedKeyUsage property

python3 modifyCertTemplate.py -template KerberosAuthentication -add "client authentication" -property pKIExtendedKeyUsage ez.lab/administrator:pass

Update the value of a list-formatted attribute (i.e. explicitly set the value of pKIExtendedKeyUsage)

python3 modifyCertTemplate.py -template KerberosAuthentication -value "'1.3.6.1.5.5.7.3.4', '1.3.6.1.5.5.7.3.2'" -property pKIExtendedKeyUsage ez.lab/administrator:pass

References, Credits and Other Projects to Check Out!

Owner
Fortalice Solutions, LLC
Fortified Security
Fortalice Solutions, LLC
GitHub Repository
Repo for Enhanced Seq2Seq Autoencoder via Contrastive Learning for Abstractive Text Summarization

ESACL: Enhanced Seq2Seq Autoencoder via Contrastive Learning for AbstractiveText Summarization This repo is for our paper "Enhanced Seq2Seq Autoencode

Rachel Zheng 14 Nov 01, 2022
A desktop GUI providing an audio interface for GPT3.

Jabberwocky neil_degrasse_tyson_with_audio.mp4 Project Description This GUI provides an audio interface to GPT-3. My main goal was to provide a conven

16 Nov 27, 2022
PyTorch implementation and pretrained models for XCiT models. See XCiT: Cross-Covariance Image Transformer

Cross-Covariance Image Transformer (XCiT) PyTorch implementation and pretrained models for XCiT models. See XCiT: Cross-Covariance Image Transformer L

Facebook Research 605 Jan 02, 2023
Lingtrain Aligner — ML powered library for the accurate texts alignment.

Lingtrain Aligner ML powered library for the accurate texts alignment in different languages. Purpose Main purpose of this alignment tool is to build

Sergei Averkiev 76 Dec 14, 2022
Simple virtual assistant using pyttsx3 and speech recognition optionally with pywhatkit and pther libraries.

VirtualAssistant Simple virtual assistant using pyttsx3 and speech recognition optionally with pywhatkit and pther libraries. Third Party Libraries us

Logadheep 1 Nov 27, 2021
Implementation of the Hybrid Perception Block and Dual-Pruned Self-Attention block from the ITTR paper for Image to Image Translation using Transformers

ITTR - Pytorch Implementation of the Hybrid Perception Block (HPB) and Dual-Pruned Self-Attention (DPSA) block from the ITTR paper for Image to Image

Phil Wang 17 Dec 23, 2022
A versatile token stream for handwritten parsers.

Writing recursive-descent parsers by hand can be quite elegant but it's often a bit more verbose than expected, especially when it comes to handling indentation and reporting proper syntax errors. Th

Valentin Berlier 8 Nov 30, 2022
Machine translation models released by the Gourmet project

Gourmet Models Overview The Gourmet project has released several machine translation models to translate low-resource languages. This repository conta

Edinburgh NLP 5 Dec 08, 2021
sangha, pronounced "suhng-guh", is a social networking, booking platform where students and teachers can share their practice.

Flask React Project This is the backend for the Flask React project. Getting started Clone this repository (only this branch) git clone https://github

Courtney Newcomer 17 Sep 29, 2021
chaii - hindi & tamil question answering

chaii - hindi & tamil question answering This is the solution for rank 5th in Kaggle competition: chaii - Hindi and Tamil Question Answering. The comp

abhishek thakur 33 Dec 18, 2022
Lyrics generation with GPT2-based Transformer

HuggingArtists - Train a model to generate lyrics Create AI-Artist in just 5 minutes! 🚀 Run the demo notebook to train 🚀 Run the GUI demo to test Di

Aleksey Korshuk 65 Dec 19, 2022
Fake Shakespearean Text Generator

Fake Shakespearean Text Generator This project contains an impelementation of stateful Char-RNN model to generate fake shakespearean texts. Files and

Recep YILDIRIM 1 Feb 15, 2022
Constituency Tree Labeling Tool

Constituency Tree Labeling Tool The purpose of this package is to solve the constituency tree labeling problem. Look from the dataset labeled by NLTK,

张宇 6 Dec 20, 2022
This repository implements a brute-force spellchecker utilizing the Damerau-Levenshtein edit distance.

About spellchecker.py Implementing a highly-accurate, brute-force, and dynamically programmed spellchecking program that utilizes the Damerau-Levensht

Raihan Ahmed 1 Dec 11, 2021
A library for Multilingual Unsupervised or Supervised word Embeddings

MUSE: Multilingual Unsupervised and Supervised Embeddings MUSE is a Python library for multilingual word embeddings, whose goal is to provide the comm

Facebook Research 3k Jan 06, 2023
Textlesslib - Library for Textless Spoken Language Processing

textlesslib Textless NLP is an active area of research that aims to extend NLP t

Meta Research 379 Dec 27, 2022
A method to generate speech across multiple speakers

VoiceLoop PyTorch implementation of the method described in the paper VoiceLoop: Voice Fitting and Synthesis via a Phonological Loop. VoiceLoop is a n

Facebook Archive 873 Dec 15, 2022
NLP, before and after spaCy

textacy: NLP, before and after spaCy textacy is a Python library for performing a variety of natural language processing (NLP) tasks, built on the hig

Chartbeat Labs Projects 2k Jan 04, 2023
A notebook that shows how to import the IITB English-Hindi Parallel Corpus from the HuggingFace datasets repository

We provide a notebook that shows how to import the IITB English-Hindi Parallel Corpus from the HuggingFace datasets repository. The notebook also shows how to segment the corpus using BPE tokenizatio

Computation for Indian Language Technology (CFILT) 9 Oct 13, 2022
CoNLL-English NER Task (NER in English)

CoNLL-English NER Task en | ch Motivation Course Project review the pytorch framework and sequence-labeling task practice using the transformers of Hu

Kevin 2 Jan 14, 2022