Cardboard Iguana Security
spells
Abusing wildcard expansion in Bash
Access the Windows Registry using PowerShell
Add Windows users at the command line
Aircrack-NG
ARP scanning
ARP
AS-REP roasting with Impacket
AS-REP roasting With Rubeus
AS-REP roasting
Automate Netlify builds with IFTTT
Automatically stabilize a reverse shell with socat
Avoid dropping privileges with SUID Bash
awk
Backdoor Visual Basic Scripts
basenc
Bash reverse shell
Bash scripting
Bulk edit Windows permissions
Burp Suite
Bypass the PowerShell execution policy
Bypass Windows antivirus with C Sharp
Calculate a file hash on Windows with CertUtil
Call Mimikatz from a meterpreter shell
cat
cewl
Change a branch name in Git
Change an RSA key passphrase with OpenSSL
Cisco IOS
Common Windows user types
Compact VM disk images
Confirm the existence of a Gmail address
crackmapexec
Create a GPG key with SSH support
Create a zip bomb
CUPP
Day One to Obsidian conversion script
DCERPC
Debugging Bash scripts
Default CIFS shares
dig
dir
Disable AMSI
DRSUAPI
Easy reverse DNS lookups
enum4linux
Enumerate AD CS templates with CertUtil
Equivalent Windows and UNIX commands
Evil-WinRM
Exploit LD_LIBRARY_PATH
Exploit LD_PRELOAD
Exploit local Windows services
Exploit local Windows tasks
Exploit remote Windows services
Exploit remote Windows tasks
Exploit the Bash PS4 prompt
Exploit the Windows DLL search order
Exploit the Windows FoDHelper
Exploit the WinLogon initialization sequence
Exploit VBA scripts with msfvenom
Exploit weak etc-passwd permissions
Exploit weak etc-shadow permissions
Exploit Windows file associations
Exploit Windows HTML applications with msfvenom
Exploit Windows services
Exploit Windows shortcut files
Exploit Windows tasks
Export highlights and annotations from Kobo eReaders
Extract the webpage title from a URL
ffmpeg
Find and replace a single line in a large text file
Find executables with SUID capabilities
find
findstr
finger
Fix EXIF data on Google Photos exports
FTP
FTPS
fuff
gdb
Gemini compatible markdown
Get a shell from ViM
Get an SSL certificate
Get-FileHash
Get-WinEvent
Git on Windows
gobuster
Golden and silver ticket attacks
grep
Hashcat
HTML applications
HTTP
Hydra
icacls
ICMP
iftop
IIS configuration data
IMAP
Impacket
Invoke-Mimikatz
Invoke-WebRequest
iOS quirks
ipconfig
IPSec
IPv4
Java
John the Ripper
JSON Web Tokens
Kerberoasting with Impacket
Kerberoasting with Rubeus
Kerberoasting
Kerberos
Kerbrute
less
Load a shell with a simple executable
Local file inclusion attacks
Look up unicode symbols and emojis
MAC address
Magic numbers
man
Match files to packages in Debian-based operating systems
Match files to packages in Red Hat-based operating systems
Metasploit MS SQL modules
meterpreter
Mimikatz
MITRE ATTaCK emulation plans
more
MS SQL
msfconsole
msfvenom
MySQL
nano
nbtscan
net
netcat
netsh
netstat
NFS
Nikto
Nmap
Node.js
nslookup
NTLM hashes
Oracle SQL Server
OSI model
OWASP ZAP
Perl
PHP local file inclusion attacks
PHP
ping
Poison null byte attack
Poison null byte in PHP
Polkit
Pop a SYSTEM shell on the Windows login screen using sticky keys
Pop a SYSTEM shell on the Windows login screen using Utilman
POP3
Port scanning with Bash
POSIX process signals
Powercat
PowerShell reverse shell
PowerView
ps
Pull SSL certificates from an external server
Python
Quick-n-dirty Python web server
Quickly bypass ssh-agent
Quickly find the canonical path of a file
RCE via XXE in PHP
Read a file beginning with a dash
reg
RegEx metacharacters
Remotely install a Windows package with PowerShell
Remove duplicate lines in Bash
Retrieve AIX fileset information
Retrieve AIX system information
Rubeus
Ruby
Run a remote Windows command using PowerShell
Run commands directly with PowerShell
RunAs
Send a command using OpenSSL
Set the PATH in a session on UNIX-like operating systems
Set the PATH in a session on Windows
Set up WMI in PowerShell
Shell stabilization
SIP
smbclient
smbget
smbmap
SMTP
socat
SQL injection attacks
SQLMap
ss
SSH
sudo
systemctl
systeminfo
tar
TCP header flags
TCP headers
TCP window size
TCP
tcpdump
Telnet
The Harvester
tmux
Transfer files over FTP using netcat
UDP
unbuffer
Uniform resource locators
UNIX file descriptors
UNIX password hashes
UNIX permissions
Unquoted path handling in Windows
Upgrade PostgreSQL
Use a Raspberry Pi 4B as hacking accessory
Use an alternate SSH key with Git
Use Bash functions to backdoor executables
Use Burp Suite with Firefox
Use Burp Suite with mobile apps
Use curl and jq with web APIs
Use OpenSSL to encrypt and decrypt files
Use the Windows Firewall to relay ports
Use unsupported display resolutions with Samsung DeX
Use WinRM with PowerShell
Useful built-in commands for Linux reconnaissance
Useful built-in commands for Windows reconnaissance
Useful Linux reconnaissance scripts
Useful scripts for Windows reconnaissance
ViM
Visual Basic for Applications
wfuzz
whoami
Wi-Fi
Windows DLL search order
Windows event IDs
Windows event logs
Windows local service accounts
Windows logon scripts
Windows permissions
Windows reconnaissance with PowerShell
Windows Remote Management
Windows Run and RunOnce Registry keys
Windows Scripting Host
Windows SeBackup and SeRestore permissions
Windows SeImpersonate and SeAssignPrimaryToken permissions
Windows service ACLs
Windows services
Windows SeTakeOwnership permission
Windows Startup folder
Windows unattended installation data
winrs
Wireshark
wmic
Work with base64 encoding using PowerShell
Work with remote services using WMI and PowerShell
Work with remote tasks using WMI and PowerShell
Working with services in PowerShell
XFreeRDP
XSS attacks
Xterm
xxd
XXE attacks
youtube-dl
Cardboard Iguana Security
Cardboard Iguana Security

Enumerate AD CS templates with CertUtil

AD CS is AD's PKI, and is used on the back end for everything from provisioning disk encryption keys to user authentication. Certificate templates are a way to automate the certificate request process: Rather than an admin approving all CSRs manually, AD CS checks to see if a relevant "template" (which is really a template + associated settings + an access policy) exists that matches the supplied CSR and is configured to allow the requesting user to generate a certificate.

Enumerate all certificate templates from a domain-joined computer and domain-authenticated user:

certutil -v -template
  • We need to be able to actually request a certificate. This is indicated by an Allow Enroll or Allow Full Control permission that has been assigned to a group or user you have access to.
  • The certificate needs to be usable for Kerberos authentication. This is true when the "Enhanced Key Usage" extension allows for "Client Authentication".
  • We need to be able to set the certificate's "Subject Alternative Name". This is indicated by TemplatePropSubjectNameFlags (a.k.a. CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) being set to 1.

(There are actually some other requirements - like fully automated certificate provisioning - but by default these are all satisfied.)

If a certificate has the above properties, then we can use it to create a certificate in the name of another user and then forge Kerberos tickets for that user with a tool like Rubeus.

Enumerate AD CS templates with CertUtil
Interactive graph
On this page
Enumerate AD CS templates with CertUtil
Powered by Obsidian Publish