Active Directory

bloodhound: BloodHound is an application developed with one purpose: to find relationships within an Active Directory (AD) domain to discover attack paths.

Max: Maximizing BloodHound. Max is a good boy.

cypheroth: Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.

./cypheroth.sh -u neo4j -p BloodHound -d TESTLAB.LOCAL -a localhost:7687 -v true -t 10s

InveighZero: InveighZero is a C# LLMNR/NBNS/mDNS/DNS/DHCPv6 spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. This version shares many features with the PowerShell version of Inveigh.

CrackMapExec: CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.

KerberosUserEnum: Kerberos accounts enumeration taking advantage of AS-REQ, I wrote this script to practice my understanding of Kerberos.

./Enum.py --file=/tmp/usernames --dcip=192.168.88.1 --domain=TESTDOMAIN --port=88

kerbrute: A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.

Kerbrute has three main commands:

  • bruteuser - Bruteforce a single user's password from a wordlist

  • bruteforce - Read username:password combos from a file or stdin and test them

  • passwordspray - Test a single password against a list of users

  • userenum - Enumerate valid domain usernames via Kerberos

./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
./kerbrute_linux_amd64 bruteforce --dc 192.168.x.x -d domain users.txt --safe -o out.txt

ldapdomaindump: Active Directory information dumper via LDAP.

ADSearch: A tool written for cobalt-strike's execute-assembly command that allows for more efficent querying of AD.

ADHuntTool: official report for the AdHuntTool. C# Script used for Red Team. It can be used by Cobalt Strike execute-assembly or as a standalone executable.

Usage: ADHuntTool.exe options domain [arguments]
ADHuntTool.exe Set
ADHuntTool.exe DumpLocalAdmin RingZer0 *optional*computername
ADHuntTool.exe DumpLocalGroup RingZer0 *optional*computername
ADHuntTool.exe DumpRemoteSession RingZer0 *optional*computername
ADHuntTool.exe DumpWkstaSession RingZer0 *optional*computername
ADHuntTool.exe CheckAdmin RingZer0 *optional*computername
ADHuntTool.exe DumpTrust RingZer0
ADHuntTool.exe DumpAllUsers RingZer0
ADHuntTool.exe DumpUser RingZer0 mr.un1k0d3r
ADHuntTool.exe DumpUsersEmail RingZer0
ADHuntTool.exe DumpAllComputers RingZer0
ADHuntTool.exe DumpComputer RingZer0 DC01
ADHuntTool.exe DumpAllGroups RingZer0
ADHuntTool.exe DumpGroup RingZer0 "Domain Admins"
ADHuntTool.exe DumpPasswordPolicy Ringzer0,DC=local
ADHuntTool.exe DumpCertificateTemplates Ringzer0,DC=local
ADHuntTool.exe DumpPwdLastSet RingZer0
ADHuntTool.exe DumpLastLogon RingZer0
ADHuntTool.exe CheckManaged RingZer0
ADHuntTool.exe DumpLapsPassword RingZer0 *optional*computername
ADHuntTool.exe DumpUserPassword RingZer0
ADHuntTool.exe DumpRemoteSession RingZer0 *optional*computername
ADHuntTool.exe PasswordBruteForce RingZer0 *optional*username (samaccountname)
ADHuntTool.exe GetShare target *optional*Domain\Username Password
ADHuntTool.exe GetService target *optional*Domain\Username Password

Talon: Talon is a tool designed to perform automated password guessing attacks while remaining undetected. Talon can enumerate a list of users to identify which users are valid, using Kerberos. Talon can also perform a password guessing attack against the Kerberos and LDAPS (LDAP Secure) services. Talon can either use a single domain controller or multiple ones to perform these attacks, randomizing each attempt, between the domain controllers and services (LDAP or Kerberos).

[email protected]:~# ./Talon -Hostfile DCs -Userfile ValidUsers -D STARLABS.local -P "Password!" -sleep 2
__________ ________ ___ ________ ________
|\___ _\\\ __ \|\ \ |\ __ \|\ ___ \
\|___ \ \_\ \ \|\ \ \ \ \ \ \|\ \ \ \\ \ \
\ \ \ \ \ __ \ \ \ \ \ \\\ \ \ \\ \ \
\ \ \ \ \ \ \ \ \ \____\ \ \\\ \ \ \\ \ \
\ \__\ \ \__\ \__\ \_______\ \_______\ \__\\ \__\
\|__| \|__|\|__|\|_______|\|_______|\|__| \|__|
(@Tyl0us)
[-] 172.16.144.186 STARLABS.LOCAL\ballen:Password! = Failed
[-] 172.16.144.185 STARLABS.LOCAL\csnow:Password! = Failed
[-] 172.16.144.186 STARLABS.LOCAL\wwest:Password! = User's Account Locked
[*] Account lock out detected - Do you want to continue.[y/n]:

RemotePotato0: RemotePotato0 is an exploit that allows you to escalate your privileges from a generic User to Domain Admin.