act

ActiveDirectoryEnum

Enumerate AD through LDAP with a collection of helpfull scripts being bundled

Showing:

Popularity

Downloads/wk

0

GitHub Stars

91

Maintenance

Last Commit

2mos ago

Contributors

9

Package

Dependencies

21

License

Categories

Readme

GitHub stars GitHub forks GitHub license FOSSA Status Total alerts Language grade: Python Pypi version PyPI downloads

Packaging status

ADE - ActiveDirectoryEnum

 python -m ade
usage: ade [-h] [--dc DC] [-o OUT_FILE] [-u USER] [-s] [-smb] [-kp] [-bh] [-spn] [-sysvol] [--all] [--no-creds] [--dry-run]
           [--exploit EXPLOIT]

        ___        __  _            ____  _                __                   ______                    
       /   | _____/ /_(_)   _____  / __ \(_)_______  _____/ /_____  _______  __/ ____/___  __  ______ ___ 
      / /| |/ ___/ __/ / | / / _ \/ / / / / ___/ _ \/ ___/ __/ __ \/ ___/ / / / __/ / __ \/ / / / __ `__ \
     / ___ / /__/ /_/ /| |/ /  __/ /_/ / / /  /  __/ /__/ /_/ /_/ / /  / /_/ / /___/ / / / /_/ / / / / / /
    /_/  |_\___/\__/_/ |___/\___/_____/_/_/   \___/\___/\__/\____/_/   \__, /_____/_/ /_/\__,_/_/ /_/ /_/ 
                                                                      /____/                             

/*----------------------------------------------------------------------------------------------------------*/

optional arguments:
  -h, --help            show this help message and exit
  --dc DC               Hostname of the Domain Controller
  -o OUT_FILE, --out-file OUT_FILE
                        Path to output file. If no path, CWD is assumed (default: None)
  -u USER, --user USER  Username of the domain user to query with. The username has to be domain name as `user@domain.org`
  -s, --secure          Try to estalish connection through LDAPS
  -smb, --smb           Force enumeration of SMB shares on all computer objects fetched
  -kp, --kerberos_preauth
                        Attempt to gather users that does not require Kerberos preauthentication
  -bh, --bloodhound     Output data in the format expected by BloodHound
  -spn                  Attempt to get all SPNs and perform Kerberoasting
  -sysvol               Search sysvol for GPOs with cpassword and decrypt it
  --all                 Run all checks
  --no-creds            Start without credentials
  --dry-run             Don't execute a test but run as if. Used for testing params etc.
  --exploit EXPLOIT     Show path to PoC exploit code

The new inclusion of embedded exploits can yield results such as:

...
[ WARN ] DC may be vulnerable to: [ cve-2020-1472 ]
...

To query an exploit for PoC code:

$ python -m ade --exploit cve-2020-1472
Exploit for: cve-2020-1472 can be found at: https://github.com/dirkjanm/CVE-2020-1472

Install

Run installation through pip3:

pip3 install ActiveDirectoryEnum
python -m ade

If you run BlackArch, ActiveDirectoryEnum is available through pacman as such:

pacman -S activedirectoryenum

Included attacks/vectors

  • ASREPRoasting
  • Kerberoasting
  • Dump AD as BloodHound JSON files
  • Searching GPOs in SYSVOL for cpassword and decrypting
  • Run without creds and attempt to gather for further enumeration during the run
  • Sample exploits included:
  • CVE-2020-1472

Collaboration

While this project is developed to fit my needs, any collaboration is appreciated. Please feel free to fork the project, make changes according to the License agreements and make a Pull Request. I only ask that:

  • Keep equivalent naming standard as the base project
  • Keep equivalent syntaxing
  • Test your code
  • Error handling is incorporated
  • Document the feature - both in code but also for potential Wiki page

Thanks & Acknowledgements

Big thanks to the creators of: Impacket @github BloodHound @github BloodHound.py @github CVE-2020-1472 by Tom Tervoort of Secura

Without the above this wrapper was not possible.

License

FOSSA Status

Rate & Review

Great Documentation0
Easy to Use0
Performant0
Highly Customizable0
Bleeding Edge0
Responsive Maintainers0
Poor Documentation0
Hard to Use0
Slow0
Buggy0
Abandoned0
Unwelcoming Community0
100
No reviews found
Be the first to rate

Alternatives

No alternatives found

Tutorials

No tutorials found
Add a tutorial