ADE - ActiveDirectoryEnum
python -m ade
usage: ade [-h] [--dc DC] [-o OUT_FILE] [-u USER] [-s] [-smb] [-kp] [-bh] [-spn] [-sysvol] [--all] [--no-creds] [--dry-run]
[--exploit EXPLOIT]
___ __ _ ____ _ __ ______
/ | _____/ /_(_) _____ / __ \(_)_______ _____/ /_____ _______ __/ ____/___ __ ______ ___
/ /| |/ ___/ __/ / | / / _ \/ / / / / ___/ _ \/ ___/ __/ __ \/ ___/ / / / __/ / __ \/ / / / __ `__ \
/ ___ / /__/ /_/ /| |/ / __/ /_/ / / / / __/ /__/ /_/ /_/ / / / /_/ / /___/ / / / /_/ / / / / / /
/_/ |_\___/\__/_/ |___/\___/_____/_/_/ \___/\___/\__/\____/_/ \__, /_____/_/ /_/\__,_/_/ /_/ /_/
/____/
/*----------------------------------------------------------------------------------------------------------*/
optional arguments:
-h, --help show this help message and exit
--dc DC Hostname of the Domain Controller
-o OUT_FILE, --out-file OUT_FILE
Path to output file. If no path, CWD is assumed (default: None)
-u USER, --user USER Username of the domain user to query with. The username has to be domain name as `[email protected]`
-s, --secure Try to estalish connection through LDAPS
-smb, --smb Force enumeration of SMB shares on all computer objects fetched
-kp, --kerberos_preauth
Attempt to gather users that does not require Kerberos preauthentication
-bh, --bloodhound Output data in the format expected by BloodHound
-spn Attempt to get all SPNs and perform Kerberoasting
-sysvol Search sysvol for GPOs with cpassword and decrypt it
--all Run all checks
--no-creds Start without credentials
--dry-run Don't execute a test but run as if. Used for testing params etc.
--exploit EXPLOIT Show path to PoC exploit code
The new inclusion of embedded exploits can yield results such as:
...
[ WARN ] DC may be vulnerable to: [ cve-2020-1472 ]
...
To query an exploit for PoC code:
$ python -m ade --exploit cve-2020-1472
Exploit for: cve-2020-1472 can be found at: https://github.com/dirkjanm/CVE-2020-1472
Install
Run installation through pip3:
pip3 install ActiveDirectoryEnum
python -m ade
If you run BlackArch, ActiveDirectoryEnum is available through pacman
as such:
pacman -S activedirectoryenum
Included attacks/vectors
- ASREPRoasting
- Kerberoasting
- Dump AD as BloodHound JSON files
- Searching GPOs in SYSVOL for cpassword and decrypting
- Run without creds and attempt to gather for further enumeration during the run
- Sample exploits included:
- CVE-2020-1472
Collaboration
While this project is developed to fit my needs, any collaboration is appreciated. Please feel free to fork the project, make changes according to the License agreements and make a Pull Request. I only ask that:
- Keep equivalent naming standard as the base project
- Keep equivalent syntaxing
- Test your code
- Error handling is incorporated
- Document the feature - both in code but also for potential Wiki page
Thanks & Acknowledgements
Big thanks to the creators of:
Impacket
@github
BloodHound
@github
BloodHound.py
@github
CVE-2020-1472
by Tom Tervoort of Secura
Without the above this wrapper was not possible.