  • Stars: 316
  • Rank: 129,392 (Top 3 %)
  • Language: Python
  • License: GNU General Publi...
  • Created almost 3 years ago
  • Updated 3 months ago


Repository Details

Password spraying and bruteforcing tool for Active Directory Domain Services

Description

The smart password spraying and bruteforcing tool for Active Directory Domain Services.

⚠️ This project works. But the filthy coding makes it more of a PoC than a stable tool. I may or may not rewrite this in the future, but at least you have everything here to work with bruteforce on any protocol. It has been tested in ~10 environments on my side, it works 🤷‍♂️

Core features

This tool can be used to bruteforce/spray Active Directory account credentials. The following attacks are supported; each attack has its own benefits:

  • NTLM over SMB bruteforce: when valid accounts are found, they will be tested for local administrative privileges.
  • NTLM over LDAP bruteforce
  • Kerberos pre-authentication bruteforce: this is the fastest and stealthiest way.
    • The transport protocol can be chosen: UDP or TCP. UDP is the fastest but sometimes throws errors.
    • The etype can be chosen: RC4, AES128, AES256. RC4 is the fastest but AES128 and AES256 are the stealthiest.

Passwords are not the only secrets that can be bruteforced with this tool.

  • When bruteforcing on NTLM: NT hashes can be attempted.
  • When bruteforcing on Kerberos: RC4 keys (i.e. NT hashes) can be attempted.

When valid accounts are found:

  • they can be set as owned in a neo4j database (used by BloodHound)
  • when using neo4j, owned users that are on a path to Domain Admins will be highlighted

This tool can be used in two different modes for different scenarios: smart or brute.

Smart mode

This mode can be used to make sure NOT to lock any account when bruteforcing by:

  • Fetching the enabled users from Active Directory
  • Fetching bad password count for each user
  • Fetching lockout policies (global policy and granular policies set in Password Settings Objects). Nota bene: PSOs can be applied to groups, the tool recursively lists all members from those groups and sets the appropriate lockout threshold for each user.
  • Bruteforcing users according to the information found (i.e. keep the bad password count below the lockout threshold. A safety margin can be set).
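The protocols listed under Core features and the lockout-aware behaviour of smart mode leave a characteristic trace on a domain controller: many distinct accounts each receive only one or two bad-password failures from the same source, so a per-account lockout rule never fires. The following Python is an added example (not part of smartbrute or its documentation) showing the detection logic a defender would run over DC security events. Event IDs 4771 (Kerberos pre-authentication failed) and 4625 (logon failure) and the status codes 0x18, 0xC000006A and 0xC0000234 are real Windows Security log values; the pipe-separated export format, the field names, the hosts and the event lines themselves are constructed for the example.

```python
"""Detecting lockout-aware password spraying from domain controller events.

Added example, not part of the smartbrute project. The records below are
constructed: the event IDs and status codes are real Windows values, the
export format, accounts, IP addresses and timestamps are invented.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthFailure:
    ts: datetime
    event_id: int   # 4771 = Kerberos pre-auth failed, 4625 = logon failure (NTLM)
    account: str
    source: str     # client address as logged on the DC
    status: str     # 0x18 = KDC_ERR_PREAUTH_FAILED, 0xC000006A = wrong password


# Only a wrong password counts as a guess; locked-out (0xC0000234) or other
# failure codes are kept out of the count so they do not inflate the signal.
BAD_PASSWORD = {(4771, "0x18"), (4625, "0xC000006A")}


def parse_line(line):
    """Parse one constructed export line: ts|event_id|account|source|status."""
    ts, eid, account, source, status = line.strip().split("|")
    return AuthFailure(datetime.fromisoformat(ts), int(eid), account, source, status)


def lockout_rule(events, threshold=5):
    """Classic per-account rule: alert on `threshold` bad passwords for one
    account. A sprayer that stays under the lockout threshold never trips it."""
    counts = Counter(e.account for e in events if (e.event_id, e.status) in BAD_PASSWORD)
    return sorted(a for a, c in counts.items() if c >= threshold)


def detect_spray(events, window=timedelta(minutes=30), min_accounts=8, max_per_account=2):
    """Breadth rule: one source failing against >= min_accounts distinct
    accounts inside `window`, each with <= max_per_account guesses.
    Returns {source: sorted accounts} for the widest window seen per source."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if (e.event_id, e.status) in BAD_PASSWORD:
            by_source[e.source].append(e)
    alerts = {}
    for source, evs in by_source.items():
        start = 0
        for end, last in enumerate(evs):
            while last.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            counts = Counter(e.account for e in evs[start:end + 1])
            sprayed = sorted(a for a, c in counts.items() if c <= max_per_account)
            if len(sprayed) >= min_accounts and len(sprayed) > len(alerts.get(source, [])):
                alerts[source] = sprayed
    return alerts


def constructed_sample():
    """Constructed DC export: a spray of 12 accounts at two guesses each,
    plus a legitimate user mistyping a password three times."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(12):                      # sprayer at 10.0.0.50 (constructed)
        for j in range(2):
            ts = base + timedelta(minutes=i * 2 + j)
            lines.append(f"{ts.isoformat()}|4771|user{i:02d}|10.0.0.50|0x18")
    for j in range(3):                       # jdoe fat-fingering from 10.0.1.7 (constructed)
        ts = base + timedelta(minutes=5 + j)
        lines.append(f"{ts.isoformat()}|4625|jdoe|10.0.1.7|0xC000006A")
    ts = base + timedelta(minutes=8)         # an already locked-out account, not a guess
    lines.append(f"{ts.isoformat()}|4625|svc-backup|10.0.1.7|0xC0000234")
    return lines


if __name__ == "__main__":
    evs = [parse_line(l) for l in constructed_sample()]
    print("per-account lockout rule:", lockout_rule(evs))      # nothing fires
    for src, accounts in detect_spray(evs).items():
        print(f"spray from {src}: {len(accounts)} accounts, e.g. {accounts[:3]}")
```

The sliding window is what makes the breadth rule robust against the "safety margin" described above: a sprayer that spreads guesses thinly across accounts still concentrates them in time from one source, while a user who mistypes a password repeatedly hits one account and is excluded by `max_per_account`.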

In order for the first LDAP enumeration to occur, this mode requires knowledge of a low-privileged user's credentials. The following authentications are supported:

Before bruteforcing anything, this mode also recursively fetches the members of special groups (Administrators, Domain Admins, Enterprise Key Admins, and many more). When valid credentials are found, if the account is part of those members, it will be highlighted.

In smart mode, bruteforce can also be skipped to only show fetched users or password policies.

Brute mode

The brute mode doesn't require prior knowledge of a low-privileged user's credentials, but it doesn't have the safety features of the smart mode. This mode CAN effectively lock accounts. In this mode, a username (or list of usernames) has to be supplied.

  • Bruteforce can be operated line per line when supplying lists for both usernames and passwords/hashes
  • On the first successful bruteforced authentication, the tool will recursively fetch (using LDAP) the members of special groups (Administrators, Domain Admins, Enterprise Key Admins, and many more). When valid credentials are found, if the account is part of those members, it will be highlighted.
  • Bruteforce can be stopped when a valid account is found

Usage

This tool is designed to give its users the most control over what is happening. This leads to complex (not complicated, there is a difference) usage. The tool is built around multiple subparsers allocated in the following manner (cf. following graph and picture).

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Credits & thanks

This tool, as well as its code, was inspired by or based on:

We thank all contributors behind those projects.

Memes

And now, here is a collection of memes that perfectly frames this tool's spirit (feel free to contribute).

More Repositories

  • The-Hacker-Recipes (587 stars): This project is aimed at freely providing technical guides on various hacking topics: Active Directory services, web services, servers, intelligence gathering, physical intrusion, phishing, mobile apps, IoT, social engineering, etc.
  • pywhisker (Python, 548 stars): Python version of the C# tool for "Shadow Credentials" attacks
  • Exegol (Shell, 468 stars): Exegol is a fully featured and community-driven hacking environment
  • shellerator (Python, 344 stars): Simple CLI tool for the generation of bind and reverse shells in multiple languages
  • targetedKerberoast (Python, 280 stars): Kerberoast with ACL abuse capabilities
  • ShadowCoerce (Python, 260 stars): MS-FSRVP coercion abuse PoC
  • The-Hacker-Tools (75 stars): This project is aimed at freely providing technical guides on various hacking tools.
  • telegram-bot-cli (Python, 58 stars): This is a command line tool I use when I want to get notified, on Telegram (on my phone), that something has finished running (on my laptop).
  • httpmethods (Python, 50 stars): HTTP verb tampering & methods enumeration
  • uberfile (Python, 35 stars): Simple CLI tool for the generation of downloader oneliners for UNIX-like or Windows systems
  • hashonymize (Python, 26 stars): Anonymize your hashcat formatted files for online cracking
  • Get-GPPPassword (Python, 19 stars): Python script for extracting and decrypting Group Policy Preferences passwords
  • CVE-2020-7961 (Python, 18 stars): Exploit script for CVE-2020-7961
  • google-colab-hashcat (Jupyter Notebook, 14 stars)
  • Exegol-images (Shell, 1 star): Docker images of the Exegol project
  • CrackMapExec-MachineAccountQuota (Python, 1 star): CrackMapExec module that retrieves the "MachineAccountQuota" domain-level attribute.