  • Language
    Python
  • License
    Other
  • Created almost 7 years ago
  • Updated almost 7 years ago


Repository Details

Open source Active Directory security audit framework.

BTA

About BTA

BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:

  • Who has rights over a given object (computer, user account, etc.)?
  • Who can read a given mailbox?
  • Which accounts have domain admin rights?
  • Who has extended rights (userForceChangePassword, SendAs, etc.)?
  • What changed in an AD between two points in time?

The framework is made of

  • an importer that translates an ntds.dit file, which contains all the AD data, into a database
  • tools to query the database
    • AD miner framework
    • AD diff utility
    • small utilities (list of databases, etc.)

The comprehensive set of attributes is imported and can be queried, including all schema extensions (Exchange, SharePoint, etc.).

Each question can be crystallized by an AD expert as a miner, so that it can be reused in every audit without redoing the hard work.

Installing BTA

Quick install

Dependencies:

Installation:

  • pip install bta

From sources

Dependencies:

Installation:

  • python setup.py install

[1] Support for so-called long values is a work in progress in the latest versions and does not work well yet. It works correctly with the 2012 alpha version.

Active Directory Security Analysis

Goal:

  • Clean an AD or an AD forest, looking for
    • bad practices
    • forgotten entries
    • backdoors
    • signs of recompromise
  • BTA is an operational tool and is meant to be
    • deterministic and reliable
    • run as a well-established procedure

Protocol

Audit steps:

  1. Extract the ntds.dit file
  2. Import the ntds.dit file into a database
  3. Look for control points in the database

Extraction

Here is a way to back up the NTDS.dit file of a domain controller running Windows 2008. See [2] for more information or for the Windows 2003 method.

ntdsutil
activate instance ntds
ifm
create full c:\NTDS_saved
quit
quit
[2]https://www.sstic.org/2012/presentation/audit_ace_active_directory/

Importing

  • ntds.dit is unusable as-is
  • one ntds.dit file is imported into one MongoDB database
  • several ntds.dit files can be imported in parallel

Examples:

btaimport -C ::mydb /path/to/ntds.dit
btaimport /path/to/*.dit  --multi             \
  --C-from-filename                         \
     "::%s" "basename rmext 'DB' swap plus"

Analysing

  • Querying the database
    • analysing the control points of a database: btaminer
    • analysing the differences between two databases: btadiff

Analysing control points

  • miners crystallize expertise
    • list of admin accounts
    • list of accounts with extended rights
    • list of accounts with password errors
    • list of various timelines
btaminer -t ReST -C ::AD1 Schema --timelineCS created

Analysis by miner [Schema]
==========================

+---------------+-----------------------+
| Date          | Affected class schema |
+===============+=======================+
| 2009-02-11 18 | 234                   |
| 2011-12-20 00 | 267                   |
| 2011-12-22 14 | 3                     |
| 2011-12-23 18 | 46                    |
+---------------+-----------------------+

Analysing differences

  • diff
    • diff (naive for the moment) between two imports taken at different points in time
    • noise filtering
$ btadiff --CA ::ADclean --CB ::ADbackdoor --ignore-defaults
===============
Starting diffing sd_table
---------------
AB,101: [] *sd_refcount['14'=>'15']
AB,108: [] *sd_refcount['39'=>'41']
A ,229: []
A ,372: []
AB,423: [] *sd_refcount['3'=>'2']
 B,424: []
 B,425: []
 B,428: []
---------------
Table [sd_table]: 160 records checked, 2 disappeared, 3 appeared, 3 changed
===============
[...]
===============
Starting diffing datatable
---------------
AB,3586: [DC001] *logonCount['116'=>'117'], *lastLogon['130052518207794051L'=>'130052535716737649L']
AB,3639: [RID Set] *rIDNextRID['1153'=>'1154']
AB,8784: [A:[gc]/B:[gc  DEL:346bf199-8567-4375-ac15-79ec4b42b270]] +isDeleted,
         *name["u'gc'"=>"u'gc\\nDEL:346bf199-8"], *dc["u'gc'"=>"u'gc\\nDEL:346bf199-8"]
AB,8785: [A:[DomainDnsZones]/B:[DomainDnsZones  DEL:58b2962b-708c-4c93-99ff-0b7e163131f9]]
         +isDeleted, *name["u'DomainDnsZones'"=>"u'DomainDnsZones\\nDE"],
         *dc["u'DomainDnsZones'"=>"u'DomainDnsZones\\nDE"]
AB,8786: [A:[ForestDnsZones]/B:[ForestDnsZones  DEL:87f7d8a2-4d05-48d0-8283-9ab084584470]]
         +isDeleted, *name["u'ForestDnsZones'"=>"u'ForestDnsZones\\nDE"],
         *dc["u'ForestDnsZones'"=>"u'ForestDnsZones\\nDE"]
 B,8789: [snorky insomnihack]
 B,8790: [gc]
 B,8791: [DomainDnsZones]
 B,8792: [ForestDnsZones]
---------------
Table [datatable]: 7636 records checked, 0 disappeared, 4 appeared, 5 changed
===============
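The btadiff listing above is plain text, and records such as 8784 wrap over several lines, so it is easy to misread by eye. The following parser is an added example, not part of BTA; it assumes the format exactly as printed above (presence flags A/B, record id, bracketed name, then *modified[old=>new], +added and -removed attributes), recounts each table against btadiff's own "Table [...]" summary line, and lists the objects an auditor should review first: those that only exist in B and those that were tombstoned (+isDeleted) between the two snapshots.

```python
import re
SAMPLE = r"""Starting diffing sd_table
A ,229: []
Table [sd_table]: 160 records checked, 1 disappeared, 0 appeared, 0 changed
Starting diffing datatable
AB,8784: [A:[gc]/B:[gc  DEL:346bf199-8567-4375-ac15-79ec4b42b270]] +isDeleted,
         *name["u'gc'"=>"u'gc\\nDEL:346bf199-8"], *dc["u'gc'"=>"u'gc\\nDEL:346bf199-8"]
 B,8789: [snorky insomnihack]
Table [datatable]: 7636 records checked, 0 disappeared, 1 appeared, 1 changed
"""  # constructed sample in the btadiff output format shown above (trimmed; its summary lines match it)
TABLE_RE = re.compile(r"^Starting diffing (\S+)$")
SUMMARY_RE = re.compile(r"^Table \[(\S+)\]: (\d+) records checked, (\d+) disappeared, (\d+) appeared, (\d+) changed$")
REC_RE = re.compile(r"^([A ])([B ]),(\d+): \[")        # presence flags: in A only, in B only, or in both
CHANGE_RE = re.compile(r"([*+-])(\w+)(?:\[(.*?)\])?")    # *modified[old=>new], +attribute added, -removed
STATUS = {"AB": "changed", "A ": "disappeared", " B": "appeared"}
def _split_name(s):  # s starts at '['; bracket depth keeps nested [] of deleted/renamed objects in the name
    depth = 0
    for i, ch in enumerate(s):
        depth += {"[": 1, "]": -1}.get(ch, 0)
        if depth == 0:
            return s[1:i], s[i + 1:]
    raise ValueError("unbalanced brackets: " + s)
def changes(rec):  # {attr: (op, detail)} for one record, e.g. {"sd_refcount": ("*", "'14'=>'15'")}
    return {attr: (op, detail) for op, attr, detail in CHANGE_RE.findall(rec["raw"])}

def parse_btadiff(text):  # -> {table: {"records": [...], "summary": (checked, disappeared, appeared, changed)}}
    tables, table, cur = {}, None, None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            table, cur = m.group(1), None
            tables[table] = {"records": [], "summary": None}
        elif m := SUMMARY_RE.match(line):
            tables[m.group(1)]["summary"] = tuple(map(int, m.groups()[1:]))
        elif m := REC_RE.match(line):
            name, rest = _split_name(line[m.end() - 1:])
            cur = {"id": int(m.group(3)), "status": STATUS[m.group(1) + m.group(2)], "name": name, "raw": rest}
            tables[table]["records"].append(cur)
        elif cur is not None and line.startswith(" "):  # wrapped continuation of the previous record
            cur["raw"] += " " + line.strip()
    return tables

def check_summaries(tables):  # recount each table and compare with btadiff's own "Table [...]" line
    return {name: t["summary"] is not None and t["summary"][1:] == tuple(
        sum(r["status"] == s for r in t["records"]) for s in ("disappeared", "appeared", "changed"))
        for name, t in tables.items()}

def review_items(tables):  # objects to look at first: new in B, or tombstoned (+isDeleted) between snapshots
    return sorted((name, r["id"], r["name"]) for name, t in tables.items() for r in t["records"]
                  if r["status"] == "appeared" or changes(r).get("isDeleted", ("",))[0] == "+")
```

A mismatch from check_summaries means the listing was truncated or mis-parsed, so re-run btadiff rather than trusting a partial diff.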

Other features

  • can give reports in different formats:
    • live dump
    • ReST document
    • zipped tree of CSV files
  • audit log of writes to a database
  • table consistency checks before mining

Authors

  • Airbus Group CERT
  • Airbus Group Innovations
  • Airbus DS CyberSecurity
