• Stars
    star
    332
  • Rank 126,957 (Top 3 %)
  • Language
    C#
  • License
    MIT License
  • Created about 6 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

zBang is a risk assessment tool that detects potential privileged account threats

zBang is a special risk assessment tool that detects potential privileged account threats in the scanned network.

Organizations and red teamers can utilize zBang to identify potential attack vectors and improve the security posture of the network. The results can be analyzed with the graphic interface or by reviewing the raw output files.

More details on zBang could be found in the Big zBang Theory blog post by @Hechtov:
https://www.cyberark.com/threat-research-blog/the-big-zbang-theory-a-new-open-source-tool/

The tool is built from five different scanning modules:

  1. ACLight scan - discovers the most privileged accounts that must be protected, including suspicious Shadow Admins.
  2. Skeleton Key scan - discovers Domain Controllers that might be infected by Skeleton Key malware.
  3. SID History scan - discovers hidden privileges in domain accounts with secondary SID (SID History attribute).
  4. RiskySPNs scan - discovers risky configuration of SPNs that might lead to credential theft of Domain Admins
  5. Mystique scan - discovers risky Kerberos delegation configuration in the network.

For your convenience, there is also a summarized Data Sheet about zBang:
https://github.com/cyberark/zBang/blob/master/zBang%20Summarized%20Data%20Sheet.pdf

Execution Requirements

  1. Run it with any domain user. The scans do not require any extra privileges; the tool performs read-only LDAP queries to the DC.
  2. Run the tool from a domain joined machine (a Windows machine).
  3. PowerShell version 3 or above and .NET 4.5 (it comes by default in Windows 8/2012 and above).

Quick Start Guide

  1. Download and run the release version from this GitHub repository link or compile it with your favorite compiler.
    • Sometimes, when downloading it through the browser, you will need to "unblock" the downloaded zBang.exe file.
  2. In the opening screen, choose what scans you wish to execute.
    In the following example, all five scans are chosen:

  1. To view demo results, click “Reload.”
    zBang tool comes with built-in initiating demo data; you can view the results of the different scans and play with the graphic interface.
  2. To initiate new scans in your network, click “Launch.” A new window will pop up and will display the status of the different scans.

  1. When the scans are completed, there will be a message saying the results were exported to an external zip file.

  1. The results zip file will be in the same folder of zBang and will have a unique name with the time and the date of the scans. You can also import previous results into the zBang GUI without the need of rerunning the scans.
    To import previous results, click “Import” in the zBang’s opening screen.

Go Over zBang Results

A. ACLight scan:

alt text

  1. Choose the domain you have scanned.
  2. You will see a list of the most privileged accounts that were discovered.
  3. On the left side - view “standard” privileged accounts that get their privileges due to their group membership.
  4. On the right side - view “Shadow Admins.” Those accounts get their privileges through direct ACL permissions assignment. Those accounts might be stealthier than standard “domain admin” users, and therefore, they might not be as secure as they should be. Attackers often target and try to compromise such accounts.
  5. On each account, you can double click and review its permissions graph. It may help you understand why this account was classified as privileged.

alt text

  1. The different abusable ACL permissions are described in a small help page. Click the “question mark” in the upper right corner to view:

  1. More details on the threat of Shadow Admins are available in the blog post - “Shadow Admins – The Stealthy Accounts That You Should Fear The Most”:
    https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/

  2. For manual examination of the scan results, unzip the saved zBang results file and check the results folder: "[Path of the zBang’s unzipped results file]\ACLight-master\Results”, contains a summary report - “Privileged Accounts - Layers Analysis.txt”.

  3. On each of the discovered privileged accounts:

    • Identify the privileged account.
    • Reduce unnecessary permissions from the account.
    • Secure the account. After validating these three steps, you can mark the account with a “V” in the small selection box, turning it green on the interface.
  4. The goal is to make all the accounts marked as “secured” with the green color.

B. Skeleton Key scan

  1. In the scan page (click the relevant bookmark in the above section), there will be a list of all the scanned DCs.
  2. Make sure all of them are clean and marked with green.
  3. If the scan finds a potential infected DC, it is crucial to initiate an investigation process.

alt text

  1. More details on Skeleton Key malware are available in the blog post “Active Directory Domain Controller Skeleton Key Malware & Mimikatz” by @PyroTek3: https://adsecurity.org/?p=1255

C. SID History scan

  1. In this scan page, there will be a list of the domain accounts with secondary SID (SID History attribute).
  2. Each account will have two connector arrows, one to the left for its main SID, the other to the right for its secondary SID (with the mask icon).
  3. If the main SID is privileged, it will be in red, and if the SID history is privileged, there will be displayed as a red mask.
  4. You should search for the possible very risky situations, in which an account has a non-privileged main SID but at the same time has a privileged secondary SID.
    This scenario is very suspicious and you should check this account and investigate why it received a privileged secondary SID. Make sure it wasn’t added by a potential intruder in the network.

alt text

* For a visualization convenience, if a large number of accounts with non-privileged SID history are present (more than ten), they will be filtered out from the display, as those accounts are less sensitive.

  1. For manual examination of the scan results, unzip the saved zBang results file and check csv file:
    “[Path of the zBang’s unzipped results file]\SIDHistory\Results\Report.csv".
  2. More details on abusing SID History are available in the blog post “Security Focus: sIDHistory” by Ian Farr: https://blogs.technet.microsoft.com/poshchap/2015/12/04/security-focus-sidhistory-sid-filtering-sanity-check-part-1-aka-post-100/

D. RiskySPNs scan

  1. In the scan results page, there will be a list of all the SPNs that registered with user accounts.
  2. If the user account is a privileged account, it will be in red.
  3. It is very risky to have SPNs that are registered under privileged accounts. Try and change/disable those SPNs. Use machine accounts for SPNs or reduce unnecessary permissions from the users who have SPNs registered to them. It’s also recommended to assign strong passwords to those users, and implement automatic rotation of each password.

alt text

  1. For manual examination of the scan results, unzip the saved zBang results file and check csv file:
    “[Path of the zBang’s unzipped results file]\RiskySPN-master\Results\RiskySPNs-test.csv".
  2. More details on Risky SPNs are available in the blog post “Service Accounts – Weakest Link in the Chain”:
    https://www.cyberark.com/blog/service-accounts-weakest-link-chain/

E. Mystique scan

  1. The scan result page includes a list of all the discovered accounts trusted with delegation permissions.
  2. There are three delegation types: Unconstrained, Constrained and Constrained with Protocol Transition. The account color corresponds to its delegation permission type.
  3. Disable old and unused accounts trusted with delegation rights. In particular, check the risky delegation types of “Unconstrained” and “Constrained with Protocol Transition.” Convert “Unconstrained” delegation to “Constrained” delegation so it will be permitted only for specific needed services. “Protocol Transition” type of delegation must be revalidated and disabled, if possible.

alt text

  1. For manual examination of the scan results, unzip the saved zBang results file and check csv file: “[Path of the zBang’s unzipped results file]\Mystique-master\Results\delegation_info.csv".
  2. More details on risky delegation configuration are available in the blog post - “Weakness Within: Kerberos Delegation”: https://www.cyberark.com/threat-research-blog/weakness-within-kerberos-delegation/

Performance

zBang runs quickly and doesn’t need any special privileges over the network. As the only communication required is to the domain controller through legitimate read-only LDAP queries, a typical execution time of zBang on a network with around 1,000 user accounts will be seven minutes.
When you intend to scan large networks with multiple trust-connected domains, it’s recommended to check the domain trusts configuration or run zBang separately from within each domain to avoid possible permission and connectivity issues.

Checksum

zBang version 1.2.1:
SHA-256 ce747740a9a24c330c18c2f09f6ee344e1806666abf21c8c2f964fa61f438903

Authors

zBang was developed by CyberArk Labs as a quick and dirty POC intended to help security teams worldwide. Feedback and comments are welcome.

Main points of contact:
Asaf Hecht (@Hechtov), Nimrod Stoler (@n1mr0d5) and Lavi Lazarovitz (@__Curi05ity__)

More Repositories

1

KubiScan

A tool to scan Kubernetes cluster for risky permissions
Python
1,310
star
2

SkyArk

SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
PowerShell
862
star
3

ACLight

A script for advanced discovery of Privileged Accounts - includes Shadow Admins
PowerShell
783
star
4

conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
Ruby
760
star
5

kubeletctl

A client for kubelet
Go
730
star
6

summon

CLI that provides on-demand secrets access for common DevOps tools
Go
687
star
7

bash-lib

Library for bash utility methods and tools
Shell
656
star
8

PipeViewer

A tool that shows detailed information about named pipes in Windows
C#
551
star
9

DLLSpy

DLL Hijacking Detection Tool
C++
481
star
10

shimit

A tool that implements the Golden SAML attack
Python
331
star
11

RPCMon

RPC Monitor tool based on Event Tracing for Windows
C#
317
star
12

Evasor

A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies
C#
309
star
13

BlobHunter

Find exposed data in Azure with this public blob scanner
Python
306
star
14

RiskySPN

Detect and abuse risky SPNs
PowerShell
258
star
15

secretless-broker

Secure your apps by making them Secretless
Go
234
star
16

White-Phoenix

A tool to recover content from files encrypted with intermittent encryption
Python
218
star
17

kubernetes-rbac-audit

Tool for auditing RBACs in Kubernetes
Python
215
star
18

MITM_Intercept

A little bit less hackish way to intercept and modify non-HTTP protocols through Burp & others.
Python
201
star
19

epv-api-scripts

These API scripts enable CyberArk users to automate privileged account management task like account creation, user management, and more.
PowerShell
197
star
20

ketshash

A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
PowerShell
168
star
21

rdpfuzz

Tools for fuzzing RDP
C
122
star
22

SkyWrapper

SkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS
Python
104
star
23

EasyPeasy

Find accounts using common and default passwords in Active Directory.
PowerShell
65
star
24

pas-on-cloud

CyberArk Privileged Access Security on Cloud
Python
60
star
25

ansible-security-automation-collection

CyberArk Ansible Security Automation Collection
Python
60
star
26

CYBRHardeningCheck

A utility to check CyberArk component servers hardening status
PowerShell
53
star
27

summon-aws-secrets

Summon provider for AWS Secrets Manager
Go
52
star
28

cyberark-aws-auto-onboarding

Solutions for automatically detecting, managing and securing privileged accounts in AWS EC2
Python
40
star
29

pas-orchestrator

CyberArk Privileged Access Security automatic deployment using Ansible
Python
38
star
30

summon-conjur

CyberArk Conjur provider for Summon
Go
38
star
31

ansible-modules

Ansible Modules for CyberArk Privileged Account Security Web Service SDK
Python
37
star
32

conjur-quickstart

Start securing your secrets and infrastructure by installing Conjur, using Docker and the official Conjur containers on DockerHub.
Shell
33
star
33

malware-research

C++
33
star
34

Fuzzer-V

C
30
star
35

sidecar-injector

Sidecar Injector for the Conjur Kubernetes Authenticator and Secretless
Go
29
star
36

ChattyCaty

JavaScript
28
star
37

conjur-oss-helm-chart

Helm chart for deploying Conjur OSS to Kubernetes
Shell
27
star
38

secrets-provider-for-k8s

Cyberark secrets provider for k8s
Go
26
star
39

PwnKit-Hunter

PwnKit-Hunter is here to help you check if your systems are vulnerable to CVE-2021-4043, a.k.a. PwnKit
Python
25
star
40

PreCog

Discover "HotSpots" - potential spots for credentials theft
PowerShell
23
star
41

terraform-provider-conjur

Terraform provider for Conjur
Shell
21
star
42

pvwa

Ansible role to deploy Cyberark Password Vault Web Access
Jinja
20
star
43

conjur-api-go

Go client for the CyberArk Conjur API
Go
20
star
44

slosilo

A Ruby interface to standard cryptographic primitives
Ruby
17
star
45

password-lookup-plugin

cyberarkpassword Lookup Plugin
17
star
46

cyberark-conjur-cli

CyberArk Conjur command line interface written in Python
Python
17
star
47

psm

Ansible role to deploy Cyberark Privileged Session Manager
PowerShell
16
star
48

conjur-template

Template repo for Conjur repositories
16
star
49

conjur-api-java

Java client for the CyberArk Conjur API
Java
15
star
50

summon-keyring

Cross-platform provider for Summon that talks to keyrings.
Python
15
star
51

cpm

Ansible role to deploy Cyberark Central Policy Manager
PowerShell
15
star
52

conjur-api-dotnet

.NET client for the CyberArk Conjur API
C#
15
star
53

cyberark-conjur-cli-docker-based

CyberArk Conjur command line interface (Ruby)
Ruby
15
star
54

parse-a-changelog

A validator for changelogs using the Keep a Changelog standard (http://keepachangelog.com)
Ruby
15
star
55

ansible-aim-provider

Ansible Galaxy Role to install and uninstall Cyberark AIM provider
14
star
56

kubernetes-conjur-deploy

Scripts for deploying DAP followers to Kubernetes and OpenShift given an existing DAP master cluster
Shell
14
star
57

Symda

Python
13
star
58

summon-s3

AWS S3 provider for Summon
Shell
13
star
59

KDSnap

C++
12
star
60

ansible-role-conjur

Grants Conjur machine identity to hosts
Python
12
star
61

conjur-credentials-plugin

Conjur plugin for securely providing credentials to Jenkins jobs
Java
12
star
62

conjur-openapi-spec

OpenAPI v3 specification for Conjur / DAP v10+
Mustache
11
star
63

conjur-authn-k8s-client

Authentication sidecar for Conjur Kubernetes integration.
Shell
11
star
64

dev-flow

Opinionated CLI that standardizes and automates common development tasks
Go
11
star
65

ark-sdk-python

CyberArk's Official SDK and CLI - https://cyberark.github.io/ark-sdk-python/
Python
10
star
66

ansible-conjur-host-identity

This project encapsulates the functionality of our `cyberark.conjur-host-identity role for Ansible
Shell
8
star
67

conjur-api-python

Python client for the CyberArk Conjur API
Python
8
star
68

conjur-oss-suite-release

Under development - Latest stable releases of the Conjur OSS suite
Go
7
star
69

community

Information for the CyberArk contributor community
7
star
70

cyberark-aim-chef

Chef custom resource for CyberArk AIM
Ruby
7
star
71

homebrew-tools

Homebrew formulas for different CyberArk tooling.
Shell
7
star
72

cacookiecleaner

C#
7
star
73

conjur-policy-generator

Tools to create sample Conjur policies for testing, etc.
Ruby
7
star
74

atyourservice

The atyourservice project is intended to provide highly-customizable utilities for troubleshooting issues.
Python
7
star
75

identity-aws-verified-permissions-demo

Python
7
star
76

summon-chefapi

Summon provider for Chef encrypted data bags
Go
6
star
77

conjur-puppet

Official Puppet module for CyberArk Conjur
Ruby
6
star
78

sample-siem-dashboards

6
star
79

escape-the-cloud

Web Application for CyberArk Cloud Escape Room CTF challenge
JavaScript
5
star
80

helm-charts

CyberArk Helm charts repository.
Shell
5
star
81

psmp-deploy-ansible-role

Ansible role to deploy Cyberark Privileged Session Manager SSH Proxy (PSM-SSH)
Shell
5
star
82

ansible-conjur-collection

Ansible Collection for Conjur
Python
5
star
83

conjur-spring-boot-sdk

Java
5
star
84

SafeNet

5
star
85

conjur-azure-devops-extension

Azure DevOps Extension for retrieving secrets from CyberArk Conjur
JavaScript
5
star
86

conjur-api-ruby

Ruby client for the CyberArk Conjur API
Ruby
4
star
87

conjur-base-image

Base Docker images for CyberArk Conjur
Shell
4
star
88

conjur-cli-go

CyberArk Conjur command line interface (Go)
Go
4
star
89

conjur-aws

[DEPRECATED] - AWS CloudFormation templates for Conjur
Shell
4
star
90

conjur-google-cloud-marketplace

[DEPRECATED] Conjur application for Google Cloud Marketplace
Shell
4
star
91

conjur-service-broker

Implementation of the Open Service Broker API for Conjur
Ruby
4
star
92

identity-demo-android

This is to demonstrate CyberArk Identity capabilities of Android SDK in a sample app.
Kotlin
3
star
93

pas-reporter-dataprocessing

C#
3
star
94

conjur-inspect

Go
3
star
95

dap-web-utility

DAP web utility to simplify DAP/Conjur deployment & operations
JavaScript
3
star
96

urbancode-conjur-aim

A plugin which allows UrbanCode Deploy to get credentials from EPV via AIM, and to get secrets from Conjur for setting up a CI/CD workflow
Groovy
3
star
97

psmp-activate-ansible-role

Ansible role to activate Cyberark Privileged Session Manager SSH Proxy (PSM-SSH)
Shell
3
star
98

conjur-tutorials

A repository for tutorials related to Conjur
Shell
2
star
99

conjur-authn-iam-client-python

Python client for using Conjur with authn-iam
Python
2
star
100

aim-puppet

Ruby
2
star