• Stars
    star
    239
  • Rank 168,763 (Top 4 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created about 5 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Network Enumeration and Attack Toolset for Windows Active Directory Environments.

ActiveReign

⚠️ Thank you for your support. This project is no longer publicly maintained.


      follow on Twitter

Background

A while back I was challenged to write a discovery tool with Python3 that could automate the process of finding sensitive information on network file shares. After writing the entire tool with pysmb, and adding features such as the ability to open and scan docx an xlsx files, I slowly started adding functionality from the awesome Impacket library; just simple features I wanted to see in an internal penetration testing tool. The more I added, the more it looked like a Python3 rewrite of CrackMapExec created from scratch.

If you are doing a direct comparison, CME is an amazing tool that has way more features than currently implement here. However, I added a few new features and modifications that may come in handy during an assessment.

For more documentation checkout the project wiki

Operational Modes

  • db - Query or insert values in to the ActiveReign database
  • enum - System enumeration & module execution
  • shell - Spawn a simulated shell on the target system and perform command execution
  • spray - Domain password spraying and brute force
  • query - Perform LDAP queries on the domain

Key Features

  • Automatically extract domain information via LDAP and incorporate into network enumeration.
  • Perform Domain password spraying using LDAP to remove users close to lockout thresholds.
  • Local and remote command execution, for use on multiple starting points throughout the network.
  • Simulated interactive shell on target system, with file upload and download capabilities.
  • Data discovery capable of scanning xlsx and docx files.
  • Various modules to add and extend capabilities.

Acknowledgments

There were many intended and unintended contributors that made this project possible. If I am missing any, I apologize, it was in no way intentional. Feel free to contact me and we can make sure they get the credit they deserve ASAP!

Final Thoughts

Writing this tool and testing on a variety of networks/systems has taught me that execution method matters, and depends on the configuration of the system. If a specific module or feature does not work, determine if it is actually the program, target system, configuration, or even network placement before creating an issue.

To help this investigation process, I have created a test_execution module to run against a system with known admin privileges. This will cycle through all all execution methods and provide a status report to determine the best method to use:

$ activereign enum -u administrator -p Password123 --local-auth -M test_execution 192.168.1.1
[*] Lockout Tracker             Threshold extracted from database: 5
[*] Enum Authentication         \administrator (Password: P****) (Hash: False)
[+] DC01                        192.168.1.1     ENUM             Windows Server 2008 R2 Standard 7601 Service Pack 1    (Domain: DEMO)   (Signing: True)  (SMBv1: True) (Adm!n) 
[*] DC01                        192.168.1.1     TEST_EXECUTION   Testing execution methods                              
[*] DC01                        192.168.1.1     TEST_EXECUTION   Execution Method: WMIEXEC    Fileless: SUCCESS   Remote (Default): SUCCESS
[*] DC01                        192.168.1.1     TEST_EXECUTION   Execution Method: SMBEXEC    Fileless: SUCCESS   Remote (Default): SUCCESS
[*] DC01                        192.168.1.1     TEST_EXECUTION   Execution Method: ATEXEC     Fileless: SUCCESS   Remote (Default): SUCCESS
[*] DC01                        192.168.1.1     TEST_EXECUTION   Execution Method: WINRM      Fileless: N/A       Remote (Default): SUCCESS

More Repositories

1

CrossLinked

LinkedIn enumeration tool to extract valid employee names from an organization through search engine scraping
Python
806
star
2

subscraper

Perform subdomain enumeration through various techniques and retrieve detailed output to aid in further testing.
Python
665
star
3

nullinux

Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.
Python
515
star
4

pymeta

Pymeta will search the web for files on a domain to download and extract metadata. This technique can be used to identify: domains, usernames, software/version numbers and naming conventions.
Python
382
star
5

enumdb

Relational database brute force and post exploitation tool for MySQL and MSSQL
Python
211
star
6

ldap_search

Python3 script to perform LDAP queries and enumerate users, groups, and computers from Windows Domains. Ldap_Search can also perform brute force/password spraying to identify valid accounts via LDAP.
Python
91
star
7

taser

Python resource library for creating security related tooling
Python
79
star
8

CVE-2021-34527

PrintNightmare (CVE-2021-34527) PoC Exploit
Python
74
star
9

SubWalker

Simultaneously execute various subdomain enumeration tools and aggregate results.
Shell
33
star
10

OffsecDev

Working repo used to experiment with various languages as it relates to offensive security & evasion.
Python
23
star
11

transportc2

PoC Command and Control Server. Interact with clients through a private web interface, add new users for team sharing and more.
Python
22
star
12

EAPrimer

C# project that Reflectively loads .Net assemblies in memory.
PowerShell
13
star
13

ipparser

Python module to parse IPv4 addresses / target information and return a single list for iteration. Useful when creating security or network related tools.
Python
9
star
14

m8sec.github.io

https://m8sec.dev
HTML
2
star