  • Stars: 556
  • Rank 80,098 (Top 2 %)
  • Language: Python
  • Created over 5 years ago
  • Updated 8 months ago

jackdaw

What is this?

Jackdaw is here to collect all information in your domain, store it in a SQL database and show you nice graphs on how your domain objects interact with each other and how a potential attacker may exploit these interactions. It also comes with a handy feature to help you in a password-cracking project by storing/looking up/reporting hashes/passwords/users.

Quick usage info

  • If you are not using automatic collection (e.g. not on Windows), you will need to create an initial empty database via dbinit.
  • First you need to perform enum. This can be done automatically on Windows by double-clicking on the executable, or by typing jackdaw.exe auto.
  • Second you will need to run nest to get the web interface. By default it is served under http://127.0.0.1:5000/nest. There is a Swagger-documented API under http://127.0.0.1:5000/ui.
  • In the web interface, go to the domain view and click on Generate graph cache (only once) to get the edge information into a cache file. It might take a while, but you will see a progress bar in the command line.
  • After the graph cache is done, you can play with the graph on the graph view, but don't forget to select the correct cache number on the top left.

Performance tricks/tips

This section will be regularly updated based on user feedback.

Data gathering

No advice here. While some improvements can be made in the code, there is nothing that a generic user can do.

Graph data cache file generation

Graph data cache file generation must be done on each graph once (and only once), which can take a while using the default sqlalchemy tool.
Performance and speed can be improved significantly (over 50x more speed and 20x less memory) if you use the sqlite backend AND put the "sqlite3" command line utility somewhere in the PATH. I'd recommend this to every user.

Path calculation and Graph data load

Now here comes the big tradeoff part. Early implementations of Jackdaw used the networkx module as the graph backend since it is completely written in Python, but this came at a really significant memory and speed cost. To keep Jackdaw pure Python this option still exists; however, the igraph backend is now the default.
Note: igraph is a C++ library with Python bindings. It has precompiled wheels for Windows and major Linux distros, but if you use Jackdaw on something else (embedded systems/mobile phones/web browsers) you will either need to switch back to networkx or suffer through the hours-long compilation time.

Example commands

Automatic enumeration - Windows only, with domain-joined user

No need to pre-initialise the database, it will be done automatically. Using the distributed binary you can just double-click on jackdaw.exe
When used as a Python script: jackdaw auto

DB init

jackdaw --sql sqlite:///<full path here>/test.db dbinit
ON LINUX SYSTEMS <full path here> includes the first / so you will have //// four (4) slashes before the file name. Don't get freaked out.

Enumeration

Full enumeration with integrated sspi - windows only

jackdaw --sql sqlite:///test.db enum 'ldap+sspi-ntlm://<domain>\<placeholder>@10.10.10.2' 'smb+sspi-ntlm://<domain>\<placeholder>@10.10.10.2'

Full enumeration with username and password - platform independent

The password is Passw0rd!
jackdaw --sql sqlite:///test.db enum 'ldap+ntlm-password://TEST\victim:[email protected]' 'smb+ntlm-password://TEST\victim:[email protected]'

LDAP-only enumeration with username and password - platform independent

The password is Passw0rd!
jackdaw --sql sqlite:///test.db ldap 'ldap+ntlm-password://TEST\victim:[email protected]'

Start interactive web interface to plot graph and access additional features

jackdaw --sql sqlite:///<FULL PATH TO DB> nest

Open http://127.0.0.1:5000/ui for the API

Please see the Building the UI section further down to learn how to build the UI. Once built:

Open http://127.0.0.1:5000/nest for the graph interface (shows the graph, but far from working)

Features

Data acquisition

via LDAP

The LDAP enumeration phase acquires data on AD info, User, Machine, OU and Group objects, each of which will be represented as a node in the graph and as a separate table in the DB. Additionally, the Security Descriptor of all aforementioned objects will be parsed and the ACLs for the DACL added to the DB. This, together with the membership information, will be represented as edges in the graph. Custom SQL queries can also be performed on any of the aforementioned data types when needed.

via SMB

The SMB enumeration phase acquires data on shares, localgroups, sessions and NTLM data by connecting to each machine in the domain (the machine list is acquired via LDAP).

via Kerberos

The Kerberos module does automatic kerberoasting and AS-REP roasting.

via LSASS dumps (optional)

The framework allows users to upload LSASS memory dumps to store credentials and extend the session information table. Both will be used as additional edges in the graph (shared password and session respectively). The framework also uses this information to create a password report on weak/shared/cracked credentials.

via DCSYNC results (optional)

The framework allows users to upload impacket's DCSYNC files to store credentials. These will be used as additional edges in the graph (shared password). The framework also uses this information to create a password report on weak/shared/cracked credentials.

via manual upload (optional)

The framework allows manually extending the available DB in every aspect. Example: when user session information on a given computer is discovered (outside of the automatic enumeration), these sessions can be uploaded manually, which will populate the DB and also the resulting graph.

Graph

The framework can generate a graph using the available information in the database and plot it via the web UI (nest). Furthermore, the graph generation and path calculations can be invoked programmatically, either by using the web API (/ui endpoint) or the graph object's functions.
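
A minimal sketch of the graph model described above, added here as an illustration and not taken from Jackdaw's code: membership and DACL-derived rights become directed edges, and a breadth-first search returns the shortest chain from a principal to a sensitive group so it can be reviewed. All object names and edge labels are constructed.

```python
from collections import deque

# Constructed sample edges: (source, label, destination).
# "member" comes from group membership, the rest from parsed DACL entries.
EDGES = [
    ("alice", "member", "Helpdesk"),
    ("Helpdesk", "ForceChangePassword", "svc_backup"),
    ("svc_backup", "member", "Backup Operators"),
    ("Backup Operators", "GenericAll", "Domain Admins"),
    ("bob", "member", "Sales"),
    ("carol", "member", "Domain Admins"),
]

def build_graph(edges):
    """Adjacency list: node -> [(label, neighbour), ...]."""
    graph = {}
    for src, label, dst in edges:
        graph.setdefault(src, []).append((label, dst))
    return graph

def shortest_path(graph, start, target):
    """Return the shortest edge chain [(src, label, dst), ...] or None."""
    queue = deque([start])
    parent = {start: None}  # node -> (previous node, edge label)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, label = parent[node]
                path.append((prev, label, node))
                node = prev
            return path[::-1]
        for label, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, label)
                queue.append(nxt)
    return None

def principals_reaching(graph, edges, target):
    """Map every node that has some path to target onto its hop count."""
    nodes = {s for s, _, _ in edges} | {d for _, _, d in edges}
    result = {}
    for node in nodes - {target}:
        path = shortest_path(graph, node, target)
        if path is not None:
            result[node] = len(path)
    return result
```

Running principals_reaching against a high-value group gives the list of objects whose rights are worth reviewing first, ordered by how few hops they need.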

Anomalies detection

The framework can identify common AD misconfigurations without graph generation. Currently only via the web API.

User

User anomalies detection involves detection of insecure UAC permissions and extensive user description values. This feature set is expected to grow in the future as new features are implemented.

Machine

Machine anomalies detection involves detection of insecure UAC permissions, non-mandatory SMB signing, outdated OS versions and out-of-domain machines. This feature set is expected to grow in the future as new features are implemented.
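
The kind of UAC check described in the User and Machine sections, written as an added example that is not Jackdaw's own code: it decodes the userAccountControl attribute and reports settings commonly treated as insecure. Which flags Jackdaw itself reports, the description length threshold and the sample accounts are assumptions made for this sketch.

```python
# userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",      # domain controller
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",   # unconstrained delegation
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
# Flags reported for any account type (assumed rule set).
RISKY = ("PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED",
         "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH")
MAX_DESCRIPTION = 64  # assumed threshold for an "extensive" description

def decode_uac(value):
    """Return the set of flag names present in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def audit_account(uac, description=""):
    """Return the list of findings for one account."""
    flags = decode_uac(uac)
    findings = [f for f in RISKY if f in flags]
    is_machine = bool(flags & {"WORKSTATION_TRUST_ACCOUNT", "SERVER_TRUST_ACCOUNT"})
    # Machine accounts rotate their own password, so only flag users here.
    if "DONT_EXPIRE_PASSWORD" in flags and not is_machine:
        findings.append("DONT_EXPIRE_PASSWORD")
    # Domain controllers carry this flag by default; anything else is a finding.
    if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
        findings.append("UNCONSTRAINED_DELEGATION")
    if len(description) > MAX_DESCRIPTION:
        findings.append("LONG_DESCRIPTION")
    return findings

# Constructed sample accounts: name -> (userAccountControl, description).
SAMPLE = {
    "jsmith": (0x200, "Sales"),
    "svc_sql": (0x410200, "SQL service"),
    "WEB01$": (0x81000, ""),
    "DC01$": (0x82000, ""),
    "tmpuser": (0x220, "temporary account, see ticket notes " * 3),
}

def audit_all(accounts):
    return {name: audit_account(uac, desc) for name, (uac, desc) in accounts.items()}
```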

Password cracking

The framework does not perform any cracking, it only organizes the hashes and the cracking results.
Currently the main focus is on impacket and aiosmb's dcsync results. !NT and LM hashes only!
The sample process is the following:

  1. Harvesting credentials as text file via impacket/aiosmb or as memory dumps of the LSASS process via whatever tool you see fit.
  2. Upload the harvested credentials via the API
  3. Poll uncracked hashes via the API
  4. Crack them (hashcat?)
  5. Upload the results to the framework via the API
  6. Generate a report on the cracked/uncracked users and password strength and password sharing
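
What the report in step 6 boils down to, as an added stand-alone example that does not use Jackdaw's API or code: accounts are grouped by NT hash to find shared passwords, blank passwords and stored LM hashes are flagged, and cracked entries are reduced to a password length. The input layout (user:rid:lmhash:nthash:::), the hash:plaintext result lines and every account and hash below except the two empty-string constants are constructed.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

# Constructed sample dump; the non-empty hashes are fake filler values.
DUMP = """\
TEST\\alice:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
TEST\\bob:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
TEST\\svc_old:1106:22222222222222222222222222222222:33333333333333333333333333333333:::
TEST\\guest2:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
# Constructed cracking results, one "nthash:plaintext" pair per line.
CRACKED = "11111111111111111111111111111111:Summer2020\n"

def parse_dump(text):
    """Yield (user, lmhash, nthash) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        rows.append((parts[0], parts[2].lower(), parts[3].lower()))
    return rows

def build_report(dump_text, cracked_text):
    cracked = dict(l.split(":", 1) for l in cracked_text.splitlines() if ":" in l)
    by_hash = defaultdict(list)
    report = {"blank": [], "lm_stored": [], "cracked": {}, "uncracked": []}
    for user, lm, nt in parse_dump(dump_text):
        by_hash[nt].append(user)
        if nt == EMPTY_NT:
            report["blank"].append(user)
        elif nt in cracked:
            # Keep only the length; the report does not need the plaintext.
            report["cracked"][user] = len(cracked[nt])
        else:
            report["uncracked"].append(nt)
        if lm != EMPTY_LM:
            report["lm_stored"].append(user)
    report["shared"] = [sorted(u) for u in by_hash.values() if len(u) > 1]
    report["uncracked"] = sorted(set(report["uncracked"]))
    return report
```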

Note from author: This feature was implemented for both attackers and defenders. Personally I don't see much added value on either side, since at the point one obtained the NT hash of a user it's just as good as the password... Nonetheless, more and more companies are performing password strength exercises, and this feature would help them. As for attackers: it is just showing off at this point, but be my guest. Maybe scare management for extra points.

Important

This project is in experimental phase! This means multiple things:

  1. it may crash
  2. the controls you are using might change in the future (most likely)
  3. (worst part) The database design is not necessarily suitable for future requests so it may change. There will be no effort to maintain backwards compatibility with experimental-phase DB structure!

Technical part

Database backend

Jackdaw uses the SQLAlchemy ORM module, which gives you the option to use any SQL DB backend you like. The tests are mainly done on SQLite for obvious reasons. There will be no backend-specific commands used in this project that would limit you.

Building the UI

THIS IS ONLY NEEDED IF YOU INSTALL VIA GIT AND/OR CHANGE SOMETHING IN THE UI CODE
The UI was written in React. Before first use/installation you have to build it. For this, you will need nodejs and npm installed. Then:

  1. Go to jackdaw/nest/site/nui
  2. Run npm install
  3. Run npm run build

Once done with the above, the UI is ready to play with.

Kudos

"If I have seen further it is by standing on the shoulders of Giants."

For the original idea

BloodHound team

For the ACL edge calculation

@dirkjanm (https://github.com/dirkjanm/)

For the awesome UI

Zsolt Imre (https://github.com/keymandll)

For the data collection parts

please see kudos section in aiosmb and msldap modules

In case I forgot to mention someone pls send a PR
