ActiveReign : A Network Enumeration & Attack Toolset

ActiveReign is a network enumeration and attack toolset.A while back I was challenged to write a discovery tool with Python3 that could automate the process of finding sensitive information on network file shares. After writing the entire tool with pysmb, and adding features such as the ability to open and scan docx an xlsx files.

We slowly started adding functionality from the awesome Impacket library; just simple features I wanted to see in an internal penetration testing tool. The more I added, the more it looked like a Python3 rewrite of CrackMapExec created from scratch.

If you are doing a direct comparison, CME is an amazing tool that has way more features than currently implement here. However, I added a few modifications that may come in handy during an assessment.

Also Read – PyFuscation : Obfuscate Powershell Scripts By Replacing Function Names, Variables & Parameters

Operational Modes

  • db – Query or insert values in to the ActiveReign database
  • enum – System enumeration & module execution
  • shell – Spawn an emulated shell on a target system
  • spray – Domain password spraying and brute force
  • query – Perform LDAP queries on the domain

Key Features

  • Automatically extract domain information via LDAP and incorporate into network enumeration.
  • Perform Domain password spraying using LDAP to remove users close to lockout thresholds.
  • Local and remote command execution, for use on multiple starting points throughout the network.
  • Emulated interactive shell on target system
  • Data discovery capable of scanning xlsx and docx files.
  • Various modules to add and extend capabilities.

Final Thoughts

Writing this tool and testing on a variety of networks/systems has taught me that execution method matters, and depends on the configuration of the system. If a specific module or feature does not work, determine if it is actually the program, target system, configuration, or even network placement before creating an issue.

To help this investigation process, I have created a test_execution module to run against a system with known admin privileges. This will cycle through all all execution methods and provide a status report to determine the best method to use:

$ activereign enum -u administrator -p password –local-auth -M test_execution 192.168.3.20
[*] Lockout Tracker Using default lockout threshold: 3
[*] Enum Authentication \administrator (Password: p****) (Hash: False)
[+] WIN-T460 192.168.3.20 ENUM Windows 7 Ultimate 7601 Service Pack 1 (Domain: ) (Signing: False) (SMBv1: True) (Adm!n)
[*] WIN-T460 192.168.3.20 TEST_EXECUTION Execution Method: WMIEXEC Fileless: SUCCESS Remote (Defualt): SUCCESS
[*] WIN-T460 192.168.3.20 TEST_EXECUTION Execution Method: SMBEXEC Fileless: SUCCESS Remote (Defualt): SUCCESS

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

3 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

3 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

5 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

1 week ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago