adalanche is a Active Directory security is notoriously difficult. Small organizations generally have no idea what they’re doing, and way too many people are just added to Domain Admins. In large organizations you have a huge number of people with different needs, and they are delegated access to varying degrees of power in the AD. At some point in time, someone makes a mistake, and that can cost you dearly.
Run adalanche on your own infrastructure
You should ensure you have permission before you run this 🙂 Though the software is harmless any only uses the LDAP service to read data any user can access, your infrastructure/SOC team might get real mad at you none the less.
Quick start, choose one of these:
go build
– you will have a binary for your OSbuild
– you will have binaries for Windows, Linux and OSXThe tool tries to autodetect as much as it can, so running it on a Windows domain joined machine should just work without any parameters: adalanche.exe
If no command is given, the tool will run in a dump-analyze mode (dump, then analyze). See program options for other possibilities.
If you’re on a non-domain joined Windows machine or another OS, you’ll need at least the -domain parameter as well.
LDAPS (TLS over port 636) is default. If you’re on a lab, and you haven’t set up CA yet, you will get connection errors because the computer doesn’t trust the AD cert. Switch to LDAP with adalanche -authmode NoTLS -port 389
Create cache file for contoso.local:Â adalanche -domain contoso.local -username joe -password Hunter42 dump
Analyze cache file for contoso.local and launch browser:Â adalanche -domain contoso.local analyze
When launched, you get to see who can pwn “Domain Admins” and “Enterprise Admins”. Query targets are marked with RED. If you get a lot of objects on this one, congratz, you’re running a pwnshop.
The below examples loaded from the included domain beyond.local, which is a synthetic domain, that has been heavy handedly been messed up using BadBlood. You can try the same analysis with: adalanche -domain beyond.local analyze
Your browser should pop up with:
No really exciting results on this synthetic AD. Yes, some users are Domain Admins and Administrators. But let’s expand the search a bit.
Press the “Analysis Methods” tab on the bottom portion of the page, and you get this:
(more methods has been added since this screenshot)
The tool can look for many scenarios, but defaults to fairly simple ones that can get you control of an object. As this yielded nothing, let’s try to expand with all methods enabled. Checking the missing boxes, we submit another query.
When you press the “LDAP Query” tab on the bottom portion of the page, and you get the search interface:
You enter a query for things you want to search for. Optionally you can also add a secondary exclude query, seperating the include and expclude quereries with a comma. Things matching in the exclude query will never get added to the results.
Analyze:
I enabled “Force” as I was warned that the analysis would return more than 1000 objects, and pressed “Analyze / Normal”.
Whoa – that’s a lot. But can all these objects then suddenly do a system takeover? No, not neccesarily, this depends on the analysis methods used. We enabled the CanDelete*, CanCreate* and InheritsSecurity methods.
Let’s investigate what’s going on here – right click on one of your targets, and choose “Set as target”.
Then right-click on someone else, and choose “Route to target”.
Then you’ll get a route, which shows the best way to the target.
So here the problem is just a matter of groups being nested members of other groups, but at the very end you see that someone set the DELETE_CHILD flag on the parent container, yielding the right to delete (or potentially move) the target. That does look wrong, doesn’t it?
If you examine the “Domain Users” object, you will see that it doesn’t have the InheritsSecurity flag, so you can’t really pwn it by moving it around.
So try it out on your own data – see what your user can pwn by searching for (&(objectCategory=Person)(Name=YOURLOGIN)) and do a Reverse search. Maybe you’ll just end up with the groups that you are a member of, maybe you have access to more than you think …
Remember, you might get too many results. Limit the selection of targets with (&(attribute=something)(_limit=10)) to just get 10 random targets (see LDAP queries below)
adalanche works a bit differently than other tools, as it dumps everything it can from an Active Directory server, which it then saves to a highly compressed binary cache file for later use. This dump can be done by any unprivileged user, unless the Active Directory has been hardened to prevent this (almost no one does this).
The analysis phase is done on a cache file, so you do not have to be connected to the systems when doing analysis. This way you can explore different scenarios, and ask questions not easily answered otherwise.
The tool works like an interactive map in your browser, and defaults to a ldap search query that shows you how to become “Domain Admin” or “Enterprise Admin” (i.e. member of said group or takeover of an account which is either a direct or indirect member of these groups.
The tool has its own LDAP query parser, and makes it easy to search for other objects to take over, by using a familiar search language.
The queries support:
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…