ADCollector : Tool To Quickly Extract Valuable Information From Active Directory

ADCollector is a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors. It will give you a basic understanding of the configuration/deployment of the environment as a starting point.

Notes:

It is not an alternative to the powerful PowerView, it just automates enumeration to quickly identify juicy information without thinking too much at the early Recon stage.

Functions implemented in ADCollector are ideal for enumeration in a large Enterprise environment with lots of users/computers, without generating lots of traffic and taking a large amount of time.

It only focuses on extracting useful attributes/properties/ACLs from the most valuable targets instead of enumerating all available attributes from all the user/computer objects in the domain. You will definitely need PowerView to do more detailed enumeration later.

The aim of developing this tool is to help me learn more about Active Directory security in a different perspective as well as to figure out what’s behind the scenes of those PowerView functions. I just started learning .NET with C#, the code could be really terrible~

It uses S.DS namespace to retrieve domain/forest information from the domain controller(LDAP server). It also utilizes S.DS.P namespace for LDAP searching.

Enumeration

  • Current Domain/Forest information
  • Domains in the current forest (with domain SIDs)
  • Domain Controllers in the current domain [GC/RODC] (with ~~IP,OS Site and ~~Roles)
  • Domain/Forest trusts as well as trusted domain objects[SID filtering status]
  • Privileged users (currently in DA and EA group)
  • Unconstrained delegation accounts (Excluding DCs)
  • Constrained Delegation (S4U2Self, S4U2Proxy, Resources-based constrained delegation)
  • MSSQL/Exchange/RDP/PS Remoting SPN accounts
  • User accounts with SPN set & password does not expire account
  • Confidential attributes ()
  • ASREQROAST (DontRequirePreAuth accounts)
  • AdminSDHolder protected accounts
  • Domain attributes (MAQ, minPwdLength, maxPwdAge lockoutThreshold, gpLink[group policies that linked to the current domain object])
  • LDAP basic info(supportedLDAPVersion, supportedSASLMechanisms, domain/forest/DC Functionality)
  • Kerberos Policy
  • Interesting ACLs on the domain object, resolving GUIDs (User defined object in the future)
  • Unusual DCSync Accounts
  • Interesting ACLs on GPOs
  • Interesting descriptions on user objects
  • Sensitive & Not delegate account
  • Group Policy Preference cpassword in SYSVOL/Cache
  • Effective GPOs on the current user/computer
  • Restricted groups
  • Nested Group Membership

Also Read – EvilApp : Phishing Attack Using An Android Application

Usage

C:\Users> ADCollector.exe -h

Usage: ADCollector.exe -h
–Domain (Default: current domain)
Enumerate the specified domain
–Ldaps (Default: LDAP)
Use LDAP over SSL/TLS
–Spns (Default: no SPN scanning)
Enumerate SPNs
–Term (Default: ‘pass’)
Term to search in user description field
–Acls (Default: ‘Domain object’)
Interesting ACLs on an object

Example: .\ADCollector.exe –SPNs –Term key –ACLs ‘CN=Domain Admins,CN=Users,DC=lab,DC=local’

Changelog

  • v 1.1.1
    • It now uses S.DS.P namespace to perform search operations, making searches faster and easier to implement. (It also supports paged search. )
    • It now supports searching in other domains. (command line parser is not implemented yet).
    • The code logic is reconstructed, less code, more understandable and cohesive.
  • v 1.1.2
    • Separated into three classes.
    • Dispose ldap connection properly.
    • Enumerations: AdminSDHolder, Domain attributes(MAQ, minPwdLengthm maxPwdAge, lockOutThreshold, GP linked to the domain object), accounts don’t need pre-authentication.
    • LDAP basic info (supportedLDAPVersion, supportedSASLMechanisms, domain/forest/DC Functionality)
    • SPN scanning (SPNs for MSSQL,Exchange,RDP and PS Remoting)
    • Constrained Delegation enumerations (S4U2Self, S4U2Proxy as well as Resources-based constrained delegation)
    • RODC (group that administers the RODC)
  • v 1.1.3
    • Fixed SPN scanning result, privilege accounts group membership
    • Password does not expire accounts; User accounts with SPN set;
    • Kerberos Policy
    • Interesting ACLs enumeration for the domain object, resolving GUIDs
    • DC info is back
  • v 1.1.4
    • Some bugs are killed and some details are improved
    • SPN scanning is now optional
    • GPP cpassword in SYSVOL/Cache
    • Interesting ACLs on GPOs; Interesting descriptions on user objects;
    • Unusual DCSync accounts; Sensitive & not delegate accounts
    • Effective GPOs on user/computer
    • Restricted groups
    • Nested Group Membership
Download
R K

Share
Published by
R K
Tags: Active DirectoryADCollectorMicrosoftwindows
4 years ago

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago