# AutoAD

This tool was created in my spare time to help fellow penetration testers automate the basic enumeration steps they perform in their day-to-day work. It can also be useful in AD labs (CRTP/CRTE/CRTO/Offshore, etc.).

(Spoiler: this tool is far from perfect.)
## Installation

```bash
git clone https://github.com/M-Arman/AutoAD.git
cd AutoAD
chmod +x install.sh
sudo ./install.sh
```
## Usage

```
█████╗ ██╗ ██╗████████╗ ██████╗ █████╗ ██████╗
██╔══██╗██║ ██║╚══██╔══╝██╔═══██╗ ██╔══██╗██╔══██╗
███████║██║ ██║ ██║ ██║ ██║ ███████║██║ ██║
██╔══██║██║ ██║ ██║ ██║ ██║ ██╔══██║██║ ██║
██║ ██║╚██████╔╝ ██║ ╚██████╔╝ ██║ ██║██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═════╝
by M-Arman

usage: AutoAD.py [-h] -user USERNAME -pass PASSWORD -dc-ip DC_IP -dns-mode DNS_MODE

AutoAD - Simple python script for AD enumeration

optional arguments:
  -h, --help          show this help message and exit
  -user USERNAME      Username for the account that will be used for
                      authentication. (format: [email protected])
  -pass PASSWORD      Password for the account that will be used for
                      authentication.
  -dc-ip DC_IP        The IP address for the domain controller that will be
                      queried for results.
  -dns-mode DNS_MODE  1 = Use DC-IP as DNS server. (default)
                      2 = Use system default DNS configuration. (proxychains/joined machine)
```
## Features

- [x] List Domain Controllers, Domain SID, Domain Admins.
- [x] Check whether the Print Spooler service is exposed on domain controllers (printer-bug).
- [x] List Group Policy Objects (GPO).
- [x] List Domain trusts.
- [x] List Kerberoastable users.
- [x] List Unconstrained delegation enabled computers.
- [x] List Constrained delegation enabled computers/users.
- [x] Find readable LAPS credentials.
- [x] Check for local administrator access on all domain computers as the querying user.
- [x] Output domain users, users with description, computers, groups.
- [x] Output hashes from TGS and ASREP roasting for offline cracking. (Impacket)
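Several of the checks above (Kerberoastable users, AS-REP roastable users, unconstrained and constrained delegation) come down to inspecting a few LDAP attributes on each account: `servicePrincipalName`, `msDS-AllowedToDelegateTo`, and flag bits in `userAccountControl`. The following is an added example, not part of AutoAD, showing how a defender can reproduce those findings offline from a directory export in order to audit and clean up exposed accounts. The entries in `SAMPLE_ENTRIES` are constructed for the example; the flag values are Microsoft's documented `userAccountControl` bits.

```python
# Added example (not AutoAD's own code): classify AD accounts from their LDAP
# attributes into the categories AutoAD reports, for defensive auditing.
# userAccountControl bit values per Microsoft's documentation (MS-ADTS).
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000             # AS-REP roastable
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained w/ protocol transition


def classify(entry):
    """Return the list of exposure categories an LDAP entry falls into.

    `entry` is a dict of attribute name -> value, as you would get from an
    ldap3 search or a CSV/JSON export of the directory (constructed here).
    """
    uac = int(entry.get("userAccountControl", 0))
    disabled = bool(uac & UF_ACCOUNTDISABLE)
    is_computer = bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))
    name = entry.get("sAMAccountName", "")
    findings = []

    # Disabled accounts cannot obtain tickets, so roasting checks skip them.
    if not disabled and uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("asrep-roastable")

    # Kerberoasting targets user accounts with an SPN; computer accounts have
    # long random passwords and krbtgt is excluded by convention.
    if (not disabled and not is_computer and name.lower() != "krbtgt"
            and entry.get("servicePrincipalName")):
        findings.append("kerberoastable")

    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")

    if entry.get("msDS-AllowedToDelegateTo"):
        findings.append("constrained-delegation")
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("protocol-transition")

    return findings


def audit(entries):
    """Map sAMAccountName -> findings for every entry that has at least one."""
    report = {}
    for entry in entries:
        found = classify(entry)
        if found:
            report[entry["sAMAccountName"]] = found
    return report


# Constructed sample directory export (not real data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["ldap/dc01.lab.local"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x1000200,
     "servicePrincipalName": ["MSSQLSvc/sql01.lab.local:1433"],
     "msDS-AllowedToDelegateTo": ["cifs/fs01.lab.local"]},
    {"sAMAccountName": "legacy.user", "userAccountControl": 0x400200},
    {"sAMAccountName": "old.svc", "userAccountControl": 0x202,
     "servicePrincipalName": ["HTTP/old.lab.local"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
]


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ENTRIES).items():
        print(f"{account}: {', '.join(findings)}")
```

Running it against the constructed entries reports `DC01$` (unconstrained delegation, expected on a DC), `svc_sql` (Kerberoastable plus constrained delegation with protocol transition) and `legacy.user` (AS-REP roastable); the disabled `old.svc` and the plain `jdoe` account produce no findings. Each category maps to a known remediation: long random passwords or gMSAs for SPN-bearing accounts, re-enabling Kerberos pre-authentication, and reviewing delegation settings.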
## Example

```bash
./AutoAD.py -user [email protected] -pass N0tActuallyaPassw0rd -dc-ip 192.168.110.145
```
## Screenshot

## Future work
- [ ] Use OOP.
- [ ] Use hash authentication.
- [ ] Replace impacket hashes dumping method.
- [ ] Exchange Servers enumeration.
- [ ] MSSQL enumeration.