Yash-Patil-1/adseckit

GitHub: Yash-Patil-1/adseckit

Stars: 1 | Forks: 0

## Overview

### Lab Architecture

```
┌─────────────────────────────────────────────────┐
│              Host-Only Network                  │
│              172.16.0.0/24                      │
│                                                 │
│  ┌──────────────────────┐  ┌──────────────────┐ │
│  │ DC01                 │  │ WS01             │ │
│  │ Windows Server 2022  │  │ Windows 11 Pro   │ │
│  │ Domain Controller    │  │ Domain Joined    │ │
│  │ IP: 172.16.0.10      │  │ IP: 172.16.0.20  │ │
│  │ RAM: 3GB / 2 vCPU    │  │ RAM: 2GB / 2 vCPU│ │
│  │                      │  │                  │ │
│  │ adseclab.local       │  │ Vulns injected:  │ │
│  │                      │  │ - Local admin    │ │
│  │ Vulns injected:      │  │ - AlwaysElevate  │ │
│  │ - Kerberoastable     │  │ - Unquoted paths │ │
│  │ - AS-REP roastable   │  │ - Stored creds   │ │
│  │ - Weak ACLs          │  │ - Weak perms     │ │
│  │ - Unconst deleg      │  │                  │ │
│  └──────────────────────┘  └──────────────────┘ │
└─────────────────────────────────────────────────┘
```

### Built-in Vulnerabilities

| Vulnerability | Target | Attack Phase |
|---------------|--------|--------------|
| Kerberoastable SPN | `sql_svc`, `web_svc` | Kerberos Attacks (P3) |
| AS-REP Roastable | `bob_jones` | Kerberos Attacks (P3) |
| Weak ACL (GenericAll) | `alice_smith` on Admins OU | ACL Abuse (P5) |
| Unconstrained Delegation | `dc01` computer | Delegation Abuse (P3) |
| DCSync Path | `sql_svc` in Domain Admins | Credential Attacks (P4) |
| LAPS Misconfig | WS01 extensionAttribute | Credential Attacks (P4) |
| AlwaysInstallElevated | WS01 registry | Privilege Escalation (P7) |
| Unquoted Service Path | `VulnSvc` on WS01 | Privilege Escalation (P7) |
| Saved Credentials | Windows Credential Manager | Credential Attacks (P4) |
| Weak File Permissions | `db_config.ini` on WS01 | Privilege Escalation (P7) |

## Quick Start

### Prerequisites

### Installation

#### Step 2: Install system dependencies (Vagrant + VirtualBox)

### Provision the Lab

```bash
# Start the full lab (DC01 + WS01)
adseckit provision up

# Or start individual VMs
adseckit provision up dc01
adseckit provision up ws01

# Check status
adseckit provision status

# Show configuration
adseckit config
```

### Teardown

```bash
# Stop VMs (preserves state)
adseckit provision down

# Destroy VMs (deletes everything)
adseckit provision destroy
```

## Lab Users

| Username | Password | Type | Notes |
|----------|----------|------|-------|
| `Administrator` | `ADSecKitP@ss2026!` | Domain Admin | Built-in DA |
| `dave_admin` | `Admin@2026!` | Domain Admin | Privileged user |
| `sql_svc` | `Service@2026!` | Service Account | **Kerberoastable** — SPN: MSSQLSvc |
| `web_svc` | `Svc@dmin2026` | Service Account | **Kerberoastable** — SPN: HTTP |
| `alice_smith` | `Password123!` | Standard User | **GenericAll** on Admins OU |
| `bob_jones` | `Password123!` | Standard User | **No Pre-Auth** — AS-REP roastable |
| `charlie_brown` | `Password123!` | Standard User | Normal user |
| `svc_backup` | `Backup@2026!` | Local Admin (WS01) | Fallback local admin |

## Attack Modules

| Phase | Module | Status |
|-------|--------|--------|
| **1** | Lab Provisioning | ✅ **Complete** |
| **2** | **BloodHound Automation** | ✅ **Complete** |
| **3** | **Kerberos Attacks** | ✅ **Complete** |
| **4** | Credential Attacks | ✅ **Complete** |
| **5** | ACL Abuse | ✅ **Complete** |
| **6** | Lateral Movement | ✅ **Complete** |
| **7** | Privilege Escalation | ✅ **Complete** |
| **8** | Detection Mapping | ✅ **Complete** |
| **9** | Reporting | ✅ **Complete** |

## CLI Reference

### Provisioning Commands

### BloodHound Automation Commands (Phase 2)

### Kerberos Attack Commands (Phase 3)

```bash
# Install impacket (one-time)
adseckit kerberos install-deps

# LDAP enumeration
adseckit kerberos find-spns                 # Find Kerberoastable accounts
adseckit kerberos find-asrep                # Find AS-REP roastable accounts

# Roasting
adseckit kerberos roast                     # Kerberoast all SPN accounts
adseckit kerberos roast --target sql_svc    # Kerberoast specific user
adseckit kerberos asrep                     # AS-REP roast all vulnerable accounts
adseckit kerberos asrep --target bob_jones  # AS-REP roast specific user

# BloodHound-targeted attacks
adseckit kerberos targeted-roast            # Kerberoast using BH findings
adseckit kerberos targeted-asrep            # AS-REP roast using BH findings

# Hash cracking
adseckit kerberos crack kerberos_data/kerberoast_*.txt
adseckit kerberos crack kerberos_data/asrep_*.txt --wordlist /path/to/wordlist.txt

# Full pipeline
adseckit kerberos pipeline                  # Enumerate → Roast → Report
adseckit kerberos pipeline --crack          # Include hash cracking
adseckit kerberos pipeline --skip-enum      # Skip LDAP enumeration
```

**Hash Formats:**

- Kerberoast: `$krb5tgs$23$*user$realm$service/spn*...` (hashcat mode **13100**)
- AS-REP Roast: `$krb5asrep$23$user@realm:...` (hashcat mode **18200**)

### Configuration

### BloodHound Pipeline Walkthrough

```bash
# 1. Install dependencies (one-time)
adseckit bloodhound install-deps

# 2. Run the full pipeline
adseckit bloodhound pipeline

# Or run step-by-step:
adseckit bloodhound collect   # Collect AD data
adseckit bloodhound start     # Start Neo4j
adseckit bloodhound import    # Import data into Neo4j
adseckit bloodhound analyze   # Find attack paths
adseckit bloodhound report    # Generate report
```

**Output:**

- Collected data: `bh_data/bh_collect/*.json`
- Neo4j data: `bh_data/neo4j_data/` (persistent)
- Reports: `bh_data/bh_report_*.md`

**Neo4j Credentials (local lab only):**

- Bolt: `localhost:7687`
- HTTP: `http://localhost:7474` (BloodHound CE / Neo4j Browser)
- Auth: `neo4j` / `bloodhound`

## Project Structure

## Security Notes

- **This lab is intentionally vulnerable** — never expose it to your local network
- VMs are configured on a **Host-Only network** — isolated from your LAN
- Default credentials are documented above and should not be used in production
- Always destroy the lab when not in use: `adseckit provision destroy`

## Author

**Yash Patil** — Cybersecurity Analyst | Penetration Tester

- 📧 yashpatil7714@gmail.com
- 🔗 [LinkedIn](https://www.linkedin.com/in/yash-patil-997357330)
- 🐙 [GitHub](https://github.com/Yash-Patil-1)

## License

MIT License — see [LICENSE](LICENSE) for details.
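Detection-side companion to the Kerberos weaknesses this lab injects (the Kerberoastable `sql_svc`/`web_svc` SPNs and the AS-REP roastable `bob_jones`), added here as an example and not part of adseckit: it runs simple detection logic over constructed Windows Security events 4769 and 4768, flagging RC4 (0x17) service-ticket requests against several service accounts from one source, and TGT requests with pre-authentication type 0. The reduced event field names, the sample events and the two-account threshold are assumptions for illustration.

```python
"""Detection logic for the lab's Kerberoast and AS-REP roast weaknesses.

Input: Windows Security events 4769 (TGS request) and 4768 (TGT request)
reduced to the fields a SIEM would extract. Field names are assumed.
Encryption types: 0x17 = RC4-HMAC, 0x12 = AES256. PreAuthType 0 = none.
"""

# Constructed sample events (not real log data from the lab).
EVENTS = [
    {"id": 4769, "user": "alice_smith@ADSECLAB.LOCAL", "service": "sql_svc",
     "enc": "0x17", "src": "172.16.0.20"},
    {"id": 4769, "user": "alice_smith@ADSECLAB.LOCAL", "service": "web_svc",
     "enc": "0x17", "src": "172.16.0.20"},
    {"id": 4769, "user": "charlie_brown@ADSECLAB.LOCAL", "service": "DC01$",
     "enc": "0x12", "src": "172.16.0.20"},
    {"id": 4768, "user": "bob_jones", "service": "krbtgt", "enc": "0x17",
     "preauth": "0", "src": "172.16.0.20"},
    {"id": 4768, "user": "charlie_brown", "service": "krbtgt", "enc": "0x12",
     "preauth": "2", "src": "172.16.0.20"},
]


def kerberoast_alerts(events, rc4_threshold=2):
    """Flag a (source, requester) pair that obtained RC4 service tickets for
    at least `rc4_threshold` distinct service accounts. Machine accounts
    (names ending in $) are ignored; the threshold is an assumed heuristic."""
    per_requester = {}
    for e in events:
        if e["id"] != 4769 or e["enc"] != "0x17" or e["service"].endswith("$"):
            continue
        per_requester.setdefault((e["src"], e["user"]), set()).add(e["service"])
    return [
        {"src": src, "requester": user, "services": sorted(svcs)}
        for (src, user), svcs in per_requester.items() if len(svcs) >= rc4_threshold
    ]


def asrep_alerts(events):
    """Flag 4768 events with pre-auth type 0 and RC4: the shape of an AS-REP
    roast against an account that has DONT_REQ_PREAUTH set."""
    return [e["user"] for e in events
            if e["id"] == 4768 and e.get("preauth") == "0" and e["enc"] == "0x17"]


if __name__ == "__main__":
    print("Kerberoast candidates:", kerberoast_alerts(EVENTS))
    print("AS-REP roast candidates:", asrep_alerts(EVENTS))
```

In a real deployment the same checks run against 4769/4768 from the DC01 Security log; AES-only service accounts remove the RC4 signal entirely.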