dev-2null/ADCollector

GitHub: dev-2null/ADCollector

A lightweight Active Directory reconnaissance tool that quickly enumerates high-value information in a domain environment to identify potential attack vectors.

Stars: 634 | Forks: 78

# ADCollector

ADCollector is a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors. It gives you a basic understanding of the configuration/deployment of the environment as a starting point.

#### Notes:

ADCollector is not a replacement for the powerful PowerView; it only automates enumeration at the early recon stage so that juicy information can be identified quickly without much thought. The functions implemented in ADCollector are ideal for enumeration in a large enterprise environment with lots of users/computers, without generating lots of traffic or taking a large amount of time. It focuses on extracting useful attributes/properties/ACLs from the most valuable targets instead of enumerating every available attribute of every user/computer object in the domain. ~~You will definitely need PowerView to do more detailed enumeration later.~~ You can use ADSI instead of PowerView to enumerate the domain, as long as you know what to enumerate; see [ADSI Enum](https://dev-2null.github.io/Easy-Domain-Enumeration-with-ADSI/).

The aim of developing this tool is to help me learn more about Active Directory security from a different perspective, and to figure out what is behind the scenes of those PowerView functions.

It uses the S.DS namespace to retrieve domain/forest information from the domain controller (LDAP server). It also utilizes the S.DS.P namespace for LDAP searching.

_**This tool is still under construction. Features that will be implemented can be seen here: [project page](https://github.com/dev-2null/ADCollector/projects/1)**_

If you run this tool from a non-domain-joined host, make sure you have access to SYSVOL. If the hardened UNC paths policy is applied, you may need to run the following command:

```
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ
```

Note that this relaxes the client-side UNC hardening for SYSVOL on that host (mutual authentication is no longer required), so remove the value again once collection is done.

## Enumeration

* Current domain/forest information
* Domains in the current forest (with domain SIDs)
* Domain controllers in the current domain \[GC/RODC]
* Domain/forest trusts as well as trusted domain objects [SID filtering status]
* Privileged users (currently in the DA and EA groups)
* Unconstrained delegation accounts (excluding DCs)
* Constrained delegation (S4U2Self, S4U2Proxy)
* Resource-based constrained delegation
* MSSQL/Exchange(/RDP/PS) Remoting SPN accounts
* User accounts with an SPN set and a password that does not expire
* Protected Users
* Confidential attributes
* ASREQROAST (DontRequirePreAuth accounts)
* AdminSDHolder protected accounts
* Domain attributes (MAQ, minPwdLength, maxPwdAge, lockoutThreshold, gpLink [group policies linked to the current domain object])
* LDAP basic info (supportedLDAPVersion, supportedSASLMechanisms, domain/forest/DC functional levels)
* Kerberos policy
* Interesting ACLs on the domain object, resolving GUIDs (user-defined objects in the future)
* Interesting ACLs on GPOs
* Interesting descriptions on user objects
* Sensitive and not-delegatable accounts
* Group Policy Preference cpassword in SYSVOL
* Effective GPOs on the current user/computer
* Nested group membership
* Restricted groups
* LAPS password view access
* ADCS configuration
* Certificate templates
* Machine owners
* ACL scan
* Privileges defined in Group Policy
* User credentials stored in LDAP

## Usage

```
PS C:\> .\ADCollector.exe --help

    _    ____   ____      _ _           _
   / \  |  _ \ / ___|___ | | | ___  ___| |_ ___  _ __
  / _ \ | | | | |   / _ \| | |/ _ \/ __| __/ _ \| '__|
 / ___ \| |_| | |__| (_) | | |  __/ (__| || (_) | |
/_/   \_\____/ \____\___/|_|_|\___|\___|\__\___/|_|

  v3.0.1 by dev2null

  --Domain            Domain to enumerate
  --LDAPS             (Default: false) LDAP over SSL/TLS
  --DisableSigning    (Default: false) Disable Kerberos Encryption (with -LDAPS flag)
  --UserName          Alternative UserName
  --Password          Alternative Credential
  --DC                Alternative Domain Controller (Hostname/IP) to connect to
  --OU                Perform the Search under a specific Organizational Unit
  --LDAPONLY          Only Enumearte Objects in LDAP
  --ACLScan           Perform ACL scan for an Identity
  --ADCS              (Default: false) Only Perform AD Certificate Service Check
  --TEMPLATES         (Default: false) Only Enumerate All Certificate Templates with their DACL
  --SCHEMA            (Default: false) Count Schema Attributes in the default naming context
  --ADIDNS            (Default: false) Only Collect ADIDNS Records
  --NGAGP             Only enumerate Nested Group Membership and Applied Group Policies on the target object
  --DACL              Enumerate DACL on the target object (with DistinguishedName)
  --SessionEnum       (Default: false) Enumerate session information on the target host
  --UserEnum          (Default: false) Enumerate user information on the target host
  --LocalGMEnum       (Default: false) Enumerate local group members on the target host
  --Host              (Default: Localhost) Hostname for Session/User/Groupmember Enumeration
  --Group             (Default: Administrators) Local Group Name for Local GroupMember Enumeration
  --Debug             (Default: false) Debug Mode
  --help              Display this help screen.

Example:
  .\ADCollector.exe
  .\ADCollector.exe --LDAPs --DisableSigning
  .\ADCollector.exe --OU IT
  .\ADCollector.exe --OU OU=IT,DC=domain,DC=local
  .\ADCollector.exe --ADCS
  .\ADCollector.exe --TEMPLATES
  .\ADCollector.exe --LDAPOnly
  .\ADCollector.exe --SCHEMA
  .\ADCollector.exe --ADIDNS
  .\ADCollector.exe --NGAGP samaccountname
  .\ADCollector.exe --DACL DC=domain,DC=net
  .\ADCollector.exe --ACLScan user --OU OU=IT,DC=domain,DC=local
  .\ADCollector.exe --SessionEnum --Host targetHost
  .\ADCollector.exe --UserEnum --Host targetHost
  .\ADCollector.exe --LocalGMEnum --Host targetHost --Group 'Remote Desktop Users'
  .\ADCollector.exe --Domain domain.local --Username user --Password pass
  .\ADCollector.exe --Domain domain.local --DC 10.10.10.1
```

## Changelog

##### v 3.0.1:

```
1. Added enumeration for certificate templates, schema and user credentials
2. Added a few flags
```

##### v 3.0.0:

```
1. Code Refactoring & Bug fix
2. Added privilege rights and object DACL enumeration
3. Added Debug mode
4. Merged interactive menu into command line and removed some simple LDAP enum (use ADSI, see [ADSI Enum](https://dev-2null.github.io/Easy-Domain-Enumeration-with-ADSI/))
```

##### v 2.1.2:

```
1. Bug fix with some improvements
2. New implementation logic for LAPS & Restricted Group enum
3. Use Task to handle some heavy enumeration functions (much faster for large domain)
4. Remove GPP cache and DCSync accounts enumeration
```

##### v 2.1.1:

```
1. Search under a specific OU
2. LAPS detailed view
3. Machine Owners
4. Restricted Groups
5. ADCS Configurations
6. ACL Scan
7. Bug Fix: SYSVOL access, Nested Group Membership
8. Replace external readINF dependency with custom implementation
9. Protected Users
```

##### v 2.0.0:

```
1. Complete Rewrite (more extensible)
2. Add Interactive Menu with command line choice
3. Use direct API call to enumerate Trust relationship
4. Update Applied GPO Enumeration with Security Filtering and WMI Filtering (WMIFilter needs to be checked manually)
5. Add LDAP DNS Record Enumeration
6. RunAs: Run ADCollector under another user context
7. Flexible SPN Scan, DNS Records, Nested Group Membership, ACL Enumeration
8. Add NetSessionEnum, NetLocalGroupGetMembers and NetWkstaUserEnum
```

##### v 1.1.4:

```
1. Some bugs are killed and some details are improved
2. SPN scanning is now optional
3. GPP cpassword in SYSVOL/Cache
4. Interesting ACLs on GPOs; Interesting descriptions on user objects;
5. Unusual DCSync accounts; Sensitive & not delegate accounts
6. Effective GPOs on user/computer
7. Restricted groups
8. Nested Group Membership
9. LAPS Password View Access
```

##### v 1.1.3:

```
1. Fixed SPN scanning result, privilege accounts group membership
2. Password does not expire accounts; User accounts with SPN set;
3. Kerberos Policy
4. Interesting ACLs enumeration for the domain object, resolving GUIDs
5. DC info is back
```

##### v 1.1.2:

```
1. Separated into three classes.
2. Dispose ldap connection properly.
3. Enumerations: AdminSDHolder, Domain attributes (MAQ, minPwdLength, maxPwdAge, lockOutThreshold, GP linked to the domain object), accounts don't need pre-authentication.
4. LDAP basic info (supportedLDAPVersion, supportedSASLMechanisms, domain/forest/DC Functionality)
5. SPN scanning (SPNs for MSSQL, Exchange, RDP and PS Remoting)
6. Constrained Delegation enumerations (S4U2Self, S4U2Proxy as well as Resources-based constrained delegation)
7. RODC (group that administers the RODC)
```

##### v 1.1.1:

```
1. It now uses S.DS.P namespace to perform search operations, making searches faster and easier to implement. (It also supports paged search.)
2. It now supports searching in other domains. (command line parser is not implemented yet).
3. The code logic is reconstructed, less code, more understandable and cohesive.
```

## Project

For more information about this tool (current progress/to-do list/etc.), you can visit my [project page](https://github.com/dev-2null/ADCollector/projects/1)
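Several findings in the enumeration list above (ASREPRoast candidates, unconstrained and constrained delegation, SPN accounts whose password never expires, sensitive accounts, and the exclusion of DCs) come down to decoding a few `userAccountControl` bits and attributes. As an added example that is not ADCollector's own code, this Python script applies that classification to constructed LDAP records so an auditor can see which accounts the tool would report and why; the record layout, account names and hostnames are assumptions.

```python
from typing import Dict, List

# userAccountControl bits (Microsoft ADS_USER_FLAG_ENUM) that the README's findings hinge on.
ACCOUNTDISABLE = 0x0002
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x400000                 # Kerberos pre-authentication not required
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

def classify(entry: dict) -> List[str]:
    """Return the README's findings for one LDAP entry (keys mirror LDAP attribute names)."""
    uac = int(entry.get("userAccountControl", 0))
    findings: List[str] = []
    if uac & ACCOUNTDISABLE:
        return findings                      # disabled accounts are not reported
    if uac & DONT_REQ_PREAUTH:
        findings.append("ASREPRoast (DontRequirePreAuth)")
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        findings.append("Unconstrained delegation")          # DCs excluded, as in the README
    if entry.get("msDS-AllowedToDelegateTo"):
        mode = "S4U2Self" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "S4U2Proxy"
        findings.append(f"Constrained delegation ({mode})")  # protocol transition vs Kerberos only
    if entry.get("servicePrincipalName") and uac & DONT_EXPIRE_PASSWORD:
        findings.append("SPN set & password does not expire")
    if uac & NOT_DELEGATED:
        findings.append("Sensitive & not delegated")
    return findings

def audit(entries: List[dict]) -> Dict[str, List[str]]:
    """Map sAMAccountName -> findings, dropping accounts with nothing to report."""
    return {e["sAMAccountName"]: f for e in entries if (f := classify(e))}

# Constructed sample records standing in for an LDAP search result (not real accounts).
SAMPLE = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},      # DC: not reported
    {"sAMAccountName": "web01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"]},
    {"sAMAccountName": "da_admin", "userAccountControl": 0x100200},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202},   # disabled: skipped
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(f"{name}: {', '.join(found)}")
```

In a real audit the records would come from a paged LDAP search over the same attributes; the classification logic does not change.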