layer8secure/SilentHound

GitHub: layer8secure/SilentHound

A lightweight tool for quiet Active Directory enumeration: it collects the domain's users, groups and administrators with as little network traffic as possible.

Stars: 500 | Forks: 50

![Layer-8-Logo-Wide](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/138fe10331215405.png)

# SilentHound

Quietly enumerate an Active Directory domain via LDAP, parsing users, admins, groups and more. Created by [Nick Swink](https://github.com/nickswink) of [Layer 8 Security](https://layer8security.com).

### Installation

#### Using pipenv (recommended)

```
python3 -m pip install --user pipenv
git clone https://github.com/layer8secure/SilentHound.git
cd silenthound
pipenv install
```

#### Via requirements.txt (legacy)

Install the dependencies with `pip`:

```
python3 -m pip install -r requirements.txt
python3 silenthound.py -h
```

### Usage

```
$ pipenv run python silenthound.py -h
usage: silenthound.py [-h] [-u USERNAME] [-p PASSWORD] [--hashes HASHES] [-o OUTPUT] [-g] [-n] [-k] [--kerberoast] [--ssl] TARGET domain

Quietly enumerate an Active Directory environment.

positional arguments:
  TARGET                Domain Controller IP
  domain                Dot (.) separated Domain name including both contexts e.g. ACME.com | HOME.local | htb.net

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        Supports SIMPLE & NTLM BIND. SIMPLE BIND use username e.g. bobdole | NTLM BIND use domain\\user e.g. HOME.local\\bobdole
  -p PASSWORD, --password PASSWORD
                        LDAP or Active Directory password
  --hashes HASHES       Uses NTLM BIND to authenticate with NT:LM hashes
  -o OUTPUT, --output OUTPUT
                        Name for output files. Creates output files for hosts, users, domain admins, and descriptions in the current working directory.
  -g, --groups          Display Group names with user members.
  -n, --org-unit        Display Organizational Units.
  -k, --keywords        Search for a list of key words in LDAP objects.
  --kerberoast          Identify kerberoastable user accounts by their SPNs.
  --ssl                 Use a secure LDAP server on default 636 port.
```

### Example

```
$ pipenv run python silenthound.py -u 'svc_tgs' -p 'P@$$w0rd123' 10.10.10.100 active.htb -g -n -k --kerberoast

  _____ _ _            _   _    _                       _
 / ____(_) |          | | | |  | |                     | |
| (___  _| | ___ _ __ | |_| |__| | ___  _   _ _ __   __| |
 \___ \| | |/ _ \ '_ \| __|  __  |/ _ \| | | | '_ \ / _` |
 ____) | | |  __/ | | | |_| |  | | (_) | |_| | | | | (_| |
|_____/|_|_|\___|_| |_|\__|_|  |_|\___/ \__,_|_| |_|\__,_|

author: Nick Swink aka c0rnbread
company: Layer 8 Security
---------------------------------------------------------------------------

[-] Connecting with SIMPLE AUTH to LDAP server 10.10.10.100...
[*] Writing cached data to .active-htb.pickle...

[+] Hosts [1]
    DC - 10.10.10.100

[+] Domain Admins [1]
    CN=Administrator,CN=Users,DC=active,DC=htb

[+] Domain Users [4]
    krbtgt
    Guest
    Administrator
    SVC_TGS@active.htb

[+] Descriptions [0]

[+] Group Memberships Found [11]
    CN=Denied RODC Password Replication Group,CN=Users,DC=active,DC=htb
        CN=Read-only Domain Controllers,CN=Users,DC=active,DC=htb
        CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb
        CN=Domain Admins,CN=Users,DC=active,DC=htb
        CN=Cert Publishers,CN=Users,DC=active,DC=htb
        CN=Enterprise Admins,CN=Users,DC=active,DC=htb
        CN=Schema Admins,CN=Users,DC=active,DC=htb
        CN=Domain Controllers,CN=Users,DC=active,DC=htb
        CN=krbtgt,CN=Users,DC=active,DC=htb
    CN=Windows Authorization Access Group,CN=Builtin,DC=active,DC=htb
        CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=active,DC=htb
    CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=active,DC=htb
        CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=active,DC=htb
    CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb
        CN=Administrator,CN=Users,DC=active,DC=htb
    CN=Domain Admins,CN=Users,DC=active,DC=htb
        CN=Administrator,CN=Users,DC=active,DC=htb
    CN=Enterprise Admins,CN=Users,DC=active,DC=htb
        CN=Administrator,CN=Users,DC=active,DC=htb
    CN=Schema Admins,CN=Users,DC=active,DC=htb
        CN=Administrator,CN=Users,DC=active,DC=htb
    CN=IIS_IUSRS,CN=Builtin,DC=active,DC=htb
        CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=active,DC=htb
    CN=Guests,CN=Builtin,DC=active,DC=htb
        CN=Domain Guests,CN=Users,DC=active,DC=htb
        CN=Guest,CN=Users,DC=active,DC=htb
    CN=Users,CN=Builtin,DC=active,DC=htb
        CN=Domain Users,CN=Users,DC=active,DC=htb
        CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=active,DC=htb
        CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=active,DC=htb
    CN=Administrators,CN=Builtin,DC=active,DC=htb
        CN=Domain Admins,CN=Users,DC=active,DC=htb
        CN=Enterprise Admins,CN=Users,DC=active,DC=htb
        CN=Administrator,CN=Users,DC=active,DC=htb

[+] Organizational Units Found [1]
    OU=Domain Controllers,DC=active,DC=htb

[+] Key Strings [18]
    CN=Denied RODC Password Replication Group,CN=Users,DC=active,DC=htb
    Denied RODC Password Replication Group
    Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
    CN=Denied RODC Password Replication Group,CN=Users,DC=active,DC=htb
    Denied RODC Password Replication Group
    Denied RODC Password Replication Group
    Allowed RODC Password Replication Group
    Members in this group can have their passwords replicated to all read-only domain controllers in the domain
    CN=Allowed RODC Password Replication Group,CN=Users,DC=active,DC=htb
    Allowed RODC Password Replication Group

[+] Kerberoastable Users [1]
    ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet  LastLogon
    --------------------  -------------  --------------------------------------------------------  ---------------  ----------
    active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18       2022-11-30
```

### About

A lightweight tool to quickly and quietly enumerate an Active Directory environment. The goal is to get a lay of the land while making as little noise on the network as possible. The tool issues a single LDAP query, parses the result locally, and writes a cache file so that later runs do not touch the domain controller again. If no credentials are passed it attempts an anonymous BIND.

Using the `-o` flag writes each section that normally goes to stdout to its own file. With all flags set, the files created are:

```
-rw-r--r-- 1 kali kali  122 Jun 30 11:37 BASENAME-descriptions.txt
-rw-r--r-- 1 kali kali   60 Jun 30 11:37 BASENAME-domain_admins.txt
-rw-r--r-- 1 kali kali 2620 Jun 30 11:37 BASENAME-groups.txt
-rw-r--r-- 1 kali kali   89 Jun 30 11:37 BASENAME-hosts.txt
-rw-r--r-- 1 kali kali 1940 Jun 30 11:37 BASENAME-keywords.txt
-rw-r--r-- 1 kali kali   66 Jun 30 11:37 BASENAME-org.txt
-rw-r--r-- 1 kali kali  529 Jun 30 11:37 BASENAME-users.txt
```

### Author

- [Nick Swink](https://github.com/nickswink) - Security Consultant at [Layer 8 Security](https://layer8security.com)

### Roadmap / Updates

:white_check_mark: support NTLM hash authentication
- regex matching of strings in `--keyword`
- convert the cache to BloodHound-compatible files to reduce traffic

For additional feature requests please open an [issue](https://github.com/layer8secure/SilentHound/issues/new) and add the `enhancement` tag.
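The About section describes the design in one sentence: a single LDAP search, parsed locally, cached in a pickle, with SPN-bearing accounts picked out for Kerberoasting. The block below is an added example written for this page, not SilentHound's own code, showing how that offline pass works end to end. It assumes the search result is already a list of dicts mapping attribute name to value (the shape ldap3 hands back); the `SAMPLE_ENTRIES`, the `SVC_TGS` description text, the `userAccountControl` values and every function name are constructed for the example. The two FILETIME integers are the ones that decode to the `PasswordLastSet` and `LastLogon` dates shown in the example output above.

```python
# Added example; not SilentHound's own code. It assumes the one LDAP search described
# above has already been collected as a list of dicts (attribute name -> value, the
# shape ldap3 hands back). The entries are constructed sample data, not a real domain.
import pickle
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

BASE_DN = "DC=active,DC=htb"
USERS = "CN=Users," + BASE_DN
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet/lastLogon: 100-ns ticks from here
UAC_ACCOUNTDISABLE = 0x0002


def filetime_to_date(ft: int) -> str:
    """AD FILETIME -> 'YYYY-MM-DD'; 0 and the 'never' sentinel are not dates."""
    if ft in (0, 0x7FFFFFFFFFFFFFFF):
        return "never"
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d")


def _entry(dn, classes, **attrs):
    return {"dn": dn, "objectClass": classes, **attrs}


SAMPLE_ENTRIES = [  # constructed: roughly what one search of the domain root returns
    _entry(f"OU=Domain Controllers,{BASE_DN}", ["top", "organizationalUnit"]),
    _entry(f"CN=DC,OU=Domain Controllers,{BASE_DN}", ["top", "person", "user", "computer"],
           sAMAccountName="DC$", dNSHostName="dc.active.htb", userAccountControl=532480),
    _entry(f"CN=Administrator,{USERS}", ["top", "person", "user"], sAMAccountName="Administrator",
           userAccountControl=66048, servicePrincipalName=["active/CIFS:445"],
           pwdLastSet=131763456000000000, lastLogon=133142400000000000),
    _entry(f"CN=krbtgt,{USERS}", ["top", "person", "user"], sAMAccountName="krbtgt",
           userAccountControl=514, servicePrincipalName=["kadmin/changepw"], lastLogon=0),  # has an SPN but is disabled
    _entry(f"CN=SVC_TGS,{USERS}", ["top", "person", "user"], sAMAccountName="SVC_TGS", userAccountControl=66048,
           description="Ticket Granting Service account; temp password in helpdesk ticket 4412"),
    _entry(f"CN=Domain Admins,{USERS}", ["top", "group"], member=[f"CN=Administrator,{USERS}"]),
    _entry(f"CN=Administrators,CN=Builtin,{BASE_DN}", ["top", "group"],
           member=[f"CN=Domain Admins,{USERS}", f"CN=Administrator,{USERS}"]),
]


def parse(entries, base_dn=BASE_DN):
    """Derive the stdout sections (hosts, admins, users, descriptions, groups, OUs) with no further traffic."""
    groups = {e["dn"]: e.get("member", []) for e in entries if "group" in e["objectClass"]}

    def expand(group_dn, seen):  # follow nested groups; cycle-safe and de-duplicated
        found = []
        for m in groups.get(group_dn, []):
            if m not in groups:
                found.append(m)
            elif m not in seen:
                seen.add(m)
                found += expand(m, seen)
        return list(dict.fromkeys(found))

    users = [e for e in entries if "user" in e["objectClass"] and "computer" not in e["objectClass"]]
    return {
        "hosts": [(e["dn"].split(",")[0][3:], e["dNSHostName"]) for e in entries if "computer" in e["objectClass"]],
        "domain_admins": expand(f"CN=Domain Admins,CN=Users,{base_dn}", set()),
        "users": [e["sAMAccountName"] for e in users],
        "descriptions": [(e["sAMAccountName"], e["description"]) for e in users if e.get("description")],
        "groups": groups,
        "ous": [e["dn"] for e in entries if "organizationalUnit" in e["objectClass"]],
    }


def find_keywords(entries, keywords):
    """Case-insensitive search of every string attribute, the idea behind -k."""
    pat = re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)
    return [(e["dn"], attr, v) for e in entries for attr, val in e.items()
            for v in (val if isinstance(val, list) else [val]) if isinstance(v, str) and pat.search(v)]


def kerberoastable(entries):
    """Enabled, non-krbtgt user accounts carrying an SPN: any domain user can request a
    TGS ticket for them and crack it offline, which is what --kerberoast flags."""
    rows = []
    for e in entries:
        if ("user" in e["objectClass"] and "computer" not in e["objectClass"]
                and e.get("servicePrincipalName") and not e["userAccountControl"] & UAC_ACCOUNTDISABLE
                and e["sAMAccountName"].lower() != "krbtgt"):
            rows.append({"spn": e["servicePrincipalName"][0], "name": e["sAMAccountName"],
                         "password_last_set": filetime_to_date(e.get("pwdLastSet", 0)),
                         "last_logon": filetime_to_date(e.get("lastLogon", 0))})
    return rows


def load_or_query(cache_path, query):
    """Query once, then serve later runs from the pickle. Load only caches you wrote
    yourself: pickle.load executes whatever the file tells it to."""
    cache_path = Path(cache_path)
    if cache_path.exists():
        with cache_path.open("rb") as fh:
            return pickle.load(fh)
    entries = query()
    with cache_path.open("wb") as fh:
        pickle.dump(entries, fh)
    return entries


def cache_demo():
    """Two runs against the same cache file; returns how many times the 'LDAP search' ran."""
    cache, calls = Path(tempfile.mkdtemp()) / ".active-htb.pickle", []
    for _ in range(2):
        load_or_query(cache, lambda: calls.append(1) or SAMPLE_ENTRIES)  # stand-in for the real search
    return len(calls)


if __name__ == "__main__":
    print(parse(SAMPLE_ENTRIES)["domain_admins"], kerberoastable(SAMPLE_ENTRIES), sep="\n")
    print("keyword hits:", find_keywords(SAMPLE_ENTRIES, ["pass"]))
    print("searches across two runs:", cache_demo())
```

Two points that carry over to the real tool. The `.pickle` written to the working directory is a full copy of the directory dump, including whatever passwords people left in `description` fields, so protect or delete it after the engagement, and never load a cache you did not write, since unpickling runs code from the file. Also, a default domain controller answers an anonymous BIND with little beyond the rootDSE, so the credential-less mode is mostly a connectivity check; the example output above was produced with the `svc_tgs` credentials for that reason.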
Tags: Active Directory, Checkov, Kerberoasting, LDAP, NTLM, Plaso, Python, SPN, domain penetration, domain admin, security testing, offensive security, no backdoor, emulator, traffic sniffing, user enumeration, digital forensics, directory services, group enumeration, reverse-engineering tools