Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks both globally and in South Africa specifically; one of the common first goals of many internal penetration tests is to get Domain Administrator (DA) level access. A plethora of tools and techniques exist to assist with this, from the initial "in" through to elevation of privilege and eventually extracting and cracking all domain credentials.
However, the processes followed are still manual and time consuming. This detracts from potentially more dangerous attacks that may be specific to the organisation under assessment. In particular, networks that require pivoting across several internal hosts results in an analyst engaging in sometimes time-consuming "lateral movement".
Observing both the time consuming nature of these "common tasks" and that they appeared easily automatable, we decided to construct a framework for automating such activities; Automatic Domain Administrator & Network Exploitation (autoDANE) This framework orchestrates the industry's currently favoured tools for Active Directory exploitation.
The goal for the project is to get DA rights as quickly as possible, relying on automation, so that analysts can start an internal assessment as a privileged user (or at least rule out the common approaches), rather than finishing as one. The goal is to allow analysts to spend time on engagements emulating real life hacking scenarios, such as going after business critical applications instead of chasing DA.
The tool was originally released as a proof-of-concept at ZaCon 2015. After a lot of on-site testing, and getting feedback from some early adopters, it was reworked into an extensible framework, and released again at BSides Cape Town 2015.
The heart of the project is an event-driven task manager, which runs small plugins, normalizes their output, and passes that as input to other plugins based on predefined rules. For example, when a host is identified (either manually, or through running standard host enumeration techniques), the host's net block is port scanned. Open ports are passed to other plugins, which run further fingerprinting or vulnerability scanning tasks.
Plugins are categorised as follows:
Plugins in this category run through standard techniques to quickly find hosts, such as assembling an initial scope based on the IP addresses of the DHCP assigned gateway and DNS resolvers, or trying to run a zone transfer against the Domain Controller
These plugins look for useful information about hosts found in the first step. These do things such as portscanning hosts, saving host names, and taking screenshots and saving the HTML of websites for offline analysis.
These check open ports identified in the fingerprinting phase for "low hanging fruit", or simple vulnerabilities which can be exploited to get local command execution. The three bundled are common enough, and at least one instance is found nearly everywhere, but the list is nowhere near exhaustive, and will be expanded on over time. You can bring your own favourite exploit and feed it into the next step as an alternative.
These exploit vulnerabilities found in the previous phase, and gather as much information as possible from the hosts, such as impersonation tokens, local user hashes, credentials stored by the Windows Local Secret Authority, and credentials stored in memory. The primary focus of this phase is to collect credentials, however, you can always feed autoDANE your own creds if you prefer.
Currently, this is achieved by using the Metasploit Framework, however we're looking at using ImPacket backed techniques in future.
This section is the primary focus of the project. It takes both the local and domain credentials found on other hosts, and retries them across the footprint. When credentials are found to allow access to new hosts, Metasploit's PsExec module is used to gather password hashes, credentials and impersonation tokens. New credentials are fed back into the process, and it is repeated until autoDANE has escalated itself as far as it can.
Running this blindly would run the risk of locking out domain accounts, so care is taken to prevent that. When domain accounts are pulled from memory, they're verified by checking them against the SMB service on a relevant domain controller. Invalid credentials are never used again, and valid credentials are checked against the RDP service of other hosts, to check where they can be used to gain remote access.
These gather as much information as they can about any domains compromised, such as querying which users belong to which groups, and extracting all domain user's password hashes from domain controllers.
While the details can get quite technical, the entire process comes pre-configured. Running it is as simple as giving the scan a name, and using the slider to show how far along the process you'd like to go. Logically. each category listed above relies on plugins in previous categories to have run (you can't vuln scan hosts unless the Host Enumeration plugins give you hosts to vuln scan), so choosing an option on the slider will run plugins up until the category you choose.
You can follow the scans progress by watching the Task List.
You can also see the raw output of each task by looking at the logs, you shouldn't be guessing what it's doing.
After the tool has been running for a while, you can view a summary of what it's found:
Host data is grouped logically.
Together with valid credentials.
As well as exploit logs.
Websites are catalogued separately, so you can look through them for interesting business-related applications offline.
However, the real value comes from the Domain Credentials Map, which shows where different sets of credentials can be used.
A separate list is maintained for which credentials work on which domain controllers
Along with a list of Domain Groups, and which users are in them
There is also a collection of Maltego transforms, which let you visualise the information in different ways. For example, this graph shows the route taken from "having access to the network" to "having creds which can remotely log into a domain controller"
To summarise, the project orchestrates the common tasks security analysts perform when on an internal security assessment. It makes use of the same tools, and applies the same techniques that are taught and used in the industry. This allows analysts to cover these relatively simple bases, while simultaneously going after business critical applications, and demonstrating other, more technically difficult avenues of attack.
Setting it up is super simple. Most of the tools it leverages come pre-installed on Kali linux, and there's an installer which fetches the rest. Pull a copy from GitHub, and run the ./install.sh script
- Kali Linux 2.0
Starting a new project
Navigate to the folder where you extracted the tool, and run ./autodane.py. You will be shown the Footprint Options screen shown above,
There are several tabs, each with various options. However, the default settings will usually work just fine. The options which will likely change per footprint are under the following tabs:
Here you give your project a name, and choose how far you want the testing to go via the slider. The options are described in detail above
This tab lists all the plugins the tool can use to find hosts by querying standard infrastructure. You can disable them here if you provide a scope in the next section, and want the tool to exclude everything else.
While the tool queries standard infrastructure to enumerate hosts, sometimes you'll want it to be a bit more targeted. The scope tab accepts the following as input:
- Known hosts - Hosts provided here will be port scanned. If they're found to be live, then the class C net ranges that they fall in will also be port scanned
- Known ranges - these ranges will also be checked for live hosts
- Exclude list - Any hosts given here will be excluded from everything, even if they're also added to the Known Hosts or Known Ranges fields