{"id":20098025,"url":"https://github.com/garrettfoster13/aced","last_synced_at":"2025-04-05T01:05:28.084Z","repository":{"id":37569044,"uuid":"476857932","full_name":"garrettfoster13/aced","owner":"garrettfoster13","description":null,"archived":false,"fork":false,"pushed_at":"2024-11-08T00:21:42.000Z","size":99,"stargazers_count":158,"open_issues_count":1,"forks_count":20,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-29T00:09:08.250Z","etag":null,"topics":["active-directory","enumeration","pentesting"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/garrettfoster13.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-04-01T20:19:51.000Z","updated_at":"2025-03-12T08:08:34.000Z","dependencies_parsed_at":"2024-12-06T02:32:16.720Z","dependency_job_id":"d83aa077-50aa-4678-be2d-e67dafb8ad4b","html_url":"https://github.com/garrettfoster13/aced","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garrettfoster13%2Faced","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garrettfoster13%2Faced/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garrettfoster13%2Faced/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garrettfoster13%2Faced/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/garrettfoster13","download_url":"https:
//codeload.github.com/garrettfoster13/aced/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247271522,"owners_count":20911587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","enumeration","pentesting"],"created_at":"2024-11-13T17:01:48.680Z","updated_at":"2025-04-05T01:05:28.046Z","avatar_url":"https://github.com/garrettfoster13.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# Aced\n\nAced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDs of the inbound permissions, and present that data to the operator. Additionally, the logging features of [pyldapsearch](https://github.com/fortalice/pyldapsearch) have been integrated with Aced to log the targeted principal's LDAP attributes locally which can then be parsed by pyldapsearch's companion tool [BOFHound](https://github.com/fortalice/bofhound) to ingest the collected data into BloodHound.\n\n# Use case?\n\nI wrote Aced simply because I wanted a more targeted approach to query ACLs. BloodHound is fantastic, however, it is extremely noisy. BloodHound collects all the things while Aced collects a single thing, providing the operator more control over how and what data is collected. 
The case for detection is reduced by only querying for what LDAP wants to tell you and by not performing an action known as [\"expensive ldap queries\"](http://directoryadmin.blogspot.com/2019/10/hunting-bad-ldap-queries-on-your-dc.html). Aced has the option to forego SMB connections for hostname resolution. You have the option to prefer LDAPS over LDAP. With the additional integration with BloodHound, the collected data can be stored in a familiar format that can be shared with a team. Privilege escalation attack paths can be built by walking backwards from the targeted goal.\n\n# References\nThanks to the below for all the code I stole:\n\u003cbr\u003e\n[@_dirkjan](https://twitter.com/_dirkjan)\n\u003cbr\u003e\n[@fortaliceLLC](https://twitter.com/FortaliceLLC)\n\u003cbr\u003e\n[@eloygpz](https://twitter.com/eloypgz)\n\u003cbr\u003e\n[@coffeegist](https://twitter.com/coffeegist)\n\u003cbr\u003e\n[@tw1sm](https://twitter.com/Tw1sm)\n\n\n## Usage\n\n```\n└─# python3 aced.py -h                             \n\n\n          _____\n         |A .  | _____\n         | /.\\ ||A ^  | _____\n         |(_._)|| / \\ ||A _  | _____\n         |  |  || \\ / || ( ) ||A_ _ |\n         |____V||  .  ||(_'_)||( v )|\n                |____V||  |  || \\ / |\n                       |____V||  .  
|\n                              |____V|\n                                     v1.0\n\n        Parse and log a target principal's DACL.\n                                    @garrfoster\n\nusage: aced.py [-h] [-ldaps] [-dc-ip DC_IP] [-k] [-no-pass] [-hashes LMHASH:NTHASH] [-aes hex key] [-debug] [-no-smb] target\n\nTool to enumerate a single target's DACL in Active Directory\n\noptional arguments:\n  -h, --help            show this help message and exit\n\nAuthentication:\n  target                [[domain/username[:password]@]\u003caddress\u003e\n  -ldaps                Use LDAPS isntead of LDAP\n\nOptional Flags:\n  -dc-ip DC_IP          IP address or FQDN of domain controller\n  -k, --kerberos        Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid\n                        credentials cannot be found, it will use the ones specified in the command line\n  -no-pass              don't ask for password (useful for -k)\n  -hashes LMHASH:NTHASH\n                        LM and NT hashes, format is LMHASH:NTHASH\n  -aes hex key          AES key to use for Kerberos Authentication (128 or 256 bits)\n  -debug                Enable verbose logging.\n  -no-smb               Do not resolve DC hostname through SMB. Requires a FQDN with -dc-ip.\n```\n\n# Demo\n\nIn the below demo, we have the credentials for the corp.local\\lowpriv account. By starting enumeration at Domain Admins, a potential path for privilege escalation is identified by walking backwards from the high value target. 
\n\u003cbr\u003e\n![demo](https://user-images.githubusercontent.com/82191679/173691957-c136e4ee-b988-4586-9877-949cac9b359e.gif)\n\u003cbr\u003e\nAnd here's how that data looks when transformed by bofhound and ingested into BloodHound.\n\n![image](https://user-images.githubusercontent.com/82191679/173692260-39777e8c-339a-44d0-bfd9-1d82c092a149.png)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgarrettfoster13%2Faced","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgarrettfoster13%2Faced","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgarrettfoster13%2Faced/lists"}