ADCollector

ADCollector is a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors. It gives you a basic understanding of the configuration and deployment of the environment as a starting point.

Enumeration

  • Current Domain/Forest information
  • Domains in the current forest (with domain SIDs)
  • Domain Controllers in the current domain [GC/RODC]
  • Domain/Forest trusts as well as trusted domain objects[SID filtering status]
  • Privileged users (current members of the Domain Admins and Enterprise Admins groups)
  • Unconstrained delegation accounts (Excluding DCs)
  • Constrained Delegation (S4U2Self, S4U2Proxy)
  • Resource-based constrained delegation
  • MSSQL, Exchange, RDP and PowerShell Remoting SPN accounts
  • User accounts with an SPN set, and accounts whose password never expires
  • Protected Users
  • Confidential attributes
  • AS-REP roastable accounts (DontRequirePreAuth set)
  • AdminSDHolder protected accounts
  • Domain attributes (MAQ, minPwdLength, maxPwdAge, lockoutThreshold, gpLink [group policies linked to the current domain object])
  • LDAP basic info (supportedLDAPVersion, supportedSASLMechanisms, domain/forest/DC functionality)
  • Kerberos Policy
  • Interesting ACLs on the domain object, resolving GUIDs (User defined object in the future)
  • Unusual DCSync Accounts
  • Interesting ACLs on GPOs
  • Interesting descriptions on user objects
  • Accounts marked as sensitive and cannot be delegated
  • Group Policy Preference cpassword in SYSVOL/Cache
  • Effective GPOs on the current user/computer
  • Nested Group Membership
  • Restricted Group
  • LAPS Password View Access
  • ADCS Configurations
  • Machine Owner
  • ACL Scan
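Most of the account checks in the list above reduce to an LDAP filter over userAccountControl bits or over a delegation attribute. The Python below is an added example written for this page, not ADCollector's own code (ADCollector is a .NET tool): it pairs each check with the filter a collector would send to a DC and an equivalent predicate, then runs the predicates over a constructed in-memory set of accounts so the classification logic can be exercised without a domain. The flag values are the documented userAccountControl constants; the account names, SPNs and attribute values are invented, and the RBCD attribute is modelled only as present or absent rather than as a parsed security descriptor.

```python
"""Offline model of the account checks behind ADCollector's enumeration list.

Added example, not ADCollector's own code. Each check carries the LDAP filter a
collector would send and an equivalent predicate evaluated against constructed
in-memory objects. Sample accounts and their attribute values are invented.
"""
from dataclasses import dataclass
from typing import Optional

# userAccountControl flag bits (the LDAP filters use their decimal values)
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controllers
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x400000                 # AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition (S4U2Self)

SAM_USER = 805306368      # samAccountType of normal user objects
SAM_MACHINE = 805306369   # samAccountType of computer objects
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def uac_bit(bit: int) -> str:
    """LDAP bitwise-AND clause matching objects with one userAccountControl flag set."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit})"


@dataclass
class AdObject:
    sam: str
    uac: int
    sam_type: int
    spn: tuple = ()
    allowed_to_delegate_to: tuple = ()   # msDS-AllowedToDelegateTo
    rbcd_sd: Optional[bytes] = None      # msDS-AllowedToActOnBehalfOfOtherIdentity
    admin_count: int = 0


# check name -> (LDAP filter a collector would send, predicate over AdObject)
CHECKS = {
    "unconstrained_delegation": (
        f"(&{uac_bit(TRUSTED_FOR_DELEGATION)}(!{uac_bit(SERVER_TRUST_ACCOUNT)}))",  # DCs excluded
        lambda o: bool(o.uac & TRUSTED_FOR_DELEGATION) and not o.uac & SERVER_TRUST_ACCOUNT,
    ),
    "constrained_delegation": (
        "(msDS-AllowedToDelegateTo=*)",
        lambda o: bool(o.allowed_to_delegate_to),
    ),
    "protocol_transition": (  # S4U2Self with any authentication protocol
        uac_bit(TRUSTED_TO_AUTH_FOR_DELEGATION),
        lambda o: bool(o.uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
    ),
    "rbcd": (
        "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)",
        lambda o: o.rbcd_sd is not None,
    ),
    "asrep_roastable": (
        f"(&(samAccountType={SAM_USER}){uac_bit(DONT_REQ_PREAUTH)})",
        lambda o: o.sam_type == SAM_USER and bool(o.uac & DONT_REQ_PREAUTH),
    ),
    "kerberoastable": (
        f"(&(samAccountType={SAM_USER})(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))",
        lambda o: o.sam_type == SAM_USER and bool(o.spn) and o.sam.lower() != "krbtgt",
    ),
    "password_never_expires": (
        uac_bit(DONT_EXPIRE_PASSWORD),
        lambda o: bool(o.uac & DONT_EXPIRE_PASSWORD),
    ),
    "sensitive_not_delegated": (
        uac_bit(NOT_DELEGATED),
        lambda o: bool(o.uac & NOT_DELEGATED),
    ),
    "adminsdholder_protected": (
        "(adminCount=1)",
        lambda o: o.admin_count == 1,
    ),
}


def ldap_filter(check: str) -> str:
    return CHECKS[check][0]


def run_checks(objects) -> dict:
    """Return {check name: sorted sAMAccountNames that match} for every check."""
    return {name: sorted(o.sam for o in objects if pred(o))
            for name, (_, pred) in CHECKS.items()}


# Constructed sample directory (invented accounts; the RBCD value is a placeholder
# blob standing in for a security descriptor, not a real one).
SAMPLE = [
    AdObject("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, SAM_MACHINE),
    AdObject("WEB01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, SAM_MACHINE),
    AdObject("FS02$", WORKSTATION_TRUST_ACCOUNT, SAM_MACHINE, rbcd_sd=b"\x01\x00\x04\x80placeholder"),
    AdObject("svc_sql", 0x200 | DONT_EXPIRE_PASSWORD, SAM_USER, spn=("MSSQLSvc/sql01.offsec.nl:1433",)),
    AdObject("svc_web", 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION, SAM_USER,
             allowed_to_delegate_to=("cifs/fs01.offsec.nl",)),
    AdObject("jdoe", 0x200 | DONT_REQ_PREAUTH, SAM_USER),
    AdObject("da.admin", 0x200 | NOT_DELEGATED, SAM_USER, admin_count=1),
    AdObject("krbtgt", 0x200 | ACCOUNTDISABLE, SAM_USER, spn=("kadmin/changepw",), admin_count=1),
]

if __name__ == "__main__":
    for check, hits in run_checks(SAMPLE).items():
        print(f"{check:26} {ldap_filter(check)}")
        print(f"{'':26} -> {hits}")
```

Running the script lists, per check, the filter and the sample accounts it catches: DC01$ is dropped from the unconstrained-delegation result by the SERVER_TRUST_ACCOUNT exclusion, and krbtgt (which always has an SPN) is dropped from the Kerberoastable result, both of which mirror the "excluding DCs" and "user accounts with SPN" wording in the list.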

Installation

Usage

ADCollector.exe [OPTIONS]

Flags

      _    ____   ____      _ _             _
     / \  |  _ \ / ___|___ | | | ___  ___ _| |_ ___  _ __
    / _ \ | | | | |   / _ \| | |/ _ \/ __|_  __/ _ \| '__|
   / ___ \| |_| | |__| (_) | | |  __/ (__  | || (_) | |
  /_/   \_\____/ \____\___/|_|_|\___|\___| |__/\___/|_|

  v2.1.1  by dev2null

Usage: ADCollector.exe -h

    --Domain (Default: current domain)
            Enumerate the specified domain
    --Ldaps (Default: LDAP)
            Use LDAP over SSL/TLS
    --DisableSigning (Default: Enabled)
            Use together with --Ldaps
    --DC (IP Address of the Domain Controller)
    --OU (Search under an Organizational Unit)
    --ADCS (Only enumerate certificate services)
    --ACLScan (Perform ACL scan against all objects in Domain/Configuration/Schema partitions if no OU is provided)
    --Identity (The Identity used for ACL Scan)
    --UserName (Alternative UserName to Connect LDAP)
    --Password (Alternative LDAP Credential)
    --Interactive (Enter Interactive Menu)
    --Choice (Command Line Option For Interactive Menu)
    --Param (Parameter Value For Options in Interactive Menu)
Example: .\ADCollector.exe
         .\ADCollector.exe --LDAPs --DisableSigning
         .\ADCollector.exe --OU IT
         .\ADCollector.exe --OU OU=IT,DC=domain,DC=local
         .\ADCollector.exe --ADCS
         .\ADCollector.exe --ACLScan --Identity user --OU OU=IT,DC=domain,DC=local
         .\ADCollector.exe --Domain domain.local --Username user --Password pass
         .\ADCollector.exe --Domain domain.local --DC 10.10.10.1
         .\ADCollector.exe --Domain domain.local --Choice 1
         .\ADCollector.exe --Domain domain.local --Choice 3 --Param mssql*

Interactive Menu:
    ===================================
                Interactive Menu
    0.  - EXIT
    1.  - Collect LDAP DNS Records
    2.  - Find Single LDAP DNS Record
    3.  - SPN Scan
    4.  - Find Nested Group Membership
    5.  - Search Interesting Term on User Description Fields
    6.  - Enumerate Interesting ACLs on an Object
    7.  - NetSessionEnum
    8.  - NetLocalGroupGetMembers
    9.  - NetWkstaUserEnum
    ===================================

Examples

PS > .\ADCollector_new.exe

      _    ____   ____      _ _             _
     / \  |  _ \ / ___|___ | | | ___  ___ _| |_ ___  _ __
    / _ \ | | | | |   / _ \| | |/ _ \/ __|_  __/ _ \| '__|
   / ___ \| |_| | |__| (_) | | |  __/ (__  | || (_) | |
  /_/   \_\____/ \____\___/|_|_|\___|\___| |__/\___/|_|

   v2.1.1  by dev2null
[-] Current Domain:        OFFSEC.NL
[-] Current Forest:        OFFSEC.NL
[-] LDAP basic Info:
    serverName:              CN=DC01,CN=Servers,CN=OFFSEC,CN=Sites,CN=Configuration,DC=offsec,DC=local
    isSynchronized:          TRUE
    isGlobalCatalogReady:    TRUE
    dnsHostName:             DC01.OFFSEC.NL
    ldapServiceName:         OFFSEC.NL:[email protected]

    supportedLDAPVersion:    3
    supportedLDAPVersion:    2

    supportedSASLMechanisms:    GSSAPI
    supportedSASLMechanisms:    GSS-SPNEGO
    supportedSASLMechanisms:    EXTERNAL
    supportedSASLMechanisms:    DIGEST-MD5

    namingContexts:    DC=offsec,DC=local
    namingContexts:    CN=Configuration,DC=offsec,DC=local
    namingContexts:    CN=Schema,CN=Configuration,DC=offsec,DC=local

    domainFunctionality:              DS_BEHAVIOR_WIN2016
    forestFunctionality:              DS_BEHAVIOR_WIN2016
    domainControllerFunctionality:    DS_BEHAVIOR_WIN2016
[-] Domain Controllers:
  * DN: CN=DC02,OU=Domain Controllers,DC=offsec,DC=local
    whencreated :              05/06/2018 09:40:42
    logoncount :               68
    whenchanged :              11/10/2021 20:54:01
    cn :                       DC02
    operatingsystem :          Windows Server 2016 Standard
    operatingsystemversion :   10.0 (14393)
    name :                     DC02
    dnshostname :              DC02.OFFSEC.NL
[...]
