CobblePot59 / ADcheck

ADcheck

Assess the security of your Active Directory with few privileges or with full privileges. The tool offers functionality similar to PingCastle, ORADAD or even PurpleKnight (with some bonuses).

ADcheck is written in pure Python so that it is not bound by operating-system constraints.

Although the output is textual, a simple colour scheme helps you navigate the returned information (🔴 red for really bad, 🟢 green for okay, ⚪ white for purely informative). A sample report is available here.

Note

At present, this tool has 74 checks and more are to come (see the TODO).

The collected information includes:

  • Accounts
    • Admin accounts that can be delegated
    • Admin accounts not in the "Protected Users" group
    • Accounts that can use DES authentication
    • Accounts vulnerable to AS-REP roasting
    • Accounts with an altSecurityIdentities attribute
    • Accounts with a userPassword attribute
    • Accounts with a unixUserPassword attribute
    • Accounts with a unicodePwd attribute
    • Accounts with an msDS-HostServiceAccount attribute
    • Accounts with a blank password
    • Accounts vulnerable to Kerberoasting
    • Locked accounts
    • Number of accounts whose passwords never expire
    • Number of accounts with identical passwords
    • Number of inactive accounts
    • Number of accounts in the "Schema Admins" group
    • Accounts whose passwords are stored with reversible encryption
    • Accounts vulnerable to Timeroasting
    • Accounts that had admin rights in the past
    • Get users with a description
  • Configuration
    • Get audit policy
    • Computers with BitLocker keys
    • Verify if non-admin users can add up to 10 computers to the domain
    • Verify if users can create DNS records
    • Computers with constrained delegation
    • Get control delegations by container
    • Get domain controllers
    • Verify if "Force logoff when logon hours expire" is set
    • Get functional level of the domain
    • Get Group Managed Service Accounts
    • Get Group Policy Objects by Organizational Unit
    • Name of Group Policies containing a password
    • Get Kerberos configuration
    • Get supported Kerberos encryption algorithms
    • Verify if the Kerberos password was last changed less than 40 days ago
    • Verify if LAPS is installed
    • Verify if LDAP signing is required on the target
    • Verify if the native Administrator account has been used recently
    • Accounts with password not required
    • Get default password policy
    • Get Group Policy folder/file rights
    • Names of "Pre-Windows 2000 Compatible Access" group members
    • Get privilege rights (SeDebugPrivilege, SeBackupPrivilege, ...)
    • Get list of users in privesc groups
    • Get Password Settings Objects
    • Names of computers with rbac
    • Verify if the Recycle Bin is enabled
    • Verify if MSI packages are always installed with elevated privileges
    • Verify if Credential Guard is enabled
    • Verify if LM hash storage is disabled
    • Verify if authentication is limited to NTLMv2 only
    • Verify if AppLocker rules are defined
    • Verify if gpp_autologon is enabled
    • Get name of the installed AMSI
    • Verify if BitLocker is enabled
    • Verify if the firewall is disabled
    • Verify if IPv4 is preferred over IPv6
    • Verify if LLMNR, NetBIOS or mDNS is enabled
    • Verify if too many logons are kept in the LSA cache
    • Verify if LSASS runs as a protected process
    • Verify if PowerShell v2 is enabled
    • Verify if PowerShell events are logged
    • Verify if PowerShell is configured in Restricted mode
    • Verify if RDP uses NLA
    • Verify if RDP is secured against pass-the-hash attacks
    • Verify if the RDP session timeout is too short
    • Verify if the UAC configuration is secure
    • Verify if WDigest authentication is enabled
    • Verify if WPAD is disabled
    • Verify if Windows Script Host is disabled
    • Verify if no WSUS server is used
    • Get authentication policy silos
    • Verify if SMB signing is required
    • Verify if the Spooler service is enabled on the remote target
    • Get supported encryption types of the domain controllers
    • Names of trust accounts for delegation
    • Verify if the computer was recently backed up
    • Verify if the computer is up to date
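Most of the Accounts checks above reduce to reading a handful of LDAP attributes per object, chiefly the userAccountControl bitmask, servicePrincipalName, adminCount, memberOf and lastLogonTimestamp. The block below is an added example for this page, not ADcheck's own code: it re-implements several of those checks over a constructed set of LDAP-style records so the logic can be run and inspected offline. The attribute names and flag values are the real Active Directory ones; the sample accounts, the fixed clock, the use of adminCount as the "admin account" criterion and the 180-day inactivity threshold are assumptions made for the example.

```python
"""Added example (not ADcheck's code): several of the Accounts checks listed on
this page, re-implemented over constructed LDAP-style records. Sample accounts,
fixed clock and the 180-day inactivity threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (values from MS-SAMR / MS-ADTS)
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_PASSWD_NOTREQD = 0x0020
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080  # password stored with reversible encryption
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_NOT_DELEGATED = 0x100000                  # "account is sensitive and cannot be delegated"
UF_USE_DES_KEY_ONLY = 0x200000
UF_DONT_REQUIRE_PREAUTH = 0x400000           # Kerberos pre-authentication disabled

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible


def filetime_to_datetime(ft: int) -> datetime:
    """lastLogonTimestamp is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))


# Constructed sample of what an LDAP search over users and computers might return.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200, "adminCount": 1,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=adcheck,DC=int"], "lastLogonTimestamp": _days_ago(3)},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x410200,
     "servicePrincipalName": ["MSSQLSvc/sql01.adcheck.int:1433"], "lastLogonTimestamp": _days_ago(10)},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200280, "lastLogonTimestamp": _days_ago(400)},
    {"sAMAccountName": "t1_admin", "userAccountControl": 0x100200, "adminCount": 1,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=adcheck,DC=int",
                  "CN=Protected Users,CN=Users,DC=adcheck,DC=int"], "lastLogonTimestamp": _days_ago(1)},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/WS01"], "lastLogonTimestamp": _days_ago(2)},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"], "lastLogonTimestamp": _days_ago(3000)},
    {"sAMAccountName": "temp_user", "userAccountControl": 0x230,
     "userPassword": ["constructed-sample-value"]},  # no lastLogonTimestamp: never logged on
]


def uac_has(entry: dict, flag: int) -> bool:
    return bool(int(entry.get("userAccountControl", 0)) & flag)


def in_protected_users(entry: dict) -> bool:
    return any(dn.startswith("CN=Protected Users,") for dn in entry.get("memberOf", []))


def run_account_checks(entries, now=NOW, inactive_days=180):
    """Return {check_name: [sAMAccountName, ...]}; checks with no hits map to []."""
    findings = defaultdict(list)
    cutoff = now - timedelta(days=inactive_days)
    for e in entries:
        name = e["sAMAccountName"]
        disabled = uac_has(e, UF_ACCOUNTDISABLE)
        is_computer = name.endswith("$")
        is_admin = e.get("adminCount") == 1  # simplification: AdminSDHolder-protected objects

        if uac_has(e, UF_DONT_REQUIRE_PREAUTH) and not disabled:
            findings["as_rep_roastable"].append(name)
        # User accounts carrying an SPN; computers and krbtgt are excluded
        if e.get("servicePrincipalName") and not disabled and not is_computer and name != "krbtgt":
            findings["kerberoastable"].append(name)
        if uac_has(e, UF_USE_DES_KEY_ONLY):
            findings["des_only"].append(name)
        if uac_has(e, UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED):
            findings["reversible_password"].append(name)
        if uac_has(e, UF_PASSWD_NOTREQD):
            findings["password_not_required"].append(name)
        if uac_has(e, UF_LOCKOUT):
            findings["locked"].append(name)
        if uac_has(e, UF_DONT_EXPIRE_PASSWD):
            findings["never_expiring_password"].append(name)
        # Protected Users membership also blocks delegation, so it clears both admin checks
        if is_admin and not in_protected_users(e):
            findings["admin_not_in_protected_users"].append(name)
            if not uac_has(e, UF_NOT_DELEGATED):
                findings["admin_delegatable"].append(name)
        if not disabled:
            ts = e.get("lastLogonTimestamp")
            # A missing timestamp means the account has never logged on; count it as inactive
            if ts is None or filetime_to_datetime(int(ts)) < cutoff:
                findings["inactive"].append(name)
        for attr in ("userPassword", "unixUserPassword", "altSecurityIdentities"):
            if e.get(attr):
                findings[f"has_{attr}"].append(name)
    return findings


if __name__ == "__main__":
    for check, names in run_account_checks(SAMPLE_ACCOUNTS).items():
        print(f"{'[BAD]' if names else '[OK] '} {check}: {', '.join(names) or 'none'}")
```

Against a live domain the same functions would be fed the result of an LDAP search for `(|(objectClass=user)(objectClass=computer))` requesting just the attributes used here; keeping the decision logic separate from the collection step is what makes each check testable on its own.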

Usage

Warning

Currently, this tool is geared more towards penetration testers than auditors. If you intend to run it on Windows, you must exclude the project from your antivirus or Endpoint Detection and Response solution, because it uses Impacket, which these products detect.

  1. Clone the ADcheck repository from GitHub:
     git clone https://github.com/CobblePot59/ADcheck.git
  2. Navigate to the ADcheck directory:
     cd ADcheck
  3. Create a virtual environment:
     python -m venv ADcheck
  4. Activate the virtual environment (on Windows):
     .\ADcheck\Scripts\activate
     (Note: on Linux/macOS, the command is source ADcheck/bin/activate)
  5. Install the dependencies from the requirements.txt file:
     python -m pip install -r .\requirements.txt
  6. Run the ADcheck.py script, specifying the necessary parameters:
     python ADcheck.py -d 'adcheck.int' -u 'Administrator' -p 'Password1' --dc-ip '192.168.1.1'


TODO

  • Registry access rights
  • Trusts
  • Azure (Entra ID)
  • Weak certificate cipher
  • Persistent attack trace (mimikatz, pywhisker, ticket, dsrm, acl)
