├── README.md
├── adPEAS-Light.ps1
├── adPEAS.ps1
└── images
    ├── adPEAS.png
    ├── adPEAS_large.jpg
    └── adPEAS_small.jpg

/README.md:
--------------------------------------------------------------------------------
# adPEAS

![](https://github.com/61106960/adPEAS/raw/main/images/adPEAS_large.jpg)

adPEAS is a PowerShell tool to automate Active Directory enumeration.
In fact, adPEAS is a wrapper around other cool projects like PowerView, PoshADCS, the BloodHound SharpHound collector and some own written lines of code.

The wrapped tools are almost all written in pure PowerShell, but some of them are included as C# code in a compressed binary blob.

adPEAS-Light is a version without BloodHound; it is less likely to be blocked by an AV solution.

# How It Works

adPEAS can be run simply by calling _Invoke-adPEAS_ if it is started on a domain-joined computer.
If the system you are running adPEAS from is not domain joined, or you want to enumerate another domain, connect to a specific domain controller, use different credentials, or only enumerate for credential exposure, you can do so with the parameters described below.

## adPEAS Modules

adPEAS consists of the following enumeration modules:
* Domain - Searching for basic Active Directory information, like Domain Controllers, Sites and Subnets, Trusts and the Password/Kerberos policy
* Rights - Searching for specific Active Directory rights and permissions, like LAPS, DCSync and adding computers to the domain
* GPO - Searching for basic GPO related things, like local group membership set on domain computers
* ADCS - Searching for basic Active Directory Certificate Services information, like CA Name, CA Server and vulnerable Templates
* Creds - Searching for different kinds of credential exposure, like ASREPRoast, Kerberoasting, Group Policies, Netlogon scripts, LAPS, gMSA and certain legacy attributes, e.g. UnixPassword
* Delegation - Searching for delegation issues, like 'Constrained Delegation', 'Unconstrained Delegation' and 'Resource Based Constrained Delegation', for computer and user accounts
* Accounts - Searching for non-disabled high privileged user accounts in predefined groups and account issues like e.g. old passwords
* Computer - Enumerating Domain Controllers, Certificate Services, Exchange Server and outdated OS versions like Windows Server 2008R2, etc.
* BloodHound - Enumerating Active Directory with the SharpHound collector for BloodHound Community Edition or BloodHound-Legacy

# Some How To Use Examples
## Simple usage with generic program parameters
First you have to load adPEAS in PowerShell...
```
Import-Module .\adPEAS.ps1
```
or
```
. .\adPEAS.ps1
```
or
```
gc -raw .\adPEAS.ps1 | iex
```
or
```
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/61106960/adPEAS/main/adPEAS.ps1')
```
Note that the last variant executes whatever the URL serves at that moment; on an engagement, prefer a reviewed local copy of the script.

Start adPEAS with all enumeration modules and enumerate the domain the logged-on user and computer is connected to.
```
Invoke-adPEAS
```

Start adPEAS with all enumeration modules and enumerate the domain 'contoso.com'. In addition, all output is written to a file without any ANSI color codes.
```
Invoke-adPEAS -Domain 'contoso.com' -Outputfile 'C:\temp\adPEAS_outputfile' -NoColor
```

Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the domain controller 'dc1.contoso.com' for almost all enumeration requests.
```
Invoke-adPEAS -Domain 'contoso.com' -Server 'dc1.contoso.com'
```

Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the passed PSCredential object during enumeration.
```
$SecPassword = ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('contoso\johndoe', $SecPassword)
Invoke-adPEAS -Domain 'contoso.com' -Cred $Cred
```

Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' using the domain controller 'dc1.contoso.com', and use the username 'contoso\johndoe' with password 'Passw0rd1!' during enumeration. If Active Directory detection fails due to DNS issues, the switch -Force makes adPEAS ignore those issues and still try to get as much information as possible.
```
Invoke-adPEAS -Domain 'contoso.com' -Server 'dc1.contoso.com' -Username 'contoso\johndoe' -Password 'Passw0rd1!' -Force
```

## Usage with a single enumeration module
### All modules below can be combined with all generic program parameters explained above.

Enumerates basic Active Directory information, like Domain Controllers, Password Policy, Sites and Subnets and Trusts.
```
Invoke-adPEAS -Module Domain
```

Enumerates specific Active Directory rights and permissions, like LAPS, DCSync and adding computers to the domain.
```
Invoke-adPEAS -Module Rights
```

Enumerates basic GPO information, like local group membership set on domain computers.
```
Invoke-adPEAS -Module GPO
```

Enumerates basic Active Directory Certificate Services information, like CA Name, CA Server and common Template vulnerabilities.
```
Invoke-adPEAS -Module ADCS
```

Enumerates credential exposure issues, like ASREPRoast, Kerberoasting, Linux/Unix password attributes, gMSA, LAPS (if your account has the rights to read it), Group Policies and Netlogon scripts.
```
Invoke-adPEAS -Module Creds
```

Enumerates delegation issues, like 'Unconstrained Delegation', 'Constrained Delegation' and 'Resource Based Constrained Delegation', for user and computer objects.
```
Invoke-adPEAS -Module Delegation
```

Enumerates users in high privileged groups which are NOT disabled, like Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, DnsAdmins, Account Operators, Server Operators, Print Operators, Backup Operators, Hyper-V Administrators, Remote Management Users and Cert Publishers.
```
Invoke-adPEAS -Module Accounts
```

Enumerates installed Domain Controllers, Active Directory Certificate Services, Exchange Server and outdated OS versions like Windows Server 2008R2.
```
Invoke-adPEAS -Module Computer
```

Starts BloodHound enumeration for BloodHound Community Edition (>= version 5.0) with the scope DCOnly. Output ZIP files are stored in the same directory adPEAS is started from.
```
Invoke-adPEAS -Module Bloodhound
```

Starts BloodHound enumeration for BloodHound-Legacy (up to version 4.3.1) with the scope DCOnly. Output ZIP files are stored in the same directory adPEAS is started from.
```
Invoke-adPEAS -Module Bloodhound -BloodHoundLegacy
```

Starts BloodHound enumeration with the scope All. With this option the SharpHound collector contacts each member computer of the domain, which is considerably noisier on the network than DCOnly. Output ZIP files are stored in the same directory adPEAS is started from.
```
Invoke-adPEAS -Module Bloodhound -Scope All
```

## Special thanks go to...
* Will Schroeder @harmjoy, for his great PowerView
* Charlie Clark @exploitph, for his ongoing work on PowerView
* Christoph Falta @cfalta, for his inspiring work on PoshADCS
* Dirk-jan @_dirkjan, for his great AD and Windows research
* SpecterOps, for their fantastic BloodHound
* and all the people who inspired me on my journey...
--------------------------------------------------------------------------------
/images/adPEAS.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/61106960/adPEAS/0f95f050d0b9eb5d1762fea92af8aa9e88ab6f45/images/adPEAS.png
--------------------------------------------------------------------------------
/images/adPEAS_large.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/61106960/adPEAS/0f95f050d0b9eb5d1762fea92af8aa9e88ab6f45/images/adPEAS_large.jpg
--------------------------------------------------------------------------------
/images/adPEAS_small.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/61106960/adPEAS/0f95f050d0b9eb5d1762fea92af8aa9e88ab6f45/images/adPEAS_small.jpg
--------------------------------------------------------------------------------
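As an added example that is not part of adPEAS or its README: the module list above names the conditions the Creds, Delegation and Accounts modules look for (ASREPRoast, Kerberoasting, the three delegation types, legacy password attributes, old passwords). The script below issues the underlying LDAP filters directly through .NET System.DirectoryServices and takes the same kind of domain, server and credential inputs as adPEAS, so a finding can be validated by hand, or collected on a host where the wrapper itself is blocked by AV. The function names, the attribute list, the five-year staleness threshold and the exclusion of domain controllers by primaryGroupID are choices of this example, not adPEAS parameters.

```powershell
# Added example, not adPEAS code: plain LDAP queries for a few of the findings
# the Creds, Delegation and Accounts modules report, built only on .NET
# System.DirectoryServices (Windows PowerShell 5.1 / PowerShell 7 on Windows).
# Function names, the 5-year threshold and the attribute lists are assumptions
# of this example.

function Get-AdEntry {
    # Bind to an LDAP path, with explicit credentials when supplied (needed from
    # a non-domain-joined host) and the current logon token otherwise.
    param([string]$Path, [pscredential]$Credential)
    if ($Credential) {
        $pw = $Credential.GetNetworkCredential().Password
        New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Path, $Credential.UserName, $pw
    } else {
        New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Path
    }
}

function New-AdSearcher {
    # Same idea as adPEAS' -Domain/-Server/-Cred: ask RootDSE for the default
    # naming context rather than guessing the base DN from the DNS name.
    param([string]$Domain, [string]$Server, [pscredential]$Credential)
    $target  = if ($Server) { $Server } elseif ($Domain) { $Domain } else { $null }
    $prefix  = if ($target) { "LDAP://$target/" } else { 'LDAP://' }
    $rootDse = Get-AdEntry -Path "${prefix}RootDSE" -Credential $Credential
    $baseDn  = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
    $root    = Get-AdEntry -Path "$prefix$baseDn" -Credential $Credential
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 1000   # paged results; otherwise large domains are cut off at 1000 objects
    return $searcher
}

function Invoke-AdQuery {
    # Run one filter and flatten the requested attributes into objects.
    param($Searcher, [string]$Check, [string]$Filter, [string[]]$Properties)
    $Searcher.Filter = $Filter
    $Searcher.PropertiesToLoad.Clear()
    foreach ($p in $Properties) { [void]$Searcher.PropertiesToLoad.Add($p) }
    $results = $Searcher.FindAll()
    try {
        foreach ($r in $results) {
            $o = [ordered]@{ Check = $Check }
            foreach ($p in $Properties) {
                $v = @($r.Properties[$p])
                # pwdLastSet is a FILETIME; render it as a readable UTC timestamp.
                if ($p -eq 'pwdlastset' -and $v.Count -gt 0 -and [int64]$v[0] -gt 0) {
                    $v = @([DateTime]::FromFileTimeUtc([int64]$v[0]).ToString('u'))
                }
                $o[$p] = $v -join ';'
            }
            [pscustomobject]$o
        }
    } finally { $results.Dispose() }
}

function Invoke-ManualAdChecks {
    param([string]$Domain, [string]$Server, [pscredential]$Credential, [int]$StalePasswordYears = 5)
    $s = New-AdSearcher -Domain $Domain -Server $Server -Credential $Credential
    $props = @('samaccountname','dnshostname','useraccountcontrol','serviceprincipalname',
               'msds-allowedtodelegateto','pwdlastset')
    $stale = [DateTime]::UtcNow.AddYears(-$StalePasswordYears).ToFileTimeUtc()

    # userAccountControl bits are tested with the LDAP bitwise-AND matching rule:
    # 2 = ACCOUNTDISABLE, 524288 = TRUSTED_FOR_DELEGATION, 4194304 = DONT_REQ_PREAUTH.
    $uac = 'userAccountControl:1.2.840.113556.1.4.803:'
    $checks = [ordered]@{
        'ASREPRoast: pre-auth not required'     = "(&(samAccountType=805306368)($uac=4194304)(!($uac=2)))"
        'Kerberoast: enabled user with SPN'     = "(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!($uac=2)))"
        'Unconstrained delegation (non-DC)'     = "(&($uac=524288)(!(|(primaryGroupID=516)(primaryGroupID=521))))"
        'Constrained delegation'                = '(msDS-AllowedToDelegateTo=*)'
        'Resource based constrained delegation' = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
        'Legacy password attribute present'     = '(|(unixUserPassword=*)(userPassword=*))'
        "Enabled user, password older than $StalePasswordYears years" = "(&(samAccountType=805306368)(!($uac=2))(!(pwdLastSet=0))(pwdLastSet<=$stale))"
    }
    foreach ($name in $checks.Keys) {
        Invoke-AdQuery -Searcher $s -Check $name -Filter $checks[$name] -Properties $props
    }
}

# Domain-joined host, current user:
#   Invoke-ManualAdChecks | Format-Table -AutoSize
# Non-domain-joined host, explicit DC and credentials (hypothetical values):
#   Invoke-ManualAdChecks -Domain 'contoso.com' -Server 'dc1.contoso.com' -Credential (Get-Credential 'contoso\johndoe') | Format-Table -AutoSize
```

Two details matter when reading the output: domain controllers carry TRUSTED_FOR_DELEGATION by design, so the unconstrained-delegation filter drops members of the Domain Controllers (516) and Read-only Domain Controllers (521) primary groups and reports only the genuinely interesting hosts; and the RBCD filter only tests for the presence of msDS-AllowedToActOnBehalfOfOtherIdentity, since reading the security descriptor itself requires additional rights that a low-privileged account usually lacks.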