ADExplorerSnapshot.py is an AD Explorer snapshot ingestor for BloodHound.

Last update: Dec 23, 2022

Overview

ADExplorerSnapshot.py

ADExplorerSnapshot.py is an AD Explorer snapshot ingestor for BloodHound.

AD Explorer allows you to connect to a DC and browse LDAP data. It can also create snapshots of the server you are currently attached to. This tool allows you to convert those snapshots to BloodHound-compatible JSON files.

Limitations

The ingestor only supports offline information collection from the snapshot file and won't interact with systems on the network. That means features like session and localadmin collection are not available. GPO/OU collection is missing. The ingestor processes all data it possibly can from the snapshot (including ACLs). You will only have the data available of the LDAP/DC that you ran the snapshot against.

Installation

git clone https://github.com/c3c/ADExplorerSnapshot.py.git
cd ADExplorerSnapshot.py
pip3 install --user .

Usage

usage: ADExplorerSnapshot.py [-h] snapshot

ADExplorer snapshot ingestor for BloodHound

positional arguments:
  snapshot

optional arguments:
  -h, --help  show this help message and exit

Notes

Making snapshots in AD Explorer is more network-intensive than the traditional BloodHound ingestors as it attempts to retrieve all objects it can from the LDAP.

ADExplorerSnapshot.py will create caches of information for quicker lookups while processing the data. Especially when processing larger snapshots (e.g. 4GB+) you will also need to have sufficient RAM available. In my tests, about half of the snapshot file size was required in RAM.

The library was tested with a number of data sets, please create an issue report if you run into problems.

The AD Explorer snapshot parser is implemented as its own module, which could also be used individually.

The format in which snapshots are stored by AD Explorer is proprietary and led to a fun reverse engineering journey. A 010 editor template is included in this repository, which I used for iteratively mapping out the contents of the snapshot into structs.

License and credits

This code is licensed under the MIT license and makes use of code that is also licensed under the MIT license.

ADExplorerSnapshot.py relies on the following projects:

BloodHound.py (the Python BloodHound ingestor); for processing LDAP data.
dissect.cstruct (C-style binary struct parser): for parsing the binary snapshot data.

Credits:

Cedric Van Bockhaven (Deloitte) for implementation
Marat Nigmatullin (Deloitte) for the idea

ADExplorerSnapshot.py is an AD Explorer snapshot ingestor for BloodHound.

Related tags

Overview

ADExplorerSnapshot.py

Limitations

Installation

Usage

Notes

License and credits

Owner

Log4j2 intranet scan

Brainly-Scrambler - Brainly Scrambler With Python

ONT Analysis Toolkit (OAT)

A curated list of amazingly awesome Cybersecurity datasets

Mr.Holmes is a information gathering tool (OSINT)

Apache Solr SSRF(CVE-2021-27905)

An ARP Spoofer attacker for windows to block away devices from your network.

AMC- Automatic Media Access Control [MAC] Address Spoofing Tool

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

A Superfast SMS & Call bomber for Linux And Termux !

CamOver is a camera exploitation tool that allows to disclosure network camera admin password.

LittleBrother is a simple parental control application monitoring specific processes on Linux hosts to monitor and limit the play time of children.

VMware vCenter earlier v(7.0.2.00100) unauthorized arbitrary file read

Open Source Tool - Cybersecurity Graph Database in Neo4j

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

Log4j2 CVE-2021-44228 revshell

User-friendly reference finder in IDA

Grafana-POC(CVE-2021-43798)

labsecurity is a framework and its use is for ethical hacking and computer security

Set the draft security HTTP header Permissions-Policy (previously Feature-Policy) on your Django app.