ActiveReign – A Community Enumeration And Assault Toolset

(*1*)

Background
A while once more I was challenged to write a discovery instrument with Python3 that would possibly automate the process of finding (*3*)refined information on group file shares. After writing all the instrument with pysmb, and together with choices comparable to the ability to open and scan docx an xlsx knowledge, I slowly started together with capacity from the awesome Impacket library; merely simple choices I wanted to look in an inside of (*4*)penetration testing instrument. The additional I added, the additional it looked like a Python3 rewrite of (*7*)CrackMapExec made from scratch.
If you are doing a right away comparison, CME is a very powerful instrument that has way more choices than at the moment put in force proper right here. Alternatively, I added a few changes that may transform helpful right through an summary.
wiki

Operational Modes

  • db – Query or insert values in to the ActiveReign database
  • enum – Instrument enumeration & module execution
  • shell – Spawn an emulated shell on a objective system
  • spray – Space password spraying and brute power
  • query – Perform LDAP queries on the house

Key Choices

  • Automatically extract house information by the use of LDAP and incorporate into group enumeration.
  • Perform Space password spraying using LDAP to remove shoppers in terms of lockout thresholds.
  • Local and a ways flung command execution, for use on greater than one starting problems all through the group.
  • Emulated interactive shell on course system
  • Wisdom discovery ready to scanning xlsx and docx knowledge.
  • Quite a lot of modules with the intention to upload and extend purposes.

Acknowledgments
There were many intended and unintended folks that made this problem conceivable. If I am missing any, I express regret, it used to be as soon as certainly not intentional. Be happy to the touch me and we will ensure they get the credit score ranking they deserve ASAP!

  • @byt3bl33d3rCrackMapExec
  • @SecureAuthCorpImpacket
  • @the-useless-onepywerview
  • @dirkjanmldapdomaindump

Final Concepts
Scripting this instrument and testing on a lot of networks/techniques has taught me that execution manner problems, and is decided through the configuration of the system. If a decided on module or serve as does now not art work, make a decision if it is if truth be told the program, objective system, configuration, or even group placement previous than creating a topic.
To have the same opinion this investigation process, I have created a test_execution module to run against a system with identified admin privileges. This may increasingly now and again cycle through all all execution methods and provide a status report to make a decision the most efficient manner to use:

$ activereign enum -u administrator -p password --local-auth -M test_execution 192.168.3.20
[*] Lockout Tracker The usage of default lockout threshold: 3
[*] Enum Authentication administrator (Password: p****) (Hash: False)
[+] WIN-T460 192.168.3.20 ENUM House home windows 7 Ultimate 7601 Provider Pack 1 (Space: ) (Signing: False) (SMBv1: True) (Adm!n)
[*] WIN-T460 192.168.3.20 TEST_EXECUTION Execution Way: WMIEXEC Fileless: SUCCESS A long way off (Defualt): SUCCESS
[*] WIN-T460 192.168.3.20 TEST_EXECUTION Execution Way: SMBEXEC Fileless: SUCCESS A long way off (Defualt): SUCCESS
Download ActiveReign

(*20*)