ActiveReign – A Network Enumeration And Attack Toolset

Background
Some time ago I was challenged to write a discovery tool in Python3 that would automate the process of finding sensitive information on network file shares. After writing the whole tool with pysmb, and adding features such as the ability to open and scan docx and xlsx files, I slowly started adding functionality from the excellent Impacket library; just simple features I wanted to see in an internal penetration testing tool. The more I added, the more it looked like a Python3 rewrite of CrackMapExec made from scratch.
If you're doing a direct comparison, CME is a great tool that has far more features than are currently implemented here. However, I added a few changes that may prove useful during an assessment.

Operational Modes

  • db – Query or insert values into the ActiveReign database
  • enum – System enumeration & module execution
  • shell – Spawn an emulated shell on a target system
  • spray – Domain password spraying and brute force
  • query – Perform LDAP queries on the domain

Key Features

  • Automatically extract domain information via LDAP and incorporate it into network enumeration.
  • Perform domain password spraying using LDAP to remove users close to lockout thresholds.
  • Local and remote command execution, for use from multiple starting points throughout the network.
  • Emulated interactive shell on the target system.
  • Data discovery capable of scanning xlsx and docx files.
  • Various modules to add and extend capabilities.
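From the defender's side, the lockout-aware spraying offered by the spray mode and the feature list above shows up as breadth rather than depth: one or two failed logons against many accounts, none reaching the lockout threshold, so no lockout event ever fires. The following Python is an added example, not part of ActiveReign, that flags that pattern in a constructed, simplified 4625-style log; the CSV layout, IP addresses and account names are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: "timestamp,event_id,source_ip,target_user".
# 4625 = failed logon, 4624 = successful logon (Windows Security log event IDs).
SAMPLE_LOG = """\
2024-01-10T09:00:01,4625,10.0.0.50,alice
2024-01-10T09:00:02,4625,10.0.0.50,bob
2024-01-10T09:00:03,4625,10.0.0.50,carol
2024-01-10T09:00:04,4625,10.0.0.50,dave
2024-01-10T09:00:05,4625,10.0.0.50,erin
2024-01-10T09:00:06,4625,10.0.0.50,frank
2024-01-10T09:00:30,4624,10.0.0.50,frank
2024-01-10T09:05:00,4625,10.0.0.77,alice
2024-01-10T09:05:10,4625,10.0.0.77,alice
2024-01-10T09:05:20,4625,10.0.0.77,alice
"""

def parse_events(text):
    """Parse the constructed CSV format into (timestamp, event_id, source, user) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, src, user = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), src, user))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=3):
    """Flag sources whose failed logons hit `min_users` distinct accounts inside `window`
    while every account stays below `lockout_threshold`: breadth over depth, so no 4740
    lockout ever fires. Returns {source_ip: {"users": n, "max_per_user": m}}."""
    failures = defaultdict(list)
    for ts, event_id, src, user in events:
        if event_id == 4625:
            failures[src].append((ts, user))
    hits = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span [start, end] fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            stats = {"users": len(per_user), "max_per_user": max(per_user.values())}
            if (stats["users"] >= min_users and stats["max_per_user"] < lockout_threshold
                    and stats["users"] > hits.get(src, {"users": 0})["users"]):
                hits[src] = stats
    return hits
```

The second source in the sample (three failures against one account) is classic brute force and is deliberately not flagged here; it is the case lockout policies already catch.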

Acknowledgments
There were many intended and unintended contributors that made this project possible. If I'm missing any, I apologize, it was in no way intentional. Feel free to contact me and we can make sure they get the credit they deserve ASAP!

  • @byt3bl33d3r – CrackMapExec
  • @SecureAuthCorp – Impacket
  • @the-useless-one – pywerview
  • @dirkjanm – ldapdomaindump

Final Thoughts
Writing this tool and testing it on numerous networks/systems has taught me that the execution method matters, and depends on the configuration of the target system. If a particular module or feature does not work, determine whether it is actually the program, the target system, its configuration, or even network placement before creating an issue.
To help with this investigation process, I've created a test_execution module to run against a system with known admin privileges. This will cycle through all execution methods and provide a status report to determine the best method to use:

$ activereign enum -u administrator -p password --local-auth -M test_execution 192.168.3.20
[*] Lockout Tracker Using default lockout threshold: 3
[*] Enum Authentication administrator (Password: p****) (Hash: False)
[+] WIN-T460 192.168.3.20 ENUM Windows 7 Ultimate 7601 Service Pack 1 (Domain: ) (Signing: False) (SMBv1: True) (Adm!n)
[*] WIN-T460 192.168.3.20 TEST_EXECUTION Execution Method: WMIEXEC Fileless: SUCCESS Remote (Defualt): SUCCESS
[*] WIN-T460 192.168.3.20 TEST_EXECUTION Execution Method: SMBEXEC Fileless: SUCCESS Remote (Defualt): SUCCESS