autoDANE: Automatic Domain Admin & Network Exploitation
autoDANE is a tool to automate the process of mapping and compromising internal networks. Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks globally, one of the first goals of any internal penetration test is to get Domain Administrator (DA) level access. In a demonstration of how common a goal and practice this is, a plethora of tools and techniques exist to assist with this process, from the initial “in” through to elevation of privilege and eventually extracting and cracking all domain credentials.
However, the overall process followed is still manual and time-consuming. Even where tools exist, the orchestration from one to the next is manual. The time required detracts from potentially more dangerous attacks that may be specific to the organisation under assessment, and it limits knowledge of an organisation’s vulnerabilities to those with offensive security skills or the budget to pay for an assessment. Observing this, we decided to construct a framework for automating such activities. This framework orchestrates the industry’s currently favoured tools to get DA on internal networks.
The goal of the project is to get Domain Admin rights as quickly as possible, so that analysts can start an internal assessment as a privileged user, rather than finishing as one. This will allow analysts to spend time on engagements emulating real-life hacking scenarios, such as going after business-critical applications, while still comprehensively assessing the internal network. Combining the software vulnerabilities with a realistic idea of how people with malicious or criminal intent might reach them will provide organisations with the information they need to actually improve their defensive posture.
For Arsenal, several updates have been made and will be released:
- Detailed scope definition and proportionality limits
- Support for adding hosts/ranges during runtime
- Domain pivot tables – a list of which credentials worked where and which users are in which groups
- Detailed filtering and full-text searching across tool-run logs
- One click RDP to hosts with confirmed credentials
- SQL Server discovery
- Basic password cracking when hashes are pulled
Installation
git clone https://github.com/sensepost/autoDANE.git
cd autoDANE
./install.sh
Usage
./autodane.py
Source: https://github.com/sensepost/