zBang v1.2.1 releases: a risk assessment tool
zBang is a special risk assessment tool that detects potential privileged account threats in the scanned network.
Organizations and red teamers can utilize zBang to identify potential attack vectors and improve the security posture of the network. The results can be analyzed with the graphics interface or by reviewing the raw output files.
More details on zBang can be found in the Big zBang Theory blog post by @Hechtov.
The tool is built from five different scanning modules:
- ACLight scan – discovers the most privileged accounts that must be protected, including suspicious Shadow Admins.
- Skeleton Key scan – discovers Domain Controllers that might be infected by Skeleton Key malware.
- SID History scan – discovers hidden privileges in domain accounts with secondary SID (SID History attribute).
- RiskySPNs scan – discovers risky configuration of SPNs that might lead to credential theft of Domain Admins.
- Mystique scan – discovers risky Kerberos delegation configuration in the network.
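The conditions the SID History, RiskySPNs and Mystique scans report on are visible in standard Active Directory account attributes. The following added example (not zBang's code and not from CyberArk) flags them over constructed directory records; the `adminCount` privilege heuristic, the finding labels and the sample accounts are assumptions made for illustration.

```python
TRUSTED_FOR_DELEGATION = 0x80000            # userAccountControl: unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # userAccountControl: domain controller account
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

def audit(acct):
    """Return a sorted list of finding labels (hypothetical names) for one account dict."""
    findings = set()
    uac = acct.get("userAccountControl", 0)
    # A secondary SID carrying a privileged group's RID grants rights not shown in memberOf.
    for sid in acct.get("sIDHistory", []):
        rid = int(sid.rsplit("-", 1)[1])
        if sid == "S-1-5-32-544" or (sid.startswith("S-1-5-21-") and rid in PRIVILEGED_RIDS):
            findings.add("privileged-sid-history")
    # SPN on a privileged user (not computer) account; adminCount == 1 is an assumed heuristic.
    is_computer = "computer" in acct.get("objectClass", [])
    privileged = acct.get("adminCount") == 1
    if acct.get("servicePrincipalName") and privileged and not is_computer:
        findings.add("spn-on-privileged-user")
    # Unconstrained delegation is expected on domain controllers only.
    if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
        findings.add("unconstrained-delegation")
    # Constrained delegation that also allows protocol transition deserves review.
    if (uac & TRUSTED_TO_AUTH_FOR_DELEGATION) and acct.get("msDS-AllowedToDelegateTo"):
        findings.add("constrained-delegation-with-protocol-transition")
    return sorted(findings)

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
ACCOUNTS = [  # constructed sample records, not zBang output
    {"sAMAccountName": "svc-backup", "objectClass": ["user"], "userAccountControl": 0x200,
     "sIDHistory": [DOMAIN + "-512"]},
    {"sAMAccountName": "adm-sql", "objectClass": ["user"], "userAccountControl": 0x200,
     "adminCount": 1, "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "WEB01$", "objectClass": ["user", "computer"],
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "DC01$", "objectClass": ["user", "computer"],
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "APP02$", "objectClass": ["user", "computer"],
     "userAccountControl": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.example.test"]},
    {"sAMAccountName": "jdoe", "objectClass": ["user"], "userAccountControl": 0x200,
     "sIDHistory": [DOMAIN + "-1604"]},
]

def report(accounts):
    return {a["sAMAccountName"]: f for a in accounts if (f := audit(a))}

if __name__ == "__main__":
    print(report(ACCOUNTS))
```

The domain controller account and the user whose SID History holds an ordinary RID produce no findings, which is the distinction a reviewer of real scan results has to make.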
Use
- Download and run the release version from this GitHub repository link or compile it with your favorite compiler.
- Sometimes, when downloading it through the browser, you will need to “unblock” the downloaded zBang.exe file.
- In the opening screen, choose what scans you wish to execute.
In the following example, all five scans are chosen:
- To view demo results, click “Reload.” zBang tool comes with built-in initiating demo data; you can view the results of the different scans and play with the graphics interface.
- To initiate new scans in your network, click “Launch.” A new window will pop up and will display the status of the different scans.
- When the scans are completed, there will be a message saying the results were exported to an external zip file.
- The results zip file will be in the same folder as zBang and will have a unique name with the time and the date of the scans. You can also import previous results into the zBang GUI without rerunning the scans.
To import previous results, click “Import” in the zBang’s opening screen.
Changelog v1.2.1
- SIDHistory script modification: improvement in memory utilization and some logic
Tutorial
Copyright (c) 2018-2019 CyberArk Software Ltd.