TruffleSnout: Iterative AD discovery toolkit for offensive operations
Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low-noise enumeration. Preference for OpSec.
Discover:
- Forests and Trusts
- Domains and Trusts
- GCs/DCs
Search and Query AD:
- For objects and data
- Limits to avoid triggering defensive circuit breakers
- Granular raw LDAP queries with assisted attribute culling.
Utilities, Helpers and converters
TruffleSnout is designed to help operators with targeted discovery of immediate and adjacent AD infrastructure and with querying AD objects. It is designed to work iteratively and gives granular control over the types of queries the operator can issue. This helps preserve a degree of operational security: the operator can limit and vary queries to match the perceived defenses and avoid triggering alerts or generating excessive logging.
The tool follows the natural discovery workflow many operators execute on internal networks and helps answer precise questions like:
- Which forest am I in?
- What domains exist in this forest?
- What properties and components does a domain have?
- What types of trusts do the forest and domains have?
- What is the first and primary domain in the forest?
- Where are the Global Catalogs?
- What are the sites and links?
- Can I connect and ask the same of the remote domain?
- Can I be flexible with the connection method?
- Can I query objects via AD LDAP?
- Can I query a specific attribute, or a list of attributes, of the object?
- Can I search for patterns in the returned result?
A few initial utilities to analyze the returned information are provided. Because the LDAP queries are flexible, operators are not restricted in their exploration of AD objects to commonly used sets like groups, users and computers. Operators can query DNS, certificates, and other types of resources stored in the hierarchy.
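Limited, varied querying of the kind described above stays under rate-based alerts, so a defender has to measure breadth rather than volume. The following is an added example (not part of TruffleSnout or the original page) that flags clients whose LDAP searches touch several discovery topics within a day; the record layout, sample data, topic markers and thresholds are constructed assumptions, and real input would come from whatever LDAP query logging the domain controllers provide.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Discovery topics, keyed by a marker expected in the search base or filter.
TOPICS = {
    "trusts": "objectclass=trusteddomain",
    "partitions": "cn=partitions,cn=configuration",
    "sites": "cn=sites,cn=configuration",
    "dns": "cn=microsoftdns",
    "pki": "cn=public key services",
}

# Constructed sample records (time, client, search base, filter); not real DC log output.
SAMPLE = [
    ("2024-05-06T09:02:11", "10.0.5.23", "CN=System,DC=corp,DC=example", "(objectClass=trustedDomain)"),
    ("2024-05-06T11:40:03", "10.0.5.23", "CN=Partitions,CN=Configuration,DC=corp,DC=example", "(objectClass=crossRef)"),
    ("2024-05-06T14:15:47", "10.0.5.23", "CN=Sites,CN=Configuration,DC=corp,DC=example", "(objectClass=site)"),
    ("2024-05-06T18:31:20", "10.0.5.23", "CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example", "(objectClass=dnsZone)"),
    ("2024-05-06T09:10:00", "10.0.5.40", "DC=corp,DC=example", "(&(objectClass=user)(sAMAccountName=jdoe))"),
    ("2024-05-06T09:12:00", "10.0.9.9", "CN=Sites,CN=Configuration,DC=corp,DC=example", "(objectClass=site)"),
]

def topics_of(base, flt):
    """Map one search to the discovery topics it touches."""
    text = re.sub(r"\s*([,=])\s*", r"\1", f"{base} {flt}".lower())
    return {name for name, marker in TOPICS.items() if marker in text}

def volume_alerts(records, per_hour=100):
    """Rate-only rule: clients exceeding per_hour searches in any clock hour."""
    counts = Counter((client, ts[:13]) for ts, client, _, _ in records)
    return sorted({c for (c, _), n in counts.items() if n > per_hour})

def broad_discovery(records, window=timedelta(hours=24), min_topics=3):
    """Breadth rule: clients touching >= min_topics topics inside one window."""
    hits = defaultdict(list)
    for ts, client, base, flt in records:
        when = datetime.fromisoformat(ts)
        hits[client] += [(when, topic) for topic in topics_of(base, flt)]
    flagged = {}
    for client, seen in hits.items():
        seen.sort()
        for start, _ in seen:
            topics = {tp for t, tp in seen if timedelta(0) <= t - start <= window}
            if len(topics) >= min_topics:
                flagged[client] = sorted(topics)
                break
    return flagged

if __name__ == "__main__":
    print(volume_alerts(SAMPLE), broad_discovery(SAMPLE))
```

On the constructed sample the rate rule stays silent while the breadth rule flags the one client that walked trusts, partitions, sites and DNS over nine hours.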