Search the Community

What is this? Jackdaw is here to collect all information in your domain, store it in a SQL database and show you nice graphs on how your domain objects interact with each-other an how a potential attacker may exploit these interactions. It also comes with a handy feature to help you in a password-cracking project by storing/looking up/reporting hashes/passowrds/users. [hide][Hidden Content]]

Token-Hunter Collect OSINT for GitLab groups and members and search the group and group members’ snippets, issues, and issue discussions for sensitive data that may be included in these assets. The information gathered is intended to compliment and inform the use of additional tools such as TruffleHog or GitRob, which search git commit history using a similar technique of regular expression matching. How the tool works Start by providing a group ID for a specific group on GitLab. You can find the group ID underneath the group name in the GitLab UI. Token-Hunter will use the GitLab group ID to find all associated projects for that group and, optionally, the groups members personal projects. Configure the tool to look for sensitive data in assets related to the projects it finds. Token-Hunter uses the same set of regular expressions as TruffleHog with a few additions for GitLab specific tokens. Token-Hunter depends on these easily configurable regular expressions for accuracy and effectiveness. Currently, the tool supports GitLab snippets, issues, and issue discussions with plans for future expansion to other assets. The tool is intended to be very configurable to allow for efficient discovery of sensitive data in the assets you’re specifically interested in. [hide][Hidden Content]]

jackdaw Jackdaw is here to collect all information in your domain, store it in a SQL database and show you nice graphs on how your domain objects interact with each-other a how a potential attacker may exploit these interactions. It also comes with a handy feature to help you in a password-cracking project by storing/looking up/reporting hashes/passwords/users. Features Data acquisition via LDAP LDAP enumeration phase acquires data on AD info, User, Machine, OU, Group objects which will be represented as a node in the graph, and as a separate table in the DB. Additionally, all aforementioned objects’ Security Description will be parsed and the ACLs for the DACL added to the DB. This, together with the membership information will be represented as edges in the graph. Additionally, custom SQL queries can be performed on any of the aforementioned data types when needed. via SMB SMB enumeration phase acquires data on shares, localgroups, sessions, NTLM data via connecting to each machine in the domain (which is acquired via LDAP) via LSASS dumps (optional) The framework allows users to upload LSASS memory dumps to store credentials and extend the session information table. Both will be used as additional edges in the graph (shared password and session respectively). The framework also uses this information to create a password report on weak/shared/cracked credentials. via DCSYNC results (optional) The framework allows users to upload impacket’s DCSYNC files to store credentials. This is used as additional edges in the graph (shared password). The framework also uses this information to create a password report on weak/shared/cracked credentials. via manual upload (optional) The framework allows manually extending the available DB in every aspect. Example: when user-session information on a given computer is discovered (outside of the automatic enumeration) there is a possibility to manually upload these sessions, which will populate the DB and also the resulting graph Graph The framework can generate a graph using the available information in the database and plot it via the web UI (nest). Furthermore, the graph generation and path calculations can be invoked programmatically, either by using the web API (/ui endpoint) or the graph object’s functions. Anomalies detection The framework can identify common AD misconfigurations without graph generation. Currently only via the web API. User User anomalies detection involves the detection of insecure UAC permissions and extensive user description values. This feature set is expected to grow in the future as new features will be implemented. Machine Machine anomalies detection involves detection of insecure UAC permissions, non-mandatory SMB singing, outdated OS version, out-of-domain machines. This feature set is expected to grow in the future as new features will be implemented. Password cracking The framework is not performing any cracking, only organizing the hashes and the cracking results currently main focus is on impacket and aiosmb’s dcsync results !NT and LM hashes only! Sample process is the following: Harvesting credentials as a text file via impacket/aiosmb or as memory dumps of the LSASS process via whatever tool you see fit. Upload the harvested credentials via the API Poll uncracked hashes via the API Crack them (hashcat?) Upload the results to the framework via the API Generate a report on the cracked/uncracked users and password strength and password sharing note from the author: This feature was implemented for both attackers and defenders. Personally I don’t see much-added value on either side since at the point one obtained the NT hash of a user it’s just as good as the password… Nonetheless, more and more companies are performing password strength exercises, and this feature would help them. As for attackers: it is just showing off at this point, but be my guest. Maybe scare management for extra points. Changelog v0.2.24 new release, lot of fixes, even more features [hide][Hidden Content]]