zbang's Issues

Skeleton Key Scan in upgraded environments

Hi,
First of all, awesome tool.
I encountered an issue with the skeleton key scan. In an upgraded domain (e.g. from 2003 to 2008) it can happen that systems haven't logged in since the upgrade, hence they don't support Encryption-Type 0x12 (AES-256). As your scan picks an arbitrary system, it can lead to false positives.
A solution could be to check if the system has a lastlogontimestamp < 14 days.

Cheers
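
An added example (not zBang's code) of the filter proposed above: only accounts whose lastLogonTimestamp falls within the last 14 days are kept as probe candidates. The function name, the sample records and the extra msDS-SupportedEncryptionTypes check are assumptions made for illustration.

```powershell
function Select-AesProbeCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [int] $MaxAgeDays = 14,
        [datetime] $Now = [datetime]::UtcNow
    )
    # Bit in msDS-SupportedEncryptionTypes that advertises AES256-CTS-HMAC-SHA1-96,
    # the Kerberos etype 0x12 mentioned in the issue.
    $aes256Bit = 0x10
    $cutoff = $Now.AddDays(-$MaxAgeDays)

    foreach ($a in $Account) {
        # lastLogonTimestamp is a FILETIME; empty or 0 means no recorded logon.
        if (-not $a.lastLogonTimestamp) { continue }
        $last = [datetime]::FromFileTimeUtc([int64]$a.lastLogonTimestamp)
        if ($last -lt $cutoff) { continue }   # no logon inside the window

        # Extra check (assumption, not from the issue): the account advertises AES256.
        $etypes = [int]$a.'msDS-SupportedEncryptionTypes'
        if (($etypes -band $aes256Bit) -eq 0) { continue }

        [pscustomobject]@{
            Name         = $a.Name
            LastLogonUtc = $last
            EncTypes     = '0x{0:X}' -f $etypes
        }
    }
}

# Constructed sample records standing in for AD computer objects.
$refTime = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'WS-ACTIVE$';  lastLogonTimestamp = $refTime.AddDays(-2).ToFileTimeUtc();   'msDS-SupportedEncryptionTypes' = 0x1C }
    [pscustomobject]@{ Name = 'SRV-STALE$';  lastLogonTimestamp = $refTime.AddDays(-400).ToFileTimeUtc(); 'msDS-SupportedEncryptionTypes' = $null }
    [pscustomobject]@{ Name = 'WS-RC4ONLY$'; lastLogonTimestamp = $refTime.AddDays(-1).ToFileTimeUtc();   'msDS-SupportedEncryptionTypes' = 0x4 }
    [pscustomobject]@{ Name = 'SRV-NEVER$';  lastLogonTimestamp = $null;                                  'msDS-SupportedEncryptionTypes' = 0x1C }
)

# Only accounts that are both recently active and AES256-capable are returned.
Select-AesProbeCandidate -Account $sample -Now $refTime | Format-Table -AutoSize
```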

zBang crash when running RiskySPN

When running the RiskySPN in a large environment, the application zBANG.exe crashes after about 1h. I downloaded the EXE package yesterday and it is only the RiskySPN that crashes.

Operating System: Windows 10 v1809

Event Logs:

Log Name: Application
Source: Application Error
Date: 2019-02-13 08:58:53
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Description:
Faulting application name: Graphviz4Net.WPF.Example.exe, version: 1.0.0.0, time stamp: 0x5bf66241
Faulting module name: KERNELBASE.dll, version: 10.0.17763.134, time stamp: 0xc30ded87
Exception code: 0xe0434352
Fault offset: 0x0011ab32
Faulting process id: 0x3850
Faulting application start time: 0x01d4c3651c98a39c
Faulting application path: ...__tempgui1010951262\System32\bin\release\Graphviz4Net.WPF.Example.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: d0bd1598-adc0-4336-aea9-8aa3d46ffed2
Faulting package full name:
Faulting package-relative application ID:

Log Name: Application
Source: .NET Runtime
Date: 2019-02-13 08:58:52
Event ID: 1026
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description:
Application: Graphviz4Net.WPF.Example.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.IOException
at System.IO.__Error.WinIOError(Int32, System.String)
at System.IO.FileStream.Init(System.String, System.IO.FileMode, System.IO.FileAccess, Int32, Boolean, System.IO.FileShare, Int32, System.IO.FileOptions, SECURITY_ATTRIBUTES, System.String, Boolean, Boolean, Boolean)
at System.IO.FileStream..ctor(System.String, System.IO.FileMode, System.IO.FileAccess, System.IO.FileShare, Int32, System.IO.FileOptions, System.String, Boolean, Boolean, Boolean)
at System.IO.StreamWriter.CreateFile(System.String, Boolean, Boolean)
at System.IO.StreamWriter..ctor(System.String, Boolean, System.Text.Encoding, Int32, Boolean)
at System.IO.StreamWriter..ctor(System.String, Boolean, System.Text.Encoding)
at System.IO.File.InternalAppendAllText(System.String, System.String, System.Text.Encoding)
at System.IO.File.AppendAllText(System.String, System.String)
at Graphviz4Net.WPF.Example.MainWindow+<>c__DisplayClass46_0.<CaptureOutput>b__0()
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
at System.Windows.Threading.DispatcherOperation.InvokeImpl()
at System.Windows.Threading.DispatcherOperation.InvokeInSecurityContext(System.Object)
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at MS.Internal.CulturePreservingExecutionContext.Run(MS.Internal.CulturePreservingExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Windows.Threading.DispatcherOperation.Invoke()
at System.Windows.Threading.Dispatcher.ProcessQueue()
at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
at MS.Win32.HwndWrapper.WndProc(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
at MS.Win32.HwndSubclass.DispatcherCallbackOperation(System.Object)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(System.Windows.Threading.DispatcherPriority, System.TimeSpan, System.Delegate, System.Object, Int32)
at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr, Int32, IntPtr, IntPtr)
at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
at System.Windows.Threading.Dispatcher.PushFrameImpl(System.Windows.Threading.DispatcherFrame)
at System.Windows.Threading.Dispatcher.PushFrame(System.Windows.Threading.DispatcherFrame)
at System.Windows.Application.RunDispatcher(System.Object)
at System.Windows.Application.RunInternal(System.Windows.Window)
at System.Windows.Application.Run(System.Windows.Window)
at System.Windows.Application.Run()
at Graphviz4Net.WPF.Example.App.Main()
at Graphviz4Net.WPF.Example.Program.Main(System.String[])


Note: I have edited out the computername.

SID History/Risky SPN Scan Duration

Hello,

I wanted to reach out as we have been testing the zBang tool in our environment. We noticed that the scans for the SID History module and the RiskySPNs module are taking a considerable amount of time to complete (>8 hours). Is there a way to modify or target a specific area of AD in the scripts, or is this tool designed to be run over an extended amount of time?

Any information would be greatly appreciated.

Many thanks,
Michael

Exchange Recipient Administrators

Running ACLight suggests "Exchange Recipient Administrators" has generic_all permissions over "Organization Admins" but it does not. Equally I don't think "Organization Admins" provides a route to domain admin.

Reviewing the results, it's (I think) because of generic_all rights on sensitive groups with the object "ms-Exch-Dynamic-Distribution-List". Is this a false positive?

ACLight.ps1 - False Positive?

Thank you for a great tool!

In the ACLight.ps1 file on row 3290 in the filter set we have the following:
($_.ObjectType -eq "DS-Replication-Get-Changes")
If I've read the code correctly, this is a part of the result that will be presented in the zBang GUI showing the DCSync Arrow.
From all the documentation that I've read and research done, I don't see that this ACL Permission gives the DCSync ability. Please correct me if I am wrong on this and if possible, something that I can show as proof (if documented).
Currently, it gives a false positive if my assumption is correct and could possibly lead to other users assuming their environment is not secured while in fact it is secured.

Thank you in advance
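
An added example (not ACLight's own code) of a stricter check for the case raised above: replicating secret attributes such as password hashes requires DS-Replication-Get-Changes-All in addition to DS-Replication-Get-Changes, so a principal is flagged only when it holds both. The function name and the ACE rows are constructed for illustration.

```powershell
function Find-ReplicationSecretsPrincipal {
    param([Parameter(Mandatory)] [object[]] $Ace)

    # Control access rights by schema name, with their rightsGuid for reference.
    $replRights = @{
        'DS-Replication-Get-Changes'     = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
        'DS-Replication-Get-Changes-All' = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    }
    $needed = @($replRights.Keys)

    $Ace |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $needed -contains $_.ObjectType } |
        Group-Object -Property IdentityReference |
        ForEach-Object {
            # Distinct replication rights this principal holds on the domain root.
            $held = @($_.Group | ForEach-Object { $_.ObjectType } | Sort-Object -Unique)
            [pscustomobject]@{
                Identity            = $_.Name
                Held                = $held -join ', '
                CanReplicateSecrets = ($held.Count -eq $needed.Count)
            }
        }
}

# Constructed sample ACEs from a domain root object (names are placeholders).
$aces = @(
    [pscustomobject]@{ IdentityReference = 'CORP\svc-dirsync'; ObjectType = 'DS-Replication-Get-Changes';     AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CORP\svc-backup';  ObjectType = 'DS-Replication-Get-Changes';     AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CORP\svc-backup';  ObjectType = 'DS-Replication-Get-Changes-All'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CORP\helpdesk';    ObjectType = 'DS-Replication-Get-Changes-All'; AccessControlType = 'Deny'  }
)

# svc-dirsync holds only one of the two rights and is reported with
# CanReplicateSecrets = False; svc-backup holds both; the Deny ACE is ignored.
Find-ReplicationSecretsPrincipal -Ace $aces | Format-Table -AutoSize
```

This covers only the two explicitly named rights; an ACE granting GenericAll or all extended rights on the domain root also includes both, and rights inherited through group membership combine.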
