aclpwn.py's Introduction

aclpwn.py

Python 2.7 and 3 compatible. License: MIT.

Aclpwn.py is a tool that interacts with BloodHound to identify and exploit ACL based privilege escalation paths. It takes a starting and ending point and will use Neo4j pathfinding algorithms to find the most efficient ACL based privilege escalation path. Aclpwn.py is similar to the PowerShell based Invoke-Aclpwn, which you can read about in our blog.

Dependencies and installation

Aclpwn.py is compatible with both Python 2.7 and 3.5+. It requires the neo4j-driver, impacket and ldap3 libraries. You can install aclpwn.py via pip: pip install aclpwn. For Python 3, you will need the python36 branch of impacket since the master branch (and versions published on PyPI) are Python 2 only at this point.

Usage

For usage and documentation, see the wiki, for example the quickstart page.

Features

aclpwn.py currently has the following features:

  • Direct integration with BloodHound and the Neo4j graph database (fast pathfinding)
  • Supports any reversible ACL based attack chain (no support for resetting user passwords right now)
  • Advanced pathfinding (Dijkstra) to find the most efficient paths
  • Support for exploitation with NTLM hashes (pass-the-hash)
  • Saves restore state, easy rollback of changes
  • Can be run via a SOCKS tunnel
  • Written in Python (2.7 and 3.5+), so OS independent

Mitigations and detection

aclpwn.py does not exploit any vulnerabilities, but relies on misconfigured (often because of delegated privileges) or insecure default ACLs. To solve these issues, it is important to identify potentially dangerous ACLs in your Active Directory environment with BloodHound. For detection, Windows Event Logs can be used. The relevant event IDs are described in our blog.
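One way to triage exported Security log events for the ACL and group changes discussed above, as an added example that is not code from aclpwn or its blog. It assumes event ID 5136 (directory object modified) filtered to the nTSecurityDescriptor attribute, plus the member-added events 4728, 4732 and 4756; these IDs are chosen here and may differ from the ones the blog lists, and the sample events and the name `triage` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GROUP_ADD = {"4728", "4732", "4756"}  # member added to a security-enabled group

# Constructed sample export (not real log data); only the fields used are shown.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>5136</EventID></System><EventData>
 <Data Name="SubjectUserName">svc-example</Data>
 <Data Name="ObjectDN">DC=example,DC=test</Data>
 <Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>
</EventData></Event>
<Event><System><EventID>5136</EventID></System><EventData>
 <Data Name="SubjectUserName">helpdesk1</Data>
 <Data Name="ObjectDN">CN=Bob,OU=Staff,DC=example,DC=test</Data>
 <Data Name="AttributeLDAPDisplayName">telephoneNumber</Data>
</EventData></Event>
<Event><System><EventID>4728</EventID></System><EventData>
 <Data Name="SubjectUserName">svc-example</Data>
 <Data Name="MemberName">CN=svc-example,OU=Svc,DC=example,DC=test</Data>
 <Data Name="TargetUserName">Example Admins</Data>
</EventData></Event>
</Events>"""


def triage(xml_text):
    """Return (event_id, actor, target, reason) tuples worth an analyst's look."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        actor = data.get("SubjectUserName", "?")
        attr = data.get("AttributeLDAPDisplayName", "").lower()
        if eid == "5136" and attr == "ntsecuritydescriptor":
            # The ACL of a directory object was rewritten.
            hits.append((eid, actor, data.get("ObjectDN", "?"),
                         "security descriptor changed"))
        elif eid in GROUP_ADD:
            hits.append((eid, actor, data.get("TargetUserName", "?"),
                         "member added: " + data.get("MemberName", "?")))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Event 5136 is only written when the Audit Directory Service Changes subcategory is enabled and the modified object carries a matching SACL entry.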

aclpwn.py's People

Contributors

dirkjanm, paulsec

aclpwn.py's Issues

neo4j.exceptions.CypherSyntaxError: {code: Neo.ClientError.Statement.SyntaxError} {message: The old parameter syntax `{param}` is no longer supported. Please use `$param` instead (line 1, column 22 (offset: 21))

Traceback (most recent call last):
  File "/usr/local/bin/aclpwn", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/aclpwn/__init__.py", line 108, in main
    fromres = session.run(q % args.from_type.capitalize(), name=from_object)
  File "/usr/local/lib/python3.8/dist-packages/neo4j/work/simple.py", line 217, in run
    self._autoResult._run(query, parameters, self._config.database, self._config.default_access_mode, self._bookmarks, **kwparameters)
  File "/usr/local/lib/python3.8/dist-packages/neo4j/work/result.py", line 101, in _run
    self._attach()
  File "/usr/local/lib/python3.8/dist-packages/neo4j/work/result.py", line 202, in _attach
    self._connection.fetch_message()
  File "/usr/local/lib/python3.8/dist-packages/neo4j/io/_bolt4x0.py", line 353, in fetch_message
    response.on_failure(summary_metadata or {})
  File "/usr/local/lib/python3.8/dist-packages/neo4j/io/_bolt4x0.py", line 552, in on_failure
    raise Neo4jError.hydrate(**metadata)
neo4j.exceptions.CypherSyntaxError: {code: Neo.ClientError.Statement.SyntaxError} {message: The old parameter syntax {param} is no longer supported. Please use $param instead (line 1, column 22 (offset: 21))
"MATCH (n:User {name: {name}}) RETURN n"

Seems that neo4j needs to update! How to fix it!

Neo4j-driver 4+ issues

Attempting to install / run this on current versions of neo4j / neo4j-driver presents a host of issues. Unfortunately it's not a super quick fix.

neo4j-driver (Python package) has removed the neo4j.v1 package. This is relatively easy to fix. Simply change
from neo4j.v1 import GraphDatabase to
from neo4j import GraphDatabase

The next issue is that the {arg} format of passing variables in database queries has been deprecated. We need to use $arg.

This needs to be fixed in multiple places, but as an example (__init__.py line ~106):

q = "MATCH (n:%s {name: {name}}) RETURN n"
with database.driver.session() as session:
   fromres = session.run(q % args.from_type.capitalize(), name=from_object)

Must change to:

q = "MATCH (n:%s {name: $name}) RETURN n"
with database.driver.session() as session:
   fromres = session.run(q % args.from_type.capitalize(), name=from_object)

Finally, the REST API has been removed. This is the tough one, as I'm not sure how to fix. See pathfinding.py:dijkstra_find()

This is just an FYI for anyone attempting to install using recent packages / versions of things.
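The `{param}` to `$param` change described in this post, and reported in the first issue above, as an added example that is not aclpwn's own code: a rewriter that converts legacy placeholders while leaving map literals such as `{name: ...}` and quoted strings alone. The names `migrate_params`, `lookup_query` and `ALLOWED_LABELS` are hypothetical, and the label allowlist is an assumption made for the sample.

```python
import re

# Quoted strings and backtick identifiers are copied through untouched, so a
# literal such as '{name}' inside a string is never mistaken for a placeholder.
_TOKEN = re.compile(
    r"""(?P<quoted>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`[^`]*`)"""
    r"""|\{\s*(?P<name>[A-Za-z_]\w*)\s*\}"""
)

# Assumption: node labels accepted by this example.
ALLOWED_LABELS = {"User", "Group", "Computer", "Domain"}


def migrate_params(query):
    """Rewrite legacy {param} placeholders to $param; return (query, names)."""
    names = []

    def repl(match):
        if match.group("quoted"):
            return match.group("quoted")
        names.append(match.group("name"))
        return "$" + match.group("name")

    return _TOKEN.sub(repl, query), names


def lookup_query(template, node_type):
    """Fill the %s label slot from an allowlist, then return the migrated query.

    The label is spliced into the query text rather than passed as a
    parameter, so it is checked against ALLOWED_LABELS before formatting.
    """
    label = node_type.capitalize()
    if label not in ALLOWED_LABELS:
        raise ValueError("unexpected node label: %r" % node_type)
    migrated, _ = migrate_params(template)
    return migrated % label


if __name__ == "__main__":
    old = "MATCH (n:%s {name: {name}}) RETURN n"
    print(lookup_query(old, "user"))
    # A map literal and a quoted '{name}' stay as they are (constructed sample).
    print(migrate_params("MATCH (n {name: {name}}) WHERE n.note = '{name}' RETURN n"))
```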

Feature Request: Improve Dijkstra performance

Hi @dirkjanm,
The current implementation of the Dijkstra algorithm is not optimal, which is noticeable when dealing with larger graphs. As you mentioned in the wiki, the ShortestPath algorithm is faster than Dijkstra but the performance differences can be greatly reduced with a few optimizations.

Neo4j stores relationships' property values on disk, which means a lot of unnecessary IO overhead that dramatically slows the process of graph traversal. Because the weight is constant for each ACL, it's better to calculate the cost based on the relationship type (name), which is in memory (assuming the entire graph can be loaded into RAM and the cache is warmed up). You can achieve this by tweaking the neo4j-graph-algorithms plugin to use constant weight values for each ACL instead of looking at the relationship's property. This will also spare the creation of additional properties.

Failed to establish secure connection to 'EOF occurred in violation of protocol (_ssl.c:1123)

Running as root on Kali Linux 2019 full dist-upgrade, running neo4j bolt and bloodhound.

Followed your update regarding the drivers:

python -m pip install 'neo4j-driver==1.7.0' --force-reinstall
python -m pip install 'neo4j==1.7.0' --force-reinstall
python -m pip install -U ldap3
python -m pip install aclpwn

However, when I run the correct command I get the following error message. I think it has something to do with this (driver = GraphDatabase.driver(uri="bolt://localhost:7687", auth=("neo4j", "12345"), encrypted=False)), the encrypted=False bit, but do not know where to change this!!

Regards Tez.


Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/neobolt/direct.py", line 854, in _secure
    s = ssl_context.wrap_socket(s, server_hostname=host if HAS_SNI and host else None)
  File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1123)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/bin/aclpwn", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/aclpwn/__init__.py", line 93, in main
    database.init_driver(args.database, args.database_user, args.database_password)
  File "/usr/local/lib/python3.9/dist-packages/aclpwn/database.py", line 14, in init_driver
    driver = GraphDatabase.driver(uri, auth=(user, password))
  File "/usr/local/lib/python3.9/dist-packages/neo4j/__init__.py", line 108, in driver
    return Driver(uri, **config)
  File "/usr/local/lib/python3.9/dist-packages/neo4j/__init__.py", line 147, in __new__
    return subclass(uri, **config)
  File "/usr/local/lib/python3.9/dist-packages/neo4j/__init__.py", line 217, in __new__
    pool.release(pool.acquire())
  File "/usr/local/lib/python3.9/dist-packages/neobolt/direct.py", line 715, in acquire
    return self.acquire_direct(self.address)
  File "/usr/local/lib/python3.9/dist-packages/neobolt/direct.py", line 608, in acquire_direct
    connection = self.connector(address, error_handler=self.connection_error_handler)
  File "/usr/local/lib/python3.9/dist-packages/neo4j/__init__.py", line 214, in connector
    return connect(address, **dict(config, **kwargs))
  File "/usr/local/lib/python3.9/dist-packages/neobolt/direct.py", line 972, in connect
    raise last_error
  File "/usr/local/lib/python3.9/dist-packages/neobolt/direct.py", line 963, in connect
    s, der_encoded_server_certificate = _secure(s, host, security_plan.ssl_context, **config)
  File "/usr/local/lib/python3.9/dist-packages/neobolt/direct.py", line 859, in _secure
    raise error
neobolt.exceptions.SecurityError: Failed to establish secure connection to 'EOF occurred in violation of protocol (_ssl.c:1123)'

Installation fails due to the conflicting ldap3 version

Hi @dirkjanm, users are unable to run aclpwn due to a dependency conflict with the ldap3 package. As shown in the following full dependency graph of aclpwn, impacket requires ldap3 ==2.5.1, while aclpwn requires ldap3 >=2.5.

According to pip’s “first found wins” installation strategy, aclpwn 2.6.1 is the actually installed version. However, aclpwn 2.6.1 does not satisfy ==2.5.1.

Dependency tree

aclpwn - 1.0.0
| +- impacket(install version:0.9.20 version range:*)
| | +- flask(install version:1.1.1 version range:>=1.0)
| | | +- click(install version:7.0 version range:>=5.1)
| | | +- itsdangerous(install version:1.1.0 version range:>=0.24)
| | | +- jinja2(install version:2.10.3 version range:>=2.10.1)
| | | | +- markupsafe(install version:1.1.1 version range:>=0.23)
| | | +- werkzeug(install version:0.16.0 version range:>=0.15)
| | +- ldap3(install version:2.5.1 version range:==2.5.1)
| | +- ldapdomaindump(install version:0.9.1 version range:>=0.9.0)
| | | +- dnspython(install version:1.16.0 version range:*)
| | | +- future(install version:0.18.2 version range:*)
| | | +- ldap3(install version:2.5.1 version range:==2.5.1)
| | +- pyasn1(install version:0.4.8 version range:>=0.2.3)
| | +- pycryptodomex(install version:3.9.4 version range:*)
| | +- pyopenssl(install version:19.1.0 version range:>=0.13.1)
| | +- six(install version:1.13.0 version range:*)
| +- ldap3(install version:2.6.1 version range:>=2.5)
| +- neo4j-driver(install version:1.7.6 version range:*)
| +- requests(install version:2.22.0 version range:*)
| | +- certifi(install version:2019.9.11 version range:>=2017.4.17)
| | +- chardet(install version:3.0.4 version range:<3.1.0,>=3.0.2)
| | +- idna(install version:2.8 version range:>=2.5,<2.9)
| | +- urllib3(install version:1.25.7 version range:<1.26,>=1.21.1)

Thanks for your help.
Best,
Neolith

Error when installing

root@kali# pip install aclpwn

DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
Collecting aclpwn
Using cached aclpwn-1.0.0-py2-none-any.whl (18 kB)
Requirement already satisfied: requests in /usr/local/lib/python2.7/dist-packages (from aclpwn) (2.18.4)
Requirement already satisfied: ldap3>=2.5 in /usr/local/lib/python2.7/dist-packages (from aclpwn) (2.7)
Collecting neo4j-driver
Using cached neo4j-driver-4.1.1.tar.gz (67 kB)
ERROR: Command errored out with exit status 1:
command: /usr/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-Lf6zcC/neo4j-driver/setup.py'"'"'; file='"'"'/tmp/pip-install-Lf6zcC/neo4j-driver/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-8zIcNT
cwd: /tmp/pip-install-Lf6zcC/neo4j-driver/
Complete output (8 lines):
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-install-Lf6zcC/neo4j-driver/setup.py", line 25, in <module>
from neo4j.meta import package, version
File "neo4j/__init__.py", line 123
def driver(cls, uri, *, auth=None, **config):
^
SyntaxError: invalid syntax
----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.

Any idea what the issue is and how to fix it so I can install aclpwn? I'm a newbie.
