Cable: .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation
Cable
Cable is a simple post-exploitation tool used for enumeration and further exploitation of Active Directory environments. This tool was primarily created to learn more about .NET offensive development in an Active Directory context, while hoping to expand my current knowledge and understanding of Active Directory-focused offensive security.
Cable currently has a few primary features, with high hopes for feature expansion:
- The ability to request service tickets from accounts registered with a `servicePrincipalName` and place them in a crackable format as part of a Kerberoasting attack.
- The ability to write and remove the value of the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute on desired objects, as part of a Resource-Based Constrained Delegation (RBCD) attack.
- The ability to read and write Discretionary Access Control List (DACL) Access Control Entries (ACEs).
- Enumeration of Active Directory Certificate Services (ADCS) CAs and certificate templates.
- Enumeration of domain and forest trusts.
- Enumeration of domain controllers in the current domain.
- General LDAP enumeration with pre-created queries, the ability to specify custom queries, and the ability to specify returned attributes.
- The ability to perform password changes.
- The ability to set and remove the value of the `servicePrincipalName` attribute on an object, making it kerberoastable and non-kerberoastable respectively.
- The ability to set and remove the `DONT_REQ_PREAUTH` flag on an object's `userAccountControl` attribute, making it ASREP-Roastable and non-ASREP-Roastable respectively.
- Enumeration of group membership for users.
- The ability to create and delete computer objects.
- Enumeration of user membership for groups.
- The ability to add and remove accounts from groups.
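
For defenders, several of the features above come down to three attribute states that can be audited from a directory export: a user account carrying a `servicePrincipalName`, the `DONT_REQ_PREAUTH` bit in `userAccountControl`, and a populated `msDS-AllowedToActOnBehalfOfOtherIdentity`. The following is an added example, not part of Cable or its code base; the sample export, account names, the `parse_ldif` and `audit` helpers and the finding labels are all assumptions made for illustration, and the base64 value is a truncated placeholder rather than a real security descriptor.

```python
import base64
# userAccountControl bits (documented values); MACHINE_TRUST = workstation | server
ACCOUNTDISABLE, DONT_REQ_PREAUTH, MACHINE_TRUST = 0x2, 0x400000, 0x1000 | 0x2000
# Constructed sample export (LDIF-style, dn lines omitted); all values made up.
SAMPLE_LDIF = """\
sAMAccountName: svc-sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/db01.example.test:1433

sAMAccountName: jdoe
userAccountControl: 4194816

sAMAccountName: WEB01$
userAccountControl: 4096
servicePrincipalName: HOST/web01.example.test
msDS-AllowedToActOnBehalfOfOtherIdentity:: AQAEgA==

sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Parse unfolded LDIF into a list of {lowercased attribute: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            b64 = value.startswith(":")  # "attr:: ..." carries base64 data
            value = base64.b64decode(value[1:]) if b64 else value.strip()
            entry.setdefault(name.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit(entries):
    """Return sorted (account, finding) pairs for enabled accounts."""
    findings = []
    for e in entries:
        name = e["samaccountname"][0]
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if uac & ACCOUNTDISABLE:
            continue  # reporting choice: disabled accounts are left out
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "asrep-roastable"))
        if e.get("serviceprincipalname") and not uac & MACHINE_TRUST:
            findings.append((name, "kerberoastable"))
        if e.get("msds-allowedtoactonbehalfofotheridentity"):
            findings.append((name, "rbcd-set"))
    return sorted(findings)
```

Comparing the output of `audit(parse_ldif(...))` between two exports taken at different times shows when one of these attributes was set or cleared on an account.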