Visualizing ACLs with Adalanche

I was always a fan of trying new tools in order to create a personal arsenal for edged cases. Recently, I found a tool called Adalanche, which is capable of enumerating and visualizing ACLs between entities in the scope of the Active Directory.
我一直很喜欢尝试新工具,以便为边缘案例创建个人武器库。最近,我发现了一个名为 Adalanche 的工具,它能够枚举和可视化 Active Directory 范围内实体之间的 ACL。

Usually, Active Directory misconfigurations can be found within the ACLs, and they can often lead to obtaining domain administrative privileges by chaining various lateral movement or privilege escalation techniques together. A very simple example for that can be a vulnerable ADCS server to ESC1 attack. Another example could be finding out that the current owned user is local administrator on some machine and after data exfiltration, you find domain admin credentials.
通常,可以在 ACL 中找到 Active Directory 错误配置,并且它们通常可以通过将各种横向移动或权限提升技术链接在一起来获取域管理权限。一个非常简单的例子是易受 ESC1 攻击的 ADCS 服务器。另一个示例可能是发现当前拥有的用户是某些计算机上的本地管理员,并且在数据外泄后,你会找到域管理员凭据。

Mapping such attack vectors can be complicated without such tools, and while you should not be dependant of them, they are here to help, and they certainly do!

While BloodHound is my rank #1 tool for enumerating and visualizing the Active Directory, I was also thrilled to try Adalanche, mainly because of curiosity in terms of UI, practical use and evasiveness. Turned out that this tool might be a hidden gem!
虽然 BloodHound 是我用于枚举和可视化 Active Directory 的排名 #1 工具,但我也很高兴尝试 Adalanche,主要是因为对 UI、实际使用和规避方面的好奇心。原来这个工具可能是一个隐藏的宝石!

If you prefer watching a video instead of reading, I already deployed a video about the topic on my channel:

Also make sure to join my Discord where we share experience, knowledge and doing CTF together.
另外,请务必加入我的 Discord,在那里我们分享经验、知识和一起做 CTF。

#Why not just use BloodHound?

Now here comes the question, why bother with Adalanche when I have BloodHound?
现在问题来了,当我拥有 BloodHound 时,为什么要打扰 Adalanche?

The answer is very simple, it is always a good idea to have alternatives for specific tools. Also, alternatives creates competition and this is a fundamental process of improving both of the sides, so its a win = win situation.

Additionally, as you might already know, SharpHound (The data collector for BloodHound) is extremely signatured by various security mechanisms. I am aware that the signatures and the behavioral detections can be bypassed but sometimes its not a trivial process. For Instance, it is possible to land into an environment that is extremely well network segmented, so that you cannot get a C2 implant to run and you should rely on some kind of workarounds such as bind shells on specific ports, which not all C2 framework actually supports. Additionally, its possible that the network is restricted in such way, that you cannot just execute the python collector. On top of that, if the segmentation is combined with enforced endpoint protection, it can become even more challenging. This just makes the things more complicated and can effectively lose a day or two into just getting the basic AD enumeration.
此外,您可能已经知道,SharpHound(BloodHound 的数据收集器)具有各种安全机制的高度签名。我知道可以绕过签名和行为检测,但有时这不是一个微不足道的过程。例如,有可能进入一个网络分段非常好的环境,这样你就无法运行 C2 植入物,你应该依赖某种解决方法,例如在特定端口上绑定 shell,并非所有 C2 框架实际上都支持。此外,网络可能受到限制,您不能只执行 python 收集器。最重要的是,如果将分段与强制的端点保护相结合,它可能会变得更具挑战性。这只会使事情变得更加复杂,并且可能会浪费一两天的时间来获取基本的 AD 枚举。

On the other hand, Adalanche is a tool that can work as both a collector and a visualizer at the same time, while it is extremely evasive. Imagining the previous restricted scenario, if Adalanche is execute from a compromised machine with network access to the LDAP server, it is less likely to get detected and blocked.
另一方面,Adalanche 是一种既可以作为收集器又可以作为可视化工具的工具,同时它非常规避。想象一下之前受限制的场景,如果 Adalanche 是从具有对 LDAP 服务器的网络访问权限的受感染计算机执行的,则不太可能被检测到和阻止。

[BIG DISCLAIMER] I am aware that there are always various workarounds for all scenarios. The goal of this blog is not to question them, but to discuss and analyze the Adalanche tool.
[大免责声明]我知道所有方案总是有各种解决方法。本博客的目的不是质疑他们,而是讨论和分析 Adalanche 工具。

Now, let’s get an idea of what Adalanche actually looks like.
现在,让我们了解一下 Adalanche 的实际样子。

#Adalanche Overview Adalanche概览

Adalanche is go-written tool for collecting and analyzing data from Active Directory. It is capable of extracting potential attack vectors such as unconstrained delegation, ESC1, outdated servers, users with administrative privileges and more. It is extremely fast and compatible with each modern Operating System (OS).
Adalanche是用于从Active Directory收集和分析数据的编写工具。它能够提取潜在的攻击媒介,例如不受约束的委派、ESC1、过时的服务器、具有管理权限的用户等。它速度极快,并且与每个现代操作系统 (OS) 兼容。

One of the coolest features about Adalanche is that it is self-sufficient, which means, you do not need:
Adalanche 最酷的功能之一是它是自给自足的,这意味着您不需要:

  • Database (like Neo4j) 数据库(如 Neo4j)
  • Specific engine or runtime installed (like dotnet runtime)
    已安装的特定引擎或运行时(如 dotnet 运行时)
  • Additional software (like a web server)
    其他软件(如 Web 服务器)

All you need is the compiled binary and luck that you are in a vulnerable environment. Since the Adalanche is go-written, the same code can be compiled for both windows and *nix systems.
您所需要的只是编译好的二进制文件和运气,您处于易受攻击的环境中。由于 Adalanche 是 go-written 的,因此可以为 windows 和 *nix 系统编译相同的代码。

Adalanche can be run directly, with no arguments if it is launched from a domain joined windows machine. On the other hand it can also mimic, scraping the LDAP from a machine with network access to the Domain Controller. It then stores the gathered data into a folder called data, which can be analyzed in the future. Now let’s analyze the different methods on how to get it running!
Adalanche 可以直接运行,如果它是从已加入域的 Windows 计算机启动的,则没有参数。另一方面,它还可以模拟,从具有域控制器网络访问权限的计算机中抓取 LDAP。然后,它将收集到的数据存储到一个名为 data 的文件夹中,以便将来进行分析。现在让我们分析一下如何让它运行的不同方法!

#Case 1: I am operating from a domain joined Windows computer
案例 1:我正在使用已加入域的 Windows 计算机进行操作

Adalanche is capable of detecting the context of the current user. In case you are operating from a domain joined machine, and from the context of a domain user, you do not need to supply any arguments! In this scenario it is enough to just download and execute the binary.

This will perform all the scraping automatically, then Adalanche will automatically analyze the collected data and finally, it will host the results on while navigating your default browser to the web view.
这将自动执行所有抓取,然后 Adalanche 将自动分析收集的数据,最后,它将在将默认浏览器导航到 Web 视图 时托管结果。

If everything went smooth, you should see something like this:

Visualizing ACLs with Adalanche

Entry screen of adalanche

#Case 2: I am operating from a host with VPN access and AD credentials
案例 2:我正在使用具有 VPN 访问权限和 AD 凭据的主机进行操作

Adalanche is also capable of scanning and extracting data from the Active Directory remotely. In this scenario, it is required to have network visibility to the LDAP servers as well as a valid pair of credentials for the Active Directory.
Adalanche 还能够远程扫描和提取 Active Directory 中的数据。在此方案中,需要对 LDAP 服务器具有网络可见性以及 Active Directory 的有效凭据对。

The Adalanche binary can now be used in 2 modes:
Adalanche 二进制文件现在可以在 2 种模式下使用:

  • collect 收集
  • analyze 分析

The first mode will perform the data collection via querying the LDAP service. After completion, again, all of the results will be stored in a folder called data unless you specify something different. All of the needed options can be found on the docs or by running:
第一种模式将通过查询LDAP服务来执行数据收集。同样,完成后,所有结果都将存储在一个名为 data 的文件夹中,除非您指定了其他内容。所有需要的选项都可以在文档中找到,也可以通过运行以下命令:

./adalanche help collect activedirectory

11:24:06.425 INFORMA Adalanche Open Source v2024.1.11 (commit 0161570), (c) 2020-2024 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
Collects information from Active Directory

adalanche collect activedirectory [flags]

–adexplorerboost Boost ADexplorer performance by using loading the binary file into RAM before decoding it (default true)
–adexplorerfile string Import AD objects from SysInternals ADexplorer dump
–attributes string Comma seperated list of attributes to get, * = all, or a comma seperated list of attribute names (expert) (default “*”)
–authdomain string domain for authentication, if using ntlm auth
–authmode string Bind mode: unauth/anonymous, basic/simple, digest/md5, kerberoscache, ntlm, ntlmpth (password is hash), negotiate/sspi (default “ntlm”)
–autodetect Try to autodetect as much as we can, this will use environment variables and DNS to make this easy (default true)
–configuration string Collect Active Directory Configuration (default “auto”)
–domain string domain suffix to analyze (contoso.local, auto-detected if not supplied)
–gpopath string Override path to GPOs, useful for non Windows OS’es with mounted drive (/mnt/policies/ or similar), but will break ACL feature
–gpos string Collect Group Policy file contents (default “auto”)
-h, –help help for activedirectory
–ignorecert Disable certificate checks
–ldapdebug Enable LDAP debugging
–nosacl Request data with NO SACL flag, allows normal users to dump ntSecurityDescriptor field (default true)
–objects string Collect Active Directory Objects (users, groups etc) (default “auto”)
–other string Collect other Active Directory contexts (typically integrated DNS zones) (default “auto”)
–pagesize int Number of objects per request to collect (increase for performance, but some DCs have limits) (default 1000)
–password string password to connect with ex. –password hunter42 (use ! for blank password)
–port int LDAP port to connect to (389 or 636 typical, -1 for auto based on tlsmode) (default -1)
–purgeolddata Purge existing data from the datapath if connection to DC is successfull
–schema string Collect Active Directory Schema (default “auto”)
–server stringArray DC to connect to, use IP or full hostname ex. -dc=”dc.contoso.local”, random DC is auto-detected if not supplied
–tlsmode string Transport mode (TLS, StartTLS, NoTLS) (default “NoTLS”)
–username string username to connect with ([email protected])

Global Flags:
–cpuprofile Save CPU profile from start to end of processing in datapath
–cpuprofiletimeout int32 CPU profiling timeout in seconds (0 means no timeout)
–datapath string folder to store and read data (default “data”)
–embeddedprofiler Start embedded Go profiler on localhost:6060
–fgtrace Save CPU trace start to end of processing in datapath
–logfile string File to log to
–logfilelevel string Log file log level (default “info”)
–loglevel string Console log level (default “info”)
–logzerotime Logged timestamps start from zero when program launches
11:24:06.436 INFORMA Terminating successfully

By following the options, this exemplary command can collect the data from the Active Directory:
通过遵循这些选项,此示例性命令可以从 Active Directory 收集数据:

./adalanche collect activedirectory --tlsmode tls --ignorecert --domain domain.local --authdomain DOMAIN --username joe --password joepass --server DCIP

After this command finishes, the data folder will be present in your current working directory.
此命令完成后,该 data 文件夹将出现在当前工作目录中。

When you are ready to analyze the results and generate a web view, you can do so by running:
当您准备好分析结果并生成 Web 视图时,可以通过运行以下命令来执行此操作:

./adalanche analyze

If everything is running as expected, you should again see the initial screen of Adalanche:
如果一切按预期运行,您应该再次看到 Adalanche 的初始屏幕:

Visualizing ACLs with Adalanche

Entry screen of adalanche

#Adalanche Usage Adalanche 用法

Adalanche UI is divided into 3 parts:
Adalanche UI 分为 3 个部分:

  • Object explorer on the left
  • Nodes visualization settings on the right
  • LDAP querying tool centered on the bottom.

On the Object explorer you can observe and analyze various objects, including present users, their groups, machines, Active Directory configurations and more.
在对象资源管理器上,您可以观察和分析各种对象,包括当前用户、其组、计算机、Active Directory 配置等。

Visualizing ACLs with Adalanche

Object explorer 对象资源管理器

On the right, you can tweak how the Adalanche should look like, but I personally did not spend much time on it since I was happy with the defaults.
在右侧,您可以调整 Adalanche 的外观,但我个人并没有花太多时间在上面,因为我对默认值感到满意。

Visualizing ACLs with Adalanche

Adalanche visual options Adalanche 视觉选项

It is in the LDAP querying tool where it gets interesting.

Visualizing ACLs with Adalanche

LDAP query section LDAP 查询部分

Compared to BloodHound, Adalanche is not using any database engines for storing the results. It is based entirely on LDAP to perform any visualization and analysis over the collected data (which is purely stored on the local file system). To visualize the results, Adalanche uses web view, which can be configured with the option --bind 'IP:PORT'.
与 BloodHound 相比,Adalanche 不使用任何数据库引擎来存储结果。它完全基于LDAP,可以对收集的数据(完全存储在本地文件系统上)执行任何可视化和分析。为了可视化结果,Adalanche 使用 Web 视图,可以使用选项 --bind 'IP:PORT' 进行配置。

This behavior has its pros and cons such as :

Pros 优点 Cons 缺点
Extremely easy to migrate and share
Extremely easy to lose the data
No dependencies other then the Adalanche binary
除 Adalanche 二进制文件外没有其他依赖项
Storing files on the local FS can lead to super easy signatures
将文件存储在本地 FS 上可以导致超级简单的签名
No collector / db engine version incompatibility
No Internet Explorer support, wont run smooth on old machines
不支持 Internet Explorer,在旧机器上无法流畅运行

Adalanche comes with the following predefined LDAP queries for visualizing nodes and searching for attack paths:
Adalanche 附带以下预定义的 LDAP 查询,用于可视化节点和搜索攻击路径:

Visualizing ACLs with Adalanche

Builtin LDAP queries 内置 LDAP 查询

From these, you may notice that a lot of the queries are actually familiar from BloodHound (such as Kerberoastable users, DC Sync users and so on).
从这些中,您可能会注意到很多查询实际上是 BloodHound 熟悉的(例如 Kerberoastable 用户、DC Sync 用户等)。

One of the coolest parts about Adalanche, is that when you execute one of the queries, you get its raw syntax inside the LDAP querying section, from where you can modify and update the query to suit your needs.

Visualizing ACLs with Adalanche

Query showing Unconstrained Delegation non-DC machines
显示无约束委派非 DC 计算机的查询

Additionally, the Start QueryMiddle Query and End Query are query separators, which means, that you can implement your own custom nested queries for finding various attack paths, misconfigurations and vulnerabilities.
此外,和 是 End Query 查询分隔符,这意味着您可以实现自己的自定义嵌套查询,以查找各种攻击路径、错误配置 Start Query 和 Middle Query 漏洞。

Of course, one negative aspect would be that you need to be doing good with LDAP in order to implement anything custom and to get the most out of Adalanche, but on the other hand, I found out that the default queries are working pretty nice. While I find the output from some of them confusing, others like Who can change GPOsESC1 vulnerable certificate templates and Who can dump SAM/SYSTEM can be extremely easy to understand and useful.
当然,一个消极的方面是,你需要对LDAP做得很好,以便实现任何自定义并充分利用Adalanche,但另一方面,我发现默认查询工作得很好。虽然我发现其中一些的输出令人困惑,但其他的则喜欢 Who can change GPOs , ESC1 vulnerable certificate templates 并且 Who can dump SAM/SYSTEM 非常容易理解和有用。

Lets analyze the above executed query: (&(type=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!userAccountControl:1.2.840.113556.1.4.803:=8192)) which is designed to show all computers which are marked for Unconstrained Delegation, and are not Domain Controllers. While at first the output can be a little messy, it makes sense when you start reading the lines.
让我们分析上面执行的查询: (&(type=Computer)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!userAccountControl:1.2.840.113556.1.4.803:=8192)) 该查询旨在显示标记为“无约束委派”且不是域控制器的所有计算机。虽然一开始输出可能有点混乱,但当你开始阅读这些行时,它是有道理的。

Similar to BloodHound, when you click on the paths between objects, you can get additional details about various attributes and relationships. It is not as informative as BloodHound(the path does not give exploitation guides), but still can be quite useful when you are already aware of the most common AD attacks. For example, when you see a red link between nodes, Adalanche claims that there are dangerous permissions between them.
与BloodHound类似,当你点击对象之间的路径时,你可以获得关于各种属性和关系的更多细节。它不像 BloodHound 那样提供信息量(该路径不提供漏洞利用指南),但当您已经了解最常见的 AD 攻击时,它仍然非常有用。例如,当您看到节点之间的红色链接时,Adalanche 声称它们之间存在危险的权限。

Visualizing ACLs with Adalanche

Ann Rogers has AllExtendedRights permissions over SQL02 machine
Ann Rogers 对 SQL02 计算机具有 AllExtendedRights 权限

By following the same logic, we can understand that the SQL02 is marked for Unconstrained Delegation, because its node is bigger and marked in red, compared to other machine accounts in the graph:
通过遵循相同的逻辑,我们可以理解 标记为 SQL02 Unconstrained Delegation,因为与图中的其他计算机帐户相比,它的节点更大并标记为红色:

Visualizing ACLs with Adalanche

Exact query match in red, in this case SQL02 is allowed for Unconstrained Delegation
红色的精确查询匹配,在本例中,SQL02 允许用于无约束委派

Additionally, the orange links most of the times mean that the object is a member of specific group, while the white usually means that there is some form of connection between objects which is not dangerous or exploitable.

Visualizing ACLs with Adalanche

User admin is a member of the Administrators group, visualized with orange link
用户 admin 是 Administrators 组的成员,使用橙色链接进行可视化

With that, Adalanche has everything needed to find misconfigurations and vulnerabilities in the scope of the Active Directory. I know that there are a lot of features that are missing, compared to BloodHound, but still the essentials are here. One of the features I think Adalanche is lacking, is the exploitation docs on the node paths. Additionally, I found Adalanche hard to navigate and analyze specific single objects. Compared to BloodHound, where you can just type the object into the search box, here you would need to use LDAP queries. For example, in order to find a specific user, you can use the following LDAP query: (&(objectCategory=person)(objectClass=user)(sAMAccountName=username))
这样一来,Adalanche就拥有了在Active Directory范围内查找错误配置和漏洞所需的一切。我知道与 BloodHound 相比,缺少很多功能,但基本要素仍然存在。我认为 Adalanche 缺乏的功能之一是节点路径上的利用文档。此外,我发现 Adalanche 很难导航和分析特定的单个对象。与BloodHound相比,您只需在搜索框中输入对象即可,而BloodHound则需要使用LDAP查询。例如,为了查找特定用户,您可以使用以下 LDAP 查询: (&(objectCategory=person)(objectClass=user)(sAMAccountName=username))

Visualizing ACLs with Adalanche

Querying the user emma, visualizing all objects that can directly influence her.
查询用户 emma,可视化所有可以直接影响她的对象。

Other features such as what can this node pwn and what can pwn this node I found to be extremely useful and practical. These options can be utilized into setting up a target or a starting point.
其他功能,例如 what can this node pwn what can pwn this node 我发现非常有用和实用。这些选项可用于设置目标或起点。

Visualizing ACLs with Adalanche

The whole idea of these options is to find attack paths to or from specific objects.

In this scenario, our user emma does not have direct dangerous and abusable ACLs toward any object in the domain.
在这种情况下,我们的用户 emma 对域中的任何对象都没有直接的危险和可滥用的 ACL。

Visualizing ACLs with Adalanche

Results from What can this node pwn? query
What can this node pwn? 查询结果

However, various objects can effectively influence and control emma:

Visualizing ACLs with Adalanche

Results from Who can pwn this node? query
Who can pwn this node? 查询结果

Additionally, the options Set as route target and Route to target can be used to effectively display the attack path:
此外,这些选项 Set as route target Route to target 可用于有效地显示攻击路径:

Visualizing ACLs with Adalanche

Results from setting emma as a target and running Route to target from Enterprise Admins group node
将 emma 设置为目标并从 Enterprise Admins 组节点运行 Route to target 的结果

#Conclusion 结论

Now it is your turn to try out the tool and decide for yourself if it is worth it or not! In my opinion, compared to BloodHound, Adalanche is worst at visuals but still can present useful information and real attack paths.
现在轮到您试用该工具并自己决定是否值得了!在我看来,与 BloodHound 相比,Adalanche 在视觉效果方面最差,但仍然可以提供有用的信息和真实的攻击路径。

While it can be initially confusing I think it is a great alternative which has its own pros and cons. I personally find the architecture pretty amazing and well done! The ability to be that flexible and evasive is something that must be credited, and we also need to acknowledge that the project is actively being developed and supported!

Visualizing ACLs with Adalanche

Metadefender scan results
Metadefender 扫描结果

I highly encourage you to try it out on your own and decide whether it is useful in your cases.

原文始发于Carlos Vieira:Visualizing ACLs with Adalanche

版权声明:admin 发表于 2024年2月4日 下午1:19。
转载请注明:Visualizing ACLs with Adalanche | CTF导航