BlackMarlinExec | Strikes | Enumeration tool | NTA tool | BME | Admin Domain Controller

About Active Directory BlackMarlinExec, find the right attack path for pentesting and security researchs, it's ability to use graph theory to reveal the hidden and often unintended relationships within an online environments.

About BlackMarlinExec

BlackMarlinExec uses graph and analysis theory to reveal the hidden and unintended relationships within an Active Directory or Active Environment. CS can use BlackMarlinExec to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. It also has it's own attack path management that continuously maps and quantifies Active Directory attack paths. CS can see thousand, even millions of attack paths within your existing architecture.

BlackMarlinExec Kerberos Attack Performance

BlackMarlinExec incorporates a specialized Kerberos attack module, empowering CS to effectively test and exploit weaknesses within the Kerberos authentication protocol. This module is designed to enhance the enumeration and analysis capabilities by focusing on potential vulnerabilities in Kerberos implementations.

Ticket Harvesting by:

• AS-REP Roasting by automates the extraction of AS-REP responses for accounts that do not require pre-authentication.
• And kerberoasting to identifies and extracts service tickets (TGS) for services that leverage Kerberos.

By integrating advanced Kerberos attack techniques with BME powerful enumeration and network traffic analysis capabilities, CS would gain a holistic view of the network's security posture.

---

Small Demonstration for Roasting

During an enumeration attack, CS verify records stored in a storage using brute-force methods. These CS occur on storage that interact with web server databases after a user submits a form. The two most commonly targeted web app pages in enumeration attacks are login pages and password reset pages.

Intro About Barracuda Attack

TCP Killer

Barracuda is a utility to kill all TCP connections on a network. It works by intercepting network traffic, and forging RST packets of existing connections to cause hangups. Works for both IPv4 connections and IPv6. Barracuda ( TCPkiller ) is a sneaky way to kill network connections. Any targeted system will appear to work when examined through typical diagnostics - DNS will resolve, ICMP's will go through, and the network card will be able to connect ( slow ) to the network-but no TCP connections will be sustained.

Main Features:

• Shows a list of processes, and tcp ports they are listening to
• The list can by filtered by port number
• You can select a process, and terminate it

There are many tools that implement this functionality. This tool will additionally:

• Resolve the application name of every processes ( if jps is available )
• For IANA registered ports you can hover over the port number, and it will show additional information
• On windows, will show the names of services running as children of ABAMB.exe

Shuts down a TCP connection on Linux, macOS, and Windows. Local and remote endpoint arguments can be copied from the output of netstat_lanW.

The functionality offered by TCP_killer is intended to mimic TCPView's "Close Connection" functionality and TCPdrop's functionality on Linux and macOS.

Basic Usage

BME_barracuda.py [-pS] <local endpoint> <remote endpoint>
[x] Initialized DNS Poisoning on eth0 in quiet mode. Press Ctrl-C to exit.
...

BME_barracuda.py -i eth0
[*] Initialized TCPkiller on eth0 in quiet mode, targeting all. Press Ctrl-C to exit.
...

Options:

• -a, --allow find source or destination
• -t, --target allow all other connections
• -ts, --target-source but only if it's the source
• -td, --target-destination actively target this ip address
• -o, --allow-port checking any connections involving
• -p, --target-port actively target any connections
• -pS, --target-source-port finding port sources
• -pd, --target-destination-port finding port destination
• -r, --randomize [half,all] target SOME of the matching
• -i, --interface specify interface
• -s, --silent silences all terminal
• -v, --verbose verbose output
• -h, --help prints usage
• -i, --tcp && eth0 net

Arguments:

-pS ( Show poisoning output )
<local endpoint>   Connection's local IP address and port
<remote endpoint>  Connection's remote IP address and port

Examples:

BME_barracuda.py 10.31.33.7:50246 93.184.216.34:443
BME_barracuda.py 2001:db8:85a3::8a2e:370:7334.93 2606:2800:220:1:248:1893:25c8:1946.80
BME_barracuda.py -verbose [2001:4860:4860::8888]:46820 [2607:f8b0:4005:807::200e]:80

Full Example

kali@kali:~$ # Create a server to listen on TCP port 12345
kali@kali:~$ nc -d -l -p 4444 &
[1] 135578

kali@kali:~$ # Connect to the local server on TCP port 12345
kali@kali:~$ nc -v -d localhost 4444 &
[2] 135579
Connection to localhost 4444 port [tcp/*] succeeded!

kali@kali:~$ # Find the connection endpoints
kali@kali:~$ netstat -lanW | grep 12345.*ESTABLISHED
tcp        0      0 127.0.0.1:33994         127.0.0.1:12345         ESTABLISHED
tcp        0      0 127.0.0.1:12345         127.0.0.1:33994         ESTABLISHED

kali@kali:~$ # Kill the connection by copying and pasting the output of netstat
kali@kali:~$ python BME_barracuda.py 127.0.0.1:33994         127.0.0.1:4444
TCP connection was successfully shutdown.
[1]-  Done                    nc -d -l -p 4444
[2]+  Done                    nc -v -d localhost 4444

LDAP & Kerberos Protocol Potential Attacks

Using BlackMarlinExec to get benefits of integration. Firstly find a significant risk. A CS would try to "steal" user credentials through malware or AD Attacks using BME, enabling them to obtain a Ticket Granting Ticket (TGT) and access network services. Man-in-the-Middle (MITM) attacks pose another threat, where an attacker intercepts communication using BME to get access between the user and the Key Distribution Center (KDC) or between services and the LDAP directory, potentially stealing or modifying data.

Important

CS might steal user credentials through phishing, allowing them to get a Ticket Granting Ticket (TGT) and access network services. Another risk is ticket forgery, where an attacker creates fake tickets to impersonate users.

Warning

Security can intercept communications between users and the Key Distribution Center (KDC) or between services and the LDAP directory to steal or alter data. LDAP injection is another potential attack, where CS manipulate directory queries to access or change data illegally.

What is the Flaws in Kerberos?

Biggest lose was the assumption of secure time system, and resolution of synchronization required.

Users authenticate once with Kerberos and can access multiple services without re-entering credentials, thanks to the TGT. Haha this is the time when the CS could use this privileges for testing.

LDAP Automatic Injections

Using BME to automate the process of detecting and exploiting LDAP injection vulnerabilities in AD scenario. With BME, CS researcher can quickly identify and exploit LDAP injection flaws, allowing CS to assess the security posture of the applications more effectively.

"More" Features

• Automated detection of LDAP injection vulnerabilities.
• Exploitation of LDAP injection vulnerabilities to extract sensitive information.
• Customizable payloads for fine-tuning injection attacks.

Replace `<target_url>` with the URL of the web application you want to scan.

For any questions or inquiries, feel free to contact the developers @pxcs

---

• Information Gathering:

  Find-DomainTarget (-p-) (-sV-) (-Pn-) (-Al-) (-more-)

• Get Domain Controllers:

  Get-DomainController
  Get-DomainController -Domain <DomainName>

• Enumerate Domain Users:

  Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
  

• Enumerate Shares:

  Find-DomainShare
  
  Find-DomainShare -CheckShareAccess
  
  Find-InterestingDomainShareFile -Include *passwords*

• Enum Group Policies:

  Get-DomainGPO -Properties DisplayName | Sort-Object -Property DisplayName
  
  #Enumerate specific computer
  Get-DomainGPO -ComputerIdentity <ComputerName> -Properties DisplayName | Sort-Object -Property DisplayName
  
  #Get users that are local Admin group
  Get-DomainGPOComputerLocalGroupMapping -ComputerName <ComputerName>

• Results Filtering:

  #grep #invert #etc
  0.0.0.0 | grep ''
  
  #grep with attackers .txt
  0.0.0.0 | grep 5 (-c-)(-Pn-) 'List.txt'

---

Main Usage

usage: BME [-h] [--command COMMAND] [--output OUTPUT] [--interface INTERFACE] [--port PORT]

options:
  -h, --help            show this help message and exit
  --command COMMAND, -c COMMAND
                        command to run on the target (default: calc)
  --output OUTPUT, -o OUTPUT
                        output maldoc file (default: BME)
  --interface INTERFACE, -i INTERFACE
                        network interface or IP address to host the HTTP server (default: eth0)
  --port PORT, -p PORT  port to serve the HTTP server (default: 8000)

Intercept all responses

Now, that you know how to start DNSChef let's configure it to fake all replies to point to 127.0.0.1 using the --fakeip parameter:

# ./BME --fakeip 127.0.0.1 -q
[*] BME started on interface: 127.0.0.1 
[*] Using the following nameservers: x-x-x-x
[*] Cooking all A replies to point to 127.0.0.1
[23:55:57] 127.0.0.1: cooking the response of type 'A' for x-x-x-x.com to 127.0.0.1
[23:55:57] 127.0.0.1: proxying the response of type 'AAAA' for x-x-x-x.com
[23:55:57] 127.0.0.1: proxying the response of type 'MX' for x-x-x-x.com

In the above output you an see that BME was configured to proxy all requests to 127.0.0.1. The first line of log at 08:11:23 shows that we have "cooked" the "A" record response to point to 127.0.0.1. However, further requests for 'AAAA' and 'MX' records are simply proxied from a real DNS server. Let's see the output from requesting program:

$ host google.com localhost
x-x-x-x.com has address 127.0.0.1
x-x-x-x.com has IPv6 address 2001:4860:4001:803::1001
x-x-x-x.com mail is handled by 10 aspmx.l.x-x-x-x.com.
x-x-x-x.com mail is handled by 40 alt3.aspmx.l.x-x-x-x.com.
x-x-x-x.com mail is handled by 30 alt2.aspmx.l.x-x-x-x.com.

As you can see the program was tricked to use 127.0.0.1 for the IPv4 address. However, the information obtained from IPv6 (AAAA) and mail (MX) records appears completely legitimate. The goal of DNSChef is to have the least impact on the correct operation of the program, so if an application relies on a specific mailserver it will correctly obtain one through this proxied request.

Let's fake one more request to illustrate how to target multiple records at the same time:

# ./BME --fakeip 127.0.0.1 --fakeipv6 ::1 -q
[*] BME started on interface: 127.0.0.1 
[*] Using the following nameservers: x-x-x-x
[*] Cooking all A replies to point to 127.0.0.1
[*] Cooking all AAAA replies to point to ::1
[00:02:14] 127.0.0.1: cooking the response of type 'A' for x-x-x-x.com to 127.0.0.1
[00:02:14] 127.0.0.1: cooking the response of type 'AAAA' for x-x-x-x.com to ::1
[00:02:14] 127.0.0.1: proxying the response of type 'MX' for x-x-x-x.com

In addition to the --fakeip flag, I have now specified --fakeipv6 designed to fake 'AAAA' record queries. Here is an updated program output:

$ host x-x-x-x.com localhost
x-x-x-x.com has address 127.0.0.1
x-x-x-x.com has IPv6 address ::1
x-x-x-x.com mail is handled by 10 aspmx.l.x-x-x-x.com.
x-x-x-x.com mail is handled by 40 alt3.aspmx.l.x-x-x-x.com.
x-x-x-x.com mail is handled by 30 alt2.aspmx.l.x-x-x-x.com.

Once more all of the records not explicitly overriden by the application were proxied and returned from the real DNS server. However, IPv4 (A) and IPv6 (AAAA) were both faked to point to a local machine.

DNSChef supports multiple record types:

Record	Description	Argument	Example
A	IPv4 address	--fakeip	--fakeip 127.0.0.1
AAAA	IPv6 address	--fakeipv6	--fakeipv6 2001:db8::1
MX	Mail server	--fakemail	--fakemail mail.x-x-x-x.com
CNAME	CNAME record	--fakealias	--fakealias www.x-x-x-x.com
NS	Name server	--fakens	--fakens ns.x-x-x-x.com

Examples

Pop results BME.exe :

$ BME.exe   
[+] copied staging doc ./
[+] finalizing payload doc ./
[x] created maldoc ./
[x] serving payload on :8000 (Example)

• Output
• Compromising Kerberos
• Kerberos Compromised!

Vulnerability Report

BlackMarlinExec | Submarine project-75:
BlackMarlinExec is a cutting edge CS tool. Designed for comprehensive network traffic analysis and sophisticated enumeration, akin to the functionalities provided by harpoonhound. Developed for CS and penetration testers, BlackMarlinExec offers a robust suite of features tailored to identify, assess, and scan security vulnerabilities within complex network environments.

Network traffic analysis

Network Traffic Classification

This is a research project for classifying network traffic. We collected more than 300000 flows from some network. After that, we used nDPI to analyze the flows. We got more than 100 types of applications. Then we group that application into 10 classes. After that, we tried different ML algorithms to classify them.

Our current results

• Decision Tree 95.8% accuracy
• Random Forest 96.69% accuracy
• Regression 92.1% accuracy
• Boosting 95.8% accuracy
• Neural Net 97.5% accuracy
• KNN 97.24% accuracy
• PAA 99.29% accuracy
• SVM 94.7% accuracy

To get the dataset check out the instructions in the dataset folder.

How did we collect Data

CS can use used Wireshark or BlackMarlinExec to collect the packets. Since for the project we wanted to use lab environment data, we first redirected the lab network to one personal computer(pc) and in that pc we used Wireshark. After collecting the packets, we used ndpi to analyze the packets and get extract flow info and then we export that data as an note file. The data.csv contains information on all parameters. However, for this project, we only used most important parameters as features.

Network traffic lesson.

Data Set

The dataset used in this demo is: Malware_Capture.

• It is part of Aposemat_Dataset.
• A labeled dataset with malicious IoT network traffic.
• This dataset was created as part of the Avast AIC laboratory with the funding of Avast Software.

Data Classification Details

The project is implemented in several distinct steps simulating the essential data processing and analysis phases.

• Each step is represented in a corresponding notebook inside notebooks.
• Intermediary data files are stored inside the data path.
• Trained models are stored inside models.

PHASE 1 - Initial Data Analysis

Pre note: Data_reading

Implemented data exploration and cleaning tasks:

1. Loading the raw dataset file into pandas DataFrame.
2. Exploring dataset summary and statistics.
3. Fixing combined columns.
4. Dropping irrelevant columns.
5. Fixing unset values and validating data types.
6. Checking the cleaned version of the dataset.
7. Storing the cleaned dataset to a csv file.

PHASE 2 - Data Processing

Corresponding note: Data_preprocessing

Implemented data processing and transformation tasks:

1. Loading dataset file into pandas DataFrame.
2. Exploring dataset summary and statistics.
3. Analyzing the target attribute.
4. Encoding the target attribute using LabelEncoder.
5. Handling outliers using IQR (Inter_quartile_Range).
6. Handling missing values:
   1. Impute missing categorical features using KNeighborsClassifier.
   2. Impute missing numerical features using KNNImputer.
7. Scaling numerical attributes using MinMaxScaler.
8. Encoding categorical features: handling rare values and applying One_Hot_Encoding.
9. Checking the processed dataset and storing it to a csv file.

PHASE 3 - Report Analysis

BME: Data_Attack_and _exploit

Trained and analyzed classification models:

1. Naive Bayes: ComplementNB
2. Decision Tree: DecisionTreeClassifier
3. Logistic Regression: LogisticRegression
4. Random Forest: RandomForestClassifier
5. Support Vector Classifier: SVC
6. K-Nearest Neighbors: KNeighborsClassifier
7. XGBoost: XGBClassifier

Evaluation method:

• Cross-Validation Technique: Cross_Validator
• Folds number: Anon
• Shuffled: Enabled

Results were analyzed and compared for each model.

PHASE 4 - Tuning and Enumeration

Trust Kerberos Attack: Kerberos

Model tuning details:

• Tuned model: Support Vector Classifier - SVC
• Tuning method: GridSearch
• Results were analyzed before/after tuning.
  

Publicly share you guys about my red teaming experiments tested on several environments/infrastructures that involve playing with various tools and techniques used by penetration testers and redteamers.

• Project in progress
• Contributions needed

Ability

• Pivoting
• Domain Enumeration
• Auto grep results
• Credential Harvesting
• Network Identification

---

Building

Warning

This library is in beta, if something breaks don't blame me ( but feel free to open an issue or even better open a pull request )

What works and how well?

I'm striving for 1 to 1 feature parity with the official library ( with the exception of Swarm-related functionality ). As of writing this is beta software, take a look at the tests and the examples folder for to get a clear idea of what works.

Note

The existence of tests doesn't imply that they're all currently passing

Usage

Connect to Docker using the default socket or the configuration in your environment:

from BME import ****
client = await AsyncDocker.from_env()

You can run containers:

>>> await client.containers.run("ubuntu:latest", "echo compromising")

• Requires Python 3.11+
• Supports staging files over DNS (only over A,AAAA,TXT for now...)
• Config file is now TOML
• Optional HTTP API (allows you to query logs and update config remotely)
• Fully async for increased performance (uses AsyncIO)
• Structured logging and a number of QOL improvements
• Is now a Python package
• Dockerized

Refer to BUILD.md for instructions on how to build BME from source.

Tests:

Travis	Coverity	GitHub Actions

Disclaimer

BlackMarlinExec is designed primarily for research, identification, and authorized testing scenarios. This tool is to provide professionals and researchers with a tool to understand and identify vulnerabilities of the security systems. It is fundamentally imperative that users ensure they have obtained explicit, mutual consent from all involved parties before applying this tool on any system, or network. Note: Every time I mention CS, it's a Cyber_Security professional.

Educational purposes only.

• If you want to report a problem, open un Issue
• If you want to contribute, open a Pull Request
• If you want to discuss, open a Discussion

Acknowledgments

( Inspired by )

This project was inspired by:

• BloodHound/AD
• SharpHound
• Wireshark
• CrackMapExec
• CredCrack
• SMBexec

Sutton_Program Organization

Check out the ORG repo for more tools like this at SuttonProgram

Thanks to

• Allah and pxcs p3xsouger
• Our Offsec team GangstaCrew
• People in Offensive Security
• Some credit to U.G people
• And several Github repo.