BlackMarlinExec | Strikes | Enumeration tool | NTA tool | BME | Admin Domain Controller
About Active Directory BlackMarlinExec, find the right attack path for pentesting and security researchs, it's ability to use graph theory to reveal
the hidden and often unintended relationships within an online environments.
BlackMarlinExec uses graph and analysis theory to reveal the hidden and unintended relationships within an Active Directory or Active Environment. CS can use BlackMarlinExec to easily identify highly complex attack paths that would otherwise be impossible to quickly
identify. It also has it's own attack path management that continuously maps and quantifies Active Directory attack paths. CS can see thousand, even millions
of attack paths within your existing architecture.
BlackMarlinExec Kerberos Attack Performance
BlackMarlinExec incorporates a specialized Kerberos attack module, empowering CS to effectively test and exploit weaknesses within the Kerberos authentication protocol. This module is designed to enhance the enumeration and analysis
capabilities by focusing on potential vulnerabilities in Kerberos implementations.
- AS-REP Roasting by automates the extraction of AS-REP responses for accounts that do not require pre-authentication.
- And kerberoasting to identifies and extracts service tickets (TGS) for services that leverage Kerberos.
By integrating advanced Kerberos attack techniques with BME powerful enumeration and network traffic analysis capabilities, CS would gain a holistic view of the network's security posture.
Small Demonstration for Roasting
During an enumeration attack, CS verify records stored in a storage
using brute-force methods. These CS occur on storage
that interact with web server databases after a user submits a form. The two most commonly targeted web app pages in enumeration attacks are login pages and password
reset pages.
Intro About Barracuda Attack
Barracuda is a utility to kill all TCP connections on a network. It works by intercepting network traffic, and forging RST packets of existing connections to cause hangups. Works for both IPv4 connections and IPv6. Barracuda ( TCPkiller ) is a sneaky way to kill network connections. Any targeted system will appear to work when examined through typical diagnostics - DNS will resolve, ICMP's will go through, and the network card will be able to connect ( slow ) to the network-but no TCP connections will be sustained.
- Shows a list of processes, and tcp ports they are listening to
- The list can by filtered by port number
- You can select a process, and terminate it
- Resolve the application name of every processes ( if
jps
is available ) - For IANA registered ports you can hover over the port number, and it will show additional information
- On windows, will show the names of services running as children of
ABAMB.exe
Shuts down a TCP connection on Linux, macOS, and Windows. Local and remote endpoint arguments can be copied from the output of netstat_lanW.
The functionality offered by TCP_killer is intended to mimic TCPView's "Close Connection" functionality and TCPdrop's functionality on Linux and macOS.
BME_barracuda.py [-pS] <local endpoint> <remote endpoint>
[x] Initialized DNS Poisoning on eth0 in quiet mode. Press Ctrl-C to exit.
...
BME_barracuda.py -i eth0
[*] Initialized TCPkiller on eth0 in quiet mode, targeting all. Press Ctrl-C to exit.
...
-a, --allow
find source or destination-t, --target
allow all other connections-ts, --target-source
but only if it's the source-td, --target-destination
actively target this ip address-o, --allow-port
checking any connections involving-p, --target-port
actively target any connections-pS, --target-source-port
finding port sources-pd, --target-destination-port
finding port destination-r, --randomize [half,all]
target SOME of the matching-i, --interface
specify interface-s, --silent
silences all terminal-v, --verbose
verbose output-h, --help
prints usage-i, --tcp && eth0
net
-pS ( Show poisoning output )
<local endpoint> Connection's local IP address and port
<remote endpoint> Connection's remote IP address and port
BME_barracuda.py 10.31.33.7:50246 93.184.216.34:443
BME_barracuda.py 2001:db8:85a3::8a2e:370:7334.93 2606:2800:220:1:248:1893:25c8:1946.80
BME_barracuda.py -verbose [2001:4860:4860::8888]:46820 [2607:f8b0:4005:807::200e]:80
kali@kali:~$ # Create a server to listen on TCP port 12345
kali@kali:~$ nc -d -l -p 4444 &
[1] 135578
kali@kali:~$ # Connect to the local server on TCP port 12345
kali@kali:~$ nc -v -d localhost 4444 &
[2] 135579
Connection to localhost 4444 port [tcp/*] succeeded!
kali@kali:~$ # Find the connection endpoints
kali@kali:~$ netstat -lanW | grep 12345.*ESTABLISHED
tcp 0 0 127.0.0.1:33994 127.0.0.1:12345 ESTABLISHED
tcp 0 0 127.0.0.1:12345 127.0.0.1:33994 ESTABLISHED
kali@kali:~$ # Kill the connection by copying and pasting the output of netstat
kali@kali:~$ python BME_barracuda.py 127.0.0.1:33994 127.0.0.1:4444
TCP connection was successfully shutdown.
[1]- Done nc -d -l -p 4444
[2]+ Done nc -v -d localhost 4444
LDAP & Kerberos Protocol Potential Attacks
Using BlackMarlinExec to get benefits of integration. Firstly find a significant risk. A CS would try to "steal" user credentials through malware or AD Attacks using BME, enabling them to obtain
a Ticket Granting Ticket (TGT) and access network services. Man-in-the-Middle (MITM) attacks pose another threat, where an attacker intercepts communication using BME to get access between the user and the Key Distribution Center (KDC) or between services and the LDAP directory, potentially stealing
or modifying
data.
Important
CS might steal user credentials through phishing, allowing them to get a Ticket Granting Ticket (TGT) and access network services. Another risk is ticket forgery, where an attacker creates fake tickets to impersonate users.
Warning
Security can intercept communications between users and the Key Distribution Center (KDC) or between services and the LDAP directory to steal or alter data. LDAP injection is another potential attack, where CS manipulate directory queries to access or change data illegally.
Biggest lose was the assumption of secure time system, and resolution of synchronization required.
Users authenticate once with Kerberos and can access
multiple services without re-entering credentials, thanks to the TGT. Haha this is the time when the CS could use this privileges for testing.
LDAP Automatic Injections
Using BME to automate the process of detecting and exploiting LDAP injection vulnerabilities in AD scenario. With BME, CS researcher can quickly identify and exploit LDAP injection flaws, allowing CS to assess the security posture of the applications more effectively.
- Automated detection of LDAP injection vulnerabilities.
- Exploitation of LDAP injection vulnerabilities to extract sensitive information.
- Customizable payloads for fine-tuning injection attacks.
Replace `<target_url>` with the URL of the web application you want to scan.
For any questions or inquiries, feel free to contact the developers
@pxcs
-
Information Gathering:
Find-DomainTarget (-p-) (-sV-) (-Pn-) (-Al-) (-more-)
-
Get Domain Controllers:
Get-DomainController Get-DomainController -Domain <DomainName>
-
Enumerate Domain Users:
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
-
Enumerate Shares:
Find-DomainShare Find-DomainShare -CheckShareAccess Find-InterestingDomainShareFile -Include *passwords*
-
Enum Group Policies:
Get-DomainGPO -Properties DisplayName | Sort-Object -Property DisplayName #Enumerate specific computer Get-DomainGPO -ComputerIdentity <ComputerName> -Properties DisplayName | Sort-Object -Property DisplayName #Get users that are local Admin group Get-DomainGPOComputerLocalGroupMapping -ComputerName <ComputerName>
-
Results Filtering:
#grep #invert #etc 0.0.0.0 | grep '' #grep with attackers .txt 0.0.0.0 | grep 5 (-c-)(-Pn-) 'List.txt'
usage: BME [-h] [--command COMMAND] [--output OUTPUT] [--interface INTERFACE] [--port PORT]
options:
-h, --help show this help message and exit
--command COMMAND, -c COMMAND
command to run on the target (default: calc)
--output OUTPUT, -o OUTPUT
output maldoc file (default: BME)
--interface INTERFACE, -i INTERFACE
network interface or IP address to host the HTTP server (default: eth0)
--port PORT, -p PORT port to serve the HTTP server (default: 8000)
Now, that you know how to start DNSChef let's configure it to fake all replies to point to 127.0.0.1 using the --fakeip parameter:
# ./BME --fakeip 127.0.0.1 -q
[*] BME started on interface: 127.0.0.1
[*] Using the following nameservers: x-x-x-x
[*] Cooking all A replies to point to 127.0.0.1
[23:55:57] 127.0.0.1: cooking the response of type 'A' for x-x-x-x.com to 127.0.0.1
[23:55:57] 127.0.0.1: proxying the response of type 'AAAA' for x-x-x-x.com
[23:55:57] 127.0.0.1: proxying the response of type 'MX' for x-x-x-x.com
In the above output you an see that BME was configured to proxy all requests to 127.0.0.1. The first line of log at 08:11:23 shows that we have "cooked" the "A" record response to point to 127.0.0.1. However, further requests for 'AAAA' and 'MX' records are simply proxied from a real DNS server. Let's see the output from requesting program:
$ host google.com localhost
x-x-x-x.com has address 127.0.0.1
x-x-x-x.com has IPv6 address 2001:4860:4001:803::1001
x-x-x-x.com mail is handled by 10 aspmx.l.x-x-x-x.com.
x-x-x-x.com mail is handled by 40 alt3.aspmx.l.x-x-x-x.com.
x-x-x-x.com mail is handled by 30 alt2.aspmx.l.x-x-x-x.com.
As you can see the program was tricked to use 127.0.0.1 for the IPv4 address. However, the information obtained from IPv6 (AAAA) and mail (MX) records appears completely legitimate. The goal of DNSChef is to have the least impact on the correct operation of the program, so if an application relies on a specific mailserver it will correctly obtain one through this proxied request.
Let's fake one more request to illustrate how to target multiple records at the same time:
# ./BME --fakeip 127.0.0.1 --fakeipv6 ::1 -q
[*] BME started on interface: 127.0.0.1
[*] Using the following nameservers: x-x-x-x
[*] Cooking all A replies to point to 127.0.0.1
[*] Cooking all AAAA replies to point to ::1
[00:02:14] 127.0.0.1: cooking the response of type 'A' for x-x-x-x.com to 127.0.0.1
[00:02:14] 127.0.0.1: cooking the response of type 'AAAA' for x-x-x-x.com to ::1
[00:02:14] 127.0.0.1: proxying the response of type 'MX' for x-x-x-x.com
In addition to the --fakeip flag, I have now specified --fakeipv6 designed to fake 'AAAA' record queries. Here is an updated program output:
$ host x-x-x-x.com localhost
x-x-x-x.com has address 127.0.0.1
x-x-x-x.com has IPv6 address ::1
x-x-x-x.com mail is handled by 10 aspmx.l.x-x-x-x.com.
x-x-x-x.com mail is handled by 40 alt3.aspmx.l.x-x-x-x.com.
x-x-x-x.com mail is handled by 30 alt2.aspmx.l.x-x-x-x.com.
Once more all of the records not explicitly overriden by the application were proxied and returned from the real DNS server. However, IPv4 (A) and IPv6 (AAAA) were both faked to point to a local machine.
DNSChef supports multiple record types:
Record | Description | Argument | Example |
---|---|---|---|
A | IPv4 address | --fakeip | --fakeip 127.0.0.1 |
AAAA | IPv6 address | --fakeipv6 | --fakeipv6 2001:db8::1 |
MX | Mail server | --fakemail | --fakemail mail.x-x-x-x.com |
CNAME | CNAME record | --fakealias | --fakealias www.x-x-x-x.com |
NS | Name server | --fakens | --fakens ns.x-x-x-x.com |
Pop results BME.exe
:
$ BME.exe
[+] copied staging doc ./
[+] finalizing payload doc ./
[x] created maldoc ./
[x] serving payload on :8000 (Example)
- Output
- Compromising Kerberos
- Kerberos
Compromised!
BlackMarlinExec | Submarine project-75:
BlackMarlinExec is a cutting edge CS tool. Designed for comprehensive network traffic analysis and sophisticated enumeration, akin to the functionalities provided by harpoonhound. Developed for CS and penetration testers, BlackMarlinExec offers a robust suite of features tailored to identify, assess, and scan security vulnerabilities within complex network environments.
This is a research project for classifying network traffic. We collected more than 300000 flows from some network. After that, we used nDPI to analyze the flows. We got more than 100 types of applications. Then we group that application into 10 classes. After that, we tried different ML algorithms to classify them.
- Decision Tree
95.8%
accuracy - Random Forest
96.69%
accuracy - Regression
92.1%
accuracy - Boosting
95.8%
accuracy - Neural Net
97.5%
accuracy - KNN
97.24%
accuracy - PAA
99.29%
accuracy - SVM
94.7%
accuracy
To get the dataset check out the instructions in the dataset folder.
CS can use used Wireshark or BlackMarlinExec to collect the packets. Since for the project we wanted to use lab environment data, we first redirected the lab network to one personal computer(pc) and in that pc we used Wireshark. After collecting the packets, we used ndpi to analyze the packets and get extract flow info and then we export that data as an note file. The data.csv
contains information on all parameters. However, for this project, we only used most important parameters as features.
The dataset used in this demo is: Malware_Capture.
- It is part of Aposemat_Dataset.
- A labeled dataset with malicious IoT network traffic.
- This dataset was created as part of the Avast AIC laboratory with the funding of Avast Software.
The project is implemented in several distinct steps simulating the essential data processing and analysis phases.
- Each step is represented in a corresponding notebook inside notebooks.
- Intermediary data files are stored inside the data path.
- Trained models are stored inside models.
Pre note: Data_reading
Implemented data exploration and cleaning tasks:
- Loading the raw dataset file into pandas DataFrame.
- Exploring dataset summary and statistics.
- Fixing combined columns.
- Dropping irrelevant columns.
- Fixing unset values and validating data types.
- Checking the cleaned version of the dataset.
- Storing the cleaned dataset to a csv file.
Corresponding note: Data_preprocessing
Implemented data processing and transformation tasks:
- Loading dataset file into pandas DataFrame.
- Exploring dataset summary and statistics.
- Analyzing the target attribute.
- Encoding the target attribute using LabelEncoder.
- Handling outliers using IQR (Inter_quartile_Range).
- Handling missing values:
- Impute missing categorical features using KNeighborsClassifier.
- Impute missing numerical features using KNNImputer.
- Scaling numerical attributes using MinMaxScaler.
- Encoding categorical features: handling rare values and applying One_Hot_Encoding.
- Checking the processed dataset and storing it to a csv file.
Trained and analyzed classification models:
- Naive Bayes: ComplementNB
- Decision Tree: DecisionTreeClassifier
- Logistic Regression: LogisticRegression
- Random Forest: RandomForestClassifier
- Support Vector Classifier: SVC
- K-Nearest Neighbors: KNeighborsClassifier
- XGBoost: XGBClassifier
Evaluation method:
- Cross-Validation Technique: Cross_Validator
- Folds number: Anon
- Shuffled: Enabled
Results were analyzed and compared for each model.
Trust Kerberos Attack: Kerberos
Model tuning details:
- Tuned model: Support Vector Classifier - SVC
- Tuning method: GridSearch
- Results were analyzed before/after tuning.
Publicly share you guys about my red teaming experiments tested on several environments/infrastructures that involve playing with various tools and techniques used by penetration testers and redteamers.
- Project in progress
- Contributions needed
Ability
- Pivoting
- Domain Enumeration
- Auto
grep
results - Credential Harvesting
- Network Identification
Warning
This library is in beta, if something breaks don't blame me ( but feel free to open an issue or even better open a pull request )
I'm striving for 1 to 1 feature parity with the official library ( with the exception of Swarm-related functionality ). As of writing this is beta software, take a look at the tests and the examples folder for to get a clear idea of what works.
Note
The existence of tests doesn't imply that they're all currently passing
Connect to Docker using the default socket or the configuration in your environment:
from BME import ****
client = await AsyncDocker.from_env()
You can run containers:
>>> await client.containers.run("ubuntu:latest", "echo compromising")
- Requires Python 3.11+
- Supports staging files over DNS (only over
A
,AAAA
,TXT
for now...) - Config file is now TOML
- Optional HTTP API (allows you to query logs and update config remotely)
- Fully async for increased performance (uses AsyncIO)
- Structured logging and a number of QOL improvements
- Is now a Python package
- Dockerized
Refer to BUILD.md for instructions on how to build BME from source.
Tests:
Travis | Coverity | GitHub Actions |
---|---|---|
BlackMarlinExec is designed primarily for research, identification, and authorized testing scenarios. This tool is to provide professionals and researchers with a tool to understand and identify vulnerabilities of the security systems. It is fundamentally imperative that users ensure they have obtained explicit, mutual consent from all involved parties before applying this tool on any system, or network. Note: Every time I mention CS, it's a Cyber_Security professional.
- If you want to report a problem, open un Issue
- If you want to contribute, open a Pull Request
- If you want to discuss, open a Discussion
( Inspired by )
This project was inspired by:
Check out the ORG repo for more tools like this at SuttonProgram
- Allah and pxcs p3xsouger
- Our Offsec team GangstaCrew
- People in Offensive Security
- Some credit to U.G people
- And several Github repo.