## https://sploitus.com/exploit?id=BC23CDA6-3480-5DEE-8F09-A82AD9A0F8A9
# Active Directory Attack Path Suggestion Engine


An **interactive educational tool** for authorized Active Directory penetration testing that acts as an attack-path suggestion engine. This script intelligently suggests relevant attack paths, tools, and methodologies based on your current access state without performing any actual exploitation.
> โ ๏ธ **WARNING**: This tool is for **authorized security assessments and educational purposes only**. It does NOT perform attacks, send network traffic, or execute exploits. Always obtain proper authorization before conducting security assessments.
## ๐ Table of Contents
- [Overview](#overview)
- [Features](#features)
- [Installation](#installation)
- [How It Works](#how-it-works)
- [Usage](#usage)
- [Parameters and Input](#parameters-and-input)
- [Attack Path Categories](#attack-path-categories)
- [Example Scenarios](#example-scenarios)
- [Output Format](#output-format)
- [Knowledge Base](#knowledge-base)
- [Legal Disclaimer](#legal-disclaimer)
- [Contributing](#contributing)
## ๐ฏ Overview
The Active Directory Attack Path Suggestion Engine is a Python-based interactive tool designed to help security professionals and penetration testers identify potential attack vectors in Active Directory environments. Based on established resources like **InternalAllTheThings** and the **Orange Cyberdefense AD Mindmap v2025.03**, the tool provides:
- **Contextual attack path suggestions** based on your current access level
- **Tool recommendations** with example commands
- **Prerequisites** for each attack technique
- **Reference materials** for further research
- **Phase-based organization** (Reconnaissance, Enumeration, Credential Access, etc.)
## โจ Features
- **Interactive questionnaire** to gather your current access state
- **Smart filtering** that suggests only applicable attacks based on your situation
- **50+ attack paths** covering modern AD exploitation techniques
- **Color-coded terminal output** for easy reading
- **Organized by attack phase** (Reconnaissance โ Persistence)
- **No exploitation** - purely educational and planning-focused
- **Comprehensive tool references** with exact command syntax
- **Cross-platform support** (Windows, Linux, macOS)
## ๐ง Installation
### Prerequisites
- Python 3.6 or higher
- Terminal with ANSI color support (most modern terminals)
### Setup
1. **Clone or download the script:**
```bash
git clone
cd "Active Directory Exploit Suggestor"
```
2. **Ensure Python 3 is installed:**
```bash
python3 --version
```
3. **Make the script executable (Linux/macOS):**
```bash
chmod +x ad_suggestor.py
```
4. **Run the script:**
```bash
python3 ad_suggestor.py
```
or
```bash
./ad_suggestor.py
```
No additional dependencies are required - the script uses only Python standard library modules.
## ๐ How It Works
The tool operates through a simple workflow:
1. **Information Gathering**: Interactively asks about your current access state
2. **State Analysis**: Analyzes what you have (IPs, credentials, access level, etc.)
3. **Path Matching**: Filters the knowledge base to match your situation
4. **Suggestion Output**: Displays relevant attack paths organized by phase
The engine uses an access level hierarchy:
- **Unauthenticated** (level 0): External attacker with network access
- **Low-Priv** (level 1): Standard domain user credentials
- **Domain-Joined** (level 2): Compromised workstation or elevated privileges
## ๐ Usage
### Basic Usage
Simply run the script and answer the interactive prompts:
```bash
python3 ad_suggestor.py
```
### Interactive Prompts
The tool will ask you a series of questions to understand your current state:
1. **Do you have any target IP addresses?** (y/n)
- If yes, enter one or more IP addresses
2. **Do you have a domain name?** (y/n)
- Example: `corp.local`, `contoso.com`
3. **Do you have any usernames?** (y/n)
- Enter discovered or compromised usernames
4. **Do you have credentials?**
- **Plaintext password?** (y/n)
- **NTLM hash?** (y/n)
- **Kerberos ticket?** (y/n)
5. **What is your current access level?**
- Unauthenticated
- Low-priv (standard user)
- Domain-joined (machine/admin)
## ๐ Parameters and Input
### State Parameters
The tool tracks the following information about your current access:
| Parameter | Type | Description | Example |
|-----------|------|-------------|---------|
| **IPs** | List[str] | Target IP addresses or DC IPs | `192.168.1.10`, `10.0.0.5` |
| **Domain** | str | Target domain name | `corp.local`, `contoso.com` |
| **Usernames** | List[str] | Discovered or compromised usernames | `jdoe`, `administrator` |
| **Has Password** | bool | Do you have plaintext password(s)? | `True` / `False` |
| **Has NTLM Hash** | bool | Do you have NTLM hash(es)? | `True` / `False` |
| **Has Kerberos Ticket** | bool | Do you have Kerberos ticket(s)? | `True` / `False` |
| **Access Level** | str | Current privilege level | `unauthenticated`, `low-priv`, `domain-joined` |
### Input Validation
- **IPs**: No specific format validation (accepts any string)
- **Domain**: Required when answering "yes" to having a domain
- **Usernames**: Required when answering "yes" to having usernames
- **Access Level**: Automatically determined based on credentials, or manually selected
## ๐ฏ Attack Path Categories
The tool organizes attacks into the following phases:
### 1. Reconnaissance
- Network Discovery and Port Scanning
- DNS Enumeration
### 2. Enumeration
- SMB NULL Session Enumeration
- LDAP Anonymous Bind Enumeration
- Authenticated LDAP Enumeration with BloodHound
- PowerView Enumeration
- SMB Share Enumeration
### 3. Credential Access
- LLMNR/NBT-NS/mDNS Poisoning (Responder)
- AS-REP Roasting
- Password Spraying
- Kerberoasting
- DCSync Attack
- LSASS Memory Dumping
- SAM/SYSTEM/SECURITY Hive Dumping
- LAPS Password Retrieval
- gMSA Password Retrieval
- PetitPotam
- Time Roasting
### 4. Privilege Escalation
- Unconstrained Delegation Abuse
- Constrained Delegation Abuse
- Resource-Based Constrained Delegation (RBCD)
- ACL Abuse - GenericAll/WriteDACL
- ADCS ESC1 - Misconfigured Certificate Template
- ADCS ESC8 - NTLM Relay to ADCS HTTP Endpoints
- GPO Abuse
- Shadow Credentials
- Machine Account Quota (MAQ) Abuse
- ZeroLogon (CVE-2020-1472)
- PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
- SCCM/MECM Exploitation
### 5. Lateral Movement
- Pass the Hash (PtH)
- Overpass-the-Hash (Pass-the-Key)
- Pass the Ticket (PtT)
- NTLM Relay to SMB
- Trust Relationship Exploitation
### 6. Persistence
- Golden Ticket
- Silver Ticket
## ๐ Example Scenarios
### Scenario 1: External Penetration Test (Unauthenticated)
**Your Input:**
- Target IPs: `192.168.1.10`
- Domain: `corp.local`
- Usernames: None
- Credentials: None
- Access Level: `unauthenticated`
**Suggested Attacks:**
- Network Discovery and Port Scanning
- DNS Enumeration
- SMB NULL Session Enumeration
- LDAP Anonymous Bind Enumeration
- LLMNR/NBT-NS Poisoning
- AS-REP Roasting
- Password Spraying
- NTLM Relay attacks
### Scenario 2: Low-Privileged User Access
**Your Input:**
- Target IPs: `192.168.1.10`
- Domain: `corp.local`
- Usernames: `jdoe`
- Credentials: Password (yes)
- Access Level: `low-priv`
**Suggested Attacks:**
- BloodHound Collection
- PowerView Enumeration
- Kerberoasting
- SMB Share Enumeration
- ADCS ESC1/ESC8 attacks
- LAPS Password Retrieval (if permissions)
- Machine Account Quota abuse
### Scenario 3: Compromised Admin Workstation
**Your Input:**
- Target IPs: `192.168.1.10`
- Domain: `corp.local`
- Usernames: `admin`
- Credentials: NTLM Hash (yes)
- Access Level: `domain-joined`
**Suggested Attacks:**
- Unconstrained/Constrained Delegation
- RBCD attacks
- DCSync Attack
- LSASS Memory Dumping
- GPO Abuse
- Shadow Credentials
- Golden/Silver Ticket creation
## ๐ค Output Format
Each suggested attack path includes:
### Attack Header
```
================================================================================
Attack: Kerberoasting
Phase: Credential Access
Access Required: low-priv
================================================================================
```
### Description
A clear explanation of what the attack does and when to use it.
### Prerequisites
- List of requirements needed before attempting the attack
- Example: "Valid domain credentials"
### Tools
- Recommended tools for executing the attack
- Example: "Impacket GetUserSPNs.py", "Rubeus (Windows)"
### Example Commands
```bash
$ impacket-GetUserSPNs DOMAIN/USERNAME:PASSWORD -dc-ip DC_IP -request
$ impacket-GetUserSPNs DOMAIN/USERNAME:PASSWORD -dc-ip DC_IP -request -outputfile hashes.txt
```
### References
- Links to InternalAllTheThings
- References to Orange Cyberdefense AD Mindmap
- Relevant CVE numbers for exploits
## ๐ Knowledge Base
This tool is based on:
1. **InternalAllTheThings** by SwisskyRepo
- Comprehensive pentesting repository
- URL: https://swisskyrepo.github.io/InternalAllTheThings/
2. **Orange Cyberdefense AD Mindmap v2025.03**
- Visual representation of AD attack paths
- Updated techniques and methodologies
3. **MITRE ATT&CK Framework**
- Industry-standard adversary tactics and techniques
- Active Directory specific techniques
## โ๏ธ Legal Disclaimer
**IMPORTANT**: This tool is provided for **educational purposes** and **authorized security assessments only**.
### Acceptable Use:
โ Authorized penetration testing with written permission
โ Educational learning in lab environments
โ Security research in controlled environments
โ Red team exercises with proper authorization
### Prohibited Use:
โ Unauthorized access to computer systems
โ Malicious hacking or cybercrime
โ Testing without explicit written permission
โ Any illegal activities
**The authors and contributors are not responsible for misuse of this tool. Users must ensure they have proper authorization before conducting any security assessments.**
### Legal Considerations:
- Always obtain **written authorization** before testing
- Ensure you are within **scope** of your engagement
- Follow **responsible disclosure** practices
- Comply with **local laws and regulations**
- Maintain **professional ethics**
## ๐ค Contributing
Contributions are welcome! To contribute:
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/new-attack-path`)
3. Add your attack path following the existing format
4. Test the changes
5. Submit a pull request
### Adding New Attack Paths
To add a new attack path, modify the `_initialize_attack_paths()` method in `ad_suggestor.py`:
```python
paths.append(AttackPath(
name="Your Attack Name",
phase="Attack Phase",
description="Clear description of the attack",
tools=["Tool1", "Tool2"],
commands=[
"example-command --option value",
"another-command"
],
prerequisites=["Requirement 1", "Requirement 2"],
references=[
"Reference source",
"Documentation link"
],
access_required="unauthenticated|low-priv|domain-joined"
))
```
## ๐ To-Do / Future Enhancements
- [ ] Export results to HTML/PDF report
- [ ] Save and load session states
- [ ] Integration with BloodHound for automatic path analysis
- [ ] Command-line arguments for non-interactive mode
- [ ] Custom attack path definitions via config files
- [ ] Difficulty ratings for each attack
- [ ] Success probability estimation
- [ ] Detection risk ratings
## ๐ Support
For questions, issues, or suggestions:
- Open an issue in the repository
- Contribute improvements via pull requests
- Share feedback and use cases
---
**Version**: 1.0
**Last Updated**: 2026-01-29
**Python Requirement**: 3.6+
**License**: Educational Use Only
---
**Remember**: With great power comes great responsibility. Use this tool ethically and legally! ๐ก๏ธ