Share
## https://sploitus.com/exploit?id=BC23CDA6-3480-5DEE-8F09-A82AD9A0F8A9
# Active Directory Attack Path Suggestion Engine

![Python Version](https://img.shields.io/badge/python-3.6%2B-blue)
![License](https://img.shields.io/badge/license-Educational%20Use-orange)

An **interactive educational tool** for authorized Active Directory penetration testing that acts as an attack-path suggestion engine. This script intelligently suggests relevant attack paths, tools, and methodologies based on your current access state without performing any actual exploitation.

> โš ๏ธ **WARNING**: This tool is for **authorized security assessments and educational purposes only**. It does NOT perform attacks, send network traffic, or execute exploits. Always obtain proper authorization before conducting security assessments.

## ๐Ÿ“‹ Table of Contents

- [Overview](#overview)
- [Features](#features)
- [Installation](#installation)
- [How It Works](#how-it-works)
- [Usage](#usage)
- [Parameters and Input](#parameters-and-input)
- [Attack Path Categories](#attack-path-categories)
- [Example Scenarios](#example-scenarios)
- [Output Format](#output-format)
- [Knowledge Base](#knowledge-base)
- [Legal Disclaimer](#legal-disclaimer)
- [Contributing](#contributing)

## ๐ŸŽฏ Overview

The Active Directory Attack Path Suggestion Engine is a Python-based interactive tool designed to help security professionals and penetration testers identify potential attack vectors in Active Directory environments. Based on established resources like **InternalAllTheThings** and the **Orange Cyberdefense AD Mindmap v2025.03**, the tool provides:

- **Contextual attack path suggestions** based on your current access level
- **Tool recommendations** with example commands
- **Prerequisites** for each attack technique
- **Reference materials** for further research
- **Phase-based organization** (Reconnaissance, Enumeration, Credential Access, etc.)

## โœจ Features

- **Interactive questionnaire** to gather your current access state
- **Smart filtering** that suggests only applicable attacks based on your situation
- **50+ attack paths** covering modern AD exploitation techniques
- **Color-coded terminal output** for easy reading
- **Organized by attack phase** (Reconnaissance โ†’ Persistence)
- **No exploitation** - purely educational and planning-focused
- **Comprehensive tool references** with exact command syntax
- **Cross-platform support** (Windows, Linux, macOS)

## ๐Ÿ”ง Installation

### Prerequisites

- Python 3.6 or higher
- Terminal with ANSI color support (most modern terminals)

### Setup

1. **Clone or download the script:**
   ```bash
   git clone 
   cd "Active Directory Exploit Suggestor"
   ```

2. **Ensure Python 3 is installed:**
   ```bash
   python3 --version
   ```

3. **Make the script executable (Linux/macOS):**
   ```bash
   chmod +x ad_suggestor.py
   ```

4. **Run the script:**
   ```bash
   python3 ad_suggestor.py
   ```
   or
   ```bash
   ./ad_suggestor.py
   ```

No additional dependencies are required - the script uses only Python standard library modules.

## ๐Ÿ” How It Works

The tool operates through a simple workflow:

1. **Information Gathering**: Interactively asks about your current access state
2. **State Analysis**: Analyzes what you have (IPs, credentials, access level, etc.)
3. **Path Matching**: Filters the knowledge base to match your situation
4. **Suggestion Output**: Displays relevant attack paths organized by phase

The engine uses an access level hierarchy:
- **Unauthenticated** (level 0): External attacker with network access
- **Low-Priv** (level 1): Standard domain user credentials
- **Domain-Joined** (level 2): Compromised workstation or elevated privileges

## ๐Ÿš€ Usage

### Basic Usage

Simply run the script and answer the interactive prompts:

```bash
python3 ad_suggestor.py
```

### Interactive Prompts

The tool will ask you a series of questions to understand your current state:

1. **Do you have any target IP addresses?** (y/n)
   - If yes, enter one or more IP addresses
   
2. **Do you have a domain name?** (y/n)
   - Example: `corp.local`, `contoso.com`
   
3. **Do you have any usernames?** (y/n)
   - Enter discovered or compromised usernames
   
4. **Do you have credentials?**
   - **Plaintext password?** (y/n)
   - **NTLM hash?** (y/n)
   - **Kerberos ticket?** (y/n)
   
5. **What is your current access level?**
   - Unauthenticated
   - Low-priv (standard user)
   - Domain-joined (machine/admin)

## ๐Ÿ“Š Parameters and Input

### State Parameters

The tool tracks the following information about your current access:

| Parameter | Type | Description | Example |
|-----------|------|-------------|---------|
| **IPs** | List[str] | Target IP addresses or DC IPs | `192.168.1.10`, `10.0.0.5` |
| **Domain** | str | Target domain name | `corp.local`, `contoso.com` |
| **Usernames** | List[str] | Discovered or compromised usernames | `jdoe`, `administrator` |
| **Has Password** | bool | Do you have plaintext password(s)? | `True` / `False` |
| **Has NTLM Hash** | bool | Do you have NTLM hash(es)? | `True` / `False` |
| **Has Kerberos Ticket** | bool | Do you have Kerberos ticket(s)? | `True` / `False` |
| **Access Level** | str | Current privilege level | `unauthenticated`, `low-priv`, `domain-joined` |

### Input Validation

- **IPs**: No specific format validation (accepts any string)
- **Domain**: Required when answering "yes" to having a domain
- **Usernames**: Required when answering "yes" to having usernames
- **Access Level**: Automatically determined based on credentials, or manually selected

## ๐ŸŽฏ Attack Path Categories

The tool organizes attacks into the following phases:

### 1. Reconnaissance
- Network Discovery and Port Scanning
- DNS Enumeration

### 2. Enumeration
- SMB NULL Session Enumeration
- LDAP Anonymous Bind Enumeration
- Authenticated LDAP Enumeration with BloodHound
- PowerView Enumeration
- SMB Share Enumeration

### 3. Credential Access
- LLMNR/NBT-NS/mDNS Poisoning (Responder)
- AS-REP Roasting
- Password Spraying
- Kerberoasting
- DCSync Attack
- LSASS Memory Dumping
- SAM/SYSTEM/SECURITY Hive Dumping
- LAPS Password Retrieval
- gMSA Password Retrieval
- PetitPotam
- Time Roasting

### 4. Privilege Escalation
- Unconstrained Delegation Abuse
- Constrained Delegation Abuse
- Resource-Based Constrained Delegation (RBCD)
- ACL Abuse - GenericAll/WriteDACL
- ADCS ESC1 - Misconfigured Certificate Template
- ADCS ESC8 - NTLM Relay to ADCS HTTP Endpoints
- GPO Abuse
- Shadow Credentials
- Machine Account Quota (MAQ) Abuse
- ZeroLogon (CVE-2020-1472)
- PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
- SCCM/MECM Exploitation

### 5. Lateral Movement
- Pass the Hash (PtH)
- Overpass-the-Hash (Pass-the-Key)
- Pass the Ticket (PtT)
- NTLM Relay to SMB
- Trust Relationship Exploitation

### 6. Persistence
- Golden Ticket
- Silver Ticket

## ๐Ÿ“– Example Scenarios

### Scenario 1: External Penetration Test (Unauthenticated)

**Your Input:**
- Target IPs: `192.168.1.10`
- Domain: `corp.local`
- Usernames: None
- Credentials: None
- Access Level: `unauthenticated`

**Suggested Attacks:**
- Network Discovery and Port Scanning
- DNS Enumeration
- SMB NULL Session Enumeration
- LDAP Anonymous Bind Enumeration
- LLMNR/NBT-NS Poisoning
- AS-REP Roasting
- Password Spraying
- NTLM Relay attacks

### Scenario 2: Low-Privileged User Access

**Your Input:**
- Target IPs: `192.168.1.10`
- Domain: `corp.local`
- Usernames: `jdoe`
- Credentials: Password (yes)
- Access Level: `low-priv`

**Suggested Attacks:**
- BloodHound Collection
- PowerView Enumeration
- Kerberoasting
- SMB Share Enumeration
- ADCS ESC1/ESC8 attacks
- LAPS Password Retrieval (if permissions)
- Machine Account Quota abuse

### Scenario 3: Compromised Admin Workstation

**Your Input:**
- Target IPs: `192.168.1.10`
- Domain: `corp.local`
- Usernames: `admin`
- Credentials: NTLM Hash (yes)
- Access Level: `domain-joined`

**Suggested Attacks:**
- Unconstrained/Constrained Delegation
- RBCD attacks
- DCSync Attack
- LSASS Memory Dumping
- GPO Abuse
- Shadow Credentials
- Golden/Silver Ticket creation

## ๐Ÿ“ค Output Format

Each suggested attack path includes:

### Attack Header
```
================================================================================
Attack: Kerberoasting
Phase: Credential Access
Access Required: low-priv
================================================================================
```

### Description
A clear explanation of what the attack does and when to use it.

### Prerequisites
- List of requirements needed before attempting the attack
- Example: "Valid domain credentials"

### Tools
- Recommended tools for executing the attack
- Example: "Impacket GetUserSPNs.py", "Rubeus (Windows)"

### Example Commands
```bash
$ impacket-GetUserSPNs DOMAIN/USERNAME:PASSWORD -dc-ip DC_IP -request
$ impacket-GetUserSPNs DOMAIN/USERNAME:PASSWORD -dc-ip DC_IP -request -outputfile hashes.txt
```

### References
- Links to InternalAllTheThings
- References to Orange Cyberdefense AD Mindmap
- Relevant CVE numbers for exploits

## ๐Ÿ“š Knowledge Base

This tool is based on:

1. **InternalAllTheThings** by SwisskyRepo
   - Comprehensive pentesting repository
   - URL: https://swisskyrepo.github.io/InternalAllTheThings/

2. **Orange Cyberdefense AD Mindmap v2025.03**
   - Visual representation of AD attack paths
   - Updated techniques and methodologies

3. **MITRE ATT&CK Framework**
   - Industry-standard adversary tactics and techniques
   - Active Directory specific techniques

## โš–๏ธ Legal Disclaimer

**IMPORTANT**: This tool is provided for **educational purposes** and **authorized security assessments only**.

### Acceptable Use:
โœ… Authorized penetration testing with written permission  
โœ… Educational learning in lab environments  
โœ… Security research in controlled environments  
โœ… Red team exercises with proper authorization  

### Prohibited Use:
โŒ Unauthorized access to computer systems  
โŒ Malicious hacking or cybercrime  
โŒ Testing without explicit written permission  
โŒ Any illegal activities  

**The authors and contributors are not responsible for misuse of this tool. Users must ensure they have proper authorization before conducting any security assessments.**

### Legal Considerations:
- Always obtain **written authorization** before testing
- Ensure you are within **scope** of your engagement
- Follow **responsible disclosure** practices
- Comply with **local laws and regulations**
- Maintain **professional ethics**

## ๐Ÿค Contributing

Contributions are welcome! To contribute:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/new-attack-path`)
3. Add your attack path following the existing format
4. Test the changes
5. Submit a pull request

### Adding New Attack Paths

To add a new attack path, modify the `_initialize_attack_paths()` method in `ad_suggestor.py`:

```python
paths.append(AttackPath(
    name="Your Attack Name",
    phase="Attack Phase",
    description="Clear description of the attack",
    tools=["Tool1", "Tool2"],
    commands=[
        "example-command --option value",
        "another-command"
    ],
    prerequisites=["Requirement 1", "Requirement 2"],
    references=[
        "Reference source",
        "Documentation link"
    ],
    access_required="unauthenticated|low-priv|domain-joined"
))
```

## ๐Ÿ“ To-Do / Future Enhancements

- [ ] Export results to HTML/PDF report
- [ ] Save and load session states
- [ ] Integration with BloodHound for automatic path analysis
- [ ] Command-line arguments for non-interactive mode
- [ ] Custom attack path definitions via config files
- [ ] Difficulty ratings for each attack
- [ ] Success probability estimation
- [ ] Detection risk ratings

## ๐Ÿ“ž Support

For questions, issues, or suggestions:
- Open an issue in the repository
- Contribute improvements via pull requests
- Share feedback and use cases

---

**Version**: 1.0  
**Last Updated**: 2026-01-29  
**Python Requirement**: 3.6+  
**License**: Educational Use Only

---

**Remember**: With great power comes great responsibility. Use this tool ethically and legally! ๐Ÿ›ก๏ธ