|
| 1 | +______ _ ___ _____ _ _____ ___ ___ ______ _ _____ _ _ _______ __ _____ _____ |
| 2 | +| ___ \ | / _ \/ __ \| | / /| \/ | / _ \ | ___ \ | |_ _| \ | || ___\ \ / /| ___/ __ \ |
| 3 | +| |_/ / | / /_\ \ / \/| |/ / | . . |/ /_\ \| |_/ / | | | | \| || |__ \ V / | |__ | / \/ |
| 4 | +| ___ \ | | _ | | | \ | |\/| || _ || /| | | | | . ` || __| / \ | __|| | |
| 5 | +| |_/ / |____| | | | \__/\| |\ \| | | || | | || |\ \| |_____| |_| |\ || |___/ /^\ \| |___| \__/\ |
| 6 | +\____/\_____/\_| |_/\____/\_| \_/\_| |_/\_| |_/\_| \_\_____/\___/\_| \_/\____/\/ \/\____/ \____/ |
| 7 | +vx-x |
| 8 | + |
| 9 | +Active Directory ( attack path ) finder |
| 10 | + |
| 11 | +A tool used to enumerate, attack, or poisoning target inside an online environment and networks |
| 12 | +Forged by @pxcs and @GangstaCrew |
| 13 | + |
| 14 | +B L A C K M A R L I N E X E C |
| 15 | + |
| 16 | +------------------------------- |
| 17 | + |
| 18 | +(c) 2017 - 2024 by pxcs ( p3xsouger ) / Leader of GangstaCrew |
| 19 | +< [email protected]> https://github.com/pxcs/BlackMarlinExec |
| 20 | + |
| 21 | +Licensed under GPL (see LICENSE file) |
| 22 | + |
| 23 | +Please do not use in military or secret service organizations, |
| 24 | +or for illegal purposes. |
| 25 | +(This is the wish of the author and non-binding. Many people working |
| 26 | +in these organizations do not care for laws and ethics anyways. |
| 27 | +You are not one of the "good" ones if you ignore this.) |
| 28 | + |
| 29 | +NOTE: no this is not meant to be a markdown doc! old school! |
| 30 | + |
| 31 | + |
| 32 | +BlackMarlinExec ( Seven Degrees of Domain Admin ) |
| 33 | +``` |
| 34 | +makefile pull pxcs/BlackMarlinExec |
| 35 | +``` |
| 36 | + |
| 37 | + |
| 38 | +INTRODUCTION |
| 39 | +------------ |
| 40 | +BlackMarlinExec uses graph and analysis theory to reveal the hidden and unintended relationships within an Active Directory or Active Environment. Security can use BlackMarlinExec to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. It also has it's own attack path management that continuously maps and quantifies Active Directory attack paths. CS can see thousand, even millions of attack paths within your existing architecture. |
| 41 | + |
| 42 | +Intro About Barracuda Attack |
| 43 | +------------ |
| 44 | +TCP Killer |
| 45 | +Barracuda is a utility to kill all TCP connections on a network. It works by intercepting network traffic, and forging RST packets of existing connections to cause hangups. Works for both IPv4 connections and IPv6. Barracuda ( TCPkiller ) is a sneaky way to kill network connections. Any targeted system will appear to work when examined through typical diagnostics - DNS will resolve, ICMP's will go through, and the network card will be able to connect ( slow ) to the network-but no TCP connections will be sustained. |
| 46 | + |
| 47 | +LDAP Automatic Injections |
| 48 | +------------ |
| 49 | +Using BME to automate the process of detecting and exploiting LDAP injection vulnerabilities in AD scenario. With BME, CS researcher can quickly identify and exploit LDAP injection flaws, allowing CS to assess the security posture of the applications more effectively. |
| 50 | + |
| 51 | +More Features |
| 52 | +------------ |
| 53 | +Automated detection of LDAP injection vulnerabilities. |
| 54 | +Exploitation of LDAP injection vulnerabilities to extract sensitive information. |
| 55 | +Customizable payloads for fine-tuning injection attacks. |
| 56 | + |
| 57 | +Network Traffic Analysis |
| 58 | +------------ |
| 59 | +This is a research project for classifying network traffic. We collected more than 300000 flows from some network. After that, we used nDPI to analyze the flows. We got more than 100 types of applications. Then we group that application into 10 classes. After that, we tried different ML algorithms to classify them. |
| 60 | +Our current results |
| 61 | + |
| 62 | +Decision Tree 95.8% accuracy |
| 63 | +Random Forest 96.69% accuracy |
| 64 | +Regression 92.1% accuracy |
| 65 | +Boosting 95.8% accuracy |
| 66 | +Neural Net 97.5% accuracy |
| 67 | +KNN 97.24% accuracy |
| 68 | +PAA 99.29% accuracy |
| 69 | +SVM 94.7% accuracy |
| 70 | + |
| 71 | +To get the dataset check out the instructions in the dataset folder. |
| 72 | + |
| 73 | +( THIS TOOL IS FOR LEGAL PURPOSES ONLY! ) |
| 74 | + |
| 75 | +There are already several active directory tools available, however, none does |
| 76 | +either support more than one protocol to find an attack path or support parallelized |
| 77 | +connections. |
| 78 | + |
| 79 | + |
| 80 | +HOW TO COMPILE |
| 81 | +-------------- |
| 82 | +To configure, compile and install BME, just type: |
| 83 | + |
| 84 | +``` |
| 85 | +./configure |
| 86 | +make |
| 87 | +make install |
| 88 | +``` |
| 89 | + |
| 90 | +If you want the ssh module, you have to setup libssh (not libssh2!) on your |
| 91 | +system, get it from https://www.libssh.org, for ssh v1 support you also need |
| 92 | +to add "-DWITH_SSH1=On" option in the cmake command line. |
| 93 | +IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew! |
| 94 | + |
| 95 | +If you use Ubuntu/Debian, this will install supplementary libraries needed |
| 96 | +for a few optional modules (note that some might not be available on your distribution): |
| 97 | + |
| 98 | + |
| 99 | + |
| 100 | +This enables all optional modules and features with the exception of Oracle, |
| 101 | +SAP R/3, NCP and the apple filing protocol - which you will need to download and |
| 102 | +install from the vendor's web sites. |
| 103 | + |
| 104 | +For all other Linux derivates and BSD based systems, use the system |
| 105 | +software installer and look for similarly named libraries like in the |
| 106 | +command above. In all other cases, you have to download all source libraries |
| 107 | +and compile them manually. |
| 108 | + |
| 109 | + |
| 110 | + |
| 111 | +SUPPORTED PLATFORMS |
| 112 | +------------------- |
| 113 | +- All UNIX platforms (Linux, *BSD, Solaris, etc.) |
| 114 | +- MacOS (basically a BSD clone) |
| 115 | +- Windows with Cygwin (both IPv4 and IPv6) |
| 116 | +- Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq) |
| 117 | + |
| 118 | + |
| 119 | + |
| 120 | +HOW TO USE |
| 121 | +---------- |
| 122 | +If you just enter `bme`, you will see a short summary of the important |
| 123 | +options available. |
| 124 | +Type `./bme -h` to see all available command line options. |
| 125 | + |
| 126 | + |
| 127 | +RESULTS OUTPUT |
| 128 | +-------------- |
| 129 | + |
| 130 | +The results are output to stdio along with the other information. Via the -command |
| 131 | +command line option, the results can also be written to a file. Using -command, |
| 132 | +the format of the output can be specified. Currently, these are supported: |
| 133 | + |
| 134 | +SPEED |
| 135 | +----- |
| 136 | +through the parallelizing feature, this password cracker tool can be very |
| 137 | +fast, however it depends on the protocol. The fastest are generally POP3 |
| 138 | +and FTP. |
| 139 | +Experiment with the task option (-t) to speed things up! The higher - the |
| 140 | +faster ;-) (but too high - and it disables the service) |
| 141 | + |
| 142 | + |
| 143 | +STATISTICS |
| 144 | +---------- |
| 145 | +Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing |
| 146 | +295 entries (294 tries invalid logins, 1 valid). Every test was run three |
| 147 | +times (only for "1 task" just once), and the average noted down. |
| 148 | + |
| 149 | +``` |
| 150 | +P A R A L L E L T A S K S |
| 151 | +SERVICE 1 4 8 16 32 50 64 100 128 |
| 152 | +------- -------------------------------------------------------------------- |
| 153 | +telnet x-x-x |
| 154 | +ftp x-x-x |
| 155 | +pop3 x-x-x |
| 156 | +imap x-x-x |
| 157 | +``` |
| 158 | + |
| 159 | +Thanks to |
| 160 | + |
| 161 | +- Allah and pxcs p3xsouger |
| 162 | +- Our Offsec team GangstaCrew |
| 163 | +- People in Offensive Security |
| 164 | +- Some credit to U.G people |
| 165 | +- And several Github repo. |
| 166 | + |
| 167 | +(*) |
| 168 | +Note: |
| 169 | +BlackMarlinExec uses graph theory to reveal hidden relationships and attack paths in an Active Directory environment. |
| 170 | +This program is free software: you can redistribute it and/or modify it under the terms of the GNU as published by the Free Software Foundation, either version of the License, or (at your option) any later version. |
| 171 | + |
| 172 | +This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. |
| 173 | + |
| 174 | +BUGS & FEATURES |
| 175 | +--------------- |
| 176 | +BlackMarlinExec: |
| 177 | +Email me or GangstaCrew if you find bugs or if you have written a new module. |
| 178 | +[email protected] (and put "antispam" in the subject line) |
| 179 | + |
| 180 | +If you want to report a problem, open un ( Issue ) |
| 181 | +If you want to contribute, open a ( Pull Request ) |
| 182 | +If you want to discuss, open a ( Discussion ) |
0 commit comments