Skip to content
/ ade Public

ADE: automates Active Directory enumeration for labs (Hack The Box, Hack Smarter, TryHackMe, Proving Grounds) and exam prep (OSCP, CPTS).

20 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

blue-pho3nix/ade

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

104 Commits
README.md
README.md
 
 
ade.py
ade.py
 
 
install.sh
install.sh
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

ADE

ADE is a Python script that automates Active Directory (AD) enumeration in lab environments, helping users on Hack The Box, Hack Smarter, TryHackMe, Proving Grounds, or exams like OSCP and CPTS streamline initial AD recon.

Examples

No Credentials Provided

Credentials Provided

Kerberos

Installation

git clone https://github.com/blue-pho3nix/ade.git
cd ade
sudo apt update && sudo apt install git pipx 
pipx ensurepath
./install.sh

Dependencies

The dependecies for the script are certipy-ad, netexec, bloodhound-ce, bloodyAD, and Impacket

Key Features

Initial Discovery & Host Setup

  • Target Alive Checks: Pings the target with nmap before starting to ensure the IP is correct and the host is online.
  • /etc/hosts Management: Discovers the target's FQDN and domain, then maps them in /etc/hosts for name resolution.
  • Credential Validation: Checks if supplied credentials are valid before launching deeper scans to avoid failed authenticated runs.
  • User & Description Enumeration: Collects sAMAccountName and description attributes via LDAP, and uses SMB-based RID cycling as a fallback to find accounts that LDAP queries might not return

Initial Access & Credential Attacks

  • User Spraying: If run without credentials, it attempts user:user logins for all discovered accounts.
  • AS-REP Roasting: Uses the generated users.txt to find accounts vulnerable to offline password cracking.
  • Kerberoasting: Searches for service accounts and requests their tickets, providing hashes to crack offline.
  • Auto-Kerberos Switching: Detects if Kerberos is required. If NTLM is unsupported, ADE enables Kerberos mode and restarts the workflow.

Post-Authentication Enumeration

  • Kerberos Ticket Management: Gets a Kerberos ticket, saves it as a .ccache file you can reuse, and tells you the command to connect to SMB using that ticket.
  • SMB Share Enumeration: Enumerates SMB shares on the target, attempts access with anonymous/guest or supplied credentials, and reports access permissions (e.g., READ, WRITE).
  • Intelligent Retries: Automatically retries SMB checks when they fail to ensure more reliable results.
  • BloodHound Collection: Executes the BloodHound data collector, automatically retrying on failure, and outputs a ZIP that can be imported into BloodHound.
  • Permission Checks: Scans Active Directory with bloodyAD to find items your credentials can change (like user accounts or groups).
  • ADCS Checks: Probes for Active Directory Certificate Services and then uses Certipy to find misconfigured templates that allow for privilege escalation.

Usage

Tip

Wait at least 5 minutes after starting your lab before running the script to make sure nxc --shares works.
This is because some labs take longer to start up.

Without credentials (anonymous/guest checks):

ade -r <box-ip>

With credentials (authenticated checks):

ade -r <box-ip> -u <user> -p <password>

Thank You

Schlop made the script that installs ADE.

Note

If you have any issues or requests, reach out on Discord (Blue Pho3nix).

TODO

  • Add additional improvements and features as needed

About

ADE: automates Active Directory enumeration for labs (Hack The Box, Hack Smarter, TryHackMe, Proving Grounds) and exam prep (OSCP, CPTS).

Resources

Readme
Activity

Stars

20 stars

Watchers

1 watching

Forks

7 forks
Report repository

Languages