StandIn
StandIn is a small .NET35/45 AD post-exploitation toolkit
StandIn is a small AD post-compromise toolkit. StandIn came about because recently at xforcered we needed a .NET native solution to perform resource-based constrained delegation. However, StandIn quickly ballooned to include a number of comfort features.
I want to continue developing StandIn to teach myself more about Directory Services programming and to hopefully expand a tool which fits into the AD post-exploitation toolchain.
Roadmap
Contributing
Contributions are most welcome. Please ensure pull requests include the following items: description of the functionality, brief technical explanation and sample output.
Do you have something you want to see added to StandIn but don't have a PR? Please open a ticket and describe the functionality as best as possible.
ToDo's
The following items are currently on the radar for implementation in subsequent versions of StandIn.
- Domain share enumeration. This can be split out into two parts, (1) finding and getting a unique list based on user home directories / script paths / profile paths and (2) querying fTDfs / msDFS-Linkv2 objects.
- Finding and parsing GPOs to map users to host local groups.
- GPO -> OU & OU -> GPO.
- The policy function probably needs a rewrite.
- Adding optional JSON/XML output for some functions to help with scripting.
- Code needs a re-factor, better modularized functions and split out into different classes.
Subject References
- An ACE up the sleeve (by @_wald0 & @harmj0y)
- Kerberoasting (by @xpn)
- Roasting AS-REPs (by @harmj0y)
- Kerberos Unconstrained Delegation (by @spotheplanet)
- S4U2Pwnage (by @harmj0y)
- Resource-based Constrained Delegation (by @spotheplanet)
- Rubeus
- Powerview
- Powermad (by @kevin_robertson)
- SharpGPOAbuse (by @den_n1s & @pkb1s)
- adidnsdump (by @_dirkjan)
- Certified Pre-Owned (by @harmj0y & @tifkin_)
Index
- Help
- LDAP Object Operations
- SID
- ASREP
- PASSWD_NOTREQD
- SPN
- Unconstrained / constrained / resource-based constrained delegation
- DC's
- Trust
- GPO Operations
- Policy
- DNS
- Groups Operations
- Machine Object Operations
- Active Directory Certificate Services (ADCS)
- Detection
- Special Thanks
Help
[ASCII-art banner: StandIn v1.4 by ~b33f]
>--~~--> Args? <--~~--<
--help This help menu
--object LDAP filter, e.g. samaccountname=HWest
--ldap LDAP filter, can return result collection
--filter Filter results, varies based on function
--limit Limit results, varies based on function, defaults to 50
--computer Machine name, e.g. Celephais-01
--group samAccountName, e.g. "Necronomicon Admins"
--ntaccount User name, e.g. "REDHOOK\UPickman"
--sid Dependent on context
--grant User name, e.g. "REDHOOK\KMason"
--guid Rights GUID to add to object, e.g. 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
--domain Domain name, e.g. REDHOOK
--user User name
--pass Password
--newpass New password to set for object
--gpo List group policy objects
--acl Show ACL's for returned GPO's
--localadmin Add samAccountName to BUILTIN\Administrators for vulnerable GPO
--setuserrights samAccountName for which to add token rights in a vulnerable GPO
--tasktype Immediate task type (user/computer)
--taskname Immediate task name
--author Immediate task author
--command Immediate task command
--args Immediate task command args
--target Optional, filter for DNS name or NTAccount
--targetsid Optional, provider user SID
--increase Increment either the user or computer GPO version number for the AD object
--policy Reads some account/kerberos properties from the "Default Domain Policy"
--dns Performs ADIDNS enumeration, supports wildcard filters
--legacy Boolean, sets DNS search root to legacy (CN=System)
--forest Boolean, sets DNS search root to forest (DC=ForestDnsZones)
--passnotreq Boolean, list accounts that have PASSWD_NOTREQD set
--type Rights type: GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync
--spn Boolean, list kerberoastable accounts
--setspn samAccountName for which to add/remove an SPN
--principal Principal name to add to samAccountName (e.g. MSSQL/VermisMysteriis)
--delegation Boolean, list accounts with unconstrained / constrained delegation
--asrep Boolean, list ASREP roastable accounts
--dc Boolean, list all domain controllers
--trust Boolean, list all trust relationships
--adcs List all CA's and all published templates
--clientauth Boolean, modify ADCS template to add/remove "Client Authentication"
--ess Boolean, modify ADCS template to add/remove "ENROLLEE_SUPPLIES_SUBJECT"
--pend Boolean, modify ADCS template to add/remove "PEND_ALL_REQUESTS"
--owner Boolean, modify ADCS template owner
--write Boolean, modify ADCS template, add/remove WriteDacl/WriteOwner/WriteProperty permission for NtAccount
--enroll Boolean, modify ADCS template, add/remove "Certificate-Enrollment" permission for NtAccount
--add Boolean, context dependent group/spn/adcs
--remove Boolean, context dependent msDS-AllowedToActOnBehalfOfOtherIdentity/group/adcs
--make Boolean, make machine; ms-DS-MachineAccountQuota applies
--disable Boolean, disable machine; should be the same user that created the machine
--access Boolean, list access permissions for object
--delete Boolean, delete machine from AD; requires elevated AD access
>--~~--> Usage? <--~~--<
# Perform LDAP search
StandIn.exe --ldap "(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
StandIn.exe --ldap servicePrincipalName=* --domain redhook --user RFludd --pass Cl4vi$Alchemi4e --limit 10
StandIn.exe --ldap servicePrincipalName=* --filter "pwdlastset, distinguishedname, lastlogon" --limit 100
# Query object properties by LDAP filter
StandIn.exe --object "(&(samAccountType=805306368)(servicePrincipalName=*vermismysteriis.redhook.local*))"
StandIn.exe --object samaccountname=Celephais-01$ --domain redhook --user RFludd --pass Cl4vi$Alchemi4e
StandIn.exe --object samaccountname=Celephais-01$ --filter "pwdlastset, serviceprincipalname, objectsid"
# Query object access permissions, optionally filter by NTAccount
StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --access
StandIn.exe --object samaccountname=Rllyeh$ --access --ntaccount "REDHOOK\EDerby"
StandIn.exe --ob
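As an added audit example (not StandIn's own code): the filter in the LDAP-search usage above combines a samAccountType test, an SPN presence test, a krbtgt exclusion and the bitwise-AND matching rule on userAccountControl; the script below reproduces that logic offline over constructed records so a defender can see which accounts need hardening. The pre-authentication and PASSWD_NOTREQD flag checks are my assumption of what --asrep and --passnotreq look for, and all account names are constructed.

```python
# Added example (not StandIn code): evaluates the LDAP filter logic from the usage
# section offline over constructed records, to audit accounts that need hardening.
# Flag values are the well-known userAccountControl / samAccountType AD constants.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000
SAM_USER_OBJECT = 805306368  # samAccountType value used in the page's filter

def bit_and_match(value: int, mask: int) -> bool:
    """Matching rule 1.2.840.113556.1.4.803 (bitwise AND): every mask bit set."""
    return (value & mask) == mask

def classify(account: dict) -> set:
    """Findings for one account: the page's --ldap SPN filter, plus (assumed)
    flag checks standing in for what --asrep and --passnotreq look for."""
    findings = set()
    uac = account.get("userAccountControl", 0)
    is_user = account.get("samAccountType") == SAM_USER_OBJECT
    disabled = bit_and_match(uac, UF_ACCOUNTDISABLE)
    has_spn = bool(account.get("servicePrincipalName"))
    name = account.get("sAMAccountName", "").lower()
    # (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)
    #   (!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    if is_user and has_spn and name != "krbtgt" and not disabled:
        findings.add("spn-set")               # review service account, consider gMSA
    if is_user and not disabled and bit_and_match(uac, UF_DONT_REQUIRE_PREAUTH):
        findings.add("preauth-not-required")  # re-enable Kerberos pre-authentication
    if is_user and bit_and_match(uac, UF_PASSWD_NOTREQD):
        findings.add("passwd-not-required")   # clear the flag and set a password
    return findings

def audit(accounts) -> dict:
    """Map each account that has findings to its sorted finding names."""
    return {a["sAMAccountName"]: sorted(f) for a in accounts if (f := classify(a))}
# Constructed sample directory records (not real accounts)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "samAccountType": SAM_USER_OBJECT,
     "servicePrincipalName": ["MSSQLSvc/db01.example.local:1433"],
     "userAccountControl": UF_NORMAL_ACCOUNT | 0x10000},  # DONT_EXPIRE_PASSWD
    {"sAMAccountName": "jdoe", "samAccountType": SAM_USER_OBJECT,
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old_svc", "samAccountType": SAM_USER_OBJECT,
     "servicePrincipalName": ["HTTP/web01.example.local"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "krbtgt", "samAccountType": SAM_USER_OBJECT,
     "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
]
```

Running `audit(SAMPLE_ACCOUNTS)` reports svc_sql, jdoe and old_svc; krbtgt is excluded by name and by its disabled bit, exactly as the page's filter intends.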