Basic module to extract information from the database, with output formatted for easy use in a bash-flow workspace.

There are a few things you can extract with this module:

- Users, computers and groups
- Group members
- Computers that a user is administrator to
- Computer to computer administrator rights
- ... and more!

Query options:

- `--users`, `--comps`, `--groups`, `--das`, `--dasessions`, `--nolaps`, `--unconst`, `--npusers`, `--kerb`, `--kerb-la`, `--passnotreq`, `--owned`, `--hvt`, and `--owned-to-hvts` all return simple lists and take no inputs
- `--groups-full` returns all domain groups with their respective members in the format `[email protected] - member_node_name`
- `--group-members GROUP` returns all AD objects that are members of the input `GROUP`
- `--owned-groups` returns a list of owned objects, each with a list of all groups it is a member of; nice for grepping and targeting
- `--desc` returns all objects configured with a description, in the format `objectname - description text`
- `--admincomps` returns computers that are configured with admin rights for another computer, in the format `admincomp.domain.local - victimcomp.domain.local`. Useful for printspooler + relay attacks
- `--adminto UNAME` returns all computers `UNAME` is local admin to. Useful for offline cred spraying & dumps
- `--adminsof COMP` returns a list of all the users that have administrative privileges to `COMP`
- `--sessions` returns a list of all computers that the input user has a session on
- `--sidhist` returns a list of objects configured with SID History, in the format `username - sid - foreign domain - foreign object name (if found)`
- `--foreignprivs` returns a list of all cross-domain privileges on the network, in the format `object1@domain1 - edgename - object2@domain2`
- `--unsupported` returns a list of all machines running unsupported operating systems, with the OS version
- `--get-note` returns the notes of each object, typically used with the `add-note` function in the `mark-*` modules
- `--path` returns the full shortest path between two input nodes; `--paths-all` returns all the shortest paths
- `--hvt-paths` returns all paths to HVTs originating from an input node
- `--owned-paths` returns all paths to HVTs originating from owned objects
- `--owned-admins` returns all computers to which owned users are admins

Flags:

- `-l` applies column labels as a header. By default, `get-info` queries do not return column headers (like "UserName", "ComputerName", "Description", etc.)
- `-e/--enabled` returns only the enabled users from the applicable query (only working for `--users` and `--passnotreq`)
- `-d/--delim` sets a new output delimiter to separate outputs. Default is `output1 - output2`, with the "-" being the changeable delimiter. Doesn't apply to path outputs
```
python3 max.py get-info --users
[email protected]
...

python3 max.py get-info --admincomps
COMPUTER1.DOMAIN.LOCAL - COMPUTER2.DOMAIN.LOCAL
...

python3 max.py get-info --foreignprivs -l
ObjectName - EdgeName - VictimObjectName
COMP1.DOMAIN1.LOCAL - EdgeName - COMP2.DOMAIN2.LOCAL
[email protected] - EdgeName - [email protected]
...

python3 max.py get-info --adminto [email protected]
COMP1.DOMAIN.LOCAL
COMP2.DOMAIN.LOCAL
...

python3 max.py get-info --desc
[email protected] - This user is super cool
[email protected] - This user's password is Password1!
...

python3 max.py get-info --path "DOMAIN [email protected], DOMAIN [email protected]"
DOMAIN [email protected] - EdgeName -> Node2 .... -> DOMAIN [email protected]

python3 max.py get-info --hvt-paths "[email protected]"
[email protected] - MemberOf -> ENTERPRISE [email protected] - GenericAll -> DOMAIN.LOCAL
[email protected] - MemberOf -> [email protected] - WriteDacl -> DOMAIN.LOCAL
[email protected] - MemberOf -> [email protected] - AllExtendedRights -> DOMAIN.LOCAL
[email protected] - MemberOf -> [email protected] - WriteOwner -> DOMAIN.LOCAL

python3 max.py get-info --owned-admins
COMP1.DOMAIN.LOCAL - AdministratedBy - [email protected]
COMP2.DOMAIN.LOCAL - AdministratedBy - [email protected]
COMP2.DOMAIN.LOCAL - AdministratedBy - [email protected]
...
```
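The point of the `output1 - output2` format is that it drops straight into shell pipelines. The following is an added example (not part of Max) of doing that in a bash-flow workspace: it takes `--admincomps` output and answers "which computers does this machine admin?" and "which victim has the most admin computers?" (the relay target worth going after first), and it tallies which privilege edges appear in `--hvt-paths` output so you know which abuse primitives a path will need. The sample lines are constructed, not captured from a real database; the functions honour the `-d/--delim` delimiter on the assumption that Max keeps a space on either side of whatever delimiter you pass, and the path parser hardcodes ` - ` because `-d` does not apply to path outputs.

```shell
#!/bin/sh
# Added example for post-processing `max.py get-info` output. Not Max's own code.

# Constructed sample in the format `--admincomps` prints with the default "-" delimiter.
SAMPLE_ADMINCOMPS='COMPUTER1.DOMAIN.LOCAL - COMPUTER2.DOMAIN.LOCAL
COMPUTER1.DOMAIN.LOCAL - COMPUTER3.DOMAIN.LOCAL
COMPUTER4.DOMAIN.LOCAL - COMPUTER2.DOMAIN.LOCAL'

# Constructed sample in the format `--hvt-paths` prints (names are placeholders).
SAMPLE_HVT_PATHS='USER@DOMAIN.LOCAL - MemberOf -> ENTERPRISE ADMINS@DOMAIN.LOCAL - GenericAll -> DOMAIN.LOCAL
USER@DOMAIN.LOCAL - MemberOf -> DOMAIN ADMINS@DOMAIN.LOCAL - WriteDacl -> DOMAIN.LOCAL
USER@DOMAIN.LOCAL - MemberOf -> DOMAIN ADMINS@DOMAIN.LOCAL - AllExtendedRights -> DOMAIN.LOCAL
USER@DOMAIN.LOCAL - MemberOf -> ADMINISTRATORS@DOMAIN.LOCAL - WriteOwner -> DOMAIN.LOCAL'

# victims_of ADMINCOMP [DELIM]: read `--admincomps` lines on stdin and print the
# computers ADMINCOMP has admin rights over, one per line. DELIM defaults to "-"
# (Max's default); pass the same value you gave to -d/--delim. The match is
# anchored at the start of the line so a name that is a suffix of another
# computer's name cannot produce false hits.
victims_of() {
  admin="$1"
  delim="${2:--}"
  awk -v a="$admin" -v d=" $delim " \
    'index($0, a d) == 1 { print substr($0, length(a d) + 1) }'
}

# admins_per_victim [DELIM]: count how many distinct admin computers each victim
# has, most first. A victim with many admin computers is the most attractive
# relay target from a printspooler coercion.
admins_per_victim() {
  delim="${1:--}"
  awk -v d=" $delim " \
    '{ i = index($0, d); if (i) c[substr($0, i + length(d))]++ }
     END { for (v in c) print c[v], v }' | sort -rn
}

# path_edges: read `--hvt-paths` / `--owned-paths` / `--path` lines on stdin and
# tally the edge names used. Each hop is "node - Edge -> node", so split on " -> "
# and take the text after the last " - " of every segment except the final node.
path_edges() {
  awk '{ n = split($0, seg, " -> ")
         for (i = 1; i < n; i++) { m = split(seg[i], p, " - "); c[p[m]]++ } }
       END { for (e in c) print c[e], e }' | sort -rn
}

# Usage against the constructed samples (swap in the real tool in a workspace):
#   printf '%s\n' "$SAMPLE_ADMINCOMPS" | victims_of COMPUTER1.DOMAIN.LOCAL
#   python3 max.py get-info --admincomps | admins_per_victim
#   python3 max.py get-info --admincomps -d , | admins_per_victim ,
#   python3 max.py get-info --hvt-paths "USER@DOMAIN.LOCAL" | path_edges
```

Each function reads stdin, so it composes with `tee` into workspace files the same way `grep` does; `path_edges` is the quick way to tell whether a path set is all `MemberOf` plus one ACL edge (one ACL abuse away from the target) or needs several distinct primitives.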