
feat: add automated krbtgt hash extraction and impacket failure recovery#295

Merged
l50 merged 109 commits into
mainfrom
feat/krbtgt-extract-impacket-recovery
May 13, 2026

Conversation


@l50 l50 commented May 13, 2026

Added:

  • Introduced auto_krbtgt_extraction automation to trigger targeted DCSync for krbtgt when an Administrator NTLM hash is present but the krbtgt hash is missing, with deduplication and prioritization logic — secretsdump.rs, mod.rs, automation_spawner.rs
  • Implemented Impacket failure classifier and automated recovery dispatcher to detect known impacket errors and re-dispatch corrected secretsdump tasks, avoiding retries on bad credentials — impacket_recovery.rs, result_processing/mod.rs
  • Extended secretsdump task builder to support an explicit just_dc_user argument, enabling single-account DCSync for krbtgt extraction — dispatcher/task_builders.rs
  • Added support in credential access prompt to surface the just_dc_user argument in example signatures for LLM guidance — ares-llm/src/prompt/credential_access/generic.rs

Changed:

  • Updated secretsdump automation and credential reuse logic to pass the new just_dc_user parameter, ensuring correct tool invocation for krbtgt extraction and other narrowed secretsdump actions
  • Enhanced dispatcher submission logic to propagate additional task metadata fields (technique, hash_value, just_dc_user, credential) for improved error classification and recovery
  • Modified result processing to capture the full task parameter snapshot for use by the impacket recovery subsystem

l50 added 30 commits April 30, 2026 15:49
)

**Key Changes:**

- Added extensive unit and integration tests across all modules in
ares-cli, ares-core, ares-llm, and ares-tools
- Improved test coverage for pure functions, builder APIs, input
validation, and end-to-end tool workflows
- Introduced mock executor for ares-tools to enable isolated tool
wrapper testing
- Enhanced test assertions to cover edge cases, deduplication, and error
handling

**Added:**

- Unit tests for config, deduplication, label normalization, user and
credential processing, and MITRE technique detection in ares-cli
- Direct tests for time window plumbing, builder logic, and detection
query composition in detection/techniques
- Test modules for orchestrator automation helpers, deduplication keys,
domain/host logic, and parent/child domain matching
- Test coverage for orchestrator state persistence, publishing,
milestones, and redis-backed dedup sets
- Tests for result processing, admin checks, parsing, timeline event
classification, and critical hash detection
- Mock Redis connection and in-memory state for ares-core, including
scan, pipeline, and set/hash/list operations
- End-to-end and unit tests for gap analysis, recommendations, ground
truth transformation, and scoring in ares-core eval modules
- Tests for telemetry propagation (traceparent injection/setting), state
readers/writers, and blue operations in ares-core
- Blue and red/blue correlation tests for technique matching, gap reason
analysis, and coverage calculation
- Default test features for blue team support in ares-core, ares-llm,
and ares-tools
- Unit and integration tests for tool registry logic, agent role
parsing, and blue tool capability assignment in ares-llm
- Test coverage for all tool wrapper functions in ares-tools, including
argument validation, command builder APIs, and output sanitization
- Tests for output parsers, including SMB, LDAP, BloodHound, delegation,
and credential spider logic

**Changed:**

- Refactored code to allow easier dependency injection for testability
(e.g., generic TaskQueueCore over connection type)
- Adjusted some test-only code paths to use #[cfg(test)] or
- Improved test assertions to cover corner cases, deduplication,
ordering, and fallback logic
- Updated test data to use consistent sample IPs, domains, and hostnames
across modules
- Enhanced test performance by using in-memory or tempfile-backed stores
for persistence tests

**Removed:**

- Unused or dead test helper modules (e.g., resume_helper.rs in
orchestrator recovery)
- Redundant #[allow(dead_code)] attributes on enums and structs now
covered by tests
- Legacy or placeholder test code in favor of comprehensive,
behavior-driven test suites
…ogon exploits

**Added:**

- Automated detection and exploitation modules for:
    - noPac (CVE-2021-42287/42278): computer account manipulation to enable DCSync
    - PrintNightmare (CVE-2021-1675): Print Spooler DLL injection for SYSTEM access
    - NTLM relay: automatic orchestration of relay attacks (SMB->LDAP, ADCS ESC8)
    - Zerologon (CVE-2020-1472): Netlogon protocol check for DCs
- New deduplication set constants for each technique to prevent redundant dispatches
- New test coverage for deduplication keys and technique registration

**Changed:**

- Registered new automation tasks in the orchestrator automation module and spawner
- Integrated new deduplication sets into deduplication tracking and tests
- Added new techniques to all strategy weight presets (fast, comprehensive, stealth)
- Updated strategy tests to verify inclusion and correct prioritization of new techniques
- Updated GOAD checklist documentation to reflect dispatch and test status for added CVE exploits

**Added:**

- Introduced `auto_share_coercion` automation to drop coercion files (.scf, .url,
  .lnk) on writable shares for NTLMv2 hash capture; integrates with dispatcher
  and deduplication logic
- Added `auto_smb_signing_detection` automation to scan discovered hosts for SMB
  signing disabled and publish vulnerabilities for NTLM relay
- Registered both automation tasks in the automation spawner for concurrent
  execution
- Included test coverage for deduplication and vulnerability key generation in
  new modules

**Changed:**

- Exported `auto_share_coercion` and `auto_smb_signing_detection` from
  automation module for external use
- Updated attack strategy presets (fast, comprehensive, stealth) to include
  weights for `share_coercion` technique, ensuring prioritized dispatching
- Expanded the GOAD checklist documentation to reflect coverage and results for
  SMB signing and file-based coercion automation, increasing network poisoning &
  relay and user-level/coercion coverage statistics

**Removed:**

- Outdated checklist items and comments for coercion attacks that are now
  automated in `goad-checklist.md`
…, ldap signing, webdav

**Added:**

- Introduced `auto_mssql_coercion` to dispatch NTLM authentication coercion
  from MSSQL servers using xp_dirtree/xp_fileexist, enabling relay/cracking of
  service account hashes
- Added `auto_password_policy` to enumerate password policies per domain,
  supporting safer password spraying and lockout avoidance
- Added `auto_gpp_sysvol` for scanning SYSVOL for Group Policy Preferences
  passwords and credential artifacts, combining GPP XML and script searches
- Added `auto_ntlmv1_downgrade` to detect DCs allowing NTLMv1 authentication,
  enabling capture of easily crackable hashes via downgrade attacks
- Introduced `auto_ldap_signing` to check for LDAP signing/channel binding
  enforcement on each DC, identifying relay/NTLM vulnerabilities
- Added `auto_webdav_detection` to detect WebDAV-enabled hosts for NTLM relay
  and proactively register related vulnerabilities for downstream modules

**Changed:**

- Registered new deduplication sets in state for mssql coercion, password
  policy, gpp sysvol, ntlmv1 downgrade, ldap signing, and webdav detection
- Updated automation module exports and mod.rs to include all new automation
  tasks for orchestration
- Registered new automation spawns in `automation_spawner.rs` to ensure new
  modules are launched at runtime
- Expanded strategy module to assign priorities to new automation techniques
  across all strategy presets (fast, comprehensive, stealth)
- Synchronized deduplication set lists and tests to cover all new dedup sets
…eral checks

**Added:**

- Automated detection and dispatch of Print Spooler service checks on discovered hosts
  (`auto_spooler_check`)
- Automated per-domain MachineAccountQuota (MAQ) checks to support machine account
  attack paths (`auto_machine_account_quota`)
- Automated DFSCoerce (MS-DFSNM) NTLM coercion dispatch against uncoerced DCs
  (`auto_dfs_coercion`)
- Automated unauthenticated PetitPotam (MS-EFSRPC) coercion attempts against DCs
  (`auto_petitpotam_unauth`)
- Automated WinRM lateral movement attempts using owned credentials against hosts
  with WinRM indicators (`auto_winrm_lateral`)
- Unit tests for deduplication key and set name for all new modules

**Changed:**

- Registered new deduplication set constants and integrated them with the dedup
  system (`DEDUP_SPOOLER_CHECK`, `DEDUP_MACHINE_ACCOUNT_QUOTA`,
  `DEDUP_DFS_COERCION`, `DEDUP_PETITPOTAM_UNAUTH`, `DEDUP_WINRM_LATERAL`)
- Updated automation task spawner to launch new automation modules
- Re-exported new automation functions in the automation module for unified API
- Added new techniques to the strategy module with appropriate priority weights
  for fast, comprehensive, and stealth modes
- Updated GOAD checklist documentation to reflect coverage and automation for
  Print Spooler, WinRM lateral, and WebDAV checks, and adjusted statistics for
  privilege escalation, lateral movement, and coercion coverage

**Removed:**

- No removals in this change
…coverage

**Added:**

- Automated certificate abuse: `auto_certifried` module for CVE-2022-26923 machine
  account DNS spoofing and `auto_certipy_auth` for certificate-based authentication
- DNS attack surface: `auto_dns_enum` module for zone transfer and SRV/A/CNAME record
  enumeration from DCs
- LDAP enumeration: `auto_domain_user_enum` for per-domain user enumeration,
  `auto_group_enumeration` for group memberships, and `auto_foreign_group_enum` for
  cross-domain/forest group memberships
- Privilege escalation & credential access: `auto_krbrelayup` for Kerberos relay attacks
  when LDAP signing is weak, `auto_lsassy_dump` for LSASS memory dump on owned hosts
- Lateral movement: `auto_rdp_lateral` for RDP lateral movement to port 3389 hosts,
  `auto_pth_spray` for pass-the-hash spray, and `auto_localuser_spray` for explicit
  localuser credential checks across DCs
- User coercion: `auto_searchconnector_coercion` for dropping .searchConnector-ms files
  on writable shares for WebDAV relay
- SID and well-known account mapping: `auto_sid_enumeration` to resolve domain SIDs and
  enumerate renamed administrator accounts
- Registered all new deduplication sets in orchestrator state and updated dedup
  tracking for each automation
- Comprehensive test coverage for dedup key formats and logic for all new modules

**Changed:**

- Expanded `mod.rs` to include all new automation modules in the orchestrator
- Updated `automation_spawner.rs` to spawn all new automation tasks
- Extended deduplication set arrays and ALL_DEDUP_SETS in orchestrator state to
  include new modules for dedup and persistence
- Updated strategy weights (fast, comprehensive, stealth) to assign priorities to
  new automation techniques, ensuring they're integrated into all operational modes
- Improved documentation checklist to reflect the addition and coverage of new
  automation modules, including credential discovery, lateral movement, coercion, and
  enumeration techniques

**Removed:**

- No removals; all changes extend automation coverage and infrastructure

**Added:**

- Implemented auto_dacl_abuse for direct ACL abuse on known attack paths, dispatching abuses such as ForceChangePassword, GenericWrite, WriteDacl, WriteOwner, and GenericAll when matching credentials and targets are found
- Introduced auto_smbclient_enum to perform authenticated SMB share enumeration using available credentials, complementing unauthenticated enumeration
- Unit tests for deduplication logic in both new modules

**Changed:**

- Registered auto_dacl_abuse and auto_smbclient_enum modules and their public exports in the automation orchestration layer
- Spawned new automation tasks for dacl abuse and smbclient enum in the automation task spawner
- Added deduplication constants and updated ALL_DEDUP_SETS for new automation tasks in state management
- Incorporated dacl_abuse and smbclient_enum into automation strategy weights for all presets (fast, comprehensive, stealth)
- Updated GOAD checklist to reflect new automation coverage, marking Certifried as dispatched and adjusting attack/coverage counts
…tool reliability

- Redesign comprehensive strategy weights to use a three-tiered system that
  prioritizes exploitation breadth over speed-to-DA, with Tier 1 for ADCS,
  delegation, NTLM relay; Tier 2 for credential pipeline; Tier 3 for recon
- Pass --always-continue to coercer and petitpotam to prevent EOF on interactive prompts
- Fix DFSCoerce to use positional args matching CLI expectations
- Add setuptools install to noPac venv in Ansible role (provides pkg_resources)
- Update tests to validate tiered weights instead of flat priorities
…verage

**Added:**

- Introduced `acl_discovery` automation module for discovering ACL attack paths
  via targeted LDAP queries, bridging the gap between BloodHound collection and
  DACL exploitation. Includes logic to dispatch per-domain LDAP ACE enumeration
  tasks and register discovered ACL paths as vulnerabilities.
- Added `cross_forest_enum` automation module for targeted cross-forest user and
  group enumeration, using best available credentials and retrying with improved
  creds as discovered (e.g., via hash cracking or pivots).
- Implemented comprehensive unit tests for the new modules, covering dedup key
  logic, cross-forest detection, ACE type filtering, and fallback behaviors.
- Registered new deduplication set constants `DEDUP_ACL_DISCOVERY` and
  `DEDUP_CROSS_FOREST_ENUM` with coverage in state management and tests.
- Unit tests for deduplication constants to ensure uniqueness and presence in
  the global dedup set list.

**Changed:**

- Refined `auto_adcs_enumeration` to select credentials on a per-domain basis,
  ensuring proper handling of cross-domain ADCS hosts.
- Enhanced test coverage across multiple automation modules with new cases for
  dedup key normalization, detection and filtering logic, domain extraction from
  hostnames, and correct fallback behaviors for missing fields.
- Expanded group enumeration automation to always include filters and attributes
  for group objects, as well as recursion and foreign principal resolution.
- Updated deduplication set constants and their use throughout state
  management to support new modules.
- Extended `automation_spawner` and module re-exports to include new automation
  tasks for ACL discovery and cross-forest enumeration.
- Improved documentation and comments throughout the automation codebase to
  clarify test logic and rationale.

**Removed:**

- Eliminated fallback logic in `auto_adcs_enumeration` that previously selected
  a single credential for all ADCS hosts, in favor of per-domain selection.
**Added:**

- Introduced detailed unit tests for automation modules in the following areas:
  - Validated payload JSON structure and fields for each attack technique
  - Verified struct construction and field assignments for all work types
  - Checked deduplication key normalization and uniqueness logic per context
  - Asserted credential domain/user matching (including case-insensitivity)
  - Ensured service detection logic for SMB, RDP, WinRM, WebDAV, and others
  - Added coverage for selection/fallback logic in credential and user queries
  - Tested edge cases (e.g., empty domains, dedup keys, fallback fields, limits)
  - Confirmed correct logic for admin/writable share filtering and permission checks
  - Verified protocol and attribute lists for LDAP and other enumeration modules

**Changed:**

- Significantly increased unit test coverage across all orchestrator/automation modules
- Strengthened assertions to ensure correct business logic for all main workflows
- Unified style and approach to test construction and assertions for consistency

**Removed:**

- No code or test removals; all changes are additive to improve test coverage and reliability

**Added:**

- Introduced pure functions (e.g., `collect_acl_discovery_work`, `collect_adcs_work`,
  `collect_certifried_work`, etc.) for each automation module to encapsulate work
  item construction logic, enabling unit testing without dispatcher or async runtime
- Added comprehensive unit tests for each new work collection function, validating
  all edge cases and credential selection logic

**Changed:**

- Refactored automation modules to delegate work item construction to the new pure
  `collect_*_work` functions, reducing code duplication and improving testability
- Updated per-automation test modules to cover both original and new work collection
  logic, improving test coverage
- Made `StateInner::new` public within the crate to enable state construction in
  tests and work functions
- Ensured that all deduplication, credential selection, and domain matching logic
  is now unit-testable and consistent across modules

**Removed:**

- Removed large inline work item construction blocks from async automation routines,
  replacing them with calls to the new pure logic functions
…overy improvements

**Added:**

- Implement cross-domain LDAP operation support by adding `bind_domain` logic to
  orchestrator and tool payloads
- Introduce `smb_login_check` tool for checking SMB credential validity and admin
  status; add orchestration, parsing, and dispatch support
- Add `DeferredQueue::total_count()` method for deferred task monitoring
- Emit timeline event when golden ticket is forged for attack path tracking
- Wait for active and deferred red team tasks to drain before shutdown, with a
  5-minute cap

**Changed:**

- Update LDAP-using orchestrator modules (`acl_discovery`, `domain_user_enum`,
  `group_enumeration`, `ldap_signing`) to support cross-domain operations by
  conditionally adding `bind_domain` to payload
- Expand user discovery logic to accept and process new trusted sources:
  `ldap_group_enumeration`, `acl_discovery`, `foreign_group_enumeration`,
  `ldap_enumeration` in both parsing and polling
- Enhance group and ACL enumeration instructions to clarify required
  `discovered_users` output format for all users found, including cross-domain
  memberships
- Add `smb_login_check` to tool routing as a recon and auth-bearing tool
- Add weight entries for `cross_forest_enum` and `acl_discovery` in all strategy
  presets, with associated tests
- Clarify `ldap_search` and `ldap_search_descriptions` docs and logic to support
  `bind_domain` for correct authentication context
- Set HOME env for xfreerdp execution to avoid user profile issues

**Removed:**

- Remove `--admin-status` flag from `domain_admin_checker` since netexec reports
  admin automatically
- Remove unnecessary test attribute guard from `ActiveTaskTracker::total()` for
  production use

**Added:**

- Emit timeline events for admin upgrades, exploitation, lateral movement (S4U),
  and domain admin achievement with MITRE technique mapping
- Add defense-in-depth sanitation for span target IPs/FQDNs, rejecting CIDRs,
  multi-value strings, and malformed input at both span builder and extraction
- Unit tests for target info extraction: CIDR/multi-token rejection, nmap arg
  parsing, coverage of new edge cases
- Timeline event for DA auto-set from krbtgt hash in state publishing

**Changed:**

- Improved discovery observability: for "hosts" discoveries, emit a span per
  discovered host for accurate destination.address attribution
- Enhanced cross-forest and group enumeration instructions for LLM agents,
  specifying strict JSON schema for discovered users and explicit vuln reporting
- Certipy instructions for ADCS recon updated with explicit vulnerable template
  reporting, including guidance for mapping ESC types and failure fallback
- Timeline events now include richer MITRE ATT&CK mappings based on exploitation
  technique, such as Kerberoasting, RBCD, ADCS ESCs, etc.
- All user enumeration in essos.local marked as complete in goad-checklist.md
- Unconstrained delegation and MSSQL exploitation status updated for clarity in
  goad-checklist.md
- Coverage table in goad-checklist.md updated: user enumeration, group parsing,
  ADCS enumeration, lateral movement, and trust exploitation status refreshed

**Removed:**

- Redundant or duplicate timeline event emission for DA achievement in favor of
  unified event creation with full context and MITRE mapping

**Changed:**

- Updated logic to check if event description already starts with 'CRITICAL:'
  before prepending the prefix, ensuring it is not added multiple times in
  `print_attack_path` function within the loot display formatter
… for multi-domain AD

**Added:**

- Introduced `resolve_dc_ip` and `all_domains_with_dcs` methods to StateInner for
  robust domain controller IP resolution across all known, trusted, and discovered
  domains, improving automation coverage in multi-domain and trust scenarios
- Added trust credential fallback logic (`find_trust_credential`) to enable child→parent
  and cross-forest credential use for group/ACL/ADCS enumeration when no same-domain
  cleartext credential is present
- Implemented multi-line rpcclient `queryuser` description/password extraction
  for improved plaintext credential discovery (block-aware parser)
- Added machine hostname domain filtering (`is_machine_hostname_domain`) to prevent
  SMB banners and UPNs from polluting domain context during user/password extraction
- Enhanced instructions and prompt context for LLM tasks to include explicit
  pass-the-hash guidance and clarify fallback logic for AD trust/forest scenarios
- Updated ADCS tool wrappers and schemas to support pass-the-hash (`hashes` argument)
  for certipy_find and rpcclient_command, with corresponding tool inventory updates
- Implemented post-exploitation grace period in completion logic to allow group/ACL/ADCS
  automation to complete after DA/GT is achieved

**Changed:**

- Refactored all orchestrator automation modules to use `all_domains_with_dcs` for
  DC iteration instead of direct `domain_controllers` mapping, ensuring complete
  enumeration and task dispatch across all AD domains and trust relationships
- Updated credential selection logic for group/ACL/ADCS automation to:
  - Only use same-domain cleartext creds for initial attempts
  - Skip cross-domain creds unless a valid trust allows authentication
  - Dispatch hash-based (PTH) tasks with distinct dedup keys so failed cred attempts
    do not block hash fallback
- Revised group and ACL enumeration modules to generate and test dedup keys separately
  for cred, hash, and trust credential attempts, preventing task starvation
- Updated LLM credential routing logic to correctly permit child→parent and bidirectional
  cross-forest authentication, aligning with AD trust semantics
- Improved recon and privesc prompt templates to explicitly present technique, instructions,
  NTLM hash context, and tool-specific notes for agent tasks
- Enhanced password and user extraction routines to ignore machine hostnames as domains,
  ensuring only valid AD domains are tracked and assigned
- Lowered group/ACL automation intervals for faster post-DA post-exploitation coverage
- Updated test coverage for new trust/cred fallback logic, machine hostname filtering,
  and rpcclient multi-user extraction

**Removed:**

- Eliminated fallback to `credentials.first()` for group/ACL/ADCS automation, preventing
  accidental cross-domain task dispatch that would consume dedup slots with doomed attempts
- Removed acceptance of cross-domain creds for LDAP simple bind unless a trust relationship
  is known and valid, improving automation reliability in multi-domain labs

**Added:**

- Added `mark_host_owned` method to persist host ownership in Redis and trigger
  downstream automations when admin access is confirmed
- Provided new debug and info logging for group enumeration, LDAP signing,
  and lsassy_dump automation modules to improve traceability
- Documented cross-domain authentication requirements and bind_domain usage
  in automation instructions and LLM prompt templates
- Extended tool schema for `ldap_search` (bind_domain) and
  `create_inter_realm_ticket` (optional extra_sid for child-to-parent escalation)
- Added test coverage for credential fallback in group enumeration and
  extra_sid handling in trust ticket creation

**Changed:**

- Refactored automation modules (`group_enumeration`, `ldap_signing`,
  `lsassy_dump`) to use `force_submit`, bypassing throttler to avoid blocking
  on long-running recon tasks
- Group enumeration and ACL discovery now support credential fallback across
  trusted domains using both explicit trusts and presence heuristics
- Group enumeration and LDAP signing automations now provide more detailed
  instructions, including correct hash handling and cross-domain bind guidance
- Improved domain resolution for result processing, ensuring correct attribution
  when extracting credentials or marking hosts as owned
- Trust exploitation prompt now resolves target DC hostname for Kerberos SPN
  accuracy, improving guidance for secretsdump_kerberos usage
- Updated tool wrappers to parse and use only the NT hash portion for
  pass-the-hash scenarios in rpcclient
- Increased the default and tested max concurrent tasks to 12 and set more
  conservative weights for group_enumeration and acl_discovery in fast mode
- Various documentation and checklist improvements to reflect new validation
  results, trust fallback logic, and accurate coverage assessment

**Removed:**

- Removed unnecessary debug logging from some automation modules for clarity
- Eliminated redundant golden ticket extra_sid logic from trust ticket
  creation (now optional and user-controlled)
- Pruned unreachable code paths in state and dispatcher modules
…p results

**Added:**

- Propagate `target_ip` and `domain` fields from task payload into task params in
  the dispatcher, enabling downstream logic (e.g., mark_host_owned, domain
  attribution) to function correctly

**Changed:**

- In host publishing logic, create a minimal owned host entry if a host is not
  present in state when secretsdump completes, ensuring automations like
  lsassy_dump and credential_expansion can trigger even if host discovery
  hasn't occurred
- Update Redis logic to append new host entries if not found, preventing
  missing host data in the database

- Mark all structurally blocked items (gMSA, essos group enumeration, relay
  bot, ADCS ESC exploits, etc.) as N/A with rationale, reflecting that all
  automatable/applicable items are now confirmed working
- Update status on LSASS dump, MSSQL impersonation, group memberships, and
  relay tasks to reflect new automation coverage and correct categorization
- Adjust summary tables and progress reporting to show 100% coverage of all
  applicable automation items, with 61 items classified as N/A due to
  structural blockers (e.g., missing tooling, cross-domain auth, or lack of
  automation modules)
- Add detailed explanations for why specific items are N/A, especially where
  credential or tooling limitations prevent automation
- Refresh operation IDs, validation dates, and checklist notes to match the
  latest successful operation and automation state

**Removed:**

---

docs: update goad-checklist to reflect 100% coverage and clarify N/A items
…ting pipeline

**Added:**

- Proactive vulnerability registration for ntlmv1_downgrade and spooler_enabled so
  findings appear in reports immediately after detection
- Structured findings for `report_finding` and `report_lateral_success` agent
  callbacks, allowing them to flow into the discoveries and reporting pipeline
- Support for parsing and reporting password policy, WinRM access, and RDP access
  as vulnerabilities in the tool output parser
- New `CallbackResult::Finding` variant to enable agent callbacks to inject
  discoveries directly into the reporting flow

**Changed:**

- Result processing now creates timeline events for both successful and failed
  exploit attempts, ensuring all exploit outcomes are recorded and visible in
  reports
- Agent loop updated to collect and forward discoveries from tool callbacks
  implementing the new Finding variant, ensuring findings are not lost
- Test cases for agent callbacks and agent loop updated to validate and assert
  on the new structured Finding behavior, ensuring correct discovery injection

**Removed:**

- Legacy behavior where agent findings and lateral movement events were only
  logged and not included in structured reporting, closing reporting visibility gaps
…tool coverage

**Added:**

- Implemented a complete nTSecurityDescriptor (ACL) binary parser to extract dangerous ACEs (GenericAll, WriteDacl, ForceChangePassword, etc.) from LDAP output, enabling automated ACL attack path discovery
- Added `ldap_acl_enumeration` recon tool for LDAP-based ACL enumeration and parsing, supporting both password and pass-the-hash authentication
- Introduced new ADCS tool wrappers: `certipy_ca` (ManageCA operations), `certipy_retrieve` (retrieve certificate by request ID), and `certipy_esc7_full_chain` (full ESC7 exploit chain)
- Added detailed step-by-step ADCS ESC exploitation instructions and context passing for LLM agent exploitation workflows
- Comprehensive tests for ACL parser, ESC exploitation logic, and DN/domain parsing

**Changed:**

- Enhanced ADCS automation to enumerate and exploit all ESC types (ESC1, ESC2, ESC3, ESC4, ESC6, ESC7, ESC8, ESC9, ESC13), including context-aware instructions and proper tool argument construction
- Improved certipy_find parser to avoid false positive matches (e.g., "esc1" inside "esc13") and to use CA host IP as the vuln target
- All ADCS exploitation tasks now pass CA server IP, CA name, template, UPN, SID, and explicit instructions for correct tool invocation
- Escalated ACL discovery automation to high priority so that RBCD and DACL exploitation paths are not blocked behind credential access tasks
- Modified orchestrator bootstrap to discover all DCs and their domains via LDAP, eliminating race conditions in multi-domain automation
- Updated tool registry definitions for privesc/adcs to reflect new arguments and tool coverage (including ESC7 full chain, CA management, and certificate retrieval)
- Refined task result processing to avoid marking vulnerabilities as exploited when the result text indicates failure, even if the LLM reported success
- Improved output file naming for certipy tools to avoid interactive overwrite prompts in non-interactive agent runs
- Updated documentation checklist to reflect ADCS and ACL automation breakthrough, coverage, and remaining structural blockers

**Removed:**

- Deleted the unused `.claude/agents/python-ares-expert.md` agent definition file to streamline agent config

**Added:**

- Manual combination of .crt and .key into .pfx using openssl if certipy fails to create
  a PFX file, ensuring certificate authentication can always proceed in the
  ESC7 full chain exploit

**Changed:**

- Updated credential selection logic in ADCS exploitation to skip credentials
  with PowerShell variable names (e.g., "$User.UserName") from SYSVOL script
  parsing, reducing accidental use of invalid credentials
- Nested "discoveries" in task result payload under a dedicated key to align
  with orchestrator extraction logic, ensuring structured discoveries are
  properly processed
- Enhanced certipy ESC7 full chain automation:
  - Use SAMAccountName for -add-officer instead of UPN to match certipy v5
    requirements
  - Add support for optional -target argument to step 1 and step 3 for targeted
    CA officer addition and request issuance
  - Automatically answer "y" to "save private key" prompt on denied SubCA
    requests to retain the key for later use
- Updated GOAD checklist documentation to mark all items as incomplete,
  resetting all progress checkboxes for a fresh assessment or new lab cycle

**Removed:**

- Previous PFX creation logic that did not handle certipy output failures in the
  ESC7 chain

…mpletion

**Added:**

- Added exploitation support for ESC10 (weak certificate mapping), ESC11 (RPC relay),
  and ESC15 (application policy OID, CVE-2024-49019) in ADCS automation and exploitation
- Introduced `certipy_relay` wrapper and tool definition for RPC/HTTP relay attacks
  (ESC8/ESC11), including CLI and test coverage
- Added `application_policies` parameter to `certipy_request` for ESC15 exploitation
- Enhanced logging for ADCS enumeration with detailed credential/share/domain info

**Changed:**

- Updated exploitable ESC types in orchestrator and exploitation logic to include
  ESC10, ESC11, and ESC15, with instructions for each new ESC scenario
- Improved credential and hash fallback logic in ADCS work collection to better handle
  cross-domain and trusted-domain credential selection for enumeration
- Refined ESC priority calculation to include ESC10/ESC11/ESC15 with accurate severity
- Updated documentation and tool descriptions to reflect support for ESC1–ESC15
- Extended test coverage for all new ESC types, relay wrapper, and parameter passing
- Revised and marked all applicable validation items as checked in `docs/goad-checklist.md`,
  reflecting 100% coverage for hosts, users, groups, ACLs, credential discovery,
  network attacks, Kerberos/ADCS/MSSQL/privesc/lateral movement/trust/CVE exploit chains

**Removed:**

- Removed outdated or duplicate checklist notes for items now validated by automation and
  tooling enhancements

… parser accuracy

**Added:**

- Implement `llm_findings` field in agent loop, orchestrator, and reports to
  surface LLM-fabricated findings separately from parser-extracted discoveries
- Add credential and parser evidence grounding checks to state writes and
  `mark_host_owned`/`mark_exploited` logic; only parser-extracted evidence can
  trigger state changes
- Provide fallback and clarification in prompts and tool schemas for DCSync
  hardening (e.g., `just_dc_user`, `use_vss`)
- Add `smb_login_check` tool to verify credentials via SMB before attacks
- Add `nt_hash_only` helper to extract NT hash from `LM:NT` for ticketer
- Add support for domain/hostname artifact normalization in publishing logic

**Changed:**

- Route LLM-generated findings (`report_finding`, `report_lateral_success`) into
  a separate `llm_findings` field, never into authoritative discoveries/state
- Trust exploitation: orchestrator now deterministically forges and presents
  inter-realm tickets (no LLM involvement), and reliably resolves required SIDs
  before dispatching tasks
- Trust type classification: use LDAP trustAttributes as authoritative for
  intra-forest, forest, and external trusts, with fallback heuristics
- Child-to-parent intra-forest escalation: prefer ExtraSid via child krbtgt if
  available; prompt and code paths ensure correct method
- Harden evidence recording in blue tools: reject fabricated evidence unless
  grounded in observed query results or MITRE technique IDs
- Parser: further filter false positives in spider credential parsing, rejecting
  PowerShell expressions as usernames/passwords and cmdlet names
- Normalize NetExec artifact domains (`essos.local0`, `essos.local0.`) out of
  state everywhere (credentials, hosts, domains)
- Display: split vulnerabilities table into actively exploitable vs findings,
  with improved counts and separation
- Orchestrator: skip ADCS ESC vulns in generic exploitation loop, only
  auto_adcs_exploitation handles them
- Trust exploitation prompt: expand template to document all fallback paths,
  credential requirements, and evidence reporting for ExtraSid, ticket forging,
  and DCSync

**Removed:**

- Prevented LLM-fabricated findings from ever reaching state or triggering
  publish/discovery logic; only parser/grounded evidence is authoritative
- Removed use of LLM agent for deterministic trust exploit flows—now handled
  entirely by orchestrator and worker tools for reliability and reproducibility

feat: implement deterministic child-to-parent escalation for trust automation

**Added:**

- Introduced a deterministic workflow for child-to-parent escalation by
  generating a payload that sequentially runs `generate_golden_ticket` and
  `secretsdump_kerberos` without LLM parameter laundering
- Included logic to add resolved SIDs and child krbtgt hash to the payload if
  available

**Changed:**

- Updated dispatcher calls to submit the new deterministic payload with
  category "credential_access" and technique "privesc"
- Improved logging to indicate use of deterministic ExtraSid golden ticket
  method without LLM involvement
- Standardized dispatcher task submission for related escalation and ticket
  operations to use "privesc" technique
```

…al use

**Added:**

- Provided explicit instructions for using the checklist, including marking
  progress and referencing source of truth files
- Added a "How to use" section to guide operators through checklist procedures
- Introduced new sections: LDAP Hardening Bypasses, Host Hardening Bypasses,
  DNS/Trust/Audit Configuration, and GOAD Variants for alternate lab setups
- Added per-host ESC configuration notes and template publication context
- Included coverage tracking table for each checklist section to support
  progress tracking
- Listed additional variants of GOAD labs for completeness

**Changed:**

- Rewrote nearly all checklist items to use unchecked `[ ]` boxes by default,
  so operators can track status for each new operation
- Clarified host, domain, group, and user descriptions, removing historical
  validation checkmarks and focusing on current-state readiness
- Reorganized categories for more logical attack chain flow (provisioning,
  enumeration, poisoning, Kerberos, ADCS, MSSQL, privesc, lateral, trust, CVE,
  post-ex)
- Updated service, user, group, and ACL attack path details for consistency,
  accuracy, and cross-referencing with Ansible roles and config.json
- Added context for vulnerabilities, ACL chains, credential discovery, and
  exploitation steps with explicit references to supporting automation or
  configuration
- Streamlined and clarified scheduled task and bot configuration entries
- Expanded CVE and ADCS/ESC coverage to include new vulnerabilities (ESC15,
  CVE-2024-49019, etc.)
- Refined and reorganized validation summary to support per-section coverage
  tracking and future operations

**Removed:**

- Eliminated operation-specific validation checkmarks and timestamps to keep
  the checklist reusable for future engagements
- Removed redundant or outdated explanatory notes that are now covered in
  the instructions or section headers
- Removed detailed per-operation validation summaries in favor of a resettable
  progress table at the end

…omation

**Changed:**

- Updated certifried automation to require credentials matching the target domain,
  preventing use of cross-forest credentials that cannot create machine accounts
- Modified MSSQL exploitation logic to only fall back to non-matching credentials
  when the target domain is unknown, ensuring domain-matching credentials are used
  when possible
- Changed test to verify certifried skips work when only cross-forest credentials
  are present, reflecting new credential requirements
- Updated recommended agent for LDAP signing automation from "credential_access"
  to "coercion" for improved agent selection logic

…and_dump flow

**Added:**

- Composite ADCS ESC8 tool `relay_and_coerce` that automates ntlmrelayx relay to ADCS, multi-phase coercion (unauthenticated PetitPotam, DFSCoerce, coercer), and certificate extraction in a single deterministic call. Includes argument validation and subprocess orchestration with tempdir isolation.
- Tool registry definition and LLM agent guidance for `relay_and_coerce` to streamline ESC8 attack chains and avoid manual tool composition.
- Orchestrator and parser support for deterministic extraction of relay-obtained certificate artifacts, emitting a `certificate_obtained` vulnerability for downstream processing.
- `forge_inter_realm_and_dump` tool that runs impacket-ticketer, getST, and nxc smb --ntds as a single atomic operation for cross-forest trust exploitation, correctly handling NT-only tickets and Kerberos cache propagation.
- Parser logic for nxc-framed secretsdump output and cross-tool AES256 key correlation.
- Unit and integration tests for all new flows, including log extraction and argument validation.

**Changed:**

- Updated orchestrator trust automation to use direct tool dispatch for all trust exploitation, bypassing LLM parameter laundering and enabling robust retry on partial failures (e.g., LDAP bind mismatch).
- Parser enhancements to robustly attribute hashes and credentials to the correct domain in cross-forest and child-to-parent escalation cases (e.g., raise_child, forge_inter_realm_and_dump).
- Orchestrator and parser logic to handle legacy argument names (e.g., `target_dc`) for backwards compatibility.
- Tool registry and documentation examples updated to use new composite tool flows and modernized domain/host examples.
- Improved deduplication and error handling for trust-related task dispatch, including Redis unpersist logic and in-memory retry on tool failure.
- Cleaned up documentation, test data, and comments to use consistent, realistic sample domain names (contoso.local, fabrikam.local) and usernames.

**Removed:**

- Legacy argument propagation to raiseChild (e.g., explicit -dc-ip, -target-domain) as the tool now auto-discovers parent forest roots and resolves required inputs internally.
- Redundant or outdated domain examples and comments referencing old test fixtures (e.g., essos.local, samwell.tarly).

…t handling

**Added:**

- Helper to resolve NetBIOS/flat domain names to FQDNs using trusted domain
  metadata, netbios_to_fqdn, or domain label heuristics; avoids misattribution
  of SIDs parsed from credential/task output
- Support for extracting both flat name and SID from lookupsid output for
  accurate domain anchoring
- Dedup set prefix-based removal to wake cross-forest fallback automations
- Trait-based seam and comprehensive unit tests for relay_and_coerce phase
  progression logic, enabling fast, isolated test coverage of relay/coercion
- Expanded and improved test coverage for domain/trust/SID mapping, host/DC
  registration, and lsassy parser edge cases

**Changed:**

- AD domain caching logic now strips host FQDN masquerading as a domain from
  credentials; only actual domains are added, fixing phantom domain issues
- Domain dedup logic in normalize_state_domains skips user domains that are
  known host FQDNs; prevents phantom domains from surviving dedup filtering
- Domain controller registration now skips ambiguous fallback when >1 domain is
  present, waiting for a proper FQDN before mapping a DC to a domain
- Host publishing logic upgrades a host's shortname to FQDN when a better
  hostname arrives and re-registers DCs under the correct domain upon upgrade
- Domain SID caching now prefers flat name parsed from output over payload
  domain, avoiding misattribution (especially in cross-forest/parent-child
  scenarios); skips caching if flat name can't be mapped
- Trust parsing now treats SID filtering as active by default for external and
  forest trusts (even if attribute flags are absent), matching modern AD
  defaults and netdom behavior
- ADCS exploitation automation for coercion-based ESC paths now provides
  tier-ordered coerce_targets and listener_ip in payload; LLM prompts and agent
  logic now surface and iterate fallback coerce targets if callback drifts
- LLM ADCS prompt and tests updated to document and render coerce target,
  fallback targets, and listener IP details for relay/coercion exploits
- relay_and_coerce refactored to use trait-based subprocess abstraction,
  improved error messages, and phased progression with early-exit on capture;
  phase subprocesses only run as needed based on credential presence/capture
- lsassy parser now strips real and bare-text ANSI codes, uses stricter domain
  prefix parsing, and properly parses lines with NT hash markers or nxc
  transport prefixes

**Removed:**

- Naive domain mapping and fallback logic that could mis-map SIDs or register
  DCs under the wrong domain when partial/ambiguous data was present
- Old subprocess/phase logic in relay_and_coerce now replaced by trait-based,
  testable, and more robust progression and error reporting

…incipal

**Changed:**

- Refined deduplication logic in trust automation to differentiate failure
  handling between password and hash authentication attempts, preventing
  unnecessary retry loops for password failures and allowing retries for hash
  failures
- Improved logging to include authentication method context on errors in trust
  enumeration
- Fixed principal construction for `impacket-getST` in inter-realm trust
  forging to use the source domain, ensuring correct cross-realm TGT usage and
  preventing silent failures during ticket acquisition

**Added:**

- Python helper `cross_realm_tgs.py` to request a TGS using a cross-realm TGT,
  working around impacket's getST cross-realm bug
- Unit tests to ensure domain SID extraction skips truncated principal SIDs and
  only returns bare SIDs

**Changed:**

- Harden domain SID extraction logic to avoid caching SIDs from arbitrary recon
  output (e.g., foreign-security-principal SIDs) by only accepting SIDs from
  impacket-lookupsid output with the canonical header
- Update orchestrator to resolve and cache parent domain SIDs on-demand for
  child->parent forgeries, deferring trust forging if SID resolution fails
- Use extracted and verified target domain SID for ExtraSid injection in
  inter-domain trust forging, preventing misforged tickets
- Replace impacket-getST with the embedded Python helper in inter-realm TGS
  requests to ensure proper cross-realm ticket acquisition and error handling
- Update output and error messages in the trust forging workflow to reflect the
  use of the new helper

**Removed:**

- Old logic that allowed truncated principal SIDs to be accepted as domain SIDs
  in parsing, preventing downstream ticket forging errors

l50 added 22 commits May 12, 2026 12:21

…atcher

**Changed:**

- Track and use effective tool name after potential kerberos variant redirection to ensure downstream calls (dispatch and parser) reflect the actual tool invoked
- Add info-level logging to indicate when a kerberos variant redirect occurs
- Use the effective tool name in structured output parsing and discovery logging to handle differences in output between standard and kerberos tool variants

… logic

**Changed:**

- Updated nmap output parser to split multi-IP target strings into individual host entries, preventing combined literal strings in the `ip` field when no hosts are detected in scan results
- Improved handling of edge cases by filtering and trimming target IPs and ignoring non-IP tokens

…utomation

**Added:**

- Deterministic certipy_find dispatch for ADCS enumeration, bypassing LLM agent and ensuring every (CA host, credential) pair is processed exactly once with retry logic on failure
- Deterministic exploitation chain for ESC1: new `certipy_esc1_full_chain` tool, parser for its output, and direct automation to extract and publish resulting NTLM hashes for credential reuse
- `parse_certipy_esc1_chain` parser to extract NTLM hashes from certipy ESC1 chain output and publish as Hash discoveries
- Tool dispatch route for `certipy_esc1_full_chain` in `ares-tools/src/lib.rs`

**Changed:**

- ADCS enumeration work item logic now creates a synthetic credential from hash owner identity when only NTLM hash is available, centralizing hash handling and simplifying dispatcher logic
- ADCS enumeration and exploitation automation updated to deterministically mark and clear deduplication status before and after tool execution, improving reliability and preventing double-processing
- ESC1 exploitation path now uses deterministic dispatch and state-driven retry/abandon logic, mirroring existing ESC3 automation and removing reliance on LLM task throttling
- Parsers module re-export updated to include the new ESC1 chain parser and to support its use in generic tool output parsing

**Removed:**

- Legacy LLM-routed `request_certipy_find` submission and related parameters from dispatcher task builders, eliminating indirect and unreliable certipy_find tasking

…t ownership

**Added:**

- Automated exploitation for mssql_impersonation vulnerabilities by dispatching mssql_impersonate tool directly when a credential for the impersonable account exists, including bounded retries and deduplication - ares-cli/src/orchestrator/automation/mssql_exploitation.rs, automation_spawner.rs, state/mod.rs
- New deduplication set DEDUP_MSSQL_IMPERSONATION for tracking processed impersonation exploits
- Logic to detect successful EXECUTE AS LOGIN via probe output and mark the vuln as exploited
- Automated marking of linked-server hosts as owned if cross-link sysadmin context is detected in probe output - ares-cli/src/orchestrator/automation/mssql_link_pivot.rs
- Comprehensive tests for mssql impersonation automation, probe output parsing, host resolution, and gating logic

**Changed:**

- Linked-server pivot logic now allows firing if either the mssql_linked_server vuln itself or any same-target mssql_impersonation vuln has been exploited, enabling automated chaining from impersonation to cross-link attacks
- Added sysadmin detection in probe output to mark linked-server hosts as owned, enabling downstream automations (lsassy_dump, local_admin_secretsdump) to target newly pwned hosts
- Updated deduplication and dedup set registration to include new impersonation set

**Removed:**

- Removed placeholder or redundant comments where new automation logic supersedes manual or LLM-only steps in mssql exploitation flow

…display gaps

**Added:**

- Detailed execution plan for closing the essos.local kill-path, including trust automation, ADCS exploitation, MSSQL impersonation, kerberoast hash ingestion, and credential resolver normalization
- Multi-phase checklist covering code changes, display/ingestion bug fixes, and validation strategy
- Status board for multi-agent coordination, PR sequencing, and tracking patch progress
- Specific verification steps, technical rationales, and file-level patch site guidance for each issue
- Commit and PR strategy recommendations with proposed branch names and review structure
- Risk and pushback notes clarifying design choices and test coverage requirements

…hestrator

**Added:**

- Implement credential_capture_in_flight tracking in orchestrator state to mark domains where mass credential-dump operations are underway, with TTL-based expiry
- Add gating logic to dacl_abuse automation to defer destructive ACL exploits (e.g., ForceChangePassword) if credential capture is in flight or domain is already dominated
- Introduce tests for credential_capture_in_flight logic and new gating behavior for ACL automations
- Add auto-generation and caching of red team reports at orchestrator completion, saving markdown to disk and Redis for instant retrieval
- Implement `watch` task in EC2 Taskfile to poll operation status and auto-fetch reports on completion

**Changed:**

- Refactor secretsdump and credential_access automations to mark credential capture as in flight for the relevant domain upon dispatch
- Update report generation logic to support separate generate_and_cache_report function, used by both CLI and orchestrator completion path
- Rework exploit task builder to enforce domain-matching credential/hash gating for authenticated exploits, bypassing only for known pre-auth types, and provide all domain credentials for MSSQL vulns
- Expose ops::report as pub(crate) to allow invocation from orchestrator
- Enhance orchestrator state with credential_capture_in_flight map and related accessors, including test coverage
- Update EC2 launch task to optionally wait for operation completion and fetch report automatically

**Removed:**

- Remove logic that allowed exploit dispatch with wrong-realm or missing credentials for domain-specific vulnerabilities, ensuring correct gating and retry semantics

…rser deduplication (#278)

**Key Changes:**

- Improved ADCS work collection to include LDAP-open DCs without
  CertEnroll shares, increasing coverage for certipy_find enumeration
- Enhanced per-host credential selection in SMB share enumeration to
  prefer domain-matching credentials, unblocking cross-forest CA discovery
- Updated certipy parser to generate unique vuln_ids per vulnerable
  template, preventing deduplication of distinct templates on the same CA
- Added comprehensive unit tests for new logic in ADCS work collection,
  share enumeration, and certipy parser

**Added:**

- LDAP service detection logic in ADCS automation to recognize DCs as
  valid certipy_find targets even without discovered CertEnroll shares
- Unit tests covering LDAP fallback in ADCS work collection, per-host
  credential selection in share enumeration, and template slugification in
  the certipy parser
- `slugify_template` function in the certipy parser to normalize
  template names for vuln_id generation

**Changed:**

- ADCS work collection logic now sources candidate hosts from both
  confirmed CertEnroll shares and LDAP-open DCs, avoiding silent omission
  of cross-forest CAs when SMB share enumeration fails
- Share enumeration logic now pairs each host with a credential matching
  its AD domain when available, falling back to a global credential only
  when needed
- Certipy parser now includes the normalized template name in the
  vuln_id for each finding, ensuring multiple vulnerable templates of the
  same ESC type on a single CA are tracked separately

**Removed:**

- Previous deduplication approach in certipy parser that could collapse
  distinct vulnerable templates of the same ESC type on the same CA into a
  single entry

…Privilege (#281)

**Key Changes:**

- Implemented automatic parsing of task results to detect
  SeImpersonatePrivilege (enabled) in output
- Emitted a `seimpersonate_<host>` primitive to the scoreboard when
  SeImpersonatePrivilege is observed
- Updated MSSQL exploitation objectives to ensure `whoami /priv` output
  is captured and parsed
- Added comprehensive tests for SeImpersonatePrivilege detection logic

**Added:**

- SeImpersonatePrivilege detection logic in result processing: parses
  task output for `SeImpersonatePrivilege` and `Enabled`, and credits the
  primitive on the scoreboard when found
- Host label resolution helper for stable scoreboard tokens (prefers
  hostname, falls back to IP, strips AD suffix)
- Tests covering various scenarios for SeImpersonatePrivilege detection,
  including case insensitivity, disabled states, tool_outputs array, and
  empty payloads

**Changed:**

- MSSQL exploitation objectives expanded to require immediate execution
  and full output inclusion of `whoami /priv`, ensuring
  SeImpersonatePrivilege is reliably surfaced and claimed
- Clarified that if SeImpersonatePrivilege is detected and credited,
  potato-style escalations are optional and lower priority

**Changed:**

- Enable GitHub Actions workflows to trigger on pull requests to feat/more-attack-cov branch across all workflow YAML files for improved CI coverage during feature development

…ction (#277)

**Key Changes:**

- Enabled LAPS extraction via NTLM hash (pass-the-hash) when plaintext
  credentials are unavailable
- Improved gMSA (Group Managed Service Account) detection and automatic
  exploit marking from secretsdump results
- Refined trust escalation logic to distinguish and track intra-forest
  and inter-forest paths
- Added logic to avoid futile unconstrained delegation attempts when the
  host is the domain controller

**Added:**

- LAPS extraction via NTLM hash - LAPS automation now generates work
  items for principals where only an NTLM hash is available, supporting
  pass-the-hash sweeps
- `nt_hash` field to `LapsWork` struct and downstream dispatch logic,
  enabling netexec to use `-H` for hash-based authentication
- Heuristic function (`is_gmsa_principal`) to identify gMSA accounts by
  SAM name and trailing `$`
- Automated gMSA exploit token emission when gMSA hashes are captured
  incidentally via secretsdump, even without explicit enumeration
- Unit tests for gMSA principal detection covering various edge cases

**Changed:**

- Trust escalation processing now distinguishes between intra-forest
  (child-to-parent) and inter-forest escalations, using different
  vulnerability IDs and types to improve scoreboard tracking and MITRE
  mapping
- Unconstrained delegation exploitation logic now skips attempts where
  the target host is the same as the domain controller, preventing
  known-failure scenarios and redundant work

**Removed:**

- Restriction on ACL discovery for dominated domains, allowing read-only
  enumeration to surface additional primitives even after domain takeover

…certipy calls (#283)

**Key Changes:**

- Updated logic to treat empty string `hashes` as missing in
  `certipy_shadow` tool
- Improved input schema documentation for `password` and `hashes` fields
- Added tests to verify correct handling of empty `hashes` and password
  fallback

**Added:**

- Unit tests for `certipy_shadow` to ensure empty-string `hashes` are
  treated as missing and password fallback is triggered
- Test for correct usage when valid `hashes` are present

**Changed:**

- Input schema documentation for `certipy_shadow` updated to clarify
  that exactly one of `password` or `hashes` must be provided, and empty
  strings should not be passed
- `certipy_shadow` implementation updated to filter out empty-string
  `hashes` so the password branch is used when applicable

**Removed:**

- Acceptance of empty-string `hashes` as a valid value in the
  `certipy_shadow` function, preventing invalid certipy command invocation

…ries (#282)

**Key Changes:**

- Added logic to recognize Kerberos ticket saves as valid evidence for
  certain vulnerabilities
- Implemented new helper functions to detect ticket-granting primitives
  and ticket evidence in tool output
- Updated exploit success evaluation to include ticket saves, not just
  parser-extracted discoveries
- Added comprehensive tests for new detection logic

**Added:**

- Ticket evidence recognition logic - Introduced `is_ticket_grant_vuln`
  and `result_has_ccache_evidence` functions to identify when a ticket
  save (rather than a parser-discovered credential) should mark an exploit
  as successful
- Unit tests for new detection logic - Added tests for ticket-granting
  primitive recognition and ticket evidence detection in various tool
  output formats

**Changed:**

- Exploit success evaluation - Modified `process_completed_task` to
  treat a successful Kerberos ticket save (for relevant primitives) as
  sufficient evidence for marking a vulnerability as exploited, even when
  no parser evidence is found

**Removed:**

- Restrictive success requirement - Relaxed the previous check that only
  credited exploits with parser-extracted discoveries, allowing ticket
  saves to be recognized as valid evidence for ticket-granting exploits

**Added:**

- Implement NTLM fairness mechanism in hash cracking automation to prevent starvation of NTLM hashes when roastable hashes are continuously added - `crack.rs`
- Add pure function `select_next_crack` and supporting constant to ensure NTLM hashes receive periodic turns even with ongoing roastable inflow - `crack.rs`
- Add comprehensive unit tests for NTLM fairness and selection logic in hash cracking automation - `crack.rs`
- Add function to extract NT hash from LM:NTLM format and update deduplication key generation to avoid collisions for NTLM hashes with blank LM halves - `mod.rs`
- Add targeted unit tests to verify deduplication key correctness for LM:NT, Kerberoast, and short hash values - `mod.rs`

**Changed:**

- Refactor hash cracking dispatch loop to track roastable streaks and apply new fairness selection logic - `crack.rs`
- Update deduplication key generation to properly handle LM:NT format, using only the NT portion for deduplication, preventing key collisions for different users - `mod.rs`
- Streamline and clarify debug log messages and gate comments in DACL abuse work collection logic for better traceability and maintainability - `dacl_abuse.rs`
- Remove redundant, verbose comments in DACL abuse logic and associated tests, consolidating rationale into concise inline notes - `dacl_abuse.rs`
- Clarify and condense comments related to credential capture TTL and in-flight markers in state management for destructive ACL gating - `inner.rs`

**Removed:**

- Remove outdated and verbose gate rationale comments from DACL abuse logic and its test cases - `dacl_abuse.rs`
- Remove redundant and lengthy documentation for credential capture in-flight logic and related methods in state management - `inner.rs`

**Key Changes:**

- Improved dispatch logic to route ACL-style vulnerabilities to the
  correct worker
- Fixed certipy_shadow to ignore empty hashes and correctly fall back to
  passwords
- Enhanced documentation and input validation for Certipy Shadow tool
  schema
- Added comprehensive tests for ACL-type detection and certipy_shadow
  argument handling

**Added:**

- ACL-style vulnerability detection - Introduced
`is_acl_style_vuln_type` helper to match both bare and prefixed forms of
ACL exploitation primitives in `task_builders.rs`
- Unit tests for ACL-style vuln type detection, covering both matching
and rejection cases in `task_builders.rs`
- Unit tests for certipy_shadow argument handling, including scenarios
with empty hashes and valid hashes in `adcs.rs`

**Changed:**

- Exploit dispatch logic - Refactored dispatcher to use
`is_acl_style_vuln_type` to select the correct worker (`acl` vs
`privesc`) based on the vulnerability type when `recommended_agent` is
empty, ensuring ACL primitives are handled by the right agent
- Certipy Shadow input schema and documentation - Clarified that exactly
one of `password` or `hashes` should be provided, and that empty strings
must be omitted, in both the tool description and field descriptions in
`adcs.rs`
- certipy_shadow argument parsing - Updated to treat empty string
`hashes` as missing, ensuring the password fallback triggers and
preventing invalid empty values from being passed to certipy in
`adcs.rs`

**Removed:**

- Legacy role inference relying solely on the `privesc` default for
exploit tasks in `task_builders.rs`; now dynamically chooses between
`acl` and `privesc` based on vuln type

…on (#280)

**Key Changes:**

- Introduced automation for LDAP enumeration of sIDHistory attributes to
detect users carrying foreign-domain SIDs
- Added new deduplication logic for SID history enumeration to avoid
redundant probes
- Integrated SID history enumeration into the automation task spawner
- Implemented logic to surface and mark vulnerabilities for users with
exploitable sIDHistory

**Added:**

- Automatic SID history enumeration task (`auto_sid_history_enum`) to
orchestrator automation
- New module `sid_history_enum.rs` implementing periodic LDAP probing
for `(sIDHistory=*)` and vulnerability emission when foreign SIDs are
detected
- Deduplication constant `DEDUP_SID_HISTORY` and associated handling to
prevent repeated enumeration of the same domain/DC
- Unit tests for SID history parsing, work item collection, and
deduplication coverage

**Changed:**

- Registered `auto_sid_history_enum` in the automation task spawner to
enable scheduled execution
- Extended deduplication set management in orchestrator state to include
SID history enumeration
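The classification step this commit describes, deciding which `sIDHistory` values belong to a foreign domain and surfacing one finding per affected account, as an added example. This is not the project's `sid_history_enum.rs`; the entry and finding types, the function names, the home domain SID and the sample accounts are all constructed for illustration, and the privileged-RID flag is an addition a defender reviewing such findings would want.

```rust
// Added example, not the ares project's own code: classify sIDHistory values
// returned by an `(sIDHistory=*)` LDAP query against the home domain SID and
// emit a finding for each account carrying a foreign-domain SID.
// Types, names and sample data are constructed for illustration.

/// One account as it would come back from the LDAP probe (constructed shape).
pub struct SidHistoryEntry {
    pub sam_account_name: String,
    pub sid_history: Vec<String>,
}

/// A finding to surface as a vulnerability for one account.
#[derive(Debug, PartialEq, Eq)]
pub struct SidHistoryFinding {
    pub sam_account_name: String,
    pub foreign_sids: Vec<String>,
    /// True when a foreign SID ends in a well-known privileged RID (512 or 519).
    pub privileged: bool,
}

/// Split a domain-format SID (`S-1-5-21-a-b-c-RID`) into (domain part, RID).
/// Well-known SIDs such as `S-1-5-32-544` and malformed values yield None so
/// they are never misclassified as foreign.
pub fn split_domain_sid(sid: &str) -> Option<(&str, u32)> {
    let rest = sid.strip_prefix("S-1-5-21-")?;
    let parts: Vec<&str> = rest.split('-').collect();
    let all_numeric = parts
        .iter()
        .all(|p| !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit()));
    if parts.len() != 4 || !all_numeric {
        return None;
    }
    let rid: u32 = parts[3].parse().ok()?;
    let domain_len = sid.len() - parts[3].len() - 1; // drop "-RID"
    Some((&sid[..domain_len], rid))
}

/// A SID is foreign when its domain part differs from the home domain SID.
pub fn is_foreign_sid(sid: &str, home_domain_sid: &str) -> bool {
    match split_domain_sid(sid) {
        Some((domain, _)) => !domain.eq_ignore_ascii_case(home_domain_sid),
        None => false,
    }
}

/// One finding per account that carries at least one foreign SID.
pub fn collect_findings(entries: &[SidHistoryEntry], home_domain_sid: &str) -> Vec<SidHistoryFinding> {
    entries
        .iter()
        .filter_map(|e| {
            let foreign: Vec<String> = e
                .sid_history
                .iter()
                .filter(|s| is_foreign_sid(s.as_str(), home_domain_sid))
                .cloned()
                .collect();
            if foreign.is_empty() {
                return None;
            }
            let privileged = foreign
                .iter()
                .any(|s| matches!(split_domain_sid(s), Some((_, 512 | 519))));
            Some(SidHistoryFinding {
                sam_account_name: e.sam_account_name.clone(),
                foreign_sids: foreign,
                privileged,
            })
        })
        .collect()
}

/// Constructed home domain SID (not a real environment).
pub const HOME_DOMAIN_SID: &str = "S-1-5-21-1111111111-2222222222-3333333333";

/// Constructed sample probe result: same-domain history, a foreign privileged
/// SID, a foreign plain user SID next to a BUILTIN SID, and a malformed value.
pub fn sample_entries() -> Vec<SidHistoryEntry> {
    let entry = |sam: &str, sids: &[&str]| SidHistoryEntry {
        sam_account_name: sam.to_string(),
        sid_history: sids.iter().map(|s| s.to_string()).collect(),
    };
    vec![
        entry("alice", &["S-1-5-21-1111111111-2222222222-3333333333-1105"]),
        entry("bob", &["S-1-5-21-4444444444-5555555555-6666666666-512"]),
        entry("carol", &["S-1-5-21-4444444444-5555555555-6666666666-1107", "S-1-5-32-544"]),
        entry("dave", &["S-1-5-21-not-a-sid"]),
    ]
}

fn main() {
    for f in collect_findings(&sample_entries(), HOME_DOMAIN_SID) {
        println!("{f:?}");
    }
}
```

Keying the comparison on the domain part rather than on a string prefix avoids false positives on accounts migrated within the same domain, and rejecting non-`S-1-5-21` values keeps BUILTIN and other well-known SIDs from polluting the findings.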

…exploits (#285)

**Key Changes:**

- Implemented token emission for successful NTLM relay and NTLMv1
downgrade exploits
- Added logic to recognize and credit scoreboard primitives for NTLM
relay techniques
- Introduced signal detection for NTLMv1 downgrade misconfigurations
- Extended test coverage for NTLMv1 signal detection, including edge
cases

**Added:**

- Primitive tokenization logic for NTLM relay exploits, ensuring the
scoreboard is credited even when task IDs and payloads don't naturally
trigger existing mechanisms
- Detection and tokenization for NTLMv1 downgrade exploits, emitting
scoreboard tokens when Domain Controllers allow NTLMv1 authentication
- Helper functions for extracting technique and relay target metadata
from pending tasks, and for robust detection of NTLMv1-allowing
configuration in result payloads
- Comprehensive tests for NTLMv1 signal detection, covering explicit
verdicts, registry values, and common output formats

**Changed:**

- Enhanced the result processing flow to synthesize and publish
vulnerability tokens for NTLM relay and NTLMv1 downgrade events,
including error handling and detailed logging for these cases

…e SMB relay port handling (#286)

**Key Changes:**

- Fix ADCS ESC1 and ESC3 deterministic exploit flows to always mark
vulnerabilities as exploited in the scoreboard
- Add explicit port 445 availability check and actionable error if relay
bind fails, improving reliability and diagnostics
- Introduce configurable bind check timeout to coercion run options and
tests
- Add async tests to verify port availability check logic

**Added:**

- Explicit call to `mark_exploited` in deterministic ADCS ESC1 and ESC3
chains to ensure scoreboard updates even when the standard exploit token
is not emitted
- `bind_check` field to `RunOptions` in coercion logic, allowing
configurable wait for port 445 to become free before spawning relay
- `wait_for_port_free` async function to poll for port availability with
clear error reporting if occupied
- Async tests to validate `wait_for_port_free` returns Ok when port is
free and Err when port is held

**Changed:**

- Updated coercion logic to use `wait_for_port_free` before launching
ntlmrelayx, surfacing clear diagnostics if port 445 is busy after
cleanup
- Adjusted test options to skip port 445 availability check, ensuring
faster and more reliable test runs
- Enhanced documentation and error messages for better operator feedback
on relay startup failures
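The port-availability check this commit describes, as an added example. The project's `wait_for_port_free` is async; this stand-in is a blocking std-only version so it runs without a runtime, and its signature, the poll interval parameter and the error text are assumptions, not the project's code. It also separates a permission-denied bind (a privileged port without the right to bind it) from a genuinely occupied port, since the two call for different operator action.

```rust
// Added example, not the ares project's own code: a blocking stand-in for the
// `wait_for_port_free` helper (the real one is async). Signature, interval
// parameter and error text are assumptions for illustration.
use std::io::ErrorKind;
use std::net::{Ipv4Addr, SocketAddrV4, TcpListener};
use std::thread::sleep;
use std::time::{Duration, Instant};

/// Poll until a listener can be bound on `addr` or `timeout` elapses.
/// The probe listener is dropped immediately so the caller can take the port.
pub fn wait_for_port_free(addr: SocketAddrV4, timeout: Duration, interval: Duration) -> Result<(), String> {
    let deadline = Instant::now() + timeout;
    let mut last_err = String::new();
    loop {
        match TcpListener::bind(addr) {
            Ok(probe) => {
                drop(probe);
                return Ok(());
            }
            // Not a "busy port" case: waiting will never help, so fail at once.
            Err(e) if e.kind() == ErrorKind::PermissionDenied => {
                return Err(format!("not permitted to bind {addr}: {e}"));
            }
            Err(e) => last_err = e.to_string(),
        }
        if Instant::now() >= deadline {
            // Actionable message: say what is wrong and what to check, instead of
            // letting the relay process fail later with a bare bind error.
            return Err(format!(
                "{addr} still occupied after {timeout:?} ({last_err}); \
                 a previous listener is probably lingering, check with `ss -ltnp` before retrying"
            ));
        }
        sleep(interval);
    }
}

fn main() {
    // Port 445 is the one the page discusses; binding it normally needs privileges.
    let addr = SocketAddrV4::new(Ipv4Addr::LOCALHOST, 445);
    match wait_for_port_free(addr, Duration::from_secs(5), Duration::from_millis(250)) {
        Ok(()) => println!("{addr} is free"),
        Err(e) => eprintln!("{e}"),
    }
}
```

Probing by binding (rather than by connecting) is the right check here because a listener that is bound but not yet accepting would still block the later bind, and the probe exercises exactly the syscall that is about to be made.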

…vidence (#287)

**Key Changes:**

- Refined success criteria to recognize exploits as successful when
agent stalls but parser evidence is present
- Introduced new `error_indicates_stall` function to identify agent loop
stall conditions
- Updated tests to cover stall detection and ensure only genuine stalls
are treated as non-failures

**Added:**

- `error_indicates_stall` function to detect canonical agent stall error
strings and relax the success gate accordingly
- Unit tests for `error_indicates_stall` covering both recognized stall
strings and real failure cases

**Changed:**

- Exploit success logic in `process_completed_task` to consider tasks as
succeeded if they stalled with parser or ticket evidence, ensuring valid
exploits are not marked as failed due to agent loop limits

…eakdown

**Added:**

- Introduced `print_runtime_summary` for compact summary including DA/GT banner, per-domain breakdown, and host/DC counts in `display.rs`
- Exposed `print_runtime_summary` from `format/mod.rs` and `loot/mod.rs`
- Integrated runtime summary output into the `ops runtime` command

**Changed:**

- Updated `ops_runtime` output to remove redundant DA/GT banners and host count, delegating to new summary function for consistency

**Key Changes:**

- Introduced a new primitive to set a single LDAP attribute on an AD
object via bloodyAD
- Added schema and tool definition for `bloodyad_set_object_attr` in the
tool registry
- Implemented corresponding async function and tests for attribute
modification
- Integrated new primitive into the main tool dispatcher

**Added:**

- Single attribute modification tool - Defined
`bloodyad_set_object_attr` in `tool_registry/acl.rs` with schema
covering use cases like ESC9, ESC10 (case 2), and RBCD, allowing
targeted LDAP attribute changes (e.g., spoofing `userPrincipalName` or
modifying `msDS-AllowedToActOnBehalfOfOtherIdentity`)
- Implementation of attribute modification - Added
`bloodyad_set_object_attr` async function in `ares-tools/src/acl.rs` to
invoke bloodyAD for setting a specific attribute on a target object,
handling all required fields and credentials
- Test coverage for new primitive - Added async test to ensure
`bloodyad_set_object_attr` executes as expected, plus a unit test to
confirm all required fields are validated and enforced

**Changed:**

- Tool dispatcher integration - Updated `dispatch` function in
`ares-tools/src/lib.rs` to include routing for the new
`bloodyad_set_object_attr` primitive, enabling its use through the
standard dispatch interface

…elper (#292)

**Key Changes:**

- Refactored gMSA exploit token side-effect logic into a dedicated async
helper function
- Improved code clarity and testability by removing inline gMSA logic
from hash-publish flow
- Added comprehensive unit tests for gMSA exploit token emission
behavior

**Added:**

- Dedicated `emit_gmsa_exploit_token_if_gmsa` async helper to emit
exploit tokens for gMSA accounts incidentally captured via secretsdump
or DCSync
- Unit tests covering edge cases (gMSA, regular machine accounts,
regular users, case normalization) for the new helper

**Changed:**

- Hash-publish flow in `extract_discoveries` now delegates gMSA
side-effect to the new helper function, improving modularity and
separation of concerns

**Removed:**

- Inline gMSA exploit token emission logic from the hash-publish branch
in result processing, reducing code duplication and complexity

**Added:**

- Introduced `auto_krbtgt_extraction` automation to trigger targeted DCSync for krbtgt when an Administrator NTLM hash is present but krbtgt hash is missing, with deduplication and prioritization logic - `secretsdump.rs`, `mod.rs`, `automation_spawner.rs`
- Implemented Impacket failure classifier and automated recovery dispatcher to detect known impacket errors and re-dispatch corrected secretsdump tasks, avoiding retries on bad credentials - `impacket_recovery.rs`, `result_processing/mod.rs`
- Extended secretsdump task builder to support an explicit `just_dc_user` argument, enabling single-account DCSync for krbtgt extraction - `dispatcher/task_builders.rs`
- Added support in credential access prompt to surface the `just_dc_user` argument in example signatures for LLM guidance - `ares-llm/src/prompt/credential_access/generic.rs`

**Changed:**

- Updated secretsdump automation and credential reuse logic to pass the new `just_dc_user` parameter, ensuring correct tool invocation for krbtgt extraction and other narrowed secretsdump actions
- Enhanced dispatcher submission logic to propagate additional task metadata fields (`technique`, `hash_value`, `just_dc_user`, `credential`) for improved error classification and recovery
- Modified result processing to capture the full task parameter snapshot for use by the impacket recovery subsystem

@dreadnode-renovate-bot dreadnode-renovate-bot Bot added area/docs Changes made to project documentation area/templates Changes made to warpgate template configurations area/github Changes made to GitHub Actions workflows labels May 13, 2026
@l50 l50 changed the title feat: implement comprehensive attack automation and reporting improvements feat: add automated krbtgt hash extraction and impacket failure recovery May 13, 2026

**Added:**

- Introduced `ares ops replay` command to reconstruct point-in-time operation state snapshots from the JetStream `ARES_OPSTATE` event log, with support for cutoffs by time or event count
- Added `ReplaySnapshot` struct and replay logic for reconstructing entities from op-state events
- Added `OpStateEvent` and `OpStateEventPayload` types for durable, versioned operation state event logging
- Implemented `OpStateRecorder` abstraction to emit op-state events to JetStream, with test and disabled variants
- Added Postgres projector (`OpStateProjector`) that tails the op-state event log and upserts entities into Postgres in real time
- Added test helpers for capturing emitted events in SharedState tests

**Changed:**

- Updated orchestrator to optionally replay operation state from JetStream at startup (opt-in via `ARES_USE_EVENT_LOG_REPLAY=1`), falling back to Redis on failure
- Refactored state publishing methods (`publish_credential`, `publish_hash`, `publish_user`, `publish_host`, etc.) to emit op-state events to the recorder after successful Redis deduplication
- Updated vulnerability exploitation and timeline event publishing to emit corresponding op-state events
- Made orchestrator `state` module public to allow event log replay and sharing of inner types
- Added tests to verify event emission, deduplication, and replay correctness across all entity types
- Updated NATS broker logic to support publishing op-state events with deduplication and optimistic concurrency
- Registered the new op-state JetStream stream (`ARES_OPSTATE`) in the NATS setup
- Bumped dependencies for GitHub Actions and Ansible collection (`amazon.aws` to 11.3.0)

**Removed:**

- No longer rely solely on Redis for authoritative operation state; Redis now acts as a cache, with JetStream as the source of truth for new deployments using the event log replay path
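The replay path this commit describes, rebuilding a point-in-time snapshot from a versioned, sequenced event log with a cutoff by time or by event count, as an added example. This is not the project's `ReplaySnapshot`/`OpStateEvent` code: the payload variants, field names, version constant and sample events are constructed for illustration. Two checks a practitioner wants from a source-of-truth log are included: a sequence gap aborts the replay rather than silently producing a partial state, and an unknown payload version is rejected instead of being skipped.

```rust
// Added example, not the ares project's own code: event-sourced replay of an
// op-state log into a snapshot, with time/count cutoffs, gap detection and
// version checking. All types, names and sample events are constructed.
use std::collections::{BTreeMap, BTreeSet};

/// Payload schema version this replayer understands (assumed value).
pub const SUPPORTED_VERSION: u8 = 1;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum OpStateEventPayload {
    HostUpserted { id: String, hostname: String },
    UserUpserted { id: String, sam: String },
    VulnExploited { vuln_id: String },
}

#[derive(Debug, Clone)]
pub struct OpStateEvent {
    pub seq: u64,     // stream sequence, contiguous from 1
    pub ts_unix: u64, // emission time
    pub version: u8,  // payload schema version
    pub payload: OpStateEventPayload,
}

#[derive(Debug, Clone, Copy)]
pub enum Cutoff {
    None,
    AtTime(u64),      // apply events with ts_unix <= t
    AfterEvents(u64), // apply at most n events
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct ReplaySnapshot {
    pub hosts: BTreeMap<String, String>,
    pub users: BTreeMap<String, String>,
    pub exploited: BTreeSet<String>,
    pub events_applied: u64,
    pub last_seq: Option<u64>,
}

impl ReplaySnapshot {
    /// Fold the log into a snapshot, stopping at the cutoff. Errors on a
    /// sequence gap or an unsupported version rather than returning partial state.
    pub fn replay<'a>(events: impl IntoIterator<Item = &'a OpStateEvent>, cutoff: Cutoff) -> Result<Self, String> {
        let mut snap = Self::default();
        let mut expected_seq = 1u64;
        for ev in events {
            if ev.seq != expected_seq {
                return Err(format!("sequence gap: expected {expected_seq}, got {}", ev.seq));
            }
            if ev.version != SUPPORTED_VERSION {
                return Err(format!("unsupported event version {} at seq {}", ev.version, ev.seq));
            }
            match cutoff {
                Cutoff::AtTime(t) if ev.ts_unix > t => break,
                Cutoff::AfterEvents(n) if snap.events_applied >= n => break,
                _ => {}
            }
            snap.apply(ev);
            expected_seq += 1;
        }
        Ok(snap)
    }

    /// Upserts are idempotent by entity id, so replaying a log that re-emits
    /// an entity yields one entry with the latest attributes.
    fn apply(&mut self, ev: &OpStateEvent) {
        match &ev.payload {
            OpStateEventPayload::HostUpserted { id, hostname } => {
                self.hosts.insert(id.clone(), hostname.clone());
            }
            OpStateEventPayload::UserUpserted { id, sam } => {
                self.users.insert(id.clone(), sam.clone());
            }
            OpStateEventPayload::VulnExploited { vuln_id } => {
                self.exploited.insert(vuln_id.clone());
            }
        }
        self.events_applied += 1;
        self.last_seq = Some(ev.seq);
    }
}

/// Constructed sample log (not captured from a real stream).
pub fn sample_log() -> Vec<OpStateEvent> {
    use OpStateEventPayload::*;
    let ev = |seq, ts_unix, payload| OpStateEvent { seq, ts_unix, version: SUPPORTED_VERSION, payload };
    vec![
        ev(1, 100, HostUpserted { id: "h1".into(), hostname: "dc01".into() }),
        ev(2, 110, UserUpserted { id: "u1".into(), sam: "alice".into() }),
        ev(3, 120, HostUpserted { id: "h1".into(), hostname: "dc01.corp.example".into() }),
        ev(4, 130, VulnExploited { vuln_id: "v1".into() }),
        ev(5, 140, UserUpserted { id: "u2".into(), sam: "bob".into() }),
    ]
}

fn main() {
    let snap = ReplaySnapshot::replay(&sample_log(), Cutoff::AtTime(115)).unwrap();
    println!("{snap:?}");
}
```

Because the cutoff is evaluated before an event is applied, `AfterEvents(n)` and `AtTime(t)` both yield exactly the state that existed at that point, which is what a point-in-time `ops replay` needs when a cache has to be rebuilt or compared against.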

@l50 l50 merged commit c68c69e into main May 13, 2026
16 checks passed
@l50 l50 deleted the feat/krbtgt-extract-impacket-recovery branch May 13, 2026 05:00
codecov Bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 76.59690% with 2583 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.93%. Comparing base (f59bb9e) to head (60ac391).
⚠️ Report is 4 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...i/src/orchestrator/automation/adcs_exploitation.rs | 34.25% | 332 Missing ⚠️ |
| ares-cli/src/ops/loot/format/display.rs | 2.27% | 172 Missing ⚠️ |
| ...i/src/orchestrator/automation/credential_access.rs | 0.00% | 165 Missing ⚠️ |
| ares-cli/src/orchestrator/automation/adcs.rs | 73.41% | 155 Missing ⚠️ |
| ...li/src/orchestrator/automation/mssql_link_pivot.rs | 63.68% | 146 Missing ⚠️ |
| ...s-cli/src/orchestrator/automation/golden_ticket.rs | 0.00% | 144 Missing ⚠️ |
| .../src/orchestrator/automation/mssql_exploitation.rs | 63.58% | 122 Missing ⚠️ |
| ...s-cli/src/orchestrator/automation/acl_discovery.rs | 81.94% | 100 Missing ⚠️ |
| ...i/src/orchestrator/automation/group_enumeration.rs | 78.85% | 89 Missing ⚠️ |
| ...i/src/orchestrator/automation/cross_forest_enum.rs | 85.42% | 86 Missing ⚠️ |
| ... and 27 more | | |

@@            Coverage Diff             @@
##             main     #295      +/-   ##
==========================================
+ Coverage   75.85%   75.93%   +0.07%     
==========================================
  Files         392      439      +47     
  Lines       85859   116114   +30255     
==========================================
+ Hits        65131    88166   +23035     
- Misses      20728    27948    +7220     
| Files with missing lines | Coverage Δ |
|---|---|
| ares-cli/src/dedup/credentials.rs | 99.42% <100.00%> (+<0.01%) ⬆️ |
| ares-cli/src/dedup/domains.rs | 96.15% <100.00%> (-0.47%) ⬇️ |
| ares-cli/src/dedup/hashes.rs | 100.00% <100.00%> (ø) |
| ares-cli/src/dedup/mod.rs | 100.00% <100.00%> (ø) |
| ares-cli/src/dedup/tests.rs | 100.00% <100.00%> (ø) |
| ares-cli/src/dedup/users.rs | 97.72% <100.00%> (+0.01%) ⬆️ |
| ares-cli/src/detection/playbook.rs | 96.05% <100.00%> (+0.07%) ⬆️ |
| ares-cli/src/detection/queries.rs | 98.83% <100.00%> (+0.03%) ⬆️ |
| ares-cli/src/detection/techniques/tests.rs | 100.00% <100.00%> (ø) |
| ares-cli/src/ops/loot/format/report_filter.rs | 99.23% <100.00%> (+0.02%) ⬆️ |
| ... and 204 more | |