ADJelly is an Active Directory enumeration and exploitation tool.
Choose the module that suits you best.
Go to the adjelly directory and install it with the following commands. ADJelly requires root privileges, hence pip is run as root.
(An alternative could be creating a venv.)

    cd adjelly
    sudo pip install .

Run the install.sh script as root to install all necessary tools (nmap, crackmapexec, etc.):

    chmod +x install.sh
    sudo ./install.sh

The script also creates directories with default enumeration lists and scripts in the /opt directory.
Show the list of available modules by running the adjelly command:

    Usage: adjelly [OPTIONS] COMMAND [ARGS]...

      ADJelly is an Active Directory enumeration and exploitation tool.

    Options:
      --help  Show this message and exit.

    Commands:
      cert         Checks for AD CS vulnerabilities and tries to exploit them.
      clean        Restores previous time settings and /etc/hosts file contents.
      dns          Performs DNS enumeration.
      fullscan     Tries to exploit all available AD attack paths.
      krb_init     Performs Kerberos attacks that do not require creds.
      krb_lateral  Performs Kerberos attacks focused on lateral movement.
      krb_spray    Performs AS-REP roast and password spray attack.
      ldap         Performs LDAP enumeration.
      smb          Performs SMB enumeration and exploitation.
      synchronize  Synchronizes time with NTP server.

The fullscan command enumerates and exploits all attack paths that ADJelly has to offer.

    Usage: adjelly fullscan [OPTIONS]

      Tries to exploit all available AD attack paths.

    Options:
      -i, --dc-ip TEXT     Domain Controller IP address  [required]
      -u, --username TEXT  Username to authenticate as
      -p, --password TEXT  User password
      -d, --domain TEXT    Domain name
      -dc, --dcname TEXT   DC name in <dc_name>.<domain> format
      --meta               If set, the program tries to retrieve users from files'
                           metadata
      --spray-pass TEXT    Password to spray with.
      --enum-list TEXT     Full path to the list of users used for user
                           enumeration.
      --crack-list TEXT    Full path to the list of passwords used for cracking.
                           Default: rockyou.txt
      --no-crack           If specified, the tool will not try to crack hashes.
      -a, --altname TEXT   Specifies the username for certificate request. If not
                           provided, default to 'admin'.
      --help               Show this message and exit.

Performs SMB enumeration and exploitation.
If no credentials are provided, ADJelly tries an anonymous SMB session.

    Usage: adjelly smb [OPTIONS]

      Performs SMB enumeration and exploitation.

    Options:
      -i, --dc-ip TEXT     Domain Controller IP address  [required]
      -u, --username TEXT  Username to authenticate as
      -p, --password TEXT  User password
      -d, --domain TEXT    Domain name  [required]
      --meta               If set, the program tries to retrieve users from files'
                           metadata
      --help               Show this message and exit.

Performs LDAP enumeration.
If no credentials are provided, ADJelly tries an unauthenticated LDAP bind.

    Usage: adjelly ldap [OPTIONS]

      Performs LDAP enumeration.

    Options:
      -i, --dc-ip TEXT     Domain Controller IP address  [required]
      -d, --domain TEXT    Domain name
      -u, --username TEXT  Username to authenticate as
      -p, --password TEXT  User password
      --help               Show this message and exit.

Performs DNS enumeration.

    Usage: adjelly dns [OPTIONS]

      Performs DNS enumeration.

    Options:
      -i, --dc-ip TEXT   Domain Controller IP address  [required]
      -d, --domain TEXT  Domain name  [required]
      --help             Show this message and exit.

Performs Kerberos attacks that do not require creds.

    Usage: adjelly krb_init [OPTIONS]

      Performs Kerberos attacks that do not require creds.

    Options:
      -i, --dc-ip TEXT       Domain Controller IP address  [required]
      -d, --domain TEXT      Domain name  [required]
      -p, --spray-pass TEXT  Password to spray with.
      --enum-list TEXT       Full path to the list of users used for user
                             enumeration.
      --crack-list TEXT      Full path to the list of passwords used for cracking.
                             Default: rockyou.txt
      --no-crack             If specified, the tool will not try to crack hashes.
      --help                 Show this message and exit.

Performs AS-REP roast and password spraying attack.

    Usage: adjelly krb_spray [OPTIONS]

      Performs AS-REP roast and password spray attack.

    Options:
      -i, --dc-ip TEXT       Domain Controller IP address  [required]
      -d, --domain TEXT      Domain name  [required]
      -p, --spray-pass TEXT  Password to spray with.
      --userlist TEXT        Full path to the list of users used for as-rep roast
                             and password spray.  [required]
      --crack-list TEXT      Full path to the list of passwords used for cracking.
                             Default: rockyou.txt
      --no-crack             If specified, the tool will not try to crack hashes.
      --help                 Show this message and exit.

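On the domain controller, a Kerberos password spray and an AS-REP roast of the kind krb_spray performs leave two recognisable patterns in the Security log: pre-authentication failures (event 4771, failure code 0x18) from one client across many accounts, and TGTs issued with pre-authentication type 0 (event 4768). The following detection sketch is an added example, not part of ADJelly; the records, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), reduced to the fields used here:
# (time, event_id, client_ip, account, code)
#   4771: code = failure code (0x18 = wrong password)
#   4768: code = pre-authentication type (0 = none required)
SAMPLE = [
    ("2024-05-01T10:00:01", 4771, "10.0.0.50", "alice", 0x18),
    ("2024-05-01T10:00:02", 4771, "10.0.0.50", "bob", 0x18),
    ("2024-05-01T10:00:03", 4771, "10.0.0.50", "carol", 0x18),
    ("2024-05-01T10:00:04", 4771, "10.0.0.50", "dave", 0x18),
    ("2024-05-01T10:00:05", 4768, "10.0.0.50", "svc_legacy", 0),
    ("2024-05-01T10:07:00", 4771, "10.0.0.21", "erin", 0x18),
    ("2024-05-01T10:07:30", 4771, "10.0.0.21", "erin", 0x18),
    ("2024-05-01T10:09:00", 4768, "10.0.0.21", "erin", 2),
]

def spray_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {client_ip: accounts} for clients that failed pre-authentication
    for at least min_accounts distinct accounts inside a sliding time window."""
    by_ip = defaultdict(list)
    for ts, event_id, ip, account, code in events:
        if event_id == 4771 and code == 0x18:
            by_ip[ip].append((datetime.fromisoformat(ts), account))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts | set(hits.get(ip, [])))
    return hits

def no_preauth_tgts(events):
    """Return accounts that were issued a TGT without pre-authentication."""
    return sorted({acct for _, eid, _, acct, code in events
                   if eid == 4768 and code == 0})
```

Accounts returned by `no_preauth_tgts` are candidates for re-enabling Kerberos pre-authentication; a repeated wrong password on a single account (erin in the sample) does not count as a spray.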
Performs Kerberos attacks focused on lateral movement.

    Usage: adjelly krb_lateral [OPTIONS]

      Performs Kerberos attacks focused on lateral movement.

    Options:
      -i, --dc-ip TEXT     Domain Controller IP address  [required]
      -u, --username TEXT  Username to authenticate as  [required]
      -p, --password TEXT  User password  [required]
      -d, --domain TEXT    Domain name  [required]
      -a, --altname TEXT   Username for ticket creation. If not provided, default
                           to 'admin'
      --no-crack           If specified, the tool will not try to crack hashes.
      --help               Show this message and exit.

Checks for AD CS vulnerabilities and tries to exploit them (right now only the ESC1 vulnerability is exploited when found).

    Usage: adjelly cert [OPTIONS]

      Checks for AD CS vulnerabilities and tries to exploit them.

    Options:
      -i, --dc-ip TEXT     Domain Controller IP address  [required]
      -u, --username TEXT  Username to authenticate as  [required]
      -p, --password TEXT  User password  [required]
      -d, --domain TEXT    Domain name  [required]
      -dc, --dcname TEXT   DC name in <dc_name>.<domain> format
      -a, --altname TEXT   Specifies the username for certificate request. If not
                           provided, default to 'admin'.
      --help               Show this message and exit.

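ESC1 is the AD CS misconfiguration in which a certificate template lets a low-privileged requester supply the subject name of an authentication certificate. The following audit check is an added example, not ADJelly's own code: it evaluates the publicly documented ESC1 preconditions over template records. The records are constructed, and `enroll_principals` is a hypothetical field standing for the names already resolved from the template's ACL.

```python
# Bit values and attribute names follow Microsoft's certificate template
# schema; the template records below are constructed samples.
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

def tpl(name, name_flag, enroll_flag, ra_sig, ekus, principals):
    """Build one template record (enroll_principals is a hypothetical field)."""
    return {"name": name, "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": enroll_flag, "msPKI-RA-Signature": ra_sig,
            "pKIExtendedKeyUsage": ekus, "enroll_principals": principals}

CLIENT_AUTH, SERVER_AUTH = "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"
SAMPLE_TEMPLATES = [  # constructed, not taken from a real CA
    tpl("UserSAN", 0x1, 0x0, 0, [CLIENT_AUTH], ["Domain Users"]),
    tpl("UserSAN-Approval", 0x1, 0x2, 0, [CLIENT_AUTH], ["Domain Users"]),
    tpl("WebServer", 0x1, 0x0, 0, [SERVER_AUTH], ["Domain Admins"]),
    tpl("User", 0x82000000, 0x0, 0, [CLIENT_AUTH], ["Domain Users"]),
]

def esc1_conditions(t):
    """Evaluate each ESC1 precondition for one template record."""
    ekus = set(t["pKIExtendedKeyUsage"])
    return {
        "requester_supplies_subject":
            bool(t["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval":
            not t["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS,
        "no_authorized_signature": t["msPKI-RA-Signature"] == 0,
        # An empty EKU list places no restriction on certificate usage.
        "usable_for_authentication": not ekus or bool(ekus & AUTH_EKUS),
        "low_priv_can_enroll": bool(LOW_PRIV & set(t["enroll_principals"])),
    }

def exposed_templates(templates):
    """Names of templates for which every ESC1 precondition holds."""
    return [t["name"] for t in templates if all(esc1_conditions(t).values())]
```

Breaking any one condition removes the exposure: clear the supplies-subject flag, require manager approval, or restrict enrollment rights to the principals that need the template.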