Mike edited this page Oct 16, 2019 · 2 revisions

ActiveReign, code name AR3, is a network enumeration and attack toolset designed for use on Windows Active Directory environments. It makes use of built-in Windows components to make enumerating large environments easier, all while keeping stealth in mind.

AR3 relies on the famous Impacket library and builds on the brilliant concepts found in CrackMapExec. Throughout building this tool there have been many intended and unintended contributors. For a complete list, check out the README in the project repo.

AR3 operational modes:

  • enum - Users can enumerate target system(s) using provided credentials, or an SMB null session if no credentials are provided. By default, only OS information is displayed. However, further information can be extracted using built-in functionality and additional modules, controlled by the command-line arguments.

    One of the most difficult parts of dropping into a new network is mapping the environment. To help this transition, AR3 uses LDAP queries to extract target systems from Active Directory. This is often a great starting point and can help gain situational awareness.

  • spray - Whether for an initial set of credentials or for privilege escalation, AR3 can perform password spraying against hosts using local or domain authentication through various methods. Additionally, the tool's domain password spray functionality can extract target users from Active Directory using LDAP queries and compare them against the domain's threshold to prevent lockouts.

  • shell - Uses the user-defined, or default, execution method to spawn a simulated shell on the target system. Keeps track of the working directory for easy navigation and offers enhanced features such as file upload and download capabilities.

  • query - This allows users to enumerate a domain, users, groups, group members, hosts, trust relationships, and more through specialized LDAP queries. Users also have the ability to execute custom queries and extract additional attributes.

  • db - Using the AR3 database, testers can interact with the data to view, analyze, and plan their next attack path. In addition to showing domain relationships and network access, the data is constantly updated and extracted for use in various AR3 operations.
