Home

Awesome

adPEAS

adPEAS is a Powershell tool to automate Active Directory enumeration. In fact, adPEAS is like a wrapper for different other cool projects like

As said, adPEAS is a wrapper for other tools. They are almost all written in pure Powershell but some of them are included as compressed binary blob or C# code.

adPEAS-Light is a version without Bloodhound and it is more likely that it will not blocked by an AV solution.

How It Works

adPEAS can be run simply by starting the script via invoke-adPEAS if it is started on a domain joined computer. If the system you are running adPEAS from is not domain joined or you want to enumerate another domain, use a certain domain controller to connect to, use different credentials or just to enumerate for credential exposure only, you can do it by using defined parameters.

adPEAS Modules

adPEAS consists of the following enumeration modules:

Important Note about the BloodHound Module

Some How To Use Examples

Simple usage with generic program parameters

First you have to load adPEAS in Powershell...

Import-Module .\adPEAS.ps1

or

. .\adPEAS.ps1

or

gc -raw .\adPEAS.ps1 | iex

or

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/61106960/adPEAS/main/adPEAS.ps1')

Start adPEAS with all enumeration modules and enumerate the domain the logged-on user and computer is connected to.

Invoke-adPEAS

Start adPEAS with all enumeration modules and enumerate the domain 'contoso.com'. In addition it writes all output without any ANSI color codes to a file.

Invoke-adPEAS -Domain 'contoso.com' -Outputfile 'C:\temp\adPEAS_outputfile' -NoColor

Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the domain controller 'dc1.contoso.com' for almost all enumeration requests.

Invoke-adPEAS -Domain 'contoso.com' -Server 'dc1.contoso.com'

Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' and use the passed PSCredential object during enumeration.

$SecPassword = ConvertTo-SecureString 'Passw0rd1!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('contoso\johndoe', $SecPassword)
Invoke-adPEAS -Domain 'contoso.com' -Cred $Cred

Start adPEAS with all enumeration modules, enumerate the domain 'contoso.com' by using the domain controller 'dc1.contoso.com' and use the username 'contoso\johndoe' with password 'Passw0rd1!' during enumeration. If, due to DNS issues Active Directory detection fails, the switch -Force forces adPEAS to ignore those issues and try to get still as much information as possible.

Invoke-adPEAS -Domain 'contoso.com' -Server 'dc1.contoso.com' -Username 'contoso\johndoe' -Password 'Passw0rd1!' -Force

Usage with a single enumeration module

All modules below can be combined with all generic program parameters explained above.

Enumerates basic Active Directory information, like Domain Controllers, Password Policy, Sites and Subnets and Trusts.

Invoke-adPEAS -Module Domain

Enumerates specific Active Directory rights and permissions, like LAPS, DCSync and adding computer to domain.

Invoke-adPEAS -Module Rights

Enumerates basic GPO information, like set local group membership on domain computer.

Invoke-adPEAS -Module GPO

Enumerates basic Active Directory Certificate Services information, like CA Name, CA Server and common Template vulnerabilities.

Invoke-adPEAS -Module ADCS

Enumerates credential exposure issues, like ASREPRoast, Kerberoasting, Linux/Unix password attributes, gMSA, LAPS (if your account has the rights to read it), Group Policies, Netlogon scripts.

Invoke-adPEAS -Module Creds

Enumerates delegation issues, like 'Unconstrained Delegation', 'Constrained Delegation', 'Resource Based Constrained Delegation' for user and computer objects.

Invoke-adPEAS -Module Delegation

Enumerates users in high privileged groups which are NOT disabled, like Administrators, Domain Admins, Enterprise Admins, Group Policy Creators, DNS Admins, Account Operators, Server Operators, Printer Operators, Backup Operators, Hyper-V Admins, Remote Management Users und CERT Publishers.

Invoke-adPEAS -Module Accounts

Enumerates installed Domain Controllers, Active Directory Certificate Services, Exchange Server and outdated OS versions like Windows Server 2008R2.

Invoke-adPEAS -Module Computer

Starts Bloodhound enumeration with the scope DCOnly. Output ZIP files are stored in the same directory adPEAS is started from. The implemented SharpHound ingestor supports BloodHound Community Edition only.

Invoke-adPEAS -Module Bloodhound

Starts Bloodhound enumeration with the scope All. With this option the SharpHound collector will contact each member computer of the domain. Output ZIP files are stored in the same directory adPEAS is started from.

Invoke-adPEAS -Module Bloodhound -Scope All

Special thanks go to...