ADE

ADE is a Python package and CLI that automates Active Directory (AD) enumeration in lab environments, helping users on Hack The Box, Hack Smarter, TryHackMe, Proving Grounds, or exams like OSCP and CPTS streamline initial AD recon.

Examples

  • No Credentials Provided
  • Credentials Provided
  • Kerberos

Installation

Install from the current checkout with pip, pipx, or uv pip:

git clone https://github.com/trewwwsec/ade.git
cd ade
python -m pip install .

Install as an isolated CLI app with pipx:

git clone https://github.com/trewwwsec/ade.git
cd ade
pipx install .

Install into a uv-managed virtual environment:

git clone https://github.com/trewwwsec/ade.git
cd ade
uv venv .venv
source .venv/bin/activate
uv pip install .

Note

ADE configures uv pip to use link-mode = "copy" so installs stay quiet on cross-filesystem setups like Docker bind mounts and lab containers.

Install as a standalone CLI with uv tool:

git clone https://github.com/trewwwsec/ade.git
cd ade
uv tool install --link-mode copy .

Use the helper installer if you want ADE plus the external toolchain:

git clone https://github.com/trewwwsec/ade.git
cd ade
./install.sh

Dependencies

The dependencies for ADE are certipy-ad, netexec, bloodhound-ce, bloodyAD, and Impacket.

Key Features

Initial Discovery & Host Setup

  • Target Alive Checks: Pings the target with nmap before starting to ensure the IP is correct and the host is online.
  • /etc/hosts Management: Discovers the target's FQDN and domain, then maps them in /etc/hosts for name resolution.
  • Credential Validation: Checks if supplied credentials are valid before launching deeper scans to avoid failed authenticated runs.
  • User & Description Enumeration: Collects sAMAccountName and description attributes via LDAP, and uses SMB-based RID cycling as a fallback to find accounts that LDAP queries might not return.

Initial Access & Credential Attacks

  • User Spraying: If run without credentials, it attempts user:user logins for all discovered accounts.
  • AS-REP Roasting: Uses the generated users.txt to find accounts vulnerable to offline password cracking.
  • Kerberoasting: Searches for service accounts and requests their tickets, providing hashes to crack offline.
  • Auto-Kerberos Switching: Detects if Kerberos is required. If NTLM is unsupported, ADE enables Kerberos mode and restarts the workflow.
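
What the spraying, AS-REP roasting and Kerberoasting steps above look like from the domain controller's Security log, as an added detection sketch that is not part of ADE. The sample events are constructed, the field names follow the Windows event XML for 4625/4768/4769/4771, and the thresholds and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(eid, ts, ip, user, **extra):
    """One constructed event using Windows Security log field names."""
    return {"EventID": eid, "Time": datetime.fromisoformat(ts),
            "IpAddress": ip, "TargetUserName": user, **extra}

# Constructed sample data: 4771/4625 = failed logon, 4768 = TGT request,
# 4769 = service ticket request. 10.10.14.5 is a made-up scanning host.
SAMPLE = [
    ev(4771, "2024-05-01T10:00:01", "10.10.14.5", "alice"),
    ev(4771, "2024-05-01T10:00:02", "10.10.14.5", "bob"),
    ev(4625, "2024-05-01T10:00:03", "10.10.14.5", "carol"),
    ev(4771, "2024-05-01T10:00:04", "10.10.14.5", "dave"),
    ev(4771, "2024-05-01T11:30:00", "10.0.0.21", "erin"),  # lone typo, not a spray
    ev(4768, "2024-05-01T10:01:00", "10.10.14.5", "svc_backup", PreAuthType="0"),
    ev(4768, "2024-05-01T10:01:05", "10.0.0.21", "erin", PreAuthType="2"),
    ev(4769, "2024-05-01T10:02:00", "10.10.14.5", "dave", ServiceName="svc_sql", TicketEncryptionType="0x17"),
    ev(4769, "2024-05-01T10:02:01", "10.10.14.5", "dave", ServiceName="svc_web", TicketEncryptionType="0x17"),
    ev(4769, "2024-05-01T10:02:02", "10.10.14.5", "dave", ServiceName="svc_iis", TicketEncryptionType="0x17"),
    ev(4769, "2024-05-01T10:05:00", "10.0.0.21", "erin", ServiceName="FILE01$", TicketEncryptionType="0x12"),
]

def burst(events, key, value, min_distinct, window):
    """Map each `key` to the distinct `value`s it touched once min_distinct fall in one window."""
    recent, hits = defaultdict(list), {}
    for e in sorted(events, key=lambda e: e["Time"]):
        q = recent[e[key]]
        q.append(e)
        while e["Time"] - q[0]["Time"] > window:  # slide the window forward
            q.pop(0)
        distinct = {x[value] for x in q}
        if len(distinct) >= min_distinct:
            hits.setdefault(e[key], set()).update(distinct)
    return hits

def detect(events, min_users=4, min_services=3, window=timedelta(minutes=5)):
    fails = [e for e in events if e["EventID"] in (4625, 4771)]
    # PreAuthType 0 on a 4768 means a TGT was issued without pre-authentication.
    no_preauth = [e for e in events if e["EventID"] == 4768 and e.get("PreAuthType") == "0"]
    # 0x17 is RC4-HMAC; skip machine accounts ($) and krbtgt to cut noise.
    rc4 = [e for e in events if e["EventID"] == 4769 and e.get("TicketEncryptionType") == "0x17"
           and not e["ServiceName"].endswith("$") and e["ServiceName"] != "krbtgt"]
    return {"spray": burst(fails, "IpAddress", "TargetUserName", min_users, window),
            "asrep": sorted({e["TargetUserName"] for e in no_preauth}),
            "kerberoast": burst(rc4, "TargetUserName", "ServiceName", min_services, window)}

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Accounts reported under "asrep" are candidates for re-enabling Kerberos pre-authentication, and service accounts reported under "kerberoast" are candidates for long random passwords and AES-only encryption types.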

Post-Authentication Enumeration

  • Kerberos Ticket Management: Gets a Kerberos ticket, saves it as a .ccache file you can reuse, and tells you the command to connect to SMB using that ticket.
  • SMB Share Enumeration: Enumerates SMB shares on the target, attempts access with anonymous/guest or supplied credentials, and reports access permissions (e.g., READ, WRITE).
  • Intelligent Retries: Automatically retries SMB checks when they fail to ensure more reliable results.
  • BloodHound Collection: Executes the BloodHound data collector, automatically retrying on failure, and outputs a ZIP that can be imported into BloodHound.
  • Permission Checks: Scans Active Directory with bloodyAD to find items your credentials can change (like user accounts or groups).
  • ADCS Checks: Probes for Active Directory Certificate Services and then uses Certipy to find misconfigured templates that allow for privilege escalation.

Usage

Tip

Wait at least 5 minutes after starting your lab before running the script, so that nxc --shares works; some labs take longer to start up.

Without credentials (anonymous/guest checks):

ade -r <box-ip>

With credentials (authenticated checks):

ade -r <box-ip> -u <user> -p <password> 

Write loot into a specific output directory:

ade -r <box-ip> -o <output-dir>

Run only selected modules:

ade -r <box-ip> --modules smb,asrep

Skip selected modules:

ade -r <box-ip> --skip bloodhound,adcs

Current module names:

discovery, creds, ldap, smb, asrep, kerberoast, bloodhound, bloodyad, adcs

Notes:

  • --modules is exact. ADE only runs the modules you name.
  • Some modules require prerequisites. For example, asrep needs a domain, and kerberoast / bloodhound / bloodyad / adcs need credentials plus discovered or supplied domain/FQDN context.
  • The output directory is resolved at startup but created only when ADE actually writes the first artifact.

Development / Testing

Run the package directly from the checkout with uv:

uv run python -m ade -r <box-ip>

Run the test suite with uv:

uv run python tests/test_ade.py

Thank You

Schlop made the script that installs ADE.


Note

If you have any issues or requests, reach out on Discord (Blue Pho3nix).


Roadmap

  • Add AS-REP roastable accounts to request SPNs without authentication.
