Vibe
Vibe is a tool designed to preform post-ex lateral movement techniques while remaining undetected by network detection tools including Threat Hunting appliances. Vibe works by pulling down all information about a domain, allowing users to perform the same domain net commands offline.
Vibe also enumerates additional information that is not typically shown in these queries. Vibe also provides the ability to scan systems to see what shares are available and what privileges the account used, has access to. Vibe also provides the ability to enumerate user’s currently logged into systems, as well as, who has been logged in, while remaining undetected.
Installation
Vibe was developed with Python version 2.7
Tested and supported on Kali Linux and Ubuntu.
Vibe uses the following external dependencies:
- python-ldap
- ldap3
- pandas
- tabulate
- impacket
- netaddr
To install run following commands:
sudo apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev pip install -r requirements.txt
Usage
./vibe.py -husage: main [-h] -U username -P password -D domain -I IP [-o] [-r] [-p PORT][-u]optional arguments:-h, --help show this help message and exit-U username, --username usernameUsername-P password, --password passwordPassword-D domain, --domain domainFully Qualified Domain Name-I IP, --ip IP IP address of Domain Controller-o, --offline Offline Mode-r, --remove Remove Database-p PORT, --port PORT Specify a specific port to connect on (default is 636)-u, --unencrypted Specify a specific for unencrypted mode (if LDAPS isnot available)
[email protected]:~/# ./vibe.py -U admin -P Password! -D STARLABS.local -I 172.16.144.185___ ___ ___ ________ _______|\ \ / /||\ \ |\ __ \ |\ ____\\ \ \ / / /\ \ \ \ \ \|\ /_ \ \ \_____\ \ \/ / / \ \ \ \ \ __ \ \ \ ____\\ \ / / \ \ \ \ \ \|\ \ \ \ \____\ \__/ / \ \__\ \ \_______\ \ \______\\|__|/ \|__| \|_______| \|______|(@Tyl0us)[+] Credentials Valid, Generating Database[+] Table 1/4 : Generating Group Table[+] Table 2/4 : Generating User Table[+] Table 3/4 : Generating Computer Table[+] Table 4/4 : Generating Password Policy Table[+] Sucessful Database Created0.434292078018>>helpCommands========clear Clears the screenhelp Displays this help menulist Lists either all Users, Computers, or Groups. Use the -f option to pipe the contents to a filesession Scans target(s) to see who has/is currently logged in. Can take a list or range of hosts, using -t/--target and specify a user using -d/--domain, -u/--user, -p/--password and --jitter/-j to add a delay. Requires: read/write privileges on either Admin$ or C$ sharenet Perform a query to view all information pertaining to a specific user, group, or computer (Similar to the Windows net user, net group commands). example: 'net group Domain Admins'columns Displays the column names in each of the three major tables (users, groups and computersquery Executes a query on the contents of tablessearch Searches for a key word(s) through every field of every table for any matches, displaying rowshare_hunter Scans target(s) enumerating the shares on the target(s) and the level of access the specified user, using -d/--domain, -u/--user, -p/--password. Can take a list or range of hosts, using -t/--target and --jitter/-j to add a delayshow Shows the contents of Users, Computers, Credentials, Groups, Password policy, Store, Credentials, Files Servers and Access tablesstore Displays the contents of a specific table. Example: 'show [table “” not found /]
(access, creds, computers, file servers, pwdpolicy, users)export Export the contents of the database to a path in one of the following formats: CSV, HTML. (using with -f or --filetype)exit Exit Vibe>>
Domain Information Quering
The show command displays the contents of a table, specific information across all tables or the available modules, using the following syntax:
>>show users+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| Username | Home Directory | SID | Password Last Set | Last Logged On | Account Settings | Member Of |+================+========================+=======+=====================+=====================+====================+========================================+| Administrator | | 500 | 2017-11-28 16:40:56 | 2017-11-28 16:35:48 | DONT_EXPIRE_PASSWD | Domain Users || | | | | | NORMAL_ACCOUNT | WseInvisibleToDashboard || | | | | | ACCOUNT_DISABLED | Group Policy Creator Owners || | | | | | | Domain Admins || | | | | | | Enterprise Admins || | | | | | | Schema Admins || | | | | | | Administrators |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| Guest | | 501 | 1600-12-31 19:03:58 | 1600-12-31 19:03:58 | DONT_EXPIRE_PASSWD | Domain Guests || | | | | | PASSWD_NOTREQD | Guests || | | | | | NORMAL_ACCOUNT | || | | | | | ACCOUNT_DISABLED | |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| DefaultAccount | | 503 | 1600-12-31 19:03:58 | 1600-12-31 19:03:58 | DONT_EXPIRE_PASSWD | Domain Users || | | | | | PASSWD_NOTREQD | System Managed Accounts Group || | | | | | NORMAL_ACCOUNT | || | | | | | ACCOUNT_DISABLED | |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| Admin | | 1000 | 2017-11-28 16:40:24 | 2018-08-24 13:01:20 | DONT_EXPIRE_PASSWD | Domain Users || | | | | | NORMAL_ACCOUNT | Domain Admins || | | | | | | Administrators |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| krbtgt | | 502 | 2017-11-28 16:44:43 | 1600-12-31 19:03:58 | NORMAL_ACCOUNT | Domain Users || | | | | | ACCOUNT_DISABLED | Denied RODC Password Replication Group |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| ballen | \\\\SLServer01\\ballen | 1123 | 2017-11-28 17:40:08 | 2018-08-09 17:56:50 | DONT_EXPIRE_PASSWD | Domain Users || | | | | | NORMAL_ACCOUNT | SL_R&D || | | | | | | SL_Scientist |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| cramon | \\\\SLFS02\\cramon | 1125 | 2018-05-29 13:07:32 | 2018-08-23 21:47:26 | NORMAL_ACCOUNT | Domain Users || | | | | | | SL_R&D || | | | | | | SL_HelpDesk || | | | | | | Domain Admins || | | | | | | Enterprise Admins |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| hwells | | 1126 | 2017-11-28 17:51:51 | 2018-08-23 21:46:21 | DONT_EXPIRE_PASSWD | Domain Users || | | | | | NORMAL_ACCOUNT | SLServ01_Admin || | | | | | | SL_R&D |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| ssmith | | 2104 | 2018-08-09 20:54:14 | 2018-08-09 20:47:47 | NORMAL_ACCOUNT | Domain Users || | | | | | | SL_HR |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| csnow | \\\\SLFS01\\csnow | 2105 | 2018-08-09 19:35:05 | 2018-08-23 20:53:35 | NORMAL_ACCOUNT | Domain Users || | | | | | | SL_R&D || | | | | | | SL_Scientist |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| wwest | | 2608 | 2018-08-09 20:58:39 | 1600-12-31 19:03:58 | NORMAL_ACCOUNT | Domain Users |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+| iwallen | | 2610 | 2018-05-16 22:49:37 | 1600-12-31 19:03:58 | NORMAL_ACCOUNT | Domain Users |+----------------+------------------------+-------+---------------------+---------------------+--------------------+----------------------------------------+
There are several different options that can be used with the show command includiong:
- access
- computers
- creds
- fgpolicy (only accessible if an account that has admin access to the domain contoller is used, on inital start up)
- file servers
- groups
- pwdpolicy
- store
- users
Search
The search <key word(s)> command looks for a key word(s) through every field of every table for any matches, displaying all the information about that object it was discovered in.
>>search SLServerGroups---------+----------------+-------+-------------------------------+-------------+------------+| Name | SID | Description | Member Of | Members |+================+=======+===============================+=============+============+| SLServ01_Admin | 2609 | Admin Group for SLServer01... | | SLSERVER01 || | | | | hwells |+----------------+-------+-------------------------------+-------------+------------+Users---------+------------+---------------+------------------------+-------+----------------------+---------------------+---------------------+--------------------+--------------+| Username | Description | Home Directory | SID | Profile Path | Password Last Set | Last Logged On | Account Settings | Member Of |+============+===============+========================+=======+======================+=====================+=====================+====================+==============+| ballen | CEO... | \\\\SLServer01\\ballen | 1123 | \\SLServer01\\ballen | 2017-11-28 17:40:08 | 2018-08-09 17:56:50 | DONT_EXPIRE_PASSWD | Domain Users || | | | | | | | NORMAL_ACCOUNT | SL_R&D || | | | | | | | | SL_Scientist |+------------+---------------+------------------------+-------+----------------------+---------------------+---------------------+--------------------+--------------+Computers---------+------------+---------------+--------------------------------+-----------------------------------+----------------+| Name | Description | Operating System | Operating System Version Number | Member Of |+============+===============+================================+===================================+================+| SLSERVER01 | | Windows Server 2016 Essentials | 10.0 (14393) | SLServ01_Admin |+------------+---------------+--------------------------------+-----------------------------------+----------------+>>
