feat: add comprehensive automation modules for AD and Windows exploitation #233

Open: l50 wants to merge 79 commits into main from feat/more-attack-cov

@l50 (Contributor) commented Apr 23, 2026

Key Changes:

  • Introduced 33 new automation modules for AD exploitation, lateral movement,
    coercion, and enumeration in ares-cli
  • Integrated all new modules into the automation spawner and deduplication system
  • Updated the strategy engine to tier and prioritize new techniques in all modes
  • Improved GOAD checklist and fixed worker tool environment for noPac

Added:

  • 33 automation modules for advanced exploitation and recon:
    • Exploitation: nopac (CVE-2021-42287/42278), zerologon, print_nightmare,
      krbrelayup, certifried (CVE-2022-26923), dacl_abuse
    • Relay & Coercion: ntlm_relay, share_coercion, mssql_coercion,
      dfs_coercion, petitpotam_unauth, searchconnector_coercion
    • Enumeration & Recon: password_policy, gpp_sysvol, ntlmv1_downgrade,
      ldap_signing, webdav_detection, spooler_check, machine_account_quota,
      group_enumeration, localuser_spray, sid_enumeration, dns_enum,
      domain_user_enum, foreign_group_enum, smb_signing, smbclient_enum
    • Lateral movement: winrm_lateral, rdp_lateral, pth_spray, lsassy_dump
    • Credential: certipy_auth
  • Rust orchestration glue for all new modules: registration, dedup keys, and
    public exports in automation/mod.rs and dedup constants in state/mod.rs
  • Automated integration tests and dedup key format checks for each module
  • Worker tool enhancement: ensured setuptools is installed in noPac venv
    for pkg_resources import

Changed:

  • Automation spawner (automation_spawner.rs): registered all new modules to be
    spawned and monitored automatically
  • Deduplication system (state/mod.rs, state/inner.rs): added dedup constants
    and test coverage for all new modules, ensuring idempotency and correct state
  • Strategy engine (strategy.rs):
    • Assigned priorities for all new techniques in fast, comprehensive, and
      stealth presets, introducing three-tier prioritization for comprehensive mode
    • Updated tests to enforce new tiering and coverage of all techniques
  • GOAD checklist (docs/goad-checklist.md): documented coverage, test
    observations, and module effects for each exploit, enumeration, and privilege
    escalation path

@dreadnode-renovate-bot dreadnode-renovate-bot Bot added the area/docs Changes made to project documentation label Apr 23, 2026

codecov Bot commented Apr 23, 2026

Codecov Report

❌ Patch coverage is 79.48097% with 2459 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.02%. Comparing base (2cb9af0) to head (46a5069).
⚠️ Report is 4 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...i/src/orchestrator/automation/adcs_exploitation.rs | 45.16% | 210 Missing ⚠️ |
| ...i/src/orchestrator/automation/credential_access.rs | 0.00% | 162 Missing ⚠️ |
| ...s-cli/src/orchestrator/automation/golden_ticket.rs | 0.00% | 144 Missing ⚠️ |
| ...li/src/orchestrator/automation/mssql_link_pivot.rs | 45.33% | 129 Missing ⚠️ |
| ...s-cli/src/orchestrator/automation/acl_discovery.rs | 81.86% | 101 Missing ⚠️ |
| ...i/src/orchestrator/automation/group_enumeration.rs | 78.65% | 89 Missing ⚠️ |
| ares-cli/src/orchestrator/automation/adcs.rs | 80.36% | 87 Missing ⚠️ |
| ...i/src/orchestrator/automation/cross_forest_enum.rs | 85.32% | 86 Missing ⚠️ |
| ...rc/orchestrator/automation/credential_expansion.rs | 5.61% | 84 Missing ⚠️ |
| ...res-cli/src/orchestrator/automation/golden_cert.rs | 77.68% | 83 Missing ⚠️ |

... and 32 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #233      +/-   ##
==========================================
- Coverage   76.06%   76.02%   -0.04%     
==========================================
  Files         387      432      +45     
  Lines       84347   109779   +25432     
==========================================
+ Hits        64157    83461   +19304     
- Misses      20190    26318    +6128     
| Files with missing lines | Coverage Δ |
|---|---|
| ares-cli/src/dedup/credentials.rs | 99.42% <100.00%> (+<0.01%) ⬆️ |
| ares-cli/src/dedup/domains.rs | 96.15% <100.00%> (-0.47%) ⬇️ |
| ares-cli/src/dedup/hashes.rs | 100.00% <100.00%> (ø) |
| ares-cli/src/dedup/mod.rs | 100.00% <100.00%> (ø) |
| ares-cli/src/dedup/tests.rs | 100.00% <100.00%> (ø) |
| ares-cli/src/dedup/users.rs | 97.72% <100.00%> (+0.01%) ⬆️ |
| ares-cli/src/detection/techniques/tests.rs | 100.00% <ø> (ø) |
| ares-cli/src/orchestrator/automation/mod.rs | 100.00% <ø> (ø) |
| ...rchestrator/automation/searchconnector_coercion.rs | 85.67% <ø> (ø) |
| ...res-cli/src/orchestrator/automation/secretsdump.rs | 46.26% <ø> (ø) |

... and 174 more

@l50 l50 force-pushed the main branch 2 times, most recently from bda0eaa to 8a7b1b8 Compare April 23, 2026 05:05
@dreadnode-renovate-bot dreadnode-renovate-bot Bot added area/pre-commit Changes made to pre-commit hooks area/templates Changes made to warpgate template configurations labels Apr 23, 2026
@l50 l50 force-pushed the feat/more-attack-cov branch from 2f66c2f to 470eb2b Compare April 29, 2026 23:46
@dreadnode-renovate-bot dreadnode-renovate-bot Bot added the area/github Changes made to GitHub Actions workflows label Apr 29, 2026
@l50 l50 force-pushed the feat/more-attack-cov branch 3 times, most recently from 61cc615 to 9d669c3 Compare April 30, 2026 18:56
l50 added 17 commits April 30, 2026 15:49
)

**Key Changes:**

- Added extensive unit and integration tests across all modules in
ares-cli, ares-core, ares-llm, and ares-tools
- Improved test coverage for pure functions, builder APIs, input
validation, and end-to-end tool workflows
- Introduced mock executor for ares-tools to enable isolated tool
wrapper testing
- Enhanced test assertions to cover edge cases, deduplication, and error
handling

**Added:**

- Unit tests for config, deduplication, label normalization, user and
credential processing, and MITRE technique detection in ares-cli
- Direct tests for time window plumbing, builder logic, and detection
query composition in detection/techniques
- Test modules for orchestrator automation helpers, deduplication keys,
domain/host logic, and parent/child domain matching
- Test coverage for orchestrator state persistence, publishing,
milestones, and redis-backed dedup sets
- Tests for result processing, admin checks, parsing, timeline event
classification, and critical hash detection
- Mock Redis connection and in-memory state for ares-core, including
scan, pipeline, and set/hash/list operations
- End-to-end and unit tests for gap analysis, recommendations, ground
truth transformation, and scoring in ares-core eval modules
- Tests for telemetry propagation (traceparent injection/setting), state
readers/writers, and blue operations in ares-core
- Blue and red/blue correlation tests for technique matching, gap reason
analysis, and coverage calculation
- Default test features for blue team support in ares-core, ares-llm,
and ares-tools
- Unit and integration tests for tool registry logic, agent role
parsing, and blue tool capability assignment in ares-llm
- Test coverage for all tool wrapper functions in ares-tools, including
argument validation, command builder APIs, and output sanitization
- Tests for output parsers, including SMB, LDAP, BloodHound, delegation,
and credential spider logic

**Changed:**

- Refactored code to allow easier dependency injection for testability
(e.g., generic TaskQueueCore over connection type)
- Adjusted some test-only code paths to use #[cfg(test)] or
- Improved test assertions to cover corner cases, deduplication,
ordering, and fallback logic
- Updated test data to use consistent sample IPs, domains, and hostnames
across modules
- Enhanced test performance by using in-memory or tempfile-backed stores
for persistence tests

**Removed:**

- Unused or dead test helper modules (e.g., resume_helper.rs in
orchestrator recovery)
- Redundant #[allow(dead_code)] attributes on enums and structs now
covered by tests
- Legacy or placeholder test code in favor of comprehensive,
behavior-driven test suites

…ogon exploits

**Added:**

- Automated detection and exploitation modules for:
    - noPac (CVE-2021-42287/42278): computer account manipulation to enable DCSync
    - PrintNightmare (CVE-2021-1675): Print Spooler DLL injection for SYSTEM access
    - NTLM relay: automatic orchestration of relay attacks (SMB->LDAP, ADCS ESC8)
    - Zerologon (CVE-2020-1472): Netlogon protocol check for DCs
- New deduplication set constants for each technique to prevent redundant dispatches
- New test coverage for deduplication keys and technique registration

**Changed:**

- Registered new automation tasks in the orchestrator automation module and spawner
- Integrated new deduplication sets into deduplication tracking and tests
- Added new techniques to all strategy weight presets (fast, comprehensive, stealth)
- Updated strategy tests to verify inclusion and correct prioritization of new techniques
- Updated GOAD checklist documentation to reflect dispatch and test status for added CVE exploits

**Added:**

- Introduced `auto_share_coercion` automation to drop coercion files (.scf, .url,
  .lnk) on writable shares for NTLMv2 hash capture; integrates with dispatcher
  and deduplication logic
- Added `auto_smb_signing_detection` automation to scan discovered hosts for SMB
  signing disabled and publish vulnerabilities for NTLM relay
- Registered both automation tasks in the automation spawner for concurrent
  execution
- Included test coverage for deduplication and vulnerability key generation in
  new modules

**Changed:**

- Exported `auto_share_coercion` and `auto_smb_signing_detection` from
  automation module for external use
- Updated attack strategy presets (fast, comprehensive, stealth) to include
  weights for `share_coercion` technique, ensuring prioritized dispatching
- Expanded the GOAD checklist documentation to reflect coverage and results for
  SMB signing and file-based coercion automation, increasing network poisoning &
  relay and user-level/coercion coverage statistics

**Removed:**

- Outdated checklist items and comments for coercion attacks that are now
  automated in `goad-checklist.md`

…, ldap signing, webdav

**Added:**

- Introduced `auto_mssql_coercion` to dispatch NTLM authentication coercion
  from MSSQL servers using xp_dirtree/xp_fileexist, enabling relay/cracking of
  service account hashes
- Added `auto_password_policy` to enumerate password policies per domain,
  supporting safer password spraying and lockout avoidance
- Added `auto_gpp_sysvol` for scanning SYSVOL for Group Policy Preferences
  passwords and credential artifacts, combining GPP XML and script searches
- Added `auto_ntlmv1_downgrade` to detect DCs allowing NTLMv1 authentication,
  enabling capture of easily crackable hashes via downgrade attacks
- Introduced `auto_ldap_signing` to check for LDAP signing/channel binding
  enforcement on each DC, identifying relay/NTLM vulnerabilities
- Added `auto_webdav_detection` to detect WebDAV-enabled hosts for NTLM relay
  and proactively register related vulnerabilities for downstream modules

**Changed:**

- Registered new deduplication sets in state for mssql coercion, password
  policy, gpp sysvol, ntlmv1 downgrade, ldap signing, and webdav detection
- Updated automation module exports and mod.rs to include all new automation
  tasks for orchestration
- Registered new automation spawns in `automation_spawner.rs` to ensure new
  modules are launched at runtime
- Expanded strategy module to assign priorities to new automation techniques
  across all strategy presets (fast, comprehensive, stealth)
- Synchronized deduplication set lists and tests to cover all new dedup sets

…eral checks

**Added:**

- Automated detection and dispatch of Print Spooler service checks on discovered hosts
  (`auto_spooler_check`)
- Automated per-domain MachineAccountQuota (MAQ) checks to support machine account
  attack paths (`auto_machine_account_quota`)
- Automated DFSCoerce (MS-DFSNM) NTLM coercion dispatch against uncoerced DCs
  (`auto_dfs_coercion`)
- Automated unauthenticated PetitPotam (MS-EFSRPC) coercion attempts against DCs
  (`auto_petitpotam_unauth`)
- Automated WinRM lateral movement attempts using owned credentials against hosts
  with WinRM indicators (`auto_winrm_lateral`)
- Unit tests for deduplication key and set name for all new modules

**Changed:**

- Registered new deduplication set constants and integrated them with the dedup
  system (`DEDUP_SPOOLER_CHECK`, `DEDUP_MACHINE_ACCOUNT_QUOTA`,
  `DEDUP_DFS_COERCION`, `DEDUP_PETITPOTAM_UNAUTH`, `DEDUP_WINRM_LATERAL`)
- Updated automation task spawner to launch new automation modules
- Re-exported new automation functions in the automation module for unified API
- Added new techniques to the strategy module with appropriate priority weights
  for fast, comprehensive, and stealth modes
- Updated GOAD checklist documentation to reflect coverage and automation for
  Print Spooler, WinRM lateral, and WebDAV checks, and adjusted statistics for
  privilege escalation, lateral movement, and coercion coverage

**Removed:**

- No removals in this change

…coverage

**Added:**

- Automated certificate abuse: `auto_certifried` module for CVE-2022-26923 machine
  account DNS spoofing and `auto_certipy_auth` for certificate-based authentication
- DNS attack surface: `auto_dns_enum` module for zone transfer and SRV/A/CNAME record
  enumeration from DCs
- LDAP enumeration: `auto_domain_user_enum` for per-domain user enumeration,
  `auto_group_enumeration` for group memberships, and `auto_foreign_group_enum` for
  cross-domain/forest group memberships
- Privilege escalation & credential access: `auto_krbrelayup` for Kerberos relay attacks
  when LDAP signing is weak, `auto_lsassy_dump` for LSASS memory dump on owned hosts
- Lateral movement: `auto_rdp_lateral` for RDP lateral movement to port 3389 hosts,
  `auto_pth_spray` for pass-the-hash spray, and `auto_localuser_spray` for explicit
  localuser credential checks across DCs
- User coercion: `auto_searchconnector_coercion` for dropping .searchConnector-ms files
  on writable shares for WebDAV relay
- SID and well-known account mapping: `auto_sid_enumeration` to resolve domain SIDs and
  enumerate renamed administrator accounts
- Registered all new deduplication sets in orchestrator state and updated dedup
  tracking for each automation
- Comprehensive test coverage for dedup key formats and logic for all new modules

**Changed:**

- Expanded `mod.rs` to include all new automation modules in the orchestrator
- Updated `automation_spawner.rs` to spawn all new automation tasks
- Extended deduplication set arrays and ALL_DEDUP_SETS in orchestrator state to
  include new modules for dedup and persistence
- Updated strategy weights (fast, comprehensive, stealth) to assign priorities to
  new automation techniques, ensuring they're integrated into all operational modes
- Improved documentation checklist to reflect the addition and coverage of new
  automation modules, including credential discovery, lateral movement, coercion, and
  enumeration techniques

**Removed:**

- No removals; all changes extend automation coverage and infrastructure

**Added:**

- Implemented auto_dacl_abuse for direct ACL abuse on known attack paths, dispatching abuses such as ForceChangePassword, GenericWrite, WriteDacl, WriteOwner, and GenericAll when matching credentials and targets are found
- Introduced auto_smbclient_enum to perform authenticated SMB share enumeration using available credentials, complementing unauthenticated enumeration
- Unit tests for deduplication logic in both new modules

**Changed:**

- Registered auto_dacl_abuse and auto_smbclient_enum modules and their public exports in the automation orchestration layer
- Spawned new automation tasks for dacl abuse and smbclient enum in the automation task spawner
- Added deduplication constants and updated ALL_DEDUP_SETS for new automation tasks in state management
- Incorporated dacl_abuse and smbclient_enum into automation strategy weights for all presets (fast, comprehensive, stealth)
- Updated GOAD checklist to reflect new automation coverage, marking Certifried as dispatched and adjusting attack/coverage counts

…tool reliability

- Redesign comprehensive strategy weights to use a three-tiered system that
  prioritizes exploitation breadth over speed-to-DA, with Tier 1 for ADCS,
  delegation, NTLM relay; Tier 2 for credential pipeline; Tier 3 for recon
- Pass --always-continue to coercer and petitpotam to prevent EOF on interactive prompts
- Fix DFSCoerce to use positional args matching CLI expectations
- Add setuptools install to noPac venv in Ansible role (provides pkg_resources)
- Update tests to validate tiered weights instead of flat priorities

…verage

**Added:**

- Introduced `acl_discovery` automation module for discovering ACL attack paths
  via targeted LDAP queries, bridging the gap between BloodHound collection and
  DACL exploitation. Includes logic to dispatch per-domain LDAP ACE enumeration
  tasks and register discovered ACL paths as vulnerabilities.
- Added `cross_forest_enum` automation module for targeted cross-forest user and
  group enumeration, using best available credentials and retrying with improved
  creds as discovered (e.g., via hash cracking or pivots).
- Implemented comprehensive unit tests for the new modules, covering dedup key
  logic, cross-forest detection, ACE type filtering, and fallback behaviors.


- Registered new deduplication set constants `DEDUP_ACL_DISCOVERY` and
  `DEDUP_CROSS_FOREST_ENUM` with coverage in state management and tests.
- Unit tests for deduplication constants to ensure uniqueness and presence in
  the global dedup set list.

**Changed:**

- Refined `auto_adcs_enumeration` to select credentials on a per-domain basis,
  ensuring proper handling of cross-domain ADCS hosts.
- Enhanced test coverage across multiple automation modules with new cases for
  dedup key normalization, detection and filtering logic, domain extraction from
  hostnames, and correct fallback behaviors for missing fields.
- Expanded group enumeration automation to always include filters and attributes
  for group objects, as well as recursion and foreign principal resolution.
- Updated deduplication set constants and their use throughout state
  management to support new modules.
- Extended `automation_spawner` and module re-exports to include new automation
  tasks for ACL discovery and cross-forest enumeration.
- Improved documentation and comments throughout the automation codebase to
  clarify test logic and rationale.

**Removed:**

- Eliminated fallback logic in `auto_adcs_enumeration` that previously selected
  a single credential for all ADCS hosts, in favor of per-domain selection.

**Added:**

- Introduced detailed unit tests for automation modules in the following areas:
  - Validated payload JSON structure and fields for each attack technique
  - Verified struct construction and field assignments for all work types
  - Checked deduplication key normalization and uniqueness logic per context
  - Asserted credential domain/user matching (including case-insensitivity)
  - Ensured service detection logic for SMB, RDP, WinRM, WebDAV, and others
  - Added coverage for selection/fallback logic in credential and user queries
  - Tested edge cases (e.g., empty domains, dedup keys, fallback fields, limits)
  - Confirmed correct logic for admin/writable share filtering and permission checks
  - Verified protocol and attribute lists for LDAP and other enumeration modules

**Changed:**

- Significantly increased unit test coverage across all orchestrator/automation modules
- Strengthened assertions to ensure correct business logic for all main workflows
- Unified style and approach to test construction and assertions for consistency

**Removed:**

- No code or test removals; all changes are additive to improve test coverage and reliability

**Added:**

- Introduced pure functions (e.g., `collect_acl_discovery_work`, `collect_adcs_work`,
  `collect_certifried_work`, etc.) for each automation module to encapsulate work
  item construction logic, enabling unit testing without dispatcher or async runtime
- Added comprehensive unit tests for each new work collection function, validating
  all edge cases and credential selection logic

**Changed:**

- Refactored automation modules to delegate work item construction to the new pure
  `collect_*_work` functions, reducing code duplication and improving testability
- Updated per-automation test modules to cover both original and new work collection
  logic, improving test coverage
- Made `StateInner::new` public within the crate to enable state construction in
  tests and work functions
- Ensured that all deduplication, credential selection, and domain matching logic
  is now unit-testable and consistent across modules

**Removed:**

- Removed large inline work item construction blocks from async automation routines,
  replacing them with calls to the new pure logic functions

…overy improvements

**Added:**

- Implement cross-domain LDAP operation support by adding `bind_domain` logic to
  orchestrator and tool payloads
- Introduce `smb_login_check` tool for checking SMB credential validity and admin
  status; add orchestration, parsing, and dispatch support
- Add `DeferredQueue::total_count()` method for deferred task monitoring
- Emit timeline event when golden ticket is forged for attack path tracking
- Wait for active and deferred red team tasks to drain before shutdown, with a
  5-minute cap

**Changed:**

- Update LDAP-using orchestrator modules (`acl_discovery`, `domain_user_enum`,
  `group_enumeration`, `ldap_signing`) to support cross-domain operations by
  conditionally adding `bind_domain` to payload
- Expand user discovery logic to accept and process new trusted sources:
  `ldap_group_enumeration`, `acl_discovery`, `foreign_group_enumeration`,
  `ldap_enumeration` in both parsing and polling
- Enhance group and ACL enumeration instructions to clarify required
  `discovered_users` output format for all users found, including cross-domain
  memberships
- Add `smb_login_check` to tool routing as a recon and auth-bearing tool
- Add weight entries for `cross_forest_enum` and `acl_discovery` in all strategy
  presets, with associated tests
- Clarify `ldap_search` and `ldap_search_descriptions` docs and logic to support
  `bind_domain` for correct authentication context
- Set HOME env for xfreerdp execution to avoid user profile issues

**Removed:**

- Remove `--admin-status` flag from `domain_admin_checker` since netexec reports
  admin automatically
- Remove unnecessary test attribute guard from `ActiveTaskTracker::total()` for
  production use

**Added:**

- Emit timeline events for admin upgrades, exploitation, lateral movement (S4U),
  and domain admin achievement with MITRE technique mapping
- Add defense-in-depth sanitization for span target IPs/FQDNs, rejecting CIDRs,
  multi-value strings, and malformed input at both span builder and extraction
- Unit tests for target info extraction: CIDR/multi-token rejection, nmap arg
  parsing, coverage of new edge cases
- Timeline event for DA auto-set from krbtgt hash in state publishing

**Changed:**

- Improved discovery observability: for "hosts" discoveries, emit a span per
  discovered host for accurate destination.address attribution
- Enhanced cross-forest and group enumeration instructions for LLM agents,
  specifying strict JSON schema for discovered users and explicit vuln reporting
- Certipy instructions for ADCS recon updated with explicit vulnerable template
  reporting, including guidance for mapping ESC types and failure fallback
- Timeline events now include richer MITRE ATT&CK mappings based on exploitation
  technique, such as Kerberoasting, RBCD, ADCS ESCs, etc.
- All user enumeration in essos.local marked as complete in goad-checklist.md
- Unconstrained delegation and MSSQL exploitation status updated for clarity in
  goad-checklist.md
- Coverage table in goad-checklist.md updated: user enumeration, group parsing,
  ADCS enumeration, lateral movement, and trust exploitation status refreshed

**Removed:**

- Redundant or duplicate timeline event emission for DA achievement in favor of
  unified event creation with full context and MITRE mapping

**Changed:**

- Updated logic to check if event description already starts with 'CRITICAL:'
  before prepending the prefix, ensuring it is not added multiple times in
  `print_attack_path` function within the loot display formatter

… for multi-domain AD

**Added:**

- Introduced `resolve_dc_ip` and `all_domains_with_dcs` methods to StateInner for
  robust domain controller IP resolution across all known, trusted, and discovered
  domains, improving automation coverage in multi-domain and trust scenarios
- Added trust credential fallback logic (`find_trust_credential`) to enable child→parent
  and cross-forest credential use for group/ACL/ADCS enumeration when no same-domain
  cleartext credential is present
- Implemented multi-line rpcclient `queryuser` description/password extraction
  for improved plaintext credential discovery (block-aware parser)
- Added machine hostname domain filtering (`is_machine_hostname_domain`) to prevent
  SMB banners and UPNs from polluting domain context during user/password extraction
- Enhanced instructions and prompt context for LLM tasks to include explicit
  pass-the-hash guidance and clarify fallback logic for AD trust/forest scenarios
- Updated ADCS tool wrappers and schemas to support pass-the-hash (`hashes` argument)
  for certipy_find and rpcclient_command, with corresponding tool inventory updates
- Implemented post-exploitation grace period in completion logic to allow group/ACL/ADCS
  automation to complete after DA/GT is achieved

**Changed:**

- Refactored all orchestrator automation modules to use `all_domains_with_dcs` for
  DC iteration instead of direct `domain_controllers` mapping, ensuring complete
  enumeration and task dispatch across all AD domains and trust relationships
- Updated credential selection logic for group/ACL/ADCS automation to:
  - Only use same-domain cleartext creds for initial attempts
  - Skip cross-domain creds unless a valid trust allows authentication
  - Dispatch hash-based (PTH) tasks with distinct dedup keys so failed cred attempts
    do not block hash fallback
- Revised group and ACL enumeration modules to generate and test dedup keys separately
  for cred, hash, and trust credential attempts, preventing task starvation
- Updated LLM credential routing logic to correctly permit child→parent and bidirectional
  cross-forest authentication, aligning with AD trust semantics
- Improved recon and privesc prompt templates to explicitly present technique, instructions,
  NTLM hash context, and tool-specific notes for agent tasks
- Enhanced password and user extraction routines to ignore machine hostnames as domains,
  ensuring only valid AD domains are tracked and assigned
- Lowered group/ACL automation intervals for faster post-DA post-exploitation coverage
- Updated test coverage for new trust/cred fallback logic, machine hostname filtering,
  and rpcclient multi-user extraction

**Removed:**

- Eliminated fallback to `credentials.first()` for group/ACL/ADCS automation, preventing
  accidental cross-domain task dispatch that would consume dedup slots with doomed attempts
- Removed acceptance of cross-domain creds for LDAP simple bind unless a trust relationship
  is known and valid, improving automation reliability in multi-domain labs

**Added:**

- Added `mark_host_owned` method to persist host ownership in Redis and trigger
  downstream automations when admin access is confirmed
- Provided new debug and info logging for group enumeration, LDAP signing,
  and lsassy_dump automation modules to improve traceability
- Documented cross-domain authentication requirements and bind_domain usage
  in automation instructions and LLM prompt templates
- Extended tool schema for `ldap_search` (bind_domain) and
  `create_inter_realm_ticket` (optional extra_sid for child-to-parent escalation)
- Added test coverage for credential fallback in group enumeration and
  extra_sid handling in trust ticket creation

**Changed:**

- Refactored automation modules (`group_enumeration`, `ldap_signing`,
  `lsassy_dump`) to use `force_submit`, bypassing throttler to avoid blocking
  on long-running recon tasks
- Group enumeration and ACL discovery now support credential fallback across
  trusted domains using both explicit trusts and presence heuristics
- Group enumeration and LDAP signing automations now provide more detailed
  instructions, including correct hash handling and cross-domain bind guidance
- Improved domain resolution for result processing, ensuring correct attribution
  when extracting credentials or marking hosts as owned
- Trust exploitation prompt now resolves target DC hostname for Kerberos SPN
  accuracy, improving guidance for secretsdump_kerberos usage
- Updated tool wrappers to parse and use only the NT hash portion for
  pass-the-hash scenarios in rpcclient
- Increased the default and tested max concurrent tasks to 12 and set more
  conservative weights for group_enumeration and acl_discovery in fast mode
- Various documentation and checklist improvements to reflect new validation
  results, trust fallback logic, and accurate coverage assessment

**Removed:**

- Removed unnecessary debug logging from some automation modules for clarity
- Eliminated redundant golden ticket extra_sid logic from trust ticket
  creation (now optional and user-controlled)
- Pruned unreachable code paths in state and dispatcher modules

l50 added 30 commits May 3, 2026 13:23

**Changed:**

- Replace single bulk `gem update` command with per-gem loop to avoid OOM kills
  during parallel native extension compilation on low-memory instances, adding
  `--no-document` to skip memory-intensive documentation generation
- Clarify task description and README to reflect per-gem update approach for
  vulnerable Ruby gems

…efully

**Changed:**

- Clarified in documentation that vulnerable ruby gem dependencies are updated
  only on Ubuntu, as Kali handles CVE patches via apt
- Limited the gem update task to Ubuntu by adding a distribution check and
  explicitly excluding Kali
- Added `failed_when: false` to the gem update task to prevent task failure
  if the update process is killed or encounters issues
- Expanded documentation and task comments to explain the rationale behind
  these changes and the memory limitations during gem updates

**Changed:**

- Replace `libnvidia-opencl1` with `nvidia-opencl-icd` in the list of NVIDIA
  driver packages to improve compatibility and match current package naming in
  both documentation and default configuration for the cracking tools role

**Added:**

- Execute NVIDIA driver and OpenCL runtime installation using shell with full
  output logging to capture complete error details during apt installation
- Display the last 200 lines of the NVIDIA install log on failure for better
  troubleshooting
- Print the captured install log tail in Ansible debug output if the install
  fails
- Explicitly fail the play with a descriptive message if NVIDIA driver install
  fails, referencing the install log for context

**Changed:**

- Updated documentation to reflect use of shell-based NVIDIA driver install,
  log tail display, and explicit failure handling in the task list

**Removed:**

- Removed previous use of the Ansible apt module for NVIDIA driver and OpenCL
  runtime installation to avoid truncation of important error output

…patibility

**Changed:**

- Switch default NVIDIA driver package from `linux-headers-amd64` to
  `linux-headers-cloud-amd64` to ensure DKMS module builds succeed on Kali AMIs
  using the cloud kernel
- Update documentation to reflect the new default package and clarify the reason
  for using the cloud headers over the generic headers

… packages

**Added:**

- Added task to install NVIDIA CUDA apt repository for accessing newer drivers
  compatible with Kali's 6.19+ kernel and Turing+ GPUs

**Changed:**

- Updated default NVIDIA driver packages to use `cuda-drivers` and
  `nvidia-open-kernel-dkms` instead of `nvidia-driver`, ensuring support for
  modern kernels and open-source modules
- Clarified and expanded documentation regarding NVIDIA package sources and
  driver/kernel compatibility in defaults

**Changed:**

- Update CUDA keyring download URL from Debian 12 to Debian 13 in cracking tools
  installation script to ensure compatibility with newer Debian releases

**Changed:**

- Updated documentation and package list to use `nvidia-kernel-open-dkms`
  instead of deprecated `nvidia-open-kernel-dkms` for Turing+ GPUs in the
  NVIDIA driver installation defaults. This aligns with current package naming
  and ensures compatibility with modern kernels.

**Changed:**

- Replaced `cuda-drivers` with `nvidia-driver-cuda` in default package list to
  ensure only the open kernel module is used and prevent conflicts with closed
  drivers
- Improved comments to clarify package selection rationale and avoid pulling
  conflicting kernel modules via meta-packages
- Removed `nvidia-opencl-common` from the driver package list as it is no longer
  required

**Added:**

- Added separate task to install `linux-headers-cloud-amd64`, `dkms`, and
  `firmware-misc-nonfree` before NVIDIA driver installation to ensure DKMS
  prerequisites are fully configured on Debian systems

**Changed:**

- Improved reliability of NVIDIA driver installation by preventing race
  conditions where DKMS modules are configured before kernel headers are ready
  during a single apt transaction on Debian

…nstalled

**Added:**

- Add task to dump DKMS `make.log` and relevant build environment details on
  NVIDIA driver build failure to aid troubleshooting
- Print captured DKMS `make.log` output using debug module for easier visibility

**Changed:**

- Ensure `build-essential` is installed alongside DKMS and headers to provide
  required build tools for NVIDIA driver installation

…tion

**Changed:**

- Enhance domain extraction to fall back to `credential.domain` if top-level
  domain is missing or empty, ensuring proper domain value is used in prompt
  generation and preventing downstream authentication failures due to empty
  realms in secretsdump scenarios - ares-llm/src/prompt/credential_access/mod.rs
- Add clarifying comments on domain fallback behavior and its necessity for
  correct tool invocation

**Added:**

- Added DETECTED_ARCH variable to auto-detect k8s node architecture and set appropriate RUST_TARGET in remote build, check, and deploy tasks

**Changed:**

- Updated remote build, check, and deploy tasks to use auto-detected RUST_TARGET instead of hardcoded default
- Moved RUST_TARGET variable definition from global to deploy task scope in ec2 Taskfile for better task isolation

**Removed:**

- Removed unused BIN_DIR and RUST_TARGET variables from global scope in ec2 Taskfile to reduce redundancy

Resolved conflicts by:
- Templates: kept main's templated variable approach (target_domain,
  target_dc_ip, target_dc_fqdn, listener_ip via OperationContext)
- Tracing: merged main's automation.dispatch spans into PR's
  SubmissionOutcome refactor in dispatcher/submission.rs
- ares-tools/lib.rs: combined PR's credentials::validate_arguments and
  spider_plus concurrency cap with main's scope::validate_in_scope
- secrets.rs parser: kept both PR's strip_nxc_framing and main's
  DumpSection-aware local SAM attribution
- users.rs extractor: combined is_machine_hostname_domain (PR) and
  is_workgroup_domain (main) filters
- credentials.rs publisher: ordered FQDN typo normalization before
  realm casing canonicalization
- Added missing TASK_ACL_CHAIN_STEP template constant required by
  acl.rs after taking main's templates.rs

Bug fixes uncovered by the merge:
- Wired is_user_quarantined into the snapshot filter alongside
  is_credential_quarantined: the PR added quarantined_users plumbing
  but only the bulk-list path (quarantined_users_in_domain via
  inject_excluded_users) was hooked up; the per-principal check
  belongs in the snapshot filter for the same reason credential
  quarantine does — surfacing a locked-out account to the LLM just
  invites another failed auth that re-extends the lockout.
- sanitize_spray_userlist tmp path included only the process id, so
  concurrent calls within the same process (tests, overlapping spray
  dispatches) raced on the same file and clobbered each other's
  filtered userlists. Added a per-call atomic counter to the path.

Test fixups required by the merge:
- extract_hashes_keeps_plain_ntlm_when_no_machine_acct_marker: switched
  to a custom RID since main's is_well_known_local_sam now strips
  Administrator/500 to an empty domain
- parse_ntlm_dedup_key tests: assert NT-half prefix; PR's
  ntlm_dedup_key_part returns the NT half (correct for dedup, since
  the LM half is always the empty placeholder)
- prompt::tests::exploit_constrained_delegation_with_state and
  exploit_child_to_parent_offers_extra_sid_via_child_krbtgt: relaxed
  to assert only what main's exploit_trust template renders, since
  the PR's principal-only / extra-SID / 'Do NOT call' template
  variants are not in main's templates
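
The temp-path race described in the bug-fix notes above (`sanitize_spray_userlist`), reduced to a stand-alone sketch. This is an added example, not the project's code: the function names and the `example_userlist` prefix are assumptions, and the `create_new` open is a hardening step that goes beyond what the commit describes.

```rust
use std::collections::HashSet;
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::path::PathBuf;
use std::sync::atomic::{AtomicU64, Ordering};
use std::thread;

// Process-wide sequence: every call gets a distinct value, even across threads.
static CALL_SEQ: AtomicU64 = AtomicU64::new(0);

/// "Before" shape: the name depends on the pid only, so every call made
/// inside one process resolves to the same file.
fn pid_only_path(prefix: &str) -> PathBuf {
    std::env::temp_dir().join(format!("{}_{}.txt", prefix, std::process::id()))
}

/// "After" shape: pid plus a per-call atomic counter (hypothetical naming).
fn per_call_path(prefix: &str) -> PathBuf {
    let seq = CALL_SEQ.fetch_add(1, Ordering::Relaxed);
    std::env::temp_dir().join(format!("{}_{}_{}.txt", prefix, std::process::id(), seq))
}

/// Number of distinct paths handed out to `n` concurrent callers.
fn distinct_paths(make: fn(&str) -> PathBuf, n: usize) -> usize {
    let handles: Vec<_> = (0..n)
        .map(|_| thread::spawn(move || make("example_userlist")))
        .collect();
    handles
        .into_iter()
        .map(|h| h.join().unwrap())
        .collect::<HashSet<_>>()
        .len()
}

/// Write `lines` to a fresh per-call file. `create_new` makes the open fail
/// if the path already exists instead of silently truncating another
/// caller's file (assumption: not stated in the commit message).
fn write_list(lines: &[String]) -> io::Result<PathBuf> {
    let path = per_call_path("example_userlist");
    let mut f = OpenOptions::new().write(true).create_new(true).open(&path)?;
    for line in lines {
        writeln!(f, "{}", line)?;
    }
    Ok(path)
}

/// `n` threads each write their own constructed list, read it back and
/// clean up; returns how many saw exactly what they wrote.
fn intact_after_concurrent_writes(n: usize) -> usize {
    let handles: Vec<_> = (0..n)
        .map(|i| {
            thread::spawn(move || {
                let lines = vec![format!("user{}a", i), format!("user{}b", i)];
                let path = write_list(&lines).expect("write");
                let back = fs::read_to_string(&path).expect("read");
                let _ = fs::remove_file(&path);
                back == format!("user{}a\nuser{}b\n", i, i)
            })
        })
        .collect();
    handles
        .into_iter()
        .filter_map(|h| h.join().ok())
        .filter(|ok| *ok)
        .count()
}

fn main() {
    println!("pid-only paths for 8 callers: {}", distinct_paths(pid_only_path, 8));
    println!("per-call paths for 8 callers: {}", distinct_paths(per_call_path, 8));
    println!("intact lists after 8 writers: {}", intact_after_concurrent_writes(8));
}
```
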

The two maps had identical shape (`user@domain → expiry`) and identical
read semantics — "don't authenticate as this principal right now". The
distinction lived only at write time:

  - quarantine_credential: a known cleartext returned
    STATUS_ACCOUNT_LOCKED_OUT or KDC_ERR_CLIENT_REVOKED
  - quarantine_user: an enumeration tool (username_as_password,
    password_spray) reported the principal locked but we didn't have
    a cleartext for them

Every read site needed *both* checked or it would miss half the
quarantined population — the LLM snapshot filter just before this
commit had grown a literal `is_credential_quarantined ||
is_user_quarantined` to plug the gap, which is the smell that motivated
the refactor.

Replaced both maps with one `quarantined_principals` map and one
`quarantine_principal` write API; kept `quarantined_principals_in_domain`
as the bulk-list reader the spray-injection path needs. 28 callers
updated; full ares test suite (2426 tests) and clippy stay green.

…logic

**Added:**

- Added expert agent definition for Python ares codebase at `.claude/agents/python-ares-expert.md`

**Changed:**

- Refactored EC2 deploy and build scripts to remove strict SHA256 verification on deploy, simplify SSM command polling, and streamline file copy and permissions logic in `.taskfiles/ec2/Taskfile.yaml`
- Reduced SSM timeout and polling duration to 10 minutes for EC2 deploys in `.taskfiles/ec2/Taskfile.yaml`
- Simplified ulimit handling for Zig builds to set only when current limit is unlimited or too low
- Removed S3 SHA verification logic from deploy steps; now only ensures binary is present and executable
- Stopped propagating OPERATION_ID from user input in EC2 orchestrator launch; always generates a fresh op ID
- Removed all references to `LOKI_URL` from orchestrator scripts, env files, and variable lists
- Refactored `.taskfiles/ec2/scripts/launch-orchestrator.sh.tmpl` to remove systemd-run usage, cgroup/slice logic, and LOKI_URL, launching orchestrator via `nohup` directly for simplicity
- Removed legacy ares-worker systemd unit, system-ares.slice, swap file/OOM tuning, and sysctl logic from EC2 setup in `.taskfiles/ec2/scripts/setup.sh`
- Set default Rust target to `x86_64-unknown-linux-gnu` for remote and EC2 builds in `.taskfiles/remote/Taskfile.yaml` and removed architecture auto-detection logic
- Simplified orchestrator wrapper patch to remove operation_id presence check in `.taskfiles/remote/orchestrator-wrapper-patch.json`
- Updated Ansible playbook for goad_attack_box to take `alloy_loki_endpoint` directly from variable, not environment, and dropped NVIDIA driver/CUDA install options from role vars in `ansible/playbooks/ares/goad_attack_box.yml`
- Updated lateral movement tools role to combine gem updates into a single command and clarify task description for ruby gem CVE patching

**Removed:**

- Removed all NVIDIA GPU/driver/CUDA installation logic, variables, and docs from `ansible/roles/cracking_tools` (README, defaults, tasks), including apt repo setup, DKMS, CUDA toolkit, and OpenCL runtime tasks
- Eliminated legacy systemd slice, swap/OOM tuning, and legacy worker unit cleanup from EC2 setup script
- Removed logic to support direct IP specification and strategy override from red team multi-agent task runner in `.taskfiles/red/Taskfile.yaml`
- Removed all LOKI_URL propagation and configuration from main Taskfile, sub-Taskfiles, and orchestrator scripts
- Replaced custom shell pip install with ansible.builtin.pip module in base Ansible role for Python dependencies; removed manual pip error handling tasks
- Dropped all NVIDIA driver/CUDA toolkit package variables from cracking_tools role defaults
- Removed per-gem update loop for ruby gems in lateral_movement_tools, using a single command instead

…forest pivots

**Added:**

- Added forest trust escalation and child-to-parent vulns to critical-path throttling, ensuring they bypass the concurrency cap and are dispatched promptly - ares-cli/src/orchestrator/throttling.rs
- Added test to verify that forest pivot vulns bypass the throttling hard cap

**Changed:**

- Updated trust automation logic to avoid blocking cross-forest dispatch on target SID resolution, reflecting that the SID is not required and preventing indefinite deferral - ares-cli/src/orchestrator/automation/trust.rs
- Clarified comments explaining forest pivot task handling and SID requirements for cross-forest forges
- Changed logging to only reference parent SID resolution for child→parent scenarios, aligning with new logic
- Modified throttling code and comments to treat forest trust escalation and child-to-parent vulns as critical path tasks

**Removed:**

- Removed unnecessary SAMR lookupsid gating for cross-forest trust forges, eliminating a phantom requirement that could park work indefinitely

**Added:**

- Unit test to verify set_golden_ticket records golden tickets independently for each domain

**Changed:**

- Golden ticket forging now dispatches and deduplicates per domain, not globally, allowing multiple domains to be processed in a single operation - ares-cli/src/orchestrator/automation/golden_ticket.rs
- Result processing for golden ticket exploits now checks deduplication per domain, enabling proper handling of multi-domain operations - ares-cli/src/orchestrator/result_processing/admin_checks.rs
- set_golden_ticket implementation now performs per-domain deduplication and updates vulnerable states for each domain individually while preserving global has_golden_ticket for legacy and summary usage - ares-cli/src/orchestrator/state/publishing/milestones.rs

**Removed:**

- Global has_golden_ticket check for deduplication in golden ticket result processing and milestone setting, replaced by per-domain logic

**Added:**

- Tag users matched via sAMAccountName with `ldap_extraction` source in `extract_users`
- Allow publishing of users tagged with `ldap_extraction` in result processing, enabling persistence of verified LDAP discoveries
- Add tests verifying correct tagging of LDAP and non-LDAP extracted users

**Changed:**

- Update user publishing logic to unmark processed AS-REP domains when a new user is added, ensuring AS-REP roasting can proceed for newly discovered domains
- Improve documentation and comments for user extraction and publishing logic, clarifying gating and deduplication behavior

…tch filters

**Changed:**

- Short-circuit certifried exploit dispatch when no tool is registered, avoiding unnecessary failed attempts and resource usage - `certifried.rs`
- Filter pass-the-hash secretsdump attempts to only target DCs within the same forest as the credential's domain, preventing cross-forest failures and wasted compute - `credential_expansion.rs`
- Update krbrelayup work collection to skip hosts with no matching domain credential, preventing dispatch of invalid cross-domain tasks and reducing failed attempts - `krbrelayup.rs`
- Add test coverage for krbrelayup to verify hosts are skipped when no matching credential for the host's domain exists, removing previous fallback to the first available credential
- Always inject both `hash` and `hashes` arguments in credential resolver for compatibility with tools expecting different field names, preventing silent failures and unnecessary LLM token usage - `credential_resolver.rs`

…l dispatch

**Added:**

- Implement deduplication for task patterns ending with RequestAssistance to prevent repeat dispatches that always fail, including canonical pattern keying and related state tracking in dispatcher and orchestrator state modules
- Add `assist_pattern_key` utility to compute dedup keys based on (task_type, target_ip/dc_ip, username, domain)
- Extend test coverage for assist-abandon dedup logic, including assist pattern key generation and state propagation
- Add robust UPN-suffixed username handling in credential resolver, splitting into bare user and realm hint for credential/hash lookups
- Introduce `certipy_esc3_full_chain` tool function for full ESC3 (Enrollment Agent) exploitation chain, including argument fallbacks, intermediate file handling, and detailed stepwise result aggregation
- Add comprehensive tests for UPN handling, credential/hash resolution, and argument shape of the ESC3 full chain function

**Changed:**

- Update dispatcher to refuse redispatch of doomed automation task patterns after a single assist-abandon outcome, reducing unnecessary LLM token usage
- Refactor credential resolver to fall back to realm suffix in domain matching when domain argument is empty, improving cross-realm credential resolution
- Modify `smb_login_check` and `certipy_find` tools to fail soft (structured stdout, success exit) when no credential is resolved, avoiding LLM escalation and excessive token burn
- Enhance documentation and argument fallbacks in `certipy_esc3_full_chain` for clearer behavior and improved automation compatibility

**Removed:**

- Remove hard failure on missing credential in `smb_login_check` and `certipy_find`; now handles absence gracefully

…atch path

**Added:**

- Deterministic automation for MSSQL linked server pivots via new `auto_mssql_link_pivot` task, including bounded retry logic and deduplication keyed per link - `mssql_link_pivot.rs`, registered in automation and spawner modules
- Per-vuln attempt counter for MSSQL link pivot probes to `StateInner`
- Deduplication constant and integration for `mssql_link_pivot` in state management
- Unit tests for MSSQL link pivot probe, argument building, and retry logic
- Test coverage for new hash crack prioritization logic in `crack.rs`

**Changed:**

- Update automation module and spawner to register and spawn `auto_mssql_link_pivot`
- Update state management to track and clear MSSQL link pivot attempts and dedup state
- Prioritize kerberoast and asrep hashes for cracking over NTLM in `auto_crack_dispatch` to avoid starvation, with sorting and new `crack_priority` function
- Add comments and logic in ADCS exploitation to deterministically dispatch ESC3 via a two-step chain, bypassing the LLM path that previously skipped the on-behalf-of step
- Register new tool endpoint `certipy_esc3_full_chain` in `ares-tools` dispatcher

**Removed:**

- LLM-based single-step dispatch for ESC3 in favor of deterministic two-step chain (logic path updated, not wholesale removal of code)

**Added:**

- Introduced a regression test verifying that tasks without a username (generic enum/recon) do not return a deduplication key and are never abandoned

**Changed:**

- Updated `assist_pattern_key` to return `None` when the username is empty, ensuring generic enumeration and recon tasks without a user are never abandoned and not mistakenly blacklisted due to a transient failure
- Expanded documentation for `assist_pattern_key` to clarify the reasoning and prevent orchestrator lockout after repeated failures on generic tasks

**Changed:**

- Propagate discovered usernames to AS-REP roasting automation, enabling direct use of known user lists for `GetNPUsers` instead of relying solely on enumeration, improving effectiveness on hardened domain controllers
- Add logic to filter and deduplicate real user accounts (excluding computer accounts ending with `$`) from state and pass them to automation payloads
- Include contextual instructions and known users in the payload to guide agents and optimize the roasting process, especially for SID-filtered or cross-forest scenarios

…LM fallback

**Added:**

- Introduced fallback for LLM cracker agents to report cracked credentials via a structured callback (`report_cracked_credential`), with handler-side validation to reject hash-shaped or truncated values
- Added null-session `lsaquery` fallback in domain SID resolution to unblock child→parent forge paths when authenticated lookupsid fails (`golden_ticket.rs`)
- Added test coverage for credential validator and LLM credential reporting rejection logic
- Supported passing orchestrator-supplied user lists (`known_users`) to `asrep_roast`, including temp file handling in `ares-tools`

**Changed:**

- Refined AS-REP roast automation to allow re-dispatch per domain state (empty/non-empty userlist), ensure deduplication, and deterministically invoke direct tool calls when userlists are available
- Hardened password/credential validation in both orchestrator and parser layers to reject all hash-shaped strings, `$krb5*`/`$NT$` blobs, and LLM-truncated displays (e.g., containing `...`)
- Expanded test coverage for credential filtering and edge cases in `output_extraction` and cracker output parsers
- Updated orchestrator state to immediately promote trusted domains as candidate domains when a trust is published, ensuring automations see new forests without waiting for host discovery
- Increased post-exploitation grace period from 90s to 180s after all forests are dominated
- Improved comments and error messages for credential reporting, trust publishing, and asrep logic for maintainability and clarity
- Updated LLM tool registry to re-enable `report_cracked_credential` as a structured callback with schema/description and ensure it's included for cracker agents
- Updated shell scripts and taskfiles to clamp FD limits for Zig compatibility and clarify inherited limits in cross-compilation tasks

**Removed:**

- Removed legacy code and comments disabling `report_cracked_credential`; replaced with secure structured fallback and validation
- Eliminated fragile FD limit bumping logic from EC2 Taskfile, relying instead on parent shell setup
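
The credential validation described in the commit above (reject hash-shaped strings, `$krb5*`/`$NT$` blobs and truncated displays containing `...`) could look like the following. This is an added sketch, not the project's validator: the `Reject` enum, the function names, the reading of "hash-shaped" as 32 hex characters or a 32:32 hex pair, and the check for the single-character ellipsis are all assumptions, and the sample values are constructed.

```rust
/// Why a reported value was refused; `None` from `rejection` means accepted.
#[derive(Debug, PartialEq)]
enum Reject {
    Empty,
    Truncated,
    KerberosOrNtBlob,
    HashShaped,
}

/// True when `s` is exactly `len` ASCII hex digits.
fn is_hex(s: &str, len: usize) -> bool {
    s.len() == len && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Decide whether a value reported as a cleartext password should be stored.
fn rejection(candidate: &str) -> Option<Reject> {
    let c = candidate.trim();
    if c.is_empty() {
        return Some(Reject::Empty);
    }
    // A display cut short by the model: "..." per the commit, plus the
    // one-character ellipsis (assumption).
    if c.contains("...") || c.contains('\u{2026}') {
        return Some(Reject::Truncated);
    }
    // Kerberos and $NT$ blobs are crackable material, not passwords.
    let lower = c.to_ascii_lowercase();
    if lower.starts_with("$krb5") || lower.starts_with("$nt$") {
        return Some(Reject::KerberosOrNtBlob);
    }
    // Bare 32-hex value (assumed shape of an NT hash).
    if is_hex(c, 32) {
        return Some(Reject::HashShaped);
    }
    // Exactly two colon-separated 32-hex halves (assumed LM:NT shape).
    let mut parts = c.split(':');
    if let (Some(a), Some(b), None) = (parts.next(), parts.next(), parts.next()) {
        if is_hex(a, 32) && is_hex(b, 32) {
            return Some(Reject::HashShaped);
        }
    }
    None
}

/// Keep only the (user, password) reports that pass validation.
fn accepted<'a>(reports: &[(&'a str, &'a str)]) -> Vec<(&'a str, &'a str)> {
    reports
        .iter()
        .cloned()
        .filter(|(_, pw)| rejection(pw).is_none())
        .collect()
}

fn main() {
    // Constructed sample reports, not taken from any real environment.
    let reports = [
        ("alice", "Summer2025!"),
        ("bob", "0123456789abcdef0123456789ABCDEF"),
        ("carol", "Passw0rd..."),
        ("svc_sql", "$krb5tgs$23$*svc_sql$EXAMPLE.LOCAL$x*$deadbeef"),
    ];
    for (user, pw) in reports.iter() {
        println!("{:<8} {:?}", user, rejection(pw));
    }
    println!("stored: {:?}", accepted(&reports));
}
```

A shape-based filter like this also refuses a genuine password that happens to be 32 hex characters, so the rejected reports are worth logging rather than dropping silently.
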

…aceholder hostnames

**Added:**

- Added `local-ip-address` crate to enumerate the orchestrator's own IPv4 addresses
- Implemented `SharedState::initialize_self_ips` to collect and store self interface IPs for filtering
- Added a `self_ips` field to `StateInner` to hold the orchestrator's interface addresses
- Updated `publish_host` to ignore hosts whose IP matches any orchestrator interface, preventing self-discovery
- Added logic in `publish_host` to clear placeholder hostnames like "none", "null", "n/a", etc. for cleaner display
- Introduced tests to verify placeholder hostname removal and self-IP filtering in host publishing


- New dependencies in `Cargo.lock` for `local-ip-address`, `darling`, `derive_builder`, `getset`, `neli`, `proc-macro-error2` and related proc-macro crates to support the new interface enumeration logic

**Changed:**

- Modified orchestrator startup to call `initialize_self_ips` before loading state from Redis
- Updated `StateInner::new` to initialize `self_ips` as an empty set for deterministic test behavior
- Enhanced `publish_host` behavior to skip publishing hosts with self IP or placeholder hostnames

Labels

area/docs Changes made to project documentation area/github Changes made to GitHub Actions workflows area/pre-commit Changes made to pre-commit hooks area/templates Changes made to warpgate template configurations
