Adalanche: Open-source Active Directory ACL visualizer, explorer
Adalanche provides immediate insights into the permissions of users and groups within an Active Directory. It’s an effective open-source tool for visualizing and investigating potential account, machine, or domain takeovers. Additionally, it helps identify and display any misconfigurations.
What unique features make Adalanche stand out?
“The best feature is the low user effort to get results. Adalanche has no prerequisites, doesn’t require you to install it, runs on the three major OS platforms natively, and will give you (probably surprising) results within minutes – even as a regular non-admin user,” Lars Karlslund, the creator of Adalanche, told Help Net Security.
“The visual attack graph representation of your Active Directory pops up in your browser, and you can explore things from there. The more data you add, the more insights you get: if you run the open-source Windows collector, you get local accounts, groups, services, file/registry permissions, etc., from both workstations and servers in the graph.”
The screenshot above showcases the search for Domain Controller machines and who can successfully reach them. In this example, a user called samwell.tarly has permission to take ownership of a GPO that is applied to a Domain Controller – and on the left, you can see some admin put the plaintext password in the description field.
This is a synthetic example, but these things pop up when doing Active Directory analysis, even for huge companies. The attention to detail is just super important but is often forgotten because people think, “This is too simple to be true.”
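As an added example (not from the article or the Adalanche project), this small audit looks for the kind of finding described above, a password left in a description field, in an LDIF export of user objects. The sample LDIF, the account names and the set of free-text attributes checked are constructed assumptions.

```python
import base64
import re

# Constructed sample LDIF export (not real data). The second entry carries a
# base64-encoded value ("::"), the third uses LDIF line folding.
SAMPLE_LDIF = """\
dn: CN=svc-backup,OU=Service,DC=example,DC=test
sAMAccountName: svc-backup
description: Backup service account

dn: CN=jdoe,OU=Staff,DC=example,DC=test
sAMAccountName: jdoe
description:: UGFzc3dvcmQ6IFN1bW1lcjIwMjQh

dn: CN=kiosk01,OU=Staff,DC=example,DC=test
sAMAccountName: kiosk01
description: Shared kiosk login, pw
 d = Welcome1
"""

# Keyword followed by ':' or '=' and a value, e.g. "pwd = ..." or "Password: ..."
CRED_HINT = re.compile(r"\b(?:pass(?:word|wd)?|pwd|pw)\b\s*[:=]\s*\S+", re.I)
# Free-text attributes to inspect (assumption: extend to match your directory).
TEXT_ATTRS = ("description", "info", "comment")

def parse_ldif(text):
    """Yield one dict of attribute -> list of values per LDIF entry."""
    # Unfold first: a line starting with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                raw = base64.b64decode(value[1:].strip())
                value = raw.decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        yield entry

def audit(text):
    """Return (account, attribute) pairs; the secret itself is never echoed."""
    findings = []
    for entry in parse_ldif(text):
        account = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
        for attr in TEXT_ATTRS:
            if any(CRED_HINT.search(v) for v in entry.get(attr, [])):
                findings.append((account, attr))
    return findings

if __name__ == "__main__":
    for account, attr in audit(SAMPLE_LDIF):
        print(f"{account}: credential-like text in '{attr}'")
```

Accounts it flags should have the field cleared and the password rotated, since the description attribute is typically readable by any authenticated user.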
“The open-source version has just gotten a UI overhaul, new edges, several bug fixes, and improved search capabilities. A member of the hashcat cracking team suggested that I add word export for use with password audits, so that’s also a recent addition. Right now searches are based on LDAP query syntax, but I want to do a real graph query language for Adalanche. Some minor UI bugs need improvement,” Karlslund concluded.
Adalanche collects information from Active Directory or local Windows machines and can then analyze the collected data. If you’re only doing Active Directory analysis, grab the binary for your preferred platform. Later, you can deploy the dedicated collector .exe for your Windows member machines via a GPO or other orchestration and get even more insight.
This repository provides sample data from the Orange Cyberdefense lab Game of Active Directory project. It is a vulnerable Active Directory lab comprising 5 Windows machines (three DCs across two forests) and two Windows servers.
More open-source tools to consider:
- Latio Application Security Tester: Use AI to scan your code
- CVEMap: Open-source tool to query, browse and search CVEs
- Faction: Open-source pentesting report generation and collaboration framework
- AuthLogParser: Open-source tool for analyzing Linux authentication logs
- DriveFS Sleuth: Open-source tool for investigating Google Drive File Stream’s disk forensic artifacts
- Subdominator: Open-source tool for detecting subdomain takeovers
- EMBA: Open-source security analyzer for embedded devices