AD-RECON is a new tool developed by BreakPoint Labs to quickly triage BloodHound data to identify potential attack paths and misconfigurations. Written in Python, it utilizes the Neo4j driver to automate a multitude of high-value queries. 

With a single command, AD-RECON presents relevant domain information and checks for ‘quick wins’ within Active Directory, including but not limited to:

  • Kerberoastable accounts
  • Certificate template abuse
  • Users with excessive permissions and `admincount=false`
  • Unconstrained delegation
  • Enabled accounts that have never authenticated to the domain
  • Oldest computers that have recently authenticated to the domain
  • Users with `pwdlastset` older than one year
  • Principals with DCSync rights
  • Domain trusts
  • Privileged sessions
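To show the approach the page describes (Python driving canned Cypher queries over BloodHound data through the Neo4j driver), here is a small triage runner; it is an added example, not AD-RECON's code, and the BloodHound property names, the `-1`/`0` "never logged on" marker, and the connection details are assumptions.

```python
"""Canned Cypher checks over BloodHound data, run through the Neo4j Python driver.
Added example, not AD-RECON's code; schema and the -1 'never logged on' marker are assumptions."""
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Check:
    name: str
    description: str
    cypher: str


def stale_password_cutoff(now: Optional[float] = None, max_age_days: int = 365) -> int:
    """Unix epoch below which a BloodHound pwdlastset value counts as stale."""
    now = time.time() if now is None else now
    return int(now - max_age_days * 86400)


# Queries take $cutoff as a parameter; nothing is string-formatted into Cypher.
CHECKS = [
    Check("kerberoastable", "Enabled users with an SPN (krbtgt excluded)",
          "MATCH (u:User {enabled:true, hasspn:true}) "
          "WHERE NOT toUpper(u.name) STARTS WITH 'KRBTGT@' RETURN u.name AS name"),
    Check("never_authenticated", "Enabled accounts with no recorded logon",
          "MATCH (u:User {enabled:true}) WHERE u.lastlogontimestamp < 1 RETURN u.name AS name"),
    Check("stale_password", "Enabled users whose pwdlastset is older than the cutoff",
          "MATCH (u:User {enabled:true}) WHERE u.pwdlastset > 0 AND u.pwdlastset < $cutoff "
          "RETURN u.name AS name, u.pwdlastset AS pwdlastset ORDER BY pwdlastset"),
    Check("unconstrained_delegation", "Unconstrained delegation outside Domain Controllers (RID 516)",
          "MATCH (c:Computer {unconstraineddelegation:true}) WHERE NOT EXISTS { "
          "MATCH (c)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' } "
          "RETURN c.name AS name"),
    Check("dcsync_rights", "Principals holding DCSync or equivalent rights on a domain",
          "MATCH (n)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) "
          "RETURN DISTINCT n.name AS name, d.name AS domain"),
]


def run_checks(uri: str, user: str, password: str, cutoff: Optional[int] = None) -> dict:
    """Run every check in one session; returns {check name: list of result rows as dicts}."""
    from neo4j import GraphDatabase  # imported lazily so the module loads without a server
    cutoff = stale_password_cutoff() if cutoff is None else cutoff
    with GraphDatabase.driver(uri, auth=(user, password)) as driver, driver.session() as session:
        return {c.name: [r.data() for r in session.run(c.cypher, cutoff=cutoff)] for c in CHECKS}


if __name__ == "__main__":  # hypothetical local BloodHound instance; password is a placeholder
    for name, rows in run_checks("bolt://localhost:7687", "neo4j", "<password>").items():
        print(f"[{len(rows):>4}] {name}")
```

Each finding list is the raw rows for that check, so a defender can diff successive runs to see whether a misconfiguration was actually remediated.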

Additionally, there are several optional functions available:

  • `--dump` to print the queries the tool performs, each with a description
  • `--morehelp` to provide more context on how to analyze the data the tool returns
  • `--pathing` to run more in-depth queries
  • `--transitive` to generate a list of total transitive outbound permissions for all users and computers. This option can take several minutes, depending on the size of the network.

AD-RECON can save organizations many hours of manual analysis: the triage of BloodHound data for attack paths and misconfigurations that usually takes days of analyst time completes in minutes. On most Active Directory (AD) networks it is likely to uncover at least one significant misconfiguration. Pentesters and red teamers can use it to save time on engagements, and defenders can use it to identify flaws before an engagement or a real threat actor does.