The tired and true method for Zone Transfers are using either nslookup:
nslookup
ls -d domain.com.local
Or dig:
dig -t AXFR domain.com.local @ns1.domain.com.localIn the Windows Enterprise world there are a few more options. If you are a DNS Admin you can use the 'dnscmd' command like so:
dnscmd /EnumZones
dnscmd /ZonePrint domain.com.local
Which is handy if you can pop the DNS server (usually the Domain Controller so you usually have better things to do at that point).
You can also use PowerShell:
You can also use PowerShell:
PS C:\Users\jdoe> get-wmiobject -ComputerName dc1 -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='projectmentor.net'" | select textrepresentation
Again, this requires you to be a very high privileged account, which is no fun. I need these computer lists as part of my internal / post-exploitation recon, not an end step.
For the longest time I relied on a very awesome tool called "Adfind":
But that wasn't good enough, this image kept haunting me:
It's Active Directory Explorer by SysInternals. It shows the complete list of DNS records, stored as objects in Active Directory that I was able to get to as a basic domain user. This means all of the static DNS records for the unix systems and mainframes and other systems outside of the purely Windows world are there as well.
I spent 4 days attempting to write my own script, ldap query, prayer to get all of the data out but was unsuccessful. On the 5th day I happened upon a very short post saying "I did it", as I probably would have written the same. It comes in the form of a PowerShell script that you can find here:
For the longest time I relied on a very awesome tool called "Adfind":
adfind -sc computers_active -csv -nodn -nocsvq -nocsvheaderThis command will output a list of computer accounts that have been active in the last 90 days in a straight line by line format (hence all of the no "this"and no "that" flags)
But that wasn't good enough, this image kept haunting me:
It's Active Directory Explorer by SysInternals. It shows the complete list of DNS records, stored as objects in Active Directory that I was able to get to as a basic domain user. This means all of the static DNS records for the unix systems and mainframes and other systems outside of the purely Windows world are there as well.
I spent 4 days attempting to write my own script, ldap query, prayer to get all of the data out but was unsuccessful. On the 5th day I happened upon a very short post saying "I did it", as I probably would have written the same. It comes in the form of a PowerShell script that you can find here:
Code: https://github.com/mmessano/PowerShell/blob/master/dns-dump.ps1
And is very easy to run:
or
And is very easy to run:
PS C:\Users\jdoe> dns-dump.ps1 -zone projectmentor.net -dc dc1
or
C:\> powershell -ep bypass -f dnsdump.ps1 -zone projectmentor.net -dc dc1
If you put a -csv on the end of those the author has even given you the CSV format which makes the output extremely easy to parse. Now you can throw your list into your tool of choice instead of scanning random IP ranges on the targets network for important stuff you can scan directly against known good hosts.
-- mubix
P.S. Yes I realize this isn't actually "Zone Transfer"s but its close enough
-- mubix
P.S. Yes I realize this isn't actually "Zone Transfer"s but its close enough
The script hard-codes "CN=MicrosoftDNS,CN=System", but this will actually vary based on the replication scope defined for the zone. The AD Explorer screenshot above shows one of the alternate locations: "CN=MicrosoftDNS,DC=DomainDNSZones", which is also the configuration used on my current client engagement as well as my lab (I believe I used default configuration options).
ReplyDeleteThe replication scopes/possible locations are as follows:
All DNS servers in forest: CN=MicrosoftDNS,DC=ForestDNSZones
All DNS servers in domain: CN=MicrosoftDNS,DC=DomainDNSZones
All DCs in domain: CN=MicrosoftDNS,CN=System
The latter option is apparently used for Win2k compatibility, so this may be in place for domains that have been upgraded over the years.
Just FYI in case you or anyone else runs into this snag. As always, thanks for taking the time to share these techniques.