Friday, October 4, 2013

AD Zone Transfers as a user

The tired and true method for Zone Transfers are using either nslookup:
nslookup
ls -d domain.com.local
Or dig:
dig -t AXFR domain.com.local @ns1.domain.com.local
In the Windows Enterprise world there are a few more options. If you are a DNS Admin you can use the 'dnscmd' command like so:
dnscmd /EnumZones
dnscmd /ZonePrint domain.com.local
Which is handy if you can pop the DNS server (usually the Domain Controller so you usually have better things to do at that point).

You can also use PowerShell:

PS C:\Users\jdoe> get-wmiobject -ComputerName dc1 -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='projectmentor.net'" | select textrepresentation
Again, this requires you to be a very high privileged account, which is no fun. I need these computer lists as part of my internal / post-exploitation recon, not an end step.

For the longest time I relied on a very awesome tool called "Adfind":
adfind -sc computers_active -csv -nodn -nocsvq -nocsvheader
This command will output a list of computer accounts that have been active in the last 90 days in a straight line by line format (hence all of the no "this"and no "that" flags)

But that wasn't good enough, this image kept haunting me:


It's Active Directory Explorer by SysInternals. It shows the complete list of DNS records, stored as objects in Active Directory that I was able to get to as a basic domain user. This means all of the static DNS records for the unix systems and mainframes and other systems outside of the purely Windows world are there as well.

I spent 4 days attempting to write my own script, ldap query, prayer to  get all of the data out but was unsuccessful. On the 5th day I happened upon a very short post saying "I did it", as I probably would have written the same. It comes in the form of a PowerShell script that you can find here:

Code: https://github.com/mmessano/PowerShell/blob/master/dns-dump.ps1

And is very easy to run:
PS C:\Users\jdoe> dns-dump.ps1 -zone projectmentor.net -dc dc1

or
C:\> powershell -ep bypass -f dnsdump.ps1 -zone projectmentor.net -dc dc1
If you put a -csv on the end of those the author has even given you the CSV format which makes the output extremely easy to parse. Now you can throw your list into your tool of choice instead of scanning random IP ranges on the targets network for important stuff you can scan directly against known good hosts.

-- mubix

P.S. Yes I realize this isn't actually "Zone Transfer"s but its close enough 

1 comment:

  1. The script hard-codes "CN=MicrosoftDNS,CN=System", but this will actually vary based on the replication scope defined for the zone. The AD Explorer screenshot above shows one of the alternate locations: "CN=MicrosoftDNS,DC=DomainDNSZones", which is also the configuration used on my current client engagement as well as my lab (I believe I used default configuration options).

    The replication scopes/possible locations are as follows:
    All DNS servers in forest: CN=MicrosoftDNS,DC=ForestDNSZones
    All DNS servers in domain: CN=MicrosoftDNS,DC=DomainDNSZones
    All DCs in domain: CN=MicrosoftDNS,CN=System

    The latter option is apparently used for Win2k compatibility, so this may be in place for domains that have been upgraded over the years.

    Just FYI in case you or anyone else runs into this snag. As always, thanks for taking the time to share these techniques.

    ReplyDelete