
adidnsdump's Introduction

Active Directory Integrated DNS dump tool

Python 2.7 and 3 compatible PyPI version License: MIT

By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer. This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks.

For more info, read the associated blog post.

Install and usage

You can either install the tool via pip with pip install adidnsdump or install it from git to have the latest version:

git clone https://github.com/dirkjanm/adidnsdump
cd adidnsdump
pip install .

or

pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump

The tool requires impacket and dnspython to function. While the tool works with both Python 2 and 3, Python 3 support requires you to install impacket from GitHub.

Installation adds the adidnsdump command to your PATH. For help, try adidnsdump -h. The tool can be used both directly from the network and via an implant using proxychains. If using proxychains, make sure to specify the --dns-tcp option.

adidnsdump's People

Contributors

cravaterouge, dirkjanm, stephenbradshaw, vruello

adidnsdump's Issues

TypeError: Struct() argument 1 must be string, not unicode

Python 2.7.5
impacket pulled today

Get the following:

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Querying zone for records
Traceback (most recent call last):
File "/bin/adidnsdump", line 9, in <module>
load_entry_point('adidnsdump==1.1.0', 'console_scripts', 'adidnsdump')()
File "build/bdist.linux-x86_64/egg/adidnsdump/dnsdump.py", line 443, in main
File "build/bdist.linux-x86_64/egg/impacket/structure.py", line 84, in __init__
File "build/bdist.linux-x86_64/egg/impacket/structure.py", line 142, in fromString
File "build/bdist.linux-x86_64/egg/impacket/structure.py", line 535, in calcUnpackSize
TypeError: Struct() argument 1 must be string, not unicode

NameErr: DSID-03100238, problem 2001 (NO_OBJECT)

Using latest version from HEAD.
Was trying to dump records from target network. Was able to use --print-zones successfully.
Tried different domain controllers both over SSL and without, with same output

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Querying zone for records
Traceback (most recent call last):
  File "/usr/local/bin/adidnsdump", line 11, in <module>
    load_entry_point('adidnsdump==1.2.0', 'console_scripts', 'adidnsdump')()
  File "/usr/local/lib/python2.7/dist-packages/adidnsdump/dnsdump.py", line 420, in main
    c.extend.standard.paged_search(searchtarget, sfilter, search_scope=LEVEL, attributes=['dnsRecord','dNSTombstoned','name'], paged_size=500, generator=False)
  File "/usr/local/lib/python2.7/dist-packages/ldap3/extend/__init__.py", line 125, in paged_search
    paged_criticality)
  File "/usr/local/lib/python2.7/dist-packages/ldap3/extend/standard/PagedSearch.py", line 121, in paged_search_accumulator
    paged_criticality):
  File "/usr/local/lib/python2.7/dist-packages/ldap3/extend/standard/PagedSearch.py", line 84, in paged_search_generator
    raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
ldap3.core.exceptions.LDAPNoSuchObjectResult: LDAPNoSuchObjectResult - 32 - noSuchObject - CN=MicrosoftDNS,DC=DomainDnsZones,DC=eur,DC=sub,DC=clientdomain,DC=com - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=MicrosoftDNS,DC=DomainDnsZones,DC=eur,DC=sub,DC=clientdomain,DC=com'
 - searchResDone - None

The tool is running through proxychains.

ldap3.core.exceptions.LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password

Hello,
I always get the error ldap3.core.exceptions.LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password when I'm trying to enumerate on our DNS zone.

[-] Binding to host
Traceback (most recent call last):
  File "c:\python38\lib\runpy.py", line 193, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "c:\python38\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Python38\Scripts\adidnsdump.exe\__main__.py", line 7, in <module>
  File "c:\python38\lib\site-packages\adidnsdump\dnsdump.py", line 375, in main
    if not c.bind():
  File "c:\python38\lib\site-packages\ldap3\core\connection.py", line 607, in bind
    raise LDAPUnknownAuthenticationMethodError(self.last_error)
ldap3.core.exceptions.LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password

but I'm correctly specifying the DOMAIN\\user and the password...

Thanks :)

Discussion: Would removing the password parameter be a good idea?

Hi,

Since there is no discussion page, I wanted to ask about the password parameter. Since it is a well-known CWE, the rationale is obvious. The password can be leaked just by using the ps or top commands, to SIEMs thanks to auditd, through bash history, etc. I believe it is better to remove the --password, -p for all.

It may not be an issue from the attacker's perspective, depending on their OPSEC, but it can be a problem for blue team members, and accidents happen. During detection engineering, it is possible to leak credentials.

What do you think?
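The concern raised in this issue, as an added example that is not adidnsdump's code: a command-line tool can take the credential from a permission-checked file, an environment variable, or an interactive prompt, so the secret never appears in argv, `ps` output, auditd execve records or shell history. The `--password-file` option, the `ADIDNS_PASSWORD` variable and the `demo-tool` name are hypothetical and are not adidnsdump options.

```python
import argparse
import getpass
import os

ENV_VAR = "ADIDNS_PASSWORD"  # hypothetical variable name, not an adidnsdump setting


def build_parser():
    """Argument parser with no option that carries the secret itself."""
    p = argparse.ArgumentParser(prog="demo-tool")
    p.add_argument("-u", "--user", required=True, help=r"DOMAIN\username")
    p.add_argument("--password-file",
                   help="file holding the password on its first line")
    p.add_argument("host")
    return p


def resolve_password(args, environ=os.environ, prompt=getpass.getpass):
    """Return (password, source) without ever reading the secret from argv."""
    if args.password_file:
        # Refuse files that group/other can read (POSIX permission bits).
        mode = os.stat(args.password_file).st_mode
        if os.name == "posix" and mode & 0o077:
            raise PermissionError(
                "%s is accessible by group/other" % args.password_file)
        with open(args.password_file) as fh:
            return fh.readline().rstrip("\r\n"), "file"
    if environ.get(ENV_VAR):
        # The environment is readable by the same user and root
        # (/proc/<pid>/environ on Linux) but is not part of the command line.
        return environ[ENV_VAR], "env"
    # Interactive fallback: typed on the TTY, not echoed, not in shell history.
    return prompt("Password for %s: " % args.user), "prompt"


def main(argv=None):
    args = build_parser().parse_args(argv)
    _password, source = resolve_password(args)
    # Log only where the credential came from, never the value.
    print("credential for %s obtained via %s" % (args.user, source))


if __name__ == "__main__":
    main()
```
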

Tag the source

It would be very helpful if you could tag releases again. This would enable distributions who want to fetch the package from GitHub.

Thanks

dNSTombstoned issue

Hi, I found that a host with the attribute dNSTombstoned set to TRUE is still requested whether --include-tombstoned is specified or not. I got the same issue when I developed a C# version of adidnsdump. It works fine with a DA account, but a lowpriv user cannot read attributes like dNSTombstoned.

Alternate path

Hi,
we just tried your tool and it looks like the LDAP paths can differ on old installations.

It looks like these are the possible DNS paths:

CN=MicrosoftDNS,DC=DomainDNSZones,DC=<child domain>
CN=MicrosoftDNS,DC=ForestDNSZones,DC=<child domain>
CN=MicrosoftDNS,CN=System,DC=<child domain>

In our case there are some default entries in DomainDNSZones, but the main DNS data is located under System.

I modified this line locally to make it work, but maybe it would be best to add an option for this new path, or even enumerate both paths?

dnsroot = 'CN=MicrosoftDNS,CN=System,%s' % domainroot

dns.name.EmptyLabel: A DNS label is empty.

When running adidnsdump, sometimes the following error occurs:

Traceback (most recent call last):
File "/usr/local/bin/adidnsdump", line 10, in <module>
sys.exit(main())
File "/usr/local/lib/python2.7/dist-packages/adidnsdump/dnsdump.py", line 422, in main
res = dnsresolver.query('%s.%s.' % (recordname, zone), 'A', tcp=args.dns_tcp)
File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 848, in query
qname = dns.name.from_text(qname, None)
File "/usr/lib/python2.7/dist-packages/dns/name.py", line 889, in from_text
return from_unicode(text, origin, idna_codec)
File "/usr/lib/python2.7/dist-packages/dns/name.py", line 852, in from_unicode
raise EmptyLabel
dns.name.EmptyLabel: A DNS label is empty.

This happens when using the following command and switches:
adidnsdump -u DOMAIN\USER -p PASSWORD -r -v FQDN.DC.COM

Is there anything I need to do on my end to help fix this?

UnicodeEncodeError

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Querying zone for records
[+] Found nnnnn records
Traceback (most recent call last):
  File "/usr/local/bin/adidnsdump", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/dist-packages/adidnsdump/dnsdump.py", line 445, in main
    outfile.write('{type},{name},{ip}\n'.format(**row))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xa0' in position 12: ordinal not in range(128) 

ModuleNotFoundError: No module named 'future'

I needed to install the future package to be able to run it:
python3 -m pip install future

Traceback (most recent call last):
  File "/home/user/.local/bin/adidnsdump", line 5, in <module>
    from adidnsdump import main
  File "/home/user/.local/lib/python3.11/site-packages/adidnsdump/__init__.py", line 1, in <module>
    from adidnsdump.dnsdump import main
  File "/home/user/.local/lib/python3.11/site-packages/adidnsdump/dnsdump.py", line 43, in <module>
    from future.utils import itervalues, iteritems, native_str
ModuleNotFoundError: No module named 'future'
