
Failed to Enumerate Zones (bluetuxedo issue, open, 35 comments)

Zamanry commented on July 1, 2024
Failed to Enumerate Zones

from bluetuxedo.

Comments (35)

TrimarcJake commented on July 1, 2024 (2)

To be fair, I do not remember why I used Get-DnsServerZone for ADI zones instead of pulling that info from AD. That's something to work on!

TrimarcJake commented on July 1, 2024 (2)

BTW: As much as I'm a defender, I love helping you filthy red teamers get the goods (🤣), so expect an enhancement sometime in the next couple weeks.

TrimarcJake commented on July 1, 2024 (2)

WEIRD. Well, I just updated the Get-BTADIZone function to pull zone information from AD instead of directly from the DNS servers (less privs required, supports more varied infra!).

If y'all have a moment, please test the version in testing. :D

TrimarcJake commented on July 1, 2024 (2)

Me rn

rebelinux commented on July 1, 2024 (1)

I have the same kind of error. I did the test from a DC with God-level privileges.

```text
PS C:\Users\Administrator\Downloads\BlueTuxedo-main> Invoke-BlueTuxedo
[BlueTuxedo ASCII-art banner]                                                              v2023.11
Please hold. Collecting DNS data from the following domains:
acad.fakedomain.local fakedomain.local acronym.local
Get-DnsServerZone : Failed to enumerate zones from the server fakedomain.local.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTADIZone.ps1:14 char:18
+         $Zones = Get-DnsServerZone -ComputerName $domain | Where-Obje ...
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (fakedomain.local:root/Microsoft/...S_DnsServerZone) [Get-DnsServerZone], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DnsServerZone

Get-DnsServerZone : Failed to enumerate zones from the server acronym.local.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTADIZone.ps1:14 char:18
+         $Zones = Get-DnsServerZone -ComputerName $domain | Where-Obje ...
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (acronym.local:root/Microsoft/...S_DnsServerZone) [Get-DnsServerZone], CimException
    + FullyQualifiedErrorId : WIN32 1722,Get-DnsServerZone

Get-DnsServerZone : Failed to enumerate zones from the server 10.10.33.1.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTConditionalForwarder.ps1:16 char:22
+ ...    $Zones = Get-DnsServerZone -ComputerName $dnsServer.IP4Address | W ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (10.10.33.1:root/Microsoft/...S_DnsServerZone) [Get-DnsServerZone], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DnsServerZone

Get-DnsServerResourceRecord : Failed to get the zone information for fakedomain.local on server fakedomain.local.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTDanglingSPN.ps1:33 char:29
+ ...         if (Get-DnsServerResourceRecord -ComputerName $domain -ZoneNa ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (fakedomain.local:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord
```

[Edited by @TrimarcJake to remove possibly private data]

Don't worry, it's a homelab environment.

benji1000 commented on July 1, 2024 (1)

Hello Jake and the Trimarc team. Hope you are doing okay and you had a good end of year!

I am facing the same issue as described, with the same error messages. I run it from a Windows 10 Pro VM as well, which is domain-joined, from an elevated prompt with a Domain Admin account. The context in which I am using this tool consists of a single domain. If you need more details or test results from me, I am willing to provide them.

PS: I don't run into the same issue with Locksmith, which works great!

rebelinux commented on July 1, 2024 (1)

> @rebelinux Are you running BT from a child domain? If yes, are there different results when running BT from the root domain?
>
> Also, sorry for the slow response. Thanksgiving and burnout are real.

I ran it from the root domain.

TrimarcJake commented on July 1, 2024 (1)

@rebelinux Ahhh, this is what it should look like!

  1. ADI Zones are collected, but the "Dynamic Update" field is not collected (yet)
  2. Failures during Dangling SPN checks because those still check the DNS servers directly for records instead of checking AD for records

TrimarcJake commented on July 1, 2024 (1)

Hi @benji1000. I took a look at your log, and it is exactly as I expect it to look after making my last modifications.

I plan to continue replacing any Get-DnsServer* cmdlets with Get-ADObject or whatever else is needed.

Once those replacements are complete, I will consider this ticket closed.

Thanks so much to all of you for reporting issues!
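One way to read ADI zones, including the "Dynamic Update" setting mentioned as not yet collected in the previous comment, straight from AD rather than through Get-DnsServer* cmdlets, as an added example that is not BlueTuxedo's or the author's code. It assumes the ActiveDirectory RSAT module; the function names are hypothetical, and the dNSProperty byte layout is taken from MS-DNSP.

```powershell
# Added example, not BlueTuxedo's own code. Reads AD-integrated DNS zones as
# dnsZone objects from the directory partitions instead of calling
# Get-DnsServerZone on each DC, so directory read access is enough.
# Assumes the ActiveDirectory (RSAT) module; function names are hypothetical.

# dNSProperty values are MS-DNSP dnsProperty structures:
#   DataLength(4) NameLength(4) Flag(4) Version(4) Id(4) Data(DataLength) Name(NameLength)
# Id 0x02 = DSPROPERTY_ZONE_ALLOW_UPDATE; Data = 0 off, 1 nonsecure+secure, 2 secure only.
function ConvertFrom-DnsPropertyAllowUpdate {
    param($PropertyValues)
    foreach ($bytes in @($PropertyValues)) {
        if ($bytes -isnot [byte[]] -or $bytes.Length -lt 24) { continue }
        $dataLength = [BitConverter]::ToUInt32($bytes, 0)
        $id         = [BitConverter]::ToUInt32($bytes, 16)
        if ($id -ne 2 -or $dataLength -lt 4) { continue }
        switch ([BitConverter]::ToUInt32($bytes, 20)) {
            0       { return 'None' }
            1       { return 'NonsecureAndSecure' }
            2       { return 'Secure' }
            default { return "Unknown($_)" }
        }
    }
    return 'NotSet'
}

function Get-ADIZoneFromDirectory {
    [CmdletBinding()]
    param([string]$Domain)
    Import-Module ActiveDirectory -ErrorAction Stop
    if (-not $Domain) { $Domain = (Get-ADDomain).DNSRoot }
    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
    $forestDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

    # The three containers an ADI zone can live in, by replication scope.
    $searchBases = @(
        @{ Scope = 'Legacy (domain NC)'; DN = "CN=MicrosoftDNS,CN=System,$domainDN" }
        @{ Scope = 'DomainDnsZones';     DN = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN" }
        @{ Scope = 'ForestDnsZones';     DN = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN" }
    )
    foreach ($base in $searchBases) {
        try {
            # -Server pins the query to a DC of that domain; a DC that does not
            # host the application partition throws, which is reported and skipped.
            $zones = Get-ADObject -Server $Domain -SearchBase $base.DN -SearchScope OneLevel `
                -LDAPFilter '(objectClass=dnsZone)' -Properties dNSProperty, whenCreated -ErrorAction Stop
        } catch {
            Write-Verbose "Skipping $($base.DN): $($_.Exception.Message)"
            continue
        }
        foreach ($zone in $zones) {
            # Skip the cache zone and the DNSSEC trust-anchor pseudo-zone.
            if ($zone.Name -eq 'RootDNSServers' -or $zone.Name -like '..*') { continue }
            [pscustomobject]@{
                Domain            = $Domain
                ZoneName          = $zone.Name
                ReplicationScope  = $base.Scope
                DynamicUpdate     = ConvertFrom-DnsPropertyAllowUpdate $zone.dNSProperty
                WhenCreated       = $zone.whenCreated
                DistinguishedName = $zone.DistinguishedName
            }
        }
    }
}

# Usage: every domain in the forest; zones showing NonsecureAndSecure are the
# ones a defender wants to review.
(Get-ADForest).Domains | ForEach-Object { Get-ADIZoneFromDirectory -Domain $_ -Verbose } |
    Format-Table Domain, ZoneName, ReplicationScope, DynamicUpdate -AutoSize
```

Zones stored under the legacy CN=System location replicate with the domain NC, so they show up there even on DCs that are not DNS servers, while the two application partitions are only present on DCs that host them.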

TrimarcJake commented on July 1, 2024

Since Jim and I are defenders at heart, we did not take into consideration attempting to run BT from a non-domain-joined machine. I'll need to ruminate on this a bit.

Zamanry commented on July 1, 2024

For the non-domain joined machine, I’m gonna have my team try and add the domain as a DNS search in the interface. I know many PowerShell/Python equivalent tools have you specify a DC for “guaranteed” name resolution. That might help for a long term fix.

TrimarcJake commented on July 1, 2024

@Zamanry - Assuming all the DNS servers in the environment are also Domain Controllers, Get-DnsServerZone requires Domain Admin (single-domain forest) or Enterprise Admin (multi-domain forest). Does the user you popped have those rights?

@rebelinux - I can see you are in a multi-domain environment and that you had no issues getting zones from acad.fakedomain.local, so I bet the user you are running your test as is only a DA. Try one with EA and report back!

Zamanry commented on July 1, 2024

> @Zamanry - Assuming all the DNS servers in the environment are also Domain Controllers, Get-DnsServerZone requires Domain Admin (single-domain forest) or Enterprise Admin (multi-domain forest). Does the user you popped have those rights?
>
> @rebelinux - I can see you are in a multi-domain environment and that you had no issues getting zones from acad.fakedomain.local, so I bet the user you are running your test is only a DA. Try one with EA and report back!

My user does not. It’s a standard domain user. So this is likely a privilege issue hence the access denieds.

rebelinux commented on July 1, 2024

The user is Ent Admin.

The test was performed in this AD lab, which is built/destroyed with automation, producing the error results. Additionally, I used the script in another environment with the same results. Possibly some situation related to a multi-domain forest.

```text
PS C:\Users\Administrator> whoami -user

USER INFORMATION
----------------

User Name             SID
===================== ============================================
pharmax\administrator S-1-5-21-2867495315-1194516362-180967319-500
PS C:\Users\Administrator> whoami -groups

GROUP INFORMATION
-----------------

Group Name                                     Type             SID                                           Attributes
============================================== ================ ============================================= ===============================================================
Everyone                                       Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                         Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                  Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access     Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access        Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON          Well-known group S-1-5-14                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                       Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users               Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                 Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                          Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
PHARMAX\Domain Admins                          Group            S-1-5-21-2867495315-1194516362-180967319-512  Mandatory group, Enabled by default, Enabled group
PHARMAX\ESX Admins                             Group            S-1-5-21-2867495315-1194516362-180967319-1190 Mandatory group, Enabled by default, Enabled group
PHARMAX\BitLocker Helpdesk Admins              Group            S-1-5-21-2867495315-1194516362-180967319-2625 Mandatory group, Enabled by default, Enabled group
PHARMAX\Group Policy Creator Owners            Group            S-1-5-21-2867495315-1194516362-180967319-520  Mandatory group, Enabled by default, Enabled group
PHARMAX\Enterprise Admins                      Group            S-1-5-21-2867495315-1194516362-180967319-519  Mandatory group, Enabled by default, Enabled group
PHARMAX\Schema Admins                          Group            S-1-5-21-2867495315-1194516362-180967319-518  Mandatory group, Enabled by default, Enabled group
PHARMAX\VEEAM AD-1-1401084541                  Group            S-1-5-21-2867495315-1194516362-180967319-7763 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity     Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
PHARMAX\Denied RODC Password Replication Group Alias            S-1-5-21-2867495315-1194516362-180967319-572  Mandatory group, Enabled by default, Enabled group, Local Group
PHARMAX\LAPS Admins                            Alias            S-1-5-21-2867495315-1194516362-180967319-2638 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level           Label            S-1-16-12288
PS C:\Users\Administrator>
```

TrimarcJake commented on July 1, 2024

@rebelinux Are you running BT from a child domain? If yes, are there different results when running BT from the root domain?

Also, sorry for the slow response. Thanksgiving and burnout are real.

TrimarcJake commented on July 1, 2024

@rebelinux and @benji1000:

Are you running DNS on your DCs or on separate machines?

rebelinux commented on July 1, 2024

DNS service is hosted in the DC servers

benji1000 commented on July 1, 2024

Same here.

benji1000 commented on July 1, 2024

Thanks for the update, but the same thing happens unfortunately, using a standard account as well as a DA account. I pulled the repo and switched branch to testing, before importing the .psd1 file and invoking BlueTuxedo.

```text
[BlueTuxedo ASCII-art banner]                                                              v2024.1
Please hold. Collecting DNS data from the following domains:
[REDACTED]
Get-DnsServerResourceRecord : Échec de l’obtention des informations de zone pour [REDACTED] sur le serveur [REDACTED].
Au caractère Z:\BlueTuxedo\Private\Get\Get-BTDanglingSPN.ps1:33 : 29
+ ...         if (Get-DnsServerResourceRecord -ComputerName $domain -ZoneNa ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: ([REDACTED]:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord
```

As you can see, the AD I'm testing it on is in French. Is it something that can block the tool from working appropriately?

TrimarcJake commented on July 1, 2024

Hi @benji1000! Is this the full error?

If so, this is progress as I have not updated Get-BTDanglingSPNs yet, only Get-BTADIZone.

benji1000 commented on July 1, 2024

No I'm sorry, I didn't post the full log. It just loops on "Permission denied" errors after that, so I assumed it wasn't relevant and hit Ctrl+C after a few errors. Sorry if it gave the impression that some things were fixed... Are you interested in the full logs?

TrimarcJake commented on July 1, 2024

I love full logs. :D Feel free to send to [email protected] if it's big.

That being said, did you Get-Module -Name BlueTuxedo | Remove-Module first before loading the new version?

rebelinux commented on July 1, 2024

Generated the log using Start-Transcript:

BlueTuxedo.log

This is an environment I used to develop the AsbuiltReport for AD, so no sensitive or important data!

https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD

TrimarcJake commented on July 1, 2024

@rebelinux:

Oooh, I'm starring that repo immediately. It looks very handy.

From the log, it looks like you are running the main version of the module instead of what I'm currently working on in testing. Would you mind doing the following?

```powershell
git clone https://github.com/TrimarcJake/BlueTuxedo.git
cd BlueTuxedo
git checkout testing
Import-Module .\BlueTuxedo.psd1
Invoke-BlueTuxedo -Verbose
```

I'd love to get a look at that log.

rebelinux commented on July 1, 2024

I used the testing repository to perform that test. I see that there are new commits in the repository so I will test again with the new changes.

I added the Start-Transcript cmdlet example for everyone's benefit:

```powershell
PS BlueTuxedo> Start-Transcript -Append .\BlueTuxedo.log
PS BlueTuxedo> Invoke-BlueTuxedo -Verbose
PS BlueTuxedo> Stop-Transcript
```

rebelinux commented on July 1, 2024

Done with latest changes!

BlueTuxedo.log

benji1000 commented on July 1, 2024

Hey, sorry it took me so long to post the rest of the log. You can find it here; it expires in a week.

This is not really the full log, as it is a continuation of the first logs I posted (I didn't know about the Start-Transcript technique rebelinux posted when I generated them...), and I had to redact some data. Also, when it came to the part where fixes were offered, I exited the program. I hope it can still help you.

Thank you for your hard work!

benji1000 commented on July 1, 2024

No problem, glad I could be of some help!

TrimarcJake commented on July 1, 2024

Hi @benji1000 and @rebelinux - if either of you are free today, would you mind pulling down the testing branch and trying it out to see if your errors are mostly resolved?

benji1000 commented on July 1, 2024

Hello, sorry I don't have access to the environment at the moment. I will try to get access to it as soon as possible, but I don't know when it will be. Possibly at the end of this week.

TrimarcJake commented on July 1, 2024

Thanks, @benji1000! I hope you're having a great day.

rebelinux commented on July 1, 2024

Here is the log with the most recent version of the testing repo :)
BlueTuxedo.log

TrimarcJake commented on July 1, 2024

How is this worse?!?!

rebelinux commented on July 1, 2024

Maybe a DC issue. I will run the script again and let you know the results!
