Comments (35)
To be fair, I do not remember why I used Get-DnsServerZone for ADI zones instead of pulling that info from AD. That's something to work on!
from bluetuxedo.
BTW: As much as I'm a defender, I love helping you filthy red teamers get the goods (🤣), so expect an enhancement sometime in the next couple weeks.
from bluetuxedo.
WEIRD. Well, I just updated the Get-BTADIZone function to pull zone information from AD instead of directly from the DNS servers (less privs required, supports more varied infra!).
If y'all have a moment, please test the version in testing. :D
from bluetuxedo.
Me rn
from bluetuxedo.
Have the same kind of error. Do the test from a DC with God level privileges.
PS C:\Users\Administrator\Downloads\BlueTuxedo-main> Invoke-BlueTuxedo
::::::::: ::: ::: ::::::::::::::::::::::::::: :::::: :::::::::::::::::::::: ::::::::
:+: :+::+: :+: :+::+: :+: :+: :+::+: :+::+: :+: :+::+: :+:
+:+ +:++:+ +:+ +:++:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:++:+ +:+
+#++:++#+ +#+ +#+ +:++#++:++# +#+ +#+ +:+ +#++:+ +#++:++# +#+ +:++#+ +:+
+#+ +#++#+ +#+ +#++#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+ +#++#+ +#+
#+# #+##+# #+# #+##+# #+# #+# #+##+# #+##+# #+# #+##+# #+#
######### ################## ########## ### ######## ### ###################### ########
v2023.11
Please hold. Collecting DNS data from the following domains:
acad.fakedomain.local fakedomain.local acronym.local
Get-DnsServerZone : Failed to enumerate zones from the server fakedomain.local.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTADIZone.ps1:14 char:18
+ $Zones = Get-DnsServerZone -ComputerName $domain | Where-Obje ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (fakedomain.local:root/Microsoft/...S_DnsServerZone) [Get-DnsServerZone], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServerZone
Get-DnsServerZone : Failed to enumerate zones from the server acronym.local.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTADIZone.ps1:14 char:18
+ $Zones = Get-DnsServerZone -ComputerName $domain | Where-Obje ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (acronym.local:root/Microsoft/...S_DnsServerZone) [Get-DnsServerZone], CimException
+ FullyQualifiedErrorId : WIN32 1722,Get-DnsServerZone
Get-DnsServerZone : Failed to enumerate zones from the server 10.10.33.1.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTConditionalForwarder.ps1:16 char:22
+ ... $Zones = Get-DnsServerZone -ComputerName $dnsServer.IP4Address | W ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (10.10.33.1:root/Microsoft/...S_DnsServerZone) [Get-DnsServerZone], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServerZone
Get-DnsServerResourceRecord : Failed to get the zone information for fakedomain.local on server fakedomain.local.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTDanglingSPN.ps1:33 char:29
+ ... if (Get-DnsServerResourceRecord -ComputerName $domain -ZoneNa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (fakedomain.local:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord
[Edited by @TrimarcJake to remove possibly private data]
Don't worry, it's a homelab environment.
from bluetuxedo.
Hello Jake and the Trimarc team. Hope you are doing okay and you had a good end of year!
I am facing the same issue as described, same error messages. I run it from a Windows 10 Pro VM as well, which is domain-joined, and from an elevated prompt with a Domain Admin account. The context in which I am using this tool consists of a single domain. If you need more details or test results from me, I am willing to provide them.
PS: I don't run into the same issue with Locksmith, which works great!
from bluetuxedo.
@rebelinux Are you running BT from a child domain? If yes, are there different results when running BT from the root domain?
Also, sorry for the slow response. Thanksgiving and burnout are real.
I ran it from the root domain.
from bluetuxedo.
@rebelinux Ahhh, this is what it should look like!
- ADI Zones are collected, but the "Dynamic Update" field is not collected (yet)
- Failures during Dangling SPN checks because those still check the DNS servers directly for records instead of checking AD for records
from bluetuxedo.
Hi @benji1000. I took a look at your log, and it is exactly as I expect it to look after making my last modifications.
I plan to continue replacing any Get-DnsServer* cmdlets with Get-ADObject or whatever else is needed.
Once those replacements are complete, I will consider this ticket closed.
Thanks so much to all of you for reporting issues!
from bluetuxedo.
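As an added illustration of the approach the maintainer describes above (reading dnsZone objects from the directory instead of calling Get-DnsServerZone on each DNS server), here is example PowerShell that is not part of BlueTuxedo; it assumes the ActiveDirectory RSAT module is installed and that the caller can reach a DC of the queried domain, and the function name Get-ADIZoneFromDirectory is made up for this example.

```powershell
# Added example, not BlueTuxedo's own code. Enumerates AD-integrated DNS zones
# by reading dnsZone objects over LDAP/ADWS. Authenticated users can read these
# objects by default, so DA/EA rights (needed for Get-DnsServerZone against a
# DC) are not required. Assumes the ActiveDirectory RSAT module is present.
Import-Module ActiveDirectory

function Get-ADIZoneFromDirectory {
    [CmdletBinding()]
    param(
        # Domain to query; defaults to the current user's domain (assumption)
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
    $forestDN = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName

    # The three containers an ADI zone can live in, each with its own
    # replication scope. Legacy zones under CN=System replicate to every DC in
    # the domain whether or not it runs DNS, so they are worth flagging.
    $searchBases = @(
        @{ Scope = 'Domain (DomainDnsZones)'; Base = "DC=DomainDnsZones,$domainDN" }
        @{ Scope = 'Forest (ForestDnsZones)'; Base = "DC=ForestDnsZones,$forestDN" }
        @{ Scope = 'Legacy (CN=System)';      Base = "CN=MicrosoftDNS,CN=System,$domainDN" }
    )

    foreach ($sb in $searchBases) {
        try {
            # -Server targets a DC of the queried domain so cross-domain
            # partitions resolve; a missing/unreadable partition is skipped.
            $zones = Get-ADObject -Server $Domain -SearchBase $sb.Base `
                -LDAPFilter '(objectClass=dnsZone)' `
                -Properties dNSProperty, whenCreated -ErrorAction Stop
        } catch {
            Write-Verbose "Partition $($sb.Base) not readable or absent: $_"
            continue
        }
        foreach ($z in $zones) {
            # Skip the pseudo-zones that hold root hints and DNSSEC trust anchors
            if ($z.Name -in 'RootDNSServers', 'TrustAnchors') { continue }
            [pscustomobject]@{
                Domain            = $Domain
                Zone              = $z.Name
                ReplicationScope  = $sb.Scope
                DistinguishedName = $z.DistinguishedName
                Created           = $z.whenCreated
            }
        }
    }
}

# Usage: list every ADI zone of the current domain grouped by replication scope
Get-ADIZoneFromDirectory -Verbose | Sort-Object ReplicationScope, Zone | Format-Table -AutoSize
```

The dNSProperty attribute is returned because it is where per-zone settings such as the dynamic update mode are encoded; decoding it is left out here.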
Since Jim and I are defenders at heart, we did not take into consideration attempting to run BT from a non-domain-joined machine. I'll need to ruminate on this a bit.
from bluetuxedo.
For the non-domain joined machine, I’m gonna have my team try and add the domain as a DNS search in the interface. I know many PowerShell/Python equivalent tools have you specify a DC for “guaranteed” name resolution. That might help for a long term fix.
from bluetuxedo.
@Zamanry - Assuming all the DNS servers in the environment are also Domain Controllers, Get-DnsServerZone requires Domain Admin (single-domain forest) or Enterprise Admin (multi-domain forest). Does the user you popped have those rights?
@rebelinux - I can see you are in a multi-domain environment and that you had no issues getting zones from acad.fakedomain.local, so I bet the user you are running your test is only a DA. Try one with EA and report back!
from bluetuxedo.
My user does not. It’s a standard domain user. So this is likely a privilege issue hence the access denieds.
from bluetuxedo.
The user is Ent Admin
The test was performed in this AD lab, which is built/destroyed with automation, producing the error results. Additionally I used the script in another environment with the same results. Possibly some situation related to a multi-domain forest.
PS C:\Users\Administrator> whoami -user
USER INFORMATION
----------------
User Name SID
===================== ============================================
pharmax\administrator S-1-5-21-2867495315-1194516362-180967319-500
PS C:\Users\Administrator> whoami -groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
PHARMAX\Domain Admins Group S-1-5-21-2867495315-1194516362-180967319-512 Mandatory group, Enabled by default, Enabled group
PHARMAX\ESX Admins Group S-1-5-21-2867495315-1194516362-180967319-1190 Mandatory group, Enabled by default, Enabled group
PHARMAX\BitLocker Helpdesk Admins Group S-1-5-21-2867495315-1194516362-180967319-2625 Mandatory group, Enabled by default, Enabled group
PHARMAX\Group Policy Creator Owners Group S-1-5-21-2867495315-1194516362-180967319-520 Mandatory group, Enabled by default, Enabled group
PHARMAX\Enterprise Admins Group S-1-5-21-2867495315-1194516362-180967319-519 Mandatory group, Enabled by default, Enabled group
PHARMAX\Schema Admins Group S-1-5-21-2867495315-1194516362-180967319-518 Mandatory group, Enabled by default, Enabled group
PHARMAX\VEEAM AD-1-1401084541 Group S-1-5-21-2867495315-1194516362-180967319-7763 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
PHARMAX\Denied RODC Password Replication Group Alias S-1-5-21-2867495315-1194516362-180967319-572 Mandatory group, Enabled by default, Enabled group, Local Group
PHARMAX\LAPS Admins Alias S-1-5-21-2867495315-1194516362-180967319-2638 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PS C:\Users\Administrator>
from bluetuxedo.
@rebelinux and @benji1000:
Are you running DNS on your DCs or on separate machines?
from bluetuxedo.
DNS service is hosted in the DC servers
from bluetuxedo.
Same here.
from bluetuxedo.
Thanks for the update, but the same thing happens unfortunately, using a standard account as well as a DA account. I pulled the repo and switched branch to testing, before importing the .psd1 file and invoking BlueTuxedo.
::::::::: ::: ::: ::::::::::::::::::::::::::: :::::: :::::::::::::::::::::: ::::::::
:+: :+::+: :+: :+::+: :+: :+: :+::+: :+::+: :+: :+::+: :+:
+:+ +:++:+ +:+ +:++:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:++:+ +:+
+#++:++#+ +#+ +#+ +:++#++:++# +#+ +#+ +:+ +#++:+ +#++:++# +#+ +:++#+ +:+
+#+ +#++#+ +#+ +#++#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+ +#++#+ +#+
#+# #+##+# #+# #+##+# #+# #+# #+##+# #+##+# #+# #+##+# #+#
######### ################## ########## ### ######## ### ###################### ########
v2024.1
Please hold. Collecting DNS data from the following domains:
[REDACTED]
Get-DnsServerResourceRecord : Échec de l’obtention des informations de zone pour [REDACTED] sur le serveur [REDACTED].
Au caractère Z:\BlueTuxedo\Private\Get\Get-BTDanglingSPN.ps1:33 : 29
+ ... if (Get-DnsServerResourceRecord -ComputerName $domain -ZoneNa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: ([REDACTED]:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
+ FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord
As you can see, the AD I'm testing it on is in French. Is it something that can block the tool from working appropriately?
from bluetuxedo.
Hi @benji1000! Is this the full error?
If so, this is progress as I have not updated Get-BTDanglingSPNs yet, only Get-BTADIZone.
from bluetuxedo.
No I'm sorry, I didn't post the full log. It just loops on "Permission denied" errors after that, so I assumed it wasn't relevant and hit Ctrl+C after a few errors. Sorry if it gave the impression that some things were fixed... Are you interested in the full logs?
from bluetuxedo.
I love full logs. :D Feel free to send to [email protected] if it's big.
That being said, did you Get-Module -Name BlueTuxedo | Remove-Module first before loading the new version?
from bluetuxedo.
Generated the log using Start-Transcript:
This is an environment I used to develop the AsbuiltReport for AD, so no sensitive or important data!
https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD
from bluetuxedo.
Oooh, I'm starring that repo immediately. It looks very handy.
From the log, it looks like you are running the main version of the module instead of what I'm currently working on in testing. Would you mind doing the following?
git clone https://github.com/TrimarcJake/BlueTuxedo.git
cd BlueTuxedo
git checkout testing
Import-Module .\BlueTuxedo.psd1
Invoke-BlueTuxedo -Verbose
I'd love to get a look at that log.
from bluetuxedo.
I used the testing repository to perform that test. I see that there are new commits in the repository so I will test again with the new changes.
I added the Start-Transcript cmdlet example for everyone's benefit:
PS BlueTuxedo> Start-Transcript -Append .\BlueTuxedo.log
PS BlueTuxedo> Invoke-BlueTuxedo -Verbose
PS BlueTuxedo> Stop-Transcript
from bluetuxedo.
Done with latest changes!
from bluetuxedo.
Hey, sorry it took me so long to post the rest of the log. You can find it here, it expires in a week.
These are not really the full logs, as they are a continuation of the first logs I posted (I didn't know about the Start-Transcript technique rebelinux posted when I generated them...), and I had to redact some data. Also, when it came to the part where fixes were offered, I exited the program. I hope it can still help you.
Thank you for your hard work!
from bluetuxedo.
No problem, glad I could be of some help!
from bluetuxedo.
Hi @benji1000 and @rebelinux - if either of you are free today, would you mind pulling down the testing branch and trying it out to see if your errors are mostly resolved?
from bluetuxedo.
Hello, sorry I don't have access to the environment at the moment. I will try to get access to it as soon as possible, but I don't know when it will be. Possibly at the end of this week.
from bluetuxedo.
Thanks, @benji1000! I hope you're having a great day.
from bluetuxedo.
Here is the log with the most recent version of the testing repo :)
BlueTuxedo.log
from bluetuxedo.
How is this worse?!?!
from bluetuxedo.
Maybe a DC issue. I will run the script again and let you know the results!
from bluetuxedo.