0x00 Preface
---
In the previous article 'Domain Penetration - Obtaining DNS Records', methods for acquiring DNS records after gaining DNS administrator privileges in domain penetration were introduced. However, a more common scenario involves having only regular domain user privileges while still needing to obtain DNS records.
This article draws on publicly available material to summarize the methods a regular domain user can use to obtain DNS records, and fixes the bug that stops dns-dump.ps1 from working on newer Windows versions.
0x01 Introduction
---
This article will cover the following topics:
- Implementation Principles
- Open-source Tools and Methods
0x02 Implementation Principles
---
1. Implementation Principles of SharpAdidnsdump
First, obtain the names of computers within the domain through LDAP queries, then retrieve their corresponding IP addresses via DNS queries.
For detailed implementation, refer to:
https://github.com/b4rtik/SharpAdidnsdump
Test environment: test.com
(1) Obtain the names of computers within the domain via LDAP query
The corresponding LDAP query parameters are as follows:
```
LDAP://test.com/DC=test.com,CN=microsoftdns,DC=DomainDnsZones,DC=test,DC=com
```
(2) Obtain the IP addresses corresponding to domain computers via DNS query
Using the Dns.GetHostEntry method, reference materials:
https://docs.microsoft.com/en-us/dotnet/api/system.net.dns.gethostentry?redirectedfrom=MSDN&view=netframework-3.5#System_Net_Dns_GetHostEntry_System_String_
2. Implementation principle of dns-dump
First, obtain the DNS records themselves via an LDAP query, then decode the binary record values to recover their actual content.
For details on DNS record decoding, refer to:
https://github.com/mmessano/PowerShell/blob/master/dns-dump.ps1#L483
0x03 Open-source tools and methods
---
Test Environment:
- test.com
- Server2012 R2
1. First obtain the names of computers within the domain via LDAP query, then obtain corresponding IPs via DNS query
(1) SharpAdidnsdump
https://github.com/b4rtik/SharpAdidnsdump
C# implementation for querying DNS records
Usage:
```
SharpAdidnsdump test.com
```
The results obtained are complete and consistent with dnscmd results
Note:
For dnscmd usage, refer to the previous article 'Domain Penetration - Obtaining DNS Records'
(2) adidnsdump
https://github.com/dirkjanm/adidnsdump
https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/
Python implementation for querying DNS records
Intended for Linux; it cannot be used directly on Windows because impacket must be installed first
Installation method:
```
git clone https://github.com/SecureAuthCorp/impacket.git
```
First, obtain credentials for a domain user (plaintext password or NTLM hash)
Usage 1. Direct remote query:
```
adidnsdump -u test\\testuser1 -p test123! dc.test.com -r
```
Usage 2. Query via SOCKS proxy:
```
proxychains adidnsdump -u test\\testuser1 -p test123! dc.test.com -r --dns-tcp
```
Note:
An NTLM hash can also be used as the login credential
2. First obtain DNS records via LDAP query, decode the binary DNS records to get the actual content
(1) dns-dump
https://github.com/mmessano/PowerShell/blob/master/dns-dump.ps1
Implemented in PowerShell, used to query DNS records
This PowerShell script is relatively old; it failed in my test environments, Server 2008 R2 and Server 2012 R2
After analysis, the LDAP query statement needs to be modified. The new script has been uploaded to GitHub, address as follows:
An open-source project
Usage:
```
Powershell -ep bypass -f dns-dump.ps1 -zone test.com
```
The results obtained are complete and consistent with those from dnscmd
(2) PowerView
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Can also be used to query DNS records
Its Convert-DNSRecord function can be used to decode binary DNS records:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1#L1814
Usage is as follows:
```
import-module PowerView.ps1
```
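The decoding step described in 0x02 (and performed by dns-dump.ps1 and PowerView's Convert-DNSRecord) is shown here as an added Python example; it is not code from either project. It parses the binary dnsRecord attribute value (the DNS_RPC_RECORD layout: a 24-byte header whose TTL field is big-endian, followed by type-specific data, with names stored as count-prefixed labels) for the common record types. The sample blobs at the bottom are constructed in the script, not captured from a real domain.

```python
"""Decode Active Directory dnsRecord attribute values (DNS_RPC_RECORD layout)."""
import struct
import ipaddress
from datetime import datetime, timedelta, timezone

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 33: "SRV"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _count_name(data, off):
    """Parse a DNS_COUNT_NAME (Length, LabelCount, length-prefixed labels,
    trailing 0x00) starting at `off`; return (fqdn, offset after the name)."""
    length, label_count = data[off], data[off + 1]
    pos = off + 2
    labels = []
    for _ in range(label_count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", off + 2 + length


def decode_dns_record(blob):
    """Decode one dnsRecord value into type, ttl, serial, timestamp
    (None for static records) and textual RDATA."""
    data_len, rtype, version, _rank, _flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    if version != 5:
        raise ValueError(f"unexpected DNS_RPC_RECORD version {version}")
    ttl = struct.unpack_from(">I", blob, 12)[0]    # TTL is stored big-endian
    hours = struct.unpack_from("<I", blob, 20)[0]  # dwTimeStamp: hours since 1601, 0 = static
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("truncated dnsRecord")
    rec = {"type": TYPE_NAMES.get(rtype, f"TYPE{rtype}"), "ttl": ttl, "serial": serial,
           "timestamp": None if hours == 0 else EPOCH_1601 + timedelta(hours=hours)}
    if rtype == 1:
        rec["data"] = str(ipaddress.IPv4Address(data[:4]))
    elif rtype == 28:
        rec["data"] = str(ipaddress.IPv6Address(data[:16]))
    elif rtype in (2, 5, 12):
        rec["data"], _ = _count_name(data, 0)
    elif rtype == 15:
        pref = struct.unpack_from(">H", data, 0)[0]
        rec["data"] = f"{pref} {_count_name(data, 2)[0]}"
    elif rtype == 33:
        prio, weight, port = struct.unpack_from(">HHH", data, 0)
        rec["data"] = f"{prio} {weight} {port} {_count_name(data, 6)[0]}"
    elif rtype == 6:
        fields = struct.unpack_from(">IIIII", data, 0)  # serial refresh retry expire minttl
        primary, off = _count_name(data, 20)
        admin, _ = _count_name(data, off)
        rec["data"] = " ".join([primary, admin, *map(str, fields)])
    else:
        rec["data"] = data.hex()  # unknown type: keep the raw bytes
    return rec


def format_record(name, rec):
    """Render in zone-file style, e.g. 'dc 600 IN A 192.168.1.1'."""
    return f"{name} {rec['ttl']} IN {rec['type']} {rec['data']}"


# --- constructed sample input (not taken from a real domain) -------------
def _name(fqdn):
    labels = [label.encode() for label in fqdn.rstrip(".").split(".")]
    raw = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def _build(rtype, data, ttl=600, serial=7, hours=0):
    hdr = struct.pack("<HHBBHI", len(data), rtype, 5, 0xF0, 0, serial)
    return hdr + struct.pack(">I", ttl) + struct.pack("<II", 0, hours) + data


SAMPLE_RECORDS = {
    "dc":         _build(1, bytes([192, 168, 1, 1])),
    "@":          _build(2, _name("dc.test.com")),
    "_ldap._tcp": _build(33, struct.pack(">HHH", 0, 100, 389) + _name("dc.test.com")),
    "mail":       _build(15, struct.pack(">H", 10) + _name("mx.test.com")),
    "www":        _build(5, _name("web01.test.com"), hours=3664783),  # dynamic record
}

if __name__ == "__main__":
    for name, blob in SAMPLE_RECORDS.items():
        print(format_record(name, decode_dns_record(blob)))
```

The timestamp field is worth keeping when reviewing a dump: a non-zero value means the record was registered dynamically (and is subject to aging and scavenging), while zero marks a static record that an administrator created by hand.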
3. Other Tools
(1) AdFind
C++ implementation (not open source), used for querying domain information
http://www.joeware.net/freetools/tools/adfind/index.htm
Common commands are as follows:
List domain controller names:
```
AdFind -sc dclist
```
Query online computers in the current domain:
```
AdFind -sc computers_active
```
Note:
The corresponding LDAP query conditions are as follows:
```
Transformed Filter: (&(objectcategory=computer)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(pwdlastset>=131932198595370000)(|(!lastlogontimestamp=*)(&(lastlogontimestamp=*)(lastlogontimestamp>=131932198595370000))))
```
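The large integers in that filter are Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), and `1.2.840.113556.1.4.803` is the LDAP bitwise-AND matching rule, here testing the ACCOUNTDISABLE bit (0x2) of userAccountControl. The following added Python example (not AdFind code) rebuilds the same filter from a chosen cut-off date and reads the cut-off back out of the page's filter, which is also how a defender can check how stale a "computers_active" inventory really is. The 90-day cut-off in the usage block is an assumption, not AdFind's own default.

```python
"""Build and read back the LDAP filter shape shown in AdFind's computers_active output."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x2                    # userAccountControl bit
BIT_AND = "1.2.840.113556.1.4.803"      # LDAP_MATCHING_RULE_BIT_AND


def datetime_to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ft):
    """Inverse of datetime_to_filetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def active_computers_filter(cutoff):
    """Enabled computer accounts whose password was set after `cutoff` and that
    either never logged on (no lastLogonTimestamp) or logged on after `cutoff`."""
    ft = datetime_to_filetime(cutoff)
    return (
        "(&(objectcategory=computer)"
        f"(!(useraccountcontrol:{BIT_AND}:={ACCOUNTDISABLE}))"
        f"(pwdlastset>={ft})"
        f"(|(!lastlogontimestamp=*)(&(lastlogontimestamp=*)(lastlogontimestamp>={ft}))))"
    )


def cutoff_from_filter(filter_str):
    """Read the pwdlastset cut-off date back out of a filter of the shape above."""
    start = filter_str.index("(pwdlastset>=") + len("(pwdlastset>=")
    end = filter_str.index(")", start)
    return filetime_to_datetime(int(filter_str[start:end]))


# The filter as it appears in the AdFind output quoted on the page.
PAGE_FILTER = (
    "(&(objectcategory=computer)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))"
    "(pwdlastset>=131932198595370000)(|(!lastlogontimestamp=*)"
    "(&(lastlogontimestamp=*)(lastlogontimestamp>=131932198595370000))))"
)

if __name__ == "__main__":
    # Assumed 90-day window; pick whatever your inventory policy requires.
    print(active_computers_filter(datetime.now(timezone.utc) - timedelta(days=90)))
    print("cut-off used by the page's filter:", cutoff_from_filter(PAGE_FILTER))
```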
Query online computers in the current domain (display only name and operating system):
```
AdFind -sc computers_active name operatingSystem
```
Query all computers in the current domain:
```
AdFind -f "objectcategory=computer"
```
Query all computers in the current domain (display only name and operating system):
```
AdFind -f "objectcategory=computer" name operatingSystem
```
Query all users in the domain:
```
AdFind -users name
```
Query all GPOs:
```
AdFind -sc gpodmp
```
or
```
AdFind -gpo
```
Note:
The GPO query corresponds to the previous article 'Domain Penetration - Remote Execution via Scheduled Tasks in GPO'
0x04 Summary
---
This article introduces multiple methods for domain ordinary users to obtain DNS records, applicable to different environments. In practical use, AdFind's query efficiency is relatively low in certain situations.