Active Directory - WINDAPSEARCH.py

Windapsearch is a tool for enumerating Windows domains.
It requires authentication details.



Installation

$ sudo apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev
$ git clone https://github.com/ropnop/windapsearch.git
$ cd windapsearch
$ pip install python-ldap   # or: apt-get install python-ldap
$ ./windapsearch.py
 
  
$ ./windapsearch.py -d active.htb -G -U -C --dc-ip 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18

 [+] Using Domain Controller at: 10.10.10.100                                        
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=active,DC=htb
[+] Attempting bind                                                       
[+]     ...success! Binded as:
[+]      u:ACTIVE\SVC_TGS
                                                                                     
[+] Enumerating all AD groups            
[+]     Found 37 groups:
---snip----
---snip----
---snip----
[+] Enumerating all AD users
[+]     Found 4 users:

cn: Administrator

cn: Guest

cn: krbtgt

cn: SVC_TGS
userPrincipalName: SVC_TGS@active.htb


[+] Enumerating all AD computers
[+]     Found 1 computers:

operatingSystemVersion: 6.1 (7601)
dNSHostName: DC.active.htb
operatingSystemServicePack: Service Pack 1
cn: DC
operatingSystem: Windows Server 2008 R2 Standard

 -----------------------------------------------------------------------------------------------------------------------------

Enumerate Computer information

$ ./windapsearch.py -d active.htb -C --dc-ip 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18 --full

[+] Using Domain Controller at: 10.10.10.100
[+] Getting defaultNamingContext from Root DSE                       
[+]     Found: DC=active,DC=htb
[+] Attempting bind                                                    
[+]     ...success! Binded as:                                  
[+]      u:ACTIVE\SVC_TGS                                                               
                                                              
[+] Enumerating all AD computers
[+]     Found 1 computers:                                 
                           
operatingSystemServicePack: Service Pack 1                   
cn: DC                                          
codePage: 0                                     
badPwdCount: 0                           
objectSid: AQUAAAAAAAUVAAAArxktGAS1AL49Gv126AMAAA==
whenCreated: 20180718185035.0Z                                     
uSNCreated: 12293        
rIDSetReferences: CN=RID Set,CN=DC,OU=Domain Controllers,DC=active,DC=htb
operatingSystemVersion: 6.1 (7601)        
msDFSR-ComputerReferenceBL: CN=DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=active,DC=htb
operatingSystem: Windows Server 2008 R2 Standard                 
dSCorePropagationData: 16010101000000.0Z                        
isCriticalSystemObject: TRUE            
countryCode: 0
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=active,DC=htb
whenChanged: 20181010110426.0Z
accountExpires: 9223372036854775807
serverReferenceBL: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
distinguishedName: CN=DC,OU=Domain Controllers,DC=active,DC=htb
pwdLastSet: 131836430610052799
sAMAccountName: DC$
objectGUID: 8+IJCvv15EeIY91yEStv/Q==
dNSHostName: DC.active.htb
lastLogon: 131837294430058019
msDS-SupportedEncryptionTypes: 31
uSNChanged: 90139
lastLogoff: 0
primaryGroupID: 516
logonCount: 104
name: DC
lastLogonTimestamp: 131836430669956904
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
userAccountControl: 532480
localPolicyFlags: 0
sAMAccountType: 805306369
servicePrincipalName: ldap/DC.active.htb/ForestDnsZones.active.htb
servicePrincipalName: ldap/DC.active.htb/DomainDnsZones.active.htb
servicePrincipalName: TERMSRV/DC
servicePrincipalName: TERMSRV/DC.active.htb
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC.active.htb
servicePrincipalName: DNS/DC.active.htb
servicePrincipalName: GC/DC.active.htb/active.htb
servicePrincipalName: RestrictedKrbHost/DC.active.htb
servicePrincipalName: RestrictedKrbHost/DC
servicePrincipalName: HOST/DC/ACTIVE
servicePrincipalName: HOST/DC.active.htb/ACTIVE
servicePrincipalName: HOST/DC
servicePrincipalName: HOST/DC.active.htb
servicePrincipalName: HOST/DC.active.htb/active.htb
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/f4953ea5-0f30-4041-b4dd-1a00693a8510/active.htb
servicePrincipalName: ldap/DC/ACTIVE
servicePrincipalName: ldap/f4953ea5-0f30-4041-b4dd-1a00693a8510._msdcs.active.htb
servicePrincipalName: ldap/DC.active.htb/ACTIVE
servicePrincipalName: ldap/DC
servicePrincipalName: ldap/DC.active.htb
servicePrincipalName: ldap/DC.active.htb/active.htb
instanceType: 4
badPasswordTime: 0


[*] Bye!
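
The --full output above prints several attributes in raw directory form: a base64 objectSid, FILETIME timestamps, and the bit fields userAccountControl and msDS-SupportedEncryptionTypes. The following is an added example, not part of windapsearch or the original post, that decodes them for review; the function names and the (partial) flag tables are this example's own, and the sample lines are copied from the output above.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: attribute lines copied from the --full output above.
SAMPLE = """\
cn: DC
objectSid: AQUAAAAAAAUVAAAArxktGAS1AL49Gv126AMAAA==
pwdLastSet: 131836430610052799
accountExpires: 9223372036854775807
msDS-SupportedEncryptionTypes: 31
userAccountControl: 532480
"""

# Partial bit tables for userAccountControl and msDS-SupportedEncryptionTypes.
UAC = {0x2: "ACCOUNTDISABLE", 0x20: "PASSWD_NOTREQD", 0x200: "NORMAL_ACCOUNT",
       0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
       0x10000: "DONT_EXPIRE_PASSWORD", 0x80000: "TRUSTED_FOR_DELEGATION",
       0x400000: "DONT_REQ_PREAUTH"}
ENC = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
       0x8: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}
WEAK_ENC = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}

def parse_entry(text):
    """Collect 'name: value' lines into a dict of lists (attributes can repeat)."""
    entry = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            entry.setdefault(name.strip(), []).append(value.strip())
    return entry

def decode_sid(b64):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities."""
    raw = base64.b64decode(b64)
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "S-%d-%d-%s" % (raw[0], int.from_bytes(raw[2:8], "big"), "-".join(map(str, subs)))

def filetime_to_utc(value):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 and 2^63-1 mean 'not set' / 'never'."""
    ticks = int(value)
    if ticks in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def flags(value, table):
    return [name for bit, name in sorted(table.items()) if int(value) & bit]

def review(text):
    e = parse_entry(text)
    enc = flags(e["msDS-SupportedEncryptionTypes"][0], ENC)
    return {"sid": decode_sid(e["objectSid"][0]),
            "pwdLastSet": filetime_to_utc(e["pwdLastSet"][0]),
            "accountExpires": filetime_to_utc(e["accountExpires"][0]),
            "uac": flags(e["userAccountControl"][0], UAC),
            "weak_enctypes": [n for n in enc if n in WEAK_ENC]}
```

For the DC entry above this shows the account's RID (1000), a machine password last set on 2018-10-10, and that DES and RC4 Kerberos encryption types are still enabled alongside AES.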
