Windapsearch is a tool for enumerating Windows domains (users, groups and computers) through LDAP queries against a domain controller.
It requires domain authentication details (a username and password to bind with).
Installation
$ sudo apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev
$ git clone https://github.com/ropnop/windapsearch.git
$ pip install python-ldap   # or: apt-get install python-ldap
$ ./windapsearch.py
Enumerate groups, users and computers
./windapsearch.py -d active.htb -G -U -C --dc-ip 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
[+] Using Domain Controller at: 10.10.10.100
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=active,DC=htb
[+] Attempting bind
[+] ...success! Binded as:
[+] u:ACTIVE\SVC_TGS
[+] Enumerating all AD groups
[+] Found 37 groups:
---snip----
---snip----
---snip----
[+] Enumerating all AD users
[+] Found 4 users:
cn: Administrator
cn: Guest
cn: krbtgt
cn: SVC_TGS
userPrincipalName: SVC_TGS@active.htb
[+] Enumerating all AD computers
[+] Found 1 computers:
operatingSystemVersion: 6.1 (7601)
dNSHostName: DC.active.htb
operatingSystemServicePack: Service Pack 1
cn: DC
operatingSystem: Windows Server 2008 R2 Standard
-----------------------------------------------------------------------------------------------------------------------------
Enumerate Computer information
./windapsearch.py -d active.htb -C --dc-ip 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18 --full
[+] Using Domain Controller at: 10.10.10.100
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=active,DC=htb
[+] Attempting bind
[+] ...success! Binded as:
[+] u:ACTIVE\SVC_TGS
[+] Enumerating all AD computers
[+] Found 1 computers:
operatingSystemServicePack: Service Pack 1
cn: DC
codePage: 0
badPwdCount: 0
objectSid: AQUAAAAAAAUVAAAArxktGAS1AL49Gv126AMAAA==
whenCreated: 20180718185035.0Z
uSNCreated: 12293
rIDSetReferences: CN=RID Set,CN=DC,OU=Domain Controllers,DC=active,DC=htb
operatingSystemVersion: 6.1 (7601)
msDFSR-ComputerReferenceBL: CN=DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=active,DC=htb
operatingSystem: Windows Server 2008 R2 Standard
dSCorePropagationData: 16010101000000.0Z
isCriticalSystemObject: TRUE
countryCode: 0
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=active,DC=htb
whenChanged: 20181010110426.0Z
accountExpires: 9223372036854775807
serverReferenceBL: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
distinguishedName: CN=DC,OU=Domain Controllers,DC=active,DC=htb
pwdLastSet: 131836430610052799
sAMAccountName: DC$
objectGUID: 8+IJCvv15EeIY91yEStv/Q==
dNSHostName: DC.active.htb
lastLogon: 131837294430058019
msDS-SupportedEncryptionTypes: 31
uSNChanged: 90139
lastLogoff: 0
primaryGroupID: 516
logonCount: 104
name: DC
lastLogonTimestamp: 131836430669956904
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
userAccountControl: 532480
localPolicyFlags: 0
sAMAccountType: 805306369
servicePrincipalName: ldap/DC.active.htb/ForestDnsZones.active.htb
servicePrincipalName: ldap/DC.active.htb/DomainDnsZones.active.htb
servicePrincipalName: TERMSRV/DC
servicePrincipalName: TERMSRV/DC.active.htb
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC.active.htb
servicePrincipalName: DNS/DC.active.htb
servicePrincipalName: GC/DC.active.htb/active.htb
servicePrincipalName: RestrictedKrbHost/DC.active.htb
servicePrincipalName: RestrictedKrbHost/DC
servicePrincipalName: HOST/DC/ACTIVE
servicePrincipalName: HOST/DC.active.htb/ACTIVE
servicePrincipalName: HOST/DC
servicePrincipalName: HOST/DC.active.htb
servicePrincipalName: HOST/DC.active.htb/active.htb
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/f4953ea5-0f30-4041-b4dd-1a00693a8510/active.htb
servicePrincipalName: ldap/DC/ACTIVE
servicePrincipalName: ldap/f4953ea5-0f30-4041-b4dd-1a00693a8510._msdcs.active.htb
servicePrincipalName: ldap/DC.active.htb/ACTIVE
servicePrincipalName: ldap/DC
servicePrincipalName: ldap/DC.active.htb
servicePrincipalName: ldap/DC.active.htb/active.htb
instanceType: 4
badPasswordTime: 0
[*] Bye!
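The --full listing above prints several attributes in their raw stored form: objectSid as base64, pwdLastSet and accountExpires as Windows FILETIME integers, and userAccountControl and msDS-SupportedEncryptionTypes as bit masks. The following Python is an added example, not part of windapsearch or of the original page, that decodes those values from a record constructed out of the attribute lines shown above so that a reviewer can read them: the computer's SID and RID, when its password was last set, and which flag bits are set (the value 31 on this DC includes the two DES encryption types, which is the kind of weak-crypto setting an audit should report). The flag names follow Microsoft's documented bit layouts for those attributes; only the sample record is constructed.

```python
"""Decode raw attribute values from a windapsearch --full computer record.

Added example; not part of windapsearch itself. SAMPLE is constructed from
the attribute lines printed on this page.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: attribute lines copied from the page's --full output.
SAMPLE = """\
sAMAccountName: DC$
objectSid: AQUAAAAAAAUVAAAArxktGAS1AL49Gv126AMAAA==
pwdLastSet: 131836430610052799
accountExpires: 9223372036854775807
userAccountControl: 532480
msDS-SupportedEncryptionTypes: 31
"""

# Subset of the documented userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Bits of msDS-SupportedEncryptionTypes.
ENC_TYPES = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = {0, 0x7FFFFFFFFFFFFFFF}  # AD uses both to mean "never"


def parse_record(text):
    """Turn 'attr: value' lines into a dict; repeated attrs become lists."""
    record = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key in record:
            existing = record[key]
            record[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            record[key] = value
    return record


def decode_sid(b64):
    """Binary SID (base64 as printed) -> 'S-1-5-21-...' string."""
    raw = base64.b64decode(b64)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def filetime_to_datetime(value):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, or None for 'never'."""
    ticks = int(value)
    if ticks in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_flags(value, table):
    """Expand a bit mask into the names of the set bits we know about."""
    bits = int(value)
    return [name for bit, name in sorted(table.items()) if bits & bit]


def audit_computer(record):
    """Decode one computer record and flag weak encryption settings."""
    sid = decode_sid(record["objectSid"])
    enc = decode_flags(record["msDS-SupportedEncryptionTypes"], ENC_TYPES)
    return {
        "account": record["sAMAccountName"],
        "sid": sid,
        "rid": int(sid.rsplit("-", 1)[1]),
        "pwdLastSet": filetime_to_datetime(record["pwdLastSet"]),
        "accountExpires": filetime_to_datetime(record["accountExpires"]),
        "uac": decode_flags(record["userAccountControl"], UAC_FLAGS),
        "enc": enc,
        # DES still enabled is a weak-crypto finding worth reporting.
        "des_enabled": any(name.startswith("DES") for name in enc),
    }


if __name__ == "__main__":
    for key, val in audit_computer(parse_record(SAMPLE)).items():
        print("%-16s %s" % (key, val))
```

Running it against the page's values yields a pwdLastSet of 2018-10-10 11:04:21 UTC, which agrees with the whenChanged timestamp printed a few seconds later, and a userAccountControl of SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION, which is the expected combination for a domain controller account.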