Contents

AD Zone Transfers as a user

Contents

cross posted from: http://carnal0wnage.attackresearch.com/2013/10/ad-zone-transfers-as-user.html

The tired and true method for Zone Transfers are using either nslookup:

1
2
nslookup
ls -d domain.com.local

Or dig:

1
dig -t AXFR domain.com.local @ns1.domain.com.local

In the Windows Enterprise world there are a few more options. If you are a DNS Admin you can use the ‘dnscmd’ command like so:

1
2
dnscmd /EnumZones
dnscmd /ZonePrint domain.com.local

Which is handy if you can pop the DNS server (usually the Domain Controller so you usually have better things to do at that point).

You can also use PowerShell:

PS C:\Users\jdoe> get-wmiobject -ComputerName dc1 -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='projectmentor.net'" | select textrepresentation

Again, this requires you to be a very high privileged account, which is no fun. I need these computer lists as part of my internal / post-exploitation recon, not an end step.

For the longest time I relied on a very awesome tool called “Adfind”:

1
adfind -sc computers_active -csv -nodn -nocsvq -nocsvheader

This command will output a list of computer accounts that have been active in the last 90 days in a straight line by line format (hence all of the no “this"and no “that” flags)

But that wasn’t good enough, this image kept haunting me:

/images/2013/ad-dns-zone.png

It’s Active Directory Explorer by SysInternals. It shows the complete list of DNS records, stored as objects in Active Directory that I was able to get to as a basic domain user. This means all of the static DNS records for the unix systems and mainframes and other systems outside of the purely Windows world are there as well.

I spent 4 days attempting to write my own script, ldap query, prayer to get all of the data out but was unsuccessful. On the 5th day I happened upon a very short post saying “I did it”, as I probably would have written the same. It comes in the form of a PowerShell script that you can find here:

Code: https://github.com/mmessano/PowerShell/blob/master/dns-dump.ps1

And is very easy to run:

PS C:\Users\jdoe> dns-dump.ps1 -zone projectmentor.net -dc dc1

or

C:\> powershell -ep bypass -f dnsdump.ps1 -zone projectmentor.net -dc dc1

If you put a -csv on the end of those the author has even given you the CSV format which makes the output extremely easy to parse. Now you can throw your list into your tool of choice instead of scanning random IP ranges on the targets network for important stuff you can scan directly against known good hosts.

– mubix

P.S. Yes I realize this isn’t actually “Zone Transfer"s but its close enough