Published: 04 Oct 2013 - 11:30 -0500
_cross posted from: http://carnal0wnage.attackresearch.com/2013/10/ad-zone-transfers-as-user.html_
The tired and true method for Zone Transfers are using either nslookup:
nslookup ls -d domain.com.local
dig -t AXFR domain.com.local @ns1.domain.com.local
In the Windows Enterprise world there are a few more options. If you are a DNS Admin you can use the ‘dnscmd’ command like so:
dnscmd /EnumZones dnscmd /ZonePrint domain.com.local
Which is handy if you can pop the DNS server (usually the Domain Controller so you usually have better things to do at that point).
You can also use PowerShell:
PS C:\Users\jdoe> get-wmiobject -ComputerName dc1 -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='projectmentor.net'" | select textrepresentation
Again, this requires you to be a very high privileged account, which is no fun. I need these computer lists as part of my internal / post-exploitation recon, not an end step.
For the longest time I relied on a very awesome tool called “Adfind”:
adfind -sc computers_active -csv -nodn -nocsvq -nocsvheader
This command will output a list of computer accounts that have been active in the last 90 days in a straight line by line format (hence all of the no “this"and no “that” flags)
But that wasn’t good enough, this image kept haunting me:
It’s Active Directory Explorer by SysInternals. It shows the complete list of DNS records, stored as objects in Active Directory that I was able to get to as a basic domain user. This means all of the static DNS records for the unix systems and mainframes and other systems outside of the purely Windows world are there as well.
I spent 4 days attempting to write my own script, ldap query, prayer to get all of the data out but was unsuccessful. On the 5th day I happened upon a very short post saying “I did it”, as I probably would have written the same. It comes in the form of a PowerShell script that you can find here:
And is very easy to run:
PS C:\Users\jdoe> dns-dump.ps1 -zone projectmentor.net -dc dc1
C:\> powershell -ep bypass -f dnsdump.ps1 -zone projectmentor.net -dc dc1
If you put a -csv on the end of those the author has even given you the CSV format which makes the output extremely easy to parse. Now you can throw your list into your tool of choice instead of scanning random IP ranges on the targets network for important stuff you can scan directly against known good hosts.
P.S. Yes I realize this isn’t actually “Zone Transfer"s but its close enough