{"id":13842777,"url":"https://github.com/phackt/Invoke-Recon","last_synced_at":"2025-07-11T15:33:06.427Z","repository":{"id":215907053,"uuid":"274450997","full_name":"phackt/Invoke-Recon","owner":"phackt","description":"\"Powershell script assisting with domain enumerating and in finding quick wins\" - Basically written while doing the 'Advanced Red Team' lab from pentesteracademy.","archived":false,"fork":false,"pushed_at":"2021-07-30T12:23:18.000Z","size":971,"stargazers_count":79,"open_issues_count":5,"forks_count":18,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-08-05T17:33:30.998Z","etag":null,"topics":["activedirectory","pentest","pentesteracademy","powershell","powerupsql","powerview","training-materials"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/phackt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-06-23T16:07:30.000Z","updated_at":"2024-07-21T09:26:09.000Z","dependencies_parsed_at":"2024-01-31T03:56:37.200Z","dependency_job_id":"3ff08e26-48fc-49e3-a453-c63f1ef9cdde","html_url":"https://github.com/phackt/Invoke-Recon","commit_stats":null,"previous_names":["phackt/invoke-recon"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phackt%2FInvoke-Recon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phackt%2FInvoke-Recon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phackt%2FInvoke-Recon/releases","manifests_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/phackt%2FInvoke-Recon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/phackt","download_url":"https://codeload.github.com/phackt/Invoke-Recon/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225737115,"owners_count":17516288,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["activedirectory","pentest","pentesteracademy","powershell","powerupsql","powerview","training-materials"],"created_at":"2024-08-04T17:01:46.057Z","updated_at":"2024-11-21T13:31:07.580Z","avatar_url":"https://github.com/phackt.png","language":"PowerShell","funding_links":["https://www.buymeacoffee.com/phackt"],"categories":["PowerShell","PowerShell (153)"],"sub_categories":[],"readme":"# Invoke-Recon\nPowerShell script as a first big step for AD enumeration, focused on quick wins.  \nBecause typing the same PowerShell commands over and over is tedious.  \n\n# Prerequisites  \nGit clone and run:    \n```\ngit clone --recurse-submodules https://github.com/phackt/Invoke-Recon.git \u0026\u0026 cd .\\Invoke-Recon\n.\\Invoke-Recon.ps1 -Domain us.funcorp.local | Tee-Object -FilePath .\\us.funcorp.local.txt\n```  \n\n# What are we looking for?  
\n\n## Domain Enumeration  \n\n- Find all DCs\n\t- check if ADWS is accessible in order to use the Active Directory PowerShell module\n\t- check for a gap between the DNS (SRV) enumeration findings and the members of the 'Domain Controllers' group\n- Password domain policy (Default Domain Policy) + Password Settings Objects (PSO)\n- Domain / forest trusts\n- All domain users / groups / computers\n- Computers with LAPS installed\n- Privileged users with RID \u003e= 1000 (recursive lookups for nested members of privileged groups rather than AdminCount = 1, to avoid orphaned entries)\n- DNSAdmins group members\n- Principals with:\n\t- unconstrained delegation\n\t\t- looking for dangerous rights on computers with unconstrained delegation, see [https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/](https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/)\n\t- constrained delegation (also resource-based - msDS-AllowedToActOnBehalfOfOtherIdentity)\n- Exchange servers\n\t- confirm WriteDacl on the root domain without InheritOnly\n\t- list users with mailboxes  \n\n\n## But also...  
\n\n- Exchange servers vulnerable to:\n\t- PrivExchange (CVE-2018-8581)\n\t- CVE-2020-0688  \n- Computers with deprecated OS\n- Users with Kerberos pre-authentication disabled (AS-REP Roasting)\n- Kerberoastable users\n- Trustees (RID \u003e= 1000) having the following rights on the **root domain**, **Users**, **Computers** and **Domain Controllers** containers:\n\t- DS-Replication-Get-Changes-All|WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner|User-Change-Password|User-Force-Change-Password\n- Trustees having Self-Membership on objects (ability to add themselves to a group, for example)\n\n## And MSSQL Enumeration  \n\n- Enumerate MSSQL instances (looking for SPN service class MSSQL)\n- Find MSSQL instances accessible within the current security context and get their versions\n- Find linked servers from each accessible MSSQL instance\n- Brute-force common credentials\n- Look for xp_cmdshell enabled through linked servers of each accessible instance\n- Audit each accessible MSSQL instance for common high-impact vulnerabilities and weak configurations\n\n# Run  \nParameters:\n- ```-Domain```: domain to enumerate\n- ```-TargetDC```: specify the target DC IP\n- ```-Quick```: skip raw enumeration of users, groups and computers (time consuming on large domains)\n  \nExample:  \n```\n.\\Invoke-Recon.ps1 -Domain us.funcorp.local | Tee-Object -FilePath .\\invoke-recon.txt\n\n[+] PowerSploit module not found. Importing ...\n[+] Microsoft.ActiveDirectory.Management.dll not found. Importing ...\n[+] ActiveDirectory module not found. Importing ...\n[+] PowerUpSQL module not found. 
Importing ...\n\n################################################################\n################################################################\n| Starting enumeration of domain us.funcorp.local\n################################################################\n################################################################\n\n+------+------------------------------------------------+------+\n| Searching PDC (DNS enum)\n+------+------------------------------------------------+------+\n\nName                                     Type   TTL   Section    NameTarget                     Priority Weight Port\n----                                     ----   ---   -------    ----------                     -------- ------ ----\n_ldap._tcp.pdc._msdcs.us.funcorp.local   SRV    600   Answer     UFC-DC1.us.funcorp.local       0        100    389\n\nName       : UFC-DC1.us.funcorp.local\nQueryType  : A\nTTL        : 600\nSection    : Additional\nIP4Address : 192.168.2.1\n\n\n+------+------------------------------------------------+------+\n| Searching all DCs (DNS enum)\n+------+------------------------------------------------+------+\n_ldap._tcp.dc._msdcs.us.funcorp.local    SRV    600   Answer     UFC-DC1.us.funcorp.local       0        100    389\n\nName       : UFC-DC1.us.funcorp.local\nQueryType  : A\nTTL        : 600\nSection    : Additional\nIP4Address : 192.168.2.1\n\n\n+------+------------------------------------------------+------+\n| Checking spooler service is up on DCs\n+------+------------------------------------------------+------+\n...\n\n\n+------+------------------------------------------------+------+\n| Nested privileged users (RID \u003e= 1000)\n+------+------------------------------------------------+------+\n\nGroupDomain             : us.funcorp.local\nGroupName               : Domain Admins\nGroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=us,DC=funcorp,DC=local\nMemberDomain            : us.funcorp.local\nMemberName              : 
servicesadmin\nMemberDistinguishedName : CN=services admin,CN=Users,DC=us,DC=funcorp,DC=local\nMemberObjectClass       : user\nMemberSID               : S-1-5-21-3965405831-1015596948-2589850225-1122\n\n\n+------+------------------------------------------------+------+\n| Looking for Exchange servers\n+------+------------------------------------------------+------+\n\nVersion       : 15.1.1531\nFQDN          : MAIL01.us.funcorp.local\nRoles         : UM CAS MB HT\nClass         : top server msExchExchangeServer\nPrivExchange  : True\nCVE-2020-0688 : True\n\n[!] Exchange server MAIL01.us.funcorp.local vulnerable to PrivExchange\n[!] Exchange server MAIL01.us.funcorp.local vulnerable to CVE-2020-0688\n\n[!] At least one WriteDacl right without InheritOnly on 'DC=us,DC=funcorp,DC=local' has been found (confirming privexchange attack)\n\n------+------------------------------------------------+------+\n| Computers with constrained delegation\n+------+------------------------------------------------+------+\n...\n\n\n------+------------------------------------------------+------+\n| Computers with constrained delegation and protocol transition\n+------+------------------------------------------------+------+\n...\n\n\n+------+------------------------------------------------+------+\n| Finding trustees (RID \u003e 1000) having dangerous rights on 'CN=Users,DC=us,DC=funcorp,DC=local' (DS-Replication-Get-Changes-All|WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner)\n+------+------------------------------------------------+------+\n[!] 
Filtering out 'OU=Microsoft Exchange Security Groups'\n\nAceType               : AccessAllowed\nObjectDN              : CN=Users,DC=us,DC=funcorp,DC=local\nActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite\nOpaqueLength          : 0\nObjectSID             :\nInheritanceFlags      : None\nBinaryLength          : 36\nIsInherited           : False\nIsCallback            : False\nPropagationFlags      : None\nSecurityIdentifier    : S-1-5-21-3965405831-1015596948-2589850225-1602\nAccessMask            : 131132\nAuditFlags            : None\nAceFlags              : None\nAceQualifier          : AccessAllowed\nPrincipalDN           : CN=user01,CN=Users,DC=us,DC=funcorp,DC=local\n\n\n+------+------------------------------------------------+------+\n| Auditing each accessible MSSQL Instances\n+------+------------------------------------------------+------+\n...\n\n\n[much more]\n```\n\n# Support\n\nThanks a lot for supporting me [here](https://www.buymeacoffee.com/phackt)\n\n# Todo\n- check the [issues](https://github.com/phackt/Invoke-Recon/issues)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphackt%2FInvoke-Recon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphackt%2FInvoke-Recon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphackt%2FInvoke-Recon/lists"}