https://github.com/lzzbb/Adinfo

域信息收集工具
https://github.com/lzzbb/Adinfo

Last synced: about 1 month ago
JSON representation

域信息收集工具

• Host: GitHub
• URL: https://github.com/lzzbb/Adinfo
• Owner: lzzbb
• Created: 2022-09-10T03:09:36.000Z (about 2 years ago)
• Default Branch: main
• Last Pushed: 2022-09-16T07:52:37.000Z (about 2 years ago)
• Last Synced: 2024-05-08T01:33:56.539Z (4 months ago)
• Language: Go
• Homepage:
• Size: 8.71 MB
• Stars: 370
• Watchers: 7
• Forks: 31
• Open Issues: 0
• Metadata Files:
  • Readme: readme.md

Awesome Lists containing this project

• awesome-hacking-lists - lzzbb/Adinfo - 域信息收集工具 (Go)

README

        
# Adinfo

此为去年实习时依照goddi二开的基于go的ldap查询工具

修复了连接时可能会存在的bug、依照攻防及域信息收集经验dump快而有用的域信息

刚学go的时候写的，能跑就行

### Usage

1.输出所有信息

```

./Adinfo -d redteam.lab --dc 192.168.131.130 -u fff -H 5e95607216d9a4b7654d831beb9ee95c

./Adinfo -d redteam.lab --dc 192.168.131.130 -u fff -p Qq123456..

```

![](./use/usage.png)

2.当域很大或者目前只需要特定属性的值，可以指定下面的参数进行查询

```

      --getPolicy                get domain Policy

      --getDCandExchangeDNS      get DC and Exchange DNS

      --getAllDNS                get all domain DNS

      --getmaq                   get domain MAQ

      --getdomainVersion         get domain Version

      --getMail                  get domain Mail

      --getSID                   get domain SID

      --getExchangeInformation   get Exchange Information

      --getDomainTrusts          get trusts domain

      --getSPN                   get all SPN

      --getGPO                   get all GPO

      --getDomainAdmins          get all domain admins

      --dclocaladministrators    get dc local administrators

      --BackupOperators          get dc local Backup Operators

      --getDC                    get all DomainControllers

      --getAllUser               get all domain user

      --getUsefulUserName        get all not Disabled and Locked user(only name)

      --getHighlevelUser         get users that admincount=1(only name)

      --getNotusefulUser         get not useful user(Locked or Disabled)

      --getUsersNoExpire         get users not expire

      --getComputers             get all domain computers

      --getComputersName         get all domain computers(only name)

      --getDomainGroup           get all domain group

      --getCreatorSID            get all CreatorSID

      --getADCS                  get ADCS information

      --getOU                    get domain OU

      --checkLAPS                get is have LAPS, If the current user has permission, all LAPS passwords will be exported.

      --checkbackdoor            check backdoor：MAQ、AsReproast、Kerberoast、SIDHistory、GetRBCD、UnconstrainedDeligation、ConstrainedDeligation、SensitiveDelegateAccount

      --Krbtgttime               get Krbtgt password last set time

```

举以下三例说明：

(1).查看域内ADCS信息，并具体的FQDN和ip

```

./Adinfo_darwin -d redteam.lab --dc 192.168.131.130 -u fff -p Qq123456..  --getADCS

```

![](./use/adcs.png)

(2).获取域内所有的DNS信息

```

./Adinfo_darwin -d redteam.lab --dc 192.168.131.130 -u fff -p Qq123456.. --getAllDNS

```

![](./use/alldns.png)

![](./use/alldnsip.png)

(3).获取域内所有用户名（过滤掉了disabled和Locked user，只输出用户名到Users_OnlyName.csv中，将csv重命名为txt就能对所有有用的域用户进行密码喷洒）

```

./Adinfo_darwin -d redteam.lab --dc 192.168.131.130 -u fff -p Qq123456.. --getUsefulUserName

```

![](./use/getuser.png)

### Todo

1.nTSecurityDescriptor字段解析存在问题，后续再解决

2.添加对ldap增删改操作

### Reference

https://github.com/NetSPI/goddi

https://github.com/kgoins/go-winacl/

### 免责声明

本工具仅能在取得足够合法授权情况下使用，使用本工具的过程中存在任何非法行为将自行承担所有后果，本工具开发者不承担任何法律及连带责任。