Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/lzzbb/Adinfo
域信息收集工具
https://github.com/lzzbb/Adinfo
Last synced: 21 days ago
JSON representation
域信息收集工具
- Host: GitHub
- URL: https://github.com/lzzbb/Adinfo
- Owner: lzzbb
- Created: 2022-09-10T03:09:36.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-09-16T07:52:37.000Z (about 2 years ago)
- Last Synced: 2024-08-05T17:29:31.280Z (4 months ago)
- Language: Go
- Homepage:
- Size: 8.71 MB
- Stars: 379
- Watchers: 7
- Forks: 34
- Open Issues: 0
-
Metadata Files:
- Readme: readme.md
Awesome Lists containing this project
- awesome-hacking-lists - lzzbb/Adinfo - 域信息收集工具 (Go)
README
# Adinfo
此为去年实习时依照goddi二开的基于go的ldap查询工具
修复了连接时可能会存在的bug、依照攻防及域信息收集经验dump快而有用的域信息
刚学go的时候写的,能跑就行
### Usage
1.输出所有信息
```
./Adinfo -d redteam.lab --dc 192.168.131.130 -u fff -H 5e95607216d9a4b7654d831beb9ee95c./Adinfo -d redteam.lab --dc 192.168.131.130 -u fff -p Qq123456..
```
![](./use/usage.png)2.当域很大或者目前只需要特定属性的值,可以指定下面的参数进行查询
```
--getPolicy get domain Policy
--getDCandExchangeDNS get DC and Exchange DNS
--getAllDNS get all domain DNS
--getmaq get domain MAQ
--getdomainVersion get domain Version
--getMail get domain Mail
--getSID get domain SID
--getExchangeInformation get Exchange Information
--getDomainTrusts get trusts domain
--getSPN get all SPN
--getGPO get all GPO
--getDomainAdmins get all domain admins
--dclocaladministrators get dc local administrators
--BackupOperators get dc local Backup Operators
--getDC get all DomainControllers
--getAllUser get all domain user
--getUsefulUserName get all not Disabled and Locked user(only name)
--getHighlevelUser get users that admincount=1(only name)
--getNotusefulUser get not useful user(Locked or Disabled)
--getUsersNoExpire get users not expire
--getComputers get all domain computers
--getComputersName get all domain computers(only name)
--getDomainGroup get all domain group
--getCreatorSID get all CreatorSID
--getADCS get ADCS information
--getOU get domain OU
--checkLAPS get is have LAPS, If the current user has permission, all LAPS passwords will be exported.
--checkbackdoor check backdoor:MAQ、AsReproast、Kerberoast、SIDHistory、GetRBCD、UnconstrainedDeligation、ConstrainedDeligation、SensitiveDelegateAccount
--Krbtgttime get Krbtgt password last set time
```举以下三例说明:
(1).查看域内ADCS信息,并具体的FQDN和ip
```
./Adinfo_darwin -d redteam.lab --dc 192.168.131.130 -u fff -p Qq123456.. --getADCS
```![](./use/adcs.png)
(2).获取域内所有的DNS信息
```
./Adinfo_darwin -d redteam.lab --dc 192.168.131.130 -u fff -p Qq123456.. --getAllDNS
```![](./use/alldns.png)
![](./use/alldnsip.png)(3).获取域内所有用户名(过滤掉了disabled和Locked user,只输出用户名到Users_OnlyName.csv中,将csv重命名为txt就能对所有有用的域用户进行密码喷洒)
```
./Adinfo_darwin -d redteam.lab --dc 192.168.131.130 -u fff -p Qq123456.. --getUsefulUserName
```
![](./use/getuser.png)### Todo
1.nTSecurityDescriptor字段解析存在问题,后续再解决
2.添加对ldap增删改操作
### Reference
https://github.com/NetSPI/goddi
https://github.com/kgoins/go-winacl/
### 免责声明
本工具仅能在取得足够合法授权情况下使用,使用本工具的过程中存在任何非法行为将自行承担所有后果,本工具开发者不承担任何法律及连带责任。