Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/phackt/Invoke-Recon
"Powershell script assisting with domain enumerating and in finding quick wins" - Basically written while doing the 'Advanced Red Team' lab from pentesteracademy.
https://github.com/phackt/Invoke-Recon
activedirectory pentest pentesteracademy powershell powerupsql powerview training-materials
Last synced: 21 days ago
JSON representation
"Powershell script assisting with domain enumerating and in finding quick wins" - Basically written while doing the 'Advanced Red Team' lab from pentesteracademy.
- Host: GitHub
- URL: https://github.com/phackt/Invoke-Recon
- Owner: phackt
- Created: 2020-06-23T16:07:30.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-07-30T12:23:18.000Z (over 3 years ago)
- Last Synced: 2024-08-05T17:33:30.998Z (4 months ago)
- Topics: activedirectory, pentest, pentesteracademy, powershell, powerupsql, powerview, training-materials
- Language: PowerShell
- Homepage:
- Size: 948 KB
- Stars: 79
- Watchers: 3
- Forks: 18
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - phackt/Invoke-Recon - "Powershell script assisting with domain enumerating and in finding quick wins" - Basically written while doing the 'Advanced Red Team' lab from pentesteracademy. (PowerShell)
README
# Invoke-Recon
Powershell script as a first big step for AD enumeration. Quickwins focused.
Because typing the same Powershell commands over and over is tedious.
# Prerequisites
Git clone and run:
```
git clone --recurse-submodules https://github.com/phackt/Invoke-Recon.git && cd .\Invoke-Recon
.\Invoke-Recon.ps1 -Domain us.funcorp.local | Tee-Object -FilePath .\us.funcorp.local.txt
```
# What we are looking for ?
## Domain Enumeration
- Find all DCs
- check if ADWS are accessible in order to be able to use the Active Directory powershell module
- check if gap between findings with DNS (SRV) enumeration and members of 'Domain Controllers' group
- Password domain policy (Default domain policy) + Password Settings Objects (PSO)
- Domains / forests trusts
- All domain users / groups / computers
- Computer with LAPS installed
- Privileged users with RID >= 1000 (recursive lookups for nested members of privileged groups, not AdminCount = 1 to avoid orphans)
- DNSAdmins group members
- Principals with :
- unconstrained delegation
- looking for dangerous rights on computers with unconstrained delegation, see [https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/](https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/)
- constrained delegation (also resource based - msDS-AllowedToActOnBehalfOfOtherIdentity)
- Exchange servers
- confirm WriteDAC on root domain without InheritOnly
- list users with mailboxes
## But also...
- Exchange vulnerable to :
- PrivExchange (CVE-2018-8581)
- CVE-2020-0688
- Computers with deprecated OS
- Users with Kerberos PreAuth disables (AS_REP Roasting)
- Kerberoastable users
- Trustees (RID >= 1000) having the following rights on the **root domain**, **Users**, **Computers** and **Domain Controllers** containers:
- DS-Replication-Get-Changes-All|WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner|User-Change-Password|User-Force-Change-Password
- Trustees having Self-Membership on objects (ability to add themselves to a group for example)
## And MSSQL Enumeration
- Enumerates MSSQL instances (looking for SPN service class MSSQL)
- Find MSSQL instances accessible within current security context and get their versions
- Find linked servers from each accessible MSSQL instances
- Bruteforce common credentials
- Look for xp_cmdshell enabled through linked servers of each accessible instances
- Audit each accessible MSSQL Instances for common high impact vulnerabilities and weak configurations
# Run
Parameters:
- ```-Domain```: domain to enumerate
- ```-TargetDC```: specify target DC IP
- ```-Quick```: skip raw enumeration for users, groups and computers (time consuming on large domains)
Example:
```
.\Invoke-Recon.ps1 -Domain us.funcorp.local | Tee-Object -FilePath .\invoke-recon.txt
[+] PowerSploit module not found. Importing ...
[+] Microsoft.ActiveDirectory.Management.dll not found. Importing ...
[+] ActiveDirectory module not found. Importing ...
[+] PowerUpSQL module not found. Importing ...
################################################################
################################################################
| Starting enumeration of domain us.funcorp.local
################################################################
################################################################
+------+------------------------------------------------+------+
| Searching PDC (DNS enum)
+------+------------------------------------------------+------+
Name Type TTL Section NameTarget Priority Weight Port
---- ---- --- ------- ---------- -------- ------ ----
_ldap._tcp.pdc._msdcs.us.funcorp.local SRV 600 Answer UFC-DC1.us.funcorp.local 0 100 389
Name : UFC-DC1.us.funcorp.local
QueryType : A
TTL : 600
Section : Additional
IP4Address : 192.168.2.1
+------+------------------------------------------------+------+
| Searching all DCs (DNS enum)
+------+------------------------------------------------+------+
_ldap._tcp.dc._msdcs.us.funcorp.local SRV 600 Answer UFC-DC1.us.funcorp.local 0 100 389
Name : UFC-DC1.us.funcorp.local
QueryType : A
TTL : 600
Section : Additional
IP4Address : 192.168.2.1
+------+------------------------------------------------+------+
| Checking spooler service is up on DCs
+------+------------------------------------------------+------+
...
+------+------------------------------------------------+------+
| Nested privileged users (RID >= 1000)
+------+------------------------------------------------+------+
GroupDomain : us.funcorp.local
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=us,DC=funcorp,DC=local
MemberDomain : us.funcorp.local
MemberName : servicesadmin
MemberDistinguishedName : CN=services admin,CN=Users,DC=us,DC=funcorp,DC=local
MemberObjectClass : user
MemberSID : S-1-5-21-3965405831-1015596948-2589850225-1122
+------+------------------------------------------------+------+
| Looking for Exchange servers
+------+------------------------------------------------+------+
Version : 15.1.1531
FQDN : MAIL01.us.funcorp.local
Roles : UM CAS MB HT
Class : top server msExchExchangeServer
PrivExchange : True
CVE-2020-0688 : True
[!] Exchange server MAIL01.us.funcorp.local vulnerable to PrivExchange
[!] Exchange server MAIL01.us.funcorp.local vulnerable to CVE-2020-0688
[!] At least one WriteDacl right without InheritOnly on 'DC=us,DC=funcorp,DC=local' has been found (confirming privexchange attack)
------+------------------------------------------------+------+
| Computers with constrained delegation
+------+------------------------------------------------+------+
...
------+------------------------------------------------+------+
| Computers with constrained delegation and protocol transition
+------+------------------------------------------------+------+
...
+------+------------------------------------------------+------+
| Finding trustees (RID > 1000) having dangerous rights on 'CN=Users,DC=us,DC=funcorp,DC=local' (DS-Replication-Get-Changes-All|WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner)
+------+------------------------------------------------+------+
[!] Filtering out 'OU=Microsoft Exchange Security Groups'
AceType : AccessAllowed
ObjectDN : CN=Users,DC=us,DC=funcorp,DC=local
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
OpaqueLength : 0
ObjectSID :
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-3965405831-1015596948-2589850225-1602
AccessMask : 131132
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
PrincipalDN : CN=user01,CN=Users,DC=us,DC=funcorp,DC=local
+------+------------------------------------------------+------+
| Auditing each accessible MSSQL Instances
+------+------------------------------------------------+------+
...
[much more]
```
# Support
Thanks a lot for supporting me [here](https://www.buymeacoffee.com/phackt)
# Todo
- check the [issues](https://github.com/phackt/Invoke-Recon/issues)