kevin-robertson / powermad
PowerShell MachineAccountQuota and DNS exploit tools
License: BSD 3-Clause "New" or "Revised" License
I'm trying to add a DNS entry into ADIDNS with the example shown in https://blog.netspi.com/exploiting-adidns/
Windows 10 client, Server 2019 DNS/DC
I have no idea where to begin troubleshooting this one...
Hi,
I just tried to add an ADIDNS node entry in two different AD environments. The script was executed with a valid AD user. But the default distinguished name "CN=MicrosoftDNS,DC=DomainDNSZones" is not available in either environment. So these containers are not enabled in the default settings? I could not find another valid distinguished name for the ADIDNS zones.
The verbose error message when trying to add a node:
Exception when calling "SendRequest" with 1 argument(s): "The object does not exist".
Greetings
I added a machine on a remote domain controller through a socks proxy using the command:
New-MachineAccount -MachineAccount acctname -Password $(ConvertTo-SecureString 'password' -AsPlainText -Force) -Domain remote.domain -DomainController dc.remote.domain
However, when I went to remove the account using the command:
New-MachineAccount -MachineAccount acctname -Credential $DomainAdminCred -Domain remote.domain -DomainController dc.remote.domain
I got this error:
[-] Exception calling "GetCurrentDomain" with "0" argument(s): "Current security context is not associated with an Active Directory domain or forest."
Exception calling "GetCurrentDomain" with "0" argument(s): "Current security context is not associated with an Active Directory domain or forest."
At C:\Users\ritzbitz\Desktop\Powermad-master\Powermad.ps1:1037 char:13
$current_domain = [System.DirectoryServices.ActiveDirecto ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I believe this is due to the 'or' in the catch statement here:
if(!$DomainController -or !$Domain -or !$Zone)
{
try
{
$current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
}
catch
{
Write-Output "[-] $($_.Exception.Message)"
throw
}
}
When I removed the check for "-or !$Zone" and reloaded the Powermad module, the request completed successfully and removed the machine.
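The parameter fallback that report describes, as an added illustration (not Powermad's own code; the function and parameter names are assumed): only fall back to GetCurrentDomain() when Domain or DomainController is genuinely missing, and treat Zone as optional unless the operation needs one.

```powershell
# Added illustration (not Powermad's code): resolve Domain and DomainController
# from the current security context only when the caller did not supply them,
# and treat Zone as optional unless the operation actually needs one. A caller
# on a non-domain-joined host who passes -Domain and -DomainController then
# never reaches GetCurrentDomain().
function Resolve-DemoADParameters {
    param(
        [String]$Domain,
        [String]$DomainController,
        [String]$Zone,
        [Switch]$RequireZone   # set for ADIDNS operations, not for machine-account ones
    )

    # Only fall back to the current domain when something required is missing
    if (!$Domain -or !$DomainController) {
        try {
            $current = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        }
        catch {
            # Same failure the issue reports on a non-joined host; tell the caller what to pass
            throw "[-] $($_.Exception.Message) Supply -Domain and -DomainController explicitly."
        }
        if (!$Domain)           { $Domain = $current.Name }
        if (!$DomainController) { $DomainController = $current.PdcRoleOwner.Name }
    }

    # A missing zone defaults to the domain name and never triggers GetCurrentDomain()
    if ($RequireZone -and !$Zone) { $Zone = $Domain }

    return [PSCustomObject]@{
        Domain           = $Domain
        DomainController = $DomainController
        Zone             = $Zone
    }
}

# Machine-account style call from a non-joined host: no current-domain lookup is attempted
Resolve-DemoADParameters -Domain remote.domain -DomainController dc.remote.domain

# ADIDNS style call: a zone is required and defaults to the domain name
Resolve-DemoADParameters -Domain remote.domain -DomainController dc.remote.domain -RequireZone
```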
I think a useful feature to be added is to be able to add a machine for a different domain.
Example:
constr, a test.local domain user via a certificate I have dumped. constr had GenericWrite permissions on the test.local DC, which is the only computer in that domain. constr can launch a RBCD attack to compromise the test.local DC. constr has access to a machine that belongs to a child domain, say hello.test.local. With New-MachineAccount the machine will be added to our current domain (hello.test.local). It would be interesting to have the choice to add the new computer to the domain we want.
SharpAllowedToAct.exe offers that capability in order to perform the RBCD abuse when we have access to another trusted domain than the one we want to compromise.
Hello,
I've tried to create a record via
Invoke-DNSUpdate -Zone "sub.myzone.net" -DNSName host1.sub.myzone.net -DNSData 192.168.1.103 -DNSType A -Verbose
and got an error (the DNS zone of the client is myzone.net, that's the reason why I need to use DNSZone).
After a short look at the source, I've seen
[parameter(Mandatory=$false)][String]$Zone,
but the help writes:
.PARAMETER DNSZone
DNS zone.
If I use the parameter "Zone", everything is working fine.
Could this be a mistake?
Thanks Meike
Do you know which LDAP attribute can be used to create a zone that will allow "Secure and Non-Secure Updates"?
I'm using the LDAP API to create the dnsZone record. Appreciate your help.
I'm trying out the examples in the "Adding ADIDNS Records" wiki and they are not working for me.
PS C:\Users\Administrator> New-ADIDNSNode -Node foo
[+] ADIDNS node foo added
PS C:\Users\Administrator> Enable-ADIDNSNode -Node foo
[+] foo enabled
PS C:\Users\Administrator> Set-ADIDNSNodeAttribute -Node foo -DNSRecord (New-DNSRecordArray -DNSData 1.2.3.4)
ScriptHalted
At C:\Users\Administrator\Documents\adidns.ps1:3132 char:9
+ throw
+ ~~~~~
+ CategoryInfo : OperationStopped: (:) [], RuntimeException
+ FullyQualifiedErrorId : ScriptHalted
Looking at the documentation for New-DNSRecordArray, I see that the DNSData parameter is no longer used, yet is still being referenced in the console output. Legacy code, I guess? I suppose you're already aware of this and it's on the roadmap.
So I used the new parameters and tried again:
PS C:\Users\Administrator> Set-ADIDNSNodeAttribute -node foo -Attribute dnsRecord -value (New-DNSRecordArray -Type A -Data 1.2.3.4)
[-] Exception calling "InvokeSet" with "2" argument(s): "Number of parameters specified does not match the expected number."
I found out that this is because the returned value for New-DNSRecordArray is Object[] but it really needs to be Byte[]. I was able to change the record manually with this cheap hack:
PS C:\Users\Administrator> Set-ADIDNSNodeAttribute -node foo -Attribute dnsRecord -value ([Byte[]] (New-DNSRecordArray -Type A -Data 1.2.3.4))
[+] dnsRecord updated for foo
So basically, the return type for New-DNSRecordArray probably needs to be Byte[] and the documentation for that function should be updated. I have zero PowerShell experience and don't feel confident enough to submit a pull request for this. I could try, however, if you don't have the time.
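An added illustration of the type problem in that report (not Powermad's code; the function name is assumed): a function that builds the MS-DNSP DNS_RPC_RECORD bytes that ADIDNS stores in dnsRecord for an A record, and returns them so the caller receives Byte[] rather than an Object[] produced by pipeline enumeration.

```powershell
# Added illustration (not Powermad's code): build a minimal MS-DNSP DNS_RPC_RECORD
# for an A record and return it as Byte[], the type a dnsRecord attribute write expects.
function New-DemoDnsARecord {
    param(
        [Parameter(Mandatory)][String]$IPv4Address,
        [UInt32]$TtlSeconds = 600,
        [UInt32]$Serial = 1
    )
    $ip = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()  # 4 bytes for an A record

    # DNS_RPC_RECORD layout (MS-DNSP 2.2.2.2.5); multi-byte fields are little-endian
    # except TtlSeconds, which is stored big-endian. Assumes a little-endian host.
    $record = [System.Collections.Generic.List[Byte]]::new()
    $record.AddRange([BitConverter]::GetBytes([UInt16]$ip.Length))   # DataLength
    $record.AddRange([BitConverter]::GetBytes([UInt16]1))            # Type = A
    $record.Add(5)                                                   # Version
    $record.Add(0xF0)                                                # Rank = RANK_ZONE
    $record.AddRange([BitConverter]::GetBytes([UInt16]0))            # Flags
    $record.AddRange([BitConverter]::GetBytes([UInt32]$Serial))      # Serial
    $ttl = [BitConverter]::GetBytes([UInt32]$TtlSeconds)
    [Array]::Reverse($ttl)
    $record.AddRange($ttl)                                           # TtlSeconds (big-endian)
    $record.AddRange([BitConverter]::GetBytes([UInt32]0))            # Reserved
    $record.AddRange([BitConverter]::GetBytes([UInt32]0))            # TimeStamp (0 = static)
    $record.AddRange($ip)                                            # Data
    $bytes = $record.ToArray()                                       # Byte[]

    # 'return $bytes' would be enumerated by the pipeline and arrive at the caller
    # as Object[]; the unary comma wraps it so the Byte[] reaches the caller intact.
    return ,$bytes
}

# Check the type the caller actually receives, which is what the Set-ADIDNSNodeAttribute
# call in the report tripped over; no [Byte[]] cast is needed at the call site.
$rec = New-DemoDnsARecord -IPv4Address 1.2.3.4
if ($rec -isnot [Byte[]]) { throw "expected Byte[], got $($rec.GetType().Name)" }
```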
Not possible to request the records from a non-domain-joined machine even though the -Domain, -Credential and -DomainController parameters are supplied. Please close if this is expected behaviour.
Get-ADIDNSNodeAttribute -Node * -Attribute DNSRecord -DomainController $Server -Domain $Domain -Credential $Creds -Verbose
[-] Exception calling "GetCurrentDomain" with "0" argument(s): "Current security context is not associated with an Active Directory domain or forest."
Exception calling "GetCurrentDomain" with "0" argument(s): "Current security context is not associated with an Active Directory domain or forest."
At C:\Tools\AD\Powermad\Powermad.ps1:1755 char:13
+ $current_domain = [System.DirectoryServices.ActiveDirecto ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ActiveDirectoryOperationException
When using New-ADIDNSNode -Node * -Tombstone -Verbose, I receive the error message:
'Exception calling sendRequest with (1) arguments. The object does not exist'
This is from a domain joined machine. Looking through the Powermad.ps1 file, this error message does not appear to be thrown directly from the script, but instead the SendMethod method called.