NetExec/nxc/modules/enum_dns.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from datetime import datetime
from nxc.helpers.logger import write_log


class NXCModule:
    """
    Uses WMI to dump DNS from an AD DNS Server.
    Module by @fang0654
    """

    name = "enum_dns"
    description = "Uses WMI to dump DNS from an AD DNS Server"
    supported_protocols = ["smb", "wmi"]
    opsec_safe = True
    multiple_hosts = True

    def __init__(self, context=None, module_options=None):
        self.context = context
        self.module_options = module_options
        self.domains = None

    def options(self, context, module_options):
        """
        DOMAIN  Domain to enumerate DNS for. Defaults to all zones.
        """
        self.domains = None
        if module_options and "DOMAIN" in module_options:
            self.domains = module_options["DOMAIN"]

    def on_admin_login(self, context, connection):
        if not self.domains:
            domains = []
            output = connection.wmi("Select Name FROM MicrosoftDNS_Zone", "root\\microsoftdns")

            if output:
                for result in output:
                    domains.append(result["Name"]["value"])

                context.log.success("Domains retrieved: {}".format(domains))
        else:
            domains = [self.domains]
        data = ""
        for domain in domains:
            output = connection.wmi(
                f"Select TextRepresentation FROM MicrosoftDNS_ResourceRecord WHERE DomainName = {domain}",
                "root\\microsoftdns",
            )

            if output:
                domain_data = {}
                context.log.highlight(f"Results for {domain}")
                data += f"Results for {domain}\n"
                for entry in output:
                    text = entry["TextRepresentation"]["value"]
                    rname = text.split(" ")[0]
                    rtype = text.split(" ")[2]
                    rvalue = " ".join(text.split(" ")[3:])
                    if domain_data.get(rtype, False):
                        domain_data[rtype].append(f"{rname}: {rvalue}")
                    else:
                        domain_data[rtype] = [f"{rname}: {rvalue}"]

                for k, v in sorted(domain_data.items()):
                    context.log.highlight(f"Record Type: {k}")
                    data += f"Record Type: {k}\n"
                    for d in sorted(v):
                        context.log.highlight("\t" + d)
                        data += "\t" + d + "\n"

        log_name = "DNS-Enum-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.display(f"Saved raw output to ~/.nxc/logs/{log_name}")
Adding shebang and encoding utf-8 for all python files 2022-07-18 23:59:14 +00:00			`#!/usr/bin/env python3`
			`# -- coding: utf-8 --`

Fixed dependency hell, added Github actions workflow - Got rid of netaddr in favor of built in ipaddress module - cme/cmedb binaries are now built with shiv - Removed http protocol as it was basically useless and added another dependency 2020-04-20 16:19:55 +00:00			`from datetime import datetime`
rename folders, files, functions, classes, etc to NetExec/nxc 2023-09-14 21:07:15 +00:00			`from nxc.helpers.logger import write_log`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00

Rename Module Classname to match python convention 2023-09-17 20:20:40 +00:00			`class NXCModule:`
clean up some modules 2023-03-31 17:49:25 +00:00			`"""`
			`Uses WMI to dump DNS from an AD DNS Server.`
			`Module by @fang0654`
			`"""`
black formating 2023-05-02 15:17:59 +00:00
fix(modules): refactor how modules are loaded, not initializing all objects before loading 2023-04-04 13:39:54 +00:00			`name = "enum_dns"`
			`description = "Uses WMI to dump DNS from an AD DNS Server"`
[wmi] neff review I Signed-off-by: XiaoliChan <2209553467@qq.com> 2023-09-01 13:49:57 +00:00			`supported_protocols = ["smb", "wmi"]`
fix(modules): refactor how modules are loaded, not initializing all objects before loading 2023-04-04 13:39:54 +00:00			`opsec_safe = True`
			`multiple_hosts = True`

clean up some modules 2023-03-31 17:49:25 +00:00			`def __init__(self, context=None, module_options=None):`
			`self.context = context`
			`self.module_options = module_options`
			`self.domains = None`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00
			`def options(self, context, module_options):`
clean up some modules 2023-03-31 17:49:25 +00:00			`"""`
			`DOMAIN Domain to enumerate DNS for. Defaults to all zones.`
			`"""`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00			`self.domains = None`
black formating 2023-05-02 15:17:59 +00:00			`if module_options and "DOMAIN" in module_options:`
			`self.domains = module_options["DOMAIN"]`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00
			`def on_admin_login(self, context, connection):`
			`if not self.domains:`
			`domains = []`
black v2 formating 2023-05-08 18:39:36 +00:00			`output = connection.wmi("Select Name FROM MicrosoftDNS_Zone", "root\\microsoftdns")`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00
			`if output:`
			`for result in output:`
black formating 2023-05-02 15:17:59 +00:00			`domains.append(result["Name"]["value"])`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00
black formating 2023-05-02 15:17:59 +00:00			`context.log.success("Domains retrieved: {}".format(domains))`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00			`else:`
			`domains = [self.domains]`
			`data = ""`
			`for domain in domains:`
black formating 2023-05-02 15:17:59 +00:00			`output = connection.wmi(`
			`f"Select TextRepresentation FROM MicrosoftDNS_ResourceRecord WHERE DomainName = {domain}",`
			`"root\\microsoftdns",`
			`)`

Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00			`if output:`
			`domain_data = {}`
clean up some modules 2023-03-31 17:49:25 +00:00			`context.log.highlight(f"Results for {domain}")`
			`data += f"Results for {domain}\n"`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00			`for entry in output:`
black formating 2023-05-02 15:17:59 +00:00			`text = entry["TextRepresentation"]["value"]`
			`rname = text.split(" ")[0]`
			`rtype = text.split(" ")[2]`
			`rvalue = " ".join(text.split(" ")[3:])`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00			`if domain_data.get(rtype, False):`
clean up some modules 2023-03-31 17:49:25 +00:00			`domain_data[rtype].append(f"{rname}: {rvalue}")`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00			`else:`
clean up some modules 2023-03-31 17:49:25 +00:00			`domain_data[rtype] = [f"{rname}: {rvalue}"]`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00
update python3 2019-11-10 23:12:35 +00:00			`for k, v in sorted(domain_data.items()):`
clean up some modules 2023-03-31 17:49:25 +00:00			`context.log.highlight(f"Record Type: {k}")`
			`data += f"Record Type: {k}\n"`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00			`for d in sorted(v):`
black formating 2023-05-02 15:17:59 +00:00			`context.log.highlight("\t" + d)`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00			`data += "\t" + d + "\n"`

[wmi] self review: remove useless try in wmi query & bugs fix in modules Signed-off-by: XiaoliChan <2209553467@qq.com> 2023-08-30 03:43:02 +00:00			`log_name = "DNS-Enum-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))`
Added module for enumerating AD DNS via WMI. 2018-01-23 00:45:56 +00:00			`write_log(data, log_name)`
rename folders, files, functions, classes, etc to NetExec/nxc 2023-09-14 21:07:15 +00:00			`context.log.display(f"Saved raw output to ~/.nxc/logs/{log_name}")`