
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from datetime import datetime
from cme.helpers.logger import write_log
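class CMEModule:
    '''
    Uses WMI to dump DNS from an AD DNS Server.
    Module by @fang0654

    Zone names are read from the MicrosoftDNS_Zone class and each zone's
    records from MicrosoftDNS_ResourceRecord, both in the
    ``root\\microsoftdns`` WMI namespace. Results are echoed through
    ``context.log`` and saved to a timestamped log file via ``write_log``.
    '''
    name = 'enum_dns'
    description = 'Uses WMI to dump DNS from an AD DNS Server'
    supported_protocols = ['smb']
    opsec_safe = True
    multiple_hosts = True

    def options(self, context, module_options):
        '''
        DOMAIN Domain to enumerate DNS for. Defaults to all zones.
        '''
        # A single zone name (despite the plural attribute name, which is
        # kept for compatibility); None means "enumerate every zone".
        self.domains = None
        if module_options and 'DOMAIN' in module_options:
            self.domains = module_options['DOMAIN']

    @staticmethod
    def _wql_quote(value):
        """Return *value* as a double-quoted WQL string literal.

        WQL string literals are backslash-escaped, so a backslash or a
        double quote inside an operator-supplied DOMAIN option (or a zone
        name returned by the server) would otherwise terminate the literal
        and alter the WHERE clause. Escaping here keeps the value inert.

        :param value: zone name to embed in a query
        :return: the quoted literal, e.g. ``"corp.local"``
        """
        escaped = str(value).replace('\\', '\\\\').replace('"', '\\"')
        return '"{}"'.format(escaped)

    @staticmethod
    def _parse_record(text):
        """Split a record's TextRepresentation into (name, type, value).

        The representation is treated as space-separated ``name ttl type
        value...`` fields: field 0 is the name, field 2 the record type and
        everything from field 3 on is the value (joined with spaces, so a
        record with no value yields ``''``).

        :param text: the TextRepresentation string of one resource record
        :return: ``(name, rtype, value)`` or ``None`` when fewer than three
            fields are present, so one malformed record does not abort the
            whole zone dump with an IndexError.
        """
        fields = text.split(' ')
        if len(fields) < 3:
            return None
        return fields[0], fields[2], ' '.join(fields[3:])

    def on_admin_login(self, context, connection):
        """Enumerate DNS zones and records over WMI and record the output.

        Invoked by the framework for each host once an admin session is
        available. Queries every zone unless the DOMAIN option restricted
        enumeration to one, prints the records grouped and sorted by type,
        and saves the same text to ``DNS-Enum-<target>-<timestamp>.log``.

        :param context: module context; only ``context.log`` is used
        :param connection: protocol connection exposing ``wmi(query,
            namespace)`` and ``args.target``
        :return: None
        """
        if self.domains:
            domains = [self.domains]
        else:
            domains = []
            output = connection.wmi('Select Name FROM MicrosoftDNS_Zone', 'root\\microsoftdns')
            if output:
                domains = [result['Name']['value'] for result in output]
            context.log.success('Domains retrieved: {}'.format(domains))

        lines = []
        for domain in domains:
            # The zone name is embedded as a quoted WQL literal; see _wql_quote
            # for why it must be escaped rather than interpolated raw.
            query = (
                'Select TextRepresentation FROM MicrosoftDNS_ResourceRecord '
                'WHERE DomainName = {}'.format(self._wql_quote(domain))
            )
            output = connection.wmi(query, 'root\\microsoftdns')
            if not output:
                continue

            context.log.highlight("Results for {}".format(domain))
            lines.append("Results for {}".format(domain))

            # rtype -> list of "name: value" strings
            domain_data = {}
            for entry in output:
                text = entry['TextRepresentation']['value']
                parsed = self._parse_record(text)
                if parsed is None:
                    # Unexpected layout: report it instead of crashing the run.
                    context.log.debug('Skipping unparseable DNS record: {!r}'.format(text))
                    continue
                rname, rtype, rvalue = parsed
                domain_data.setdefault(rtype, []).append("{}: {}".format(rname, rvalue))

            for rtype, records in sorted(domain_data.items()):
                context.log.highlight("Record Type: {}".format(rtype))
                lines.append("Record Type: {}".format(rtype))
                for record in sorted(records):
                    context.log.highlight("\t" + record)
                    lines.append("\t" + record)

        # One trailing newline per line, matching the raw-log format.
        data = "".join(line + "\n" for line in lines)
        log_name = 'DNS-Enum-{}-{}.log'.format(connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.info("Saved raw output to {}".format(log_name))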