NetExec/nxc/modules/enum_dns.py


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from datetime import datetime
from nxc.helpers.logger import write_log
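class NXCModule:
    """
    Uses WMI to dump DNS from an AD DNS Server.
    Module by @fang0654
    """

    name = "enum_dns"
    description = "Uses WMI to dump DNS from an AD DNS Server"
    supported_protocols = ["smb", "wmi"]
    opsec_safe = True
    multiple_hosts = True

    # WMI namespace that exposes the MicrosoftDNS_* classes on a DNS server.
    _DNS_NAMESPACE = "root\\microsoftdns"

    def __init__(self, context=None, module_options=None):
        self.context = context
        self.module_options = module_options
        # Zone name from the DOMAIN option; None means "enumerate every zone".
        self.domains = None

    def options(self, context, module_options):
        """
        DOMAIN Domain to enumerate DNS for. Defaults to all zones.
        """
        self.domains = None
        if module_options and "DOMAIN" in module_options:
            self.domains = module_options["DOMAIN"]

    @staticmethod
    def _parse_record(text):
        """Split a MicrosoftDNS TextRepresentation into (name, type, value).

        The text is space-separated as ``<name> <ttl> <type> <data...>``.
        Returns None for an empty value or fewer than three fields so the
        caller can skip the row instead of raising IndexError.
        """
        if not text:
            return None
        parts = text.split(" ")
        if len(parts) < 3:
            return None
        return parts[0], parts[2], " ".join(parts[3:])

    @classmethod
    def _group_records(cls, output):
        """Group WMI resource-record rows by record type.

        Returns ``{rtype: ["name: value", ...]}`` in row order; rows whose
        TextRepresentation cannot be parsed are dropped.
        """
        grouped = {}
        for entry in output:
            parsed = cls._parse_record(entry["TextRepresentation"]["value"])
            if parsed is None:
                continue
            rname, rtype, rvalue = parsed
            grouped.setdefault(rtype, []).append(f"{rname}: {rvalue}")
        return grouped

    def _zone_names(self, context, connection):
        """Return the zones to enumerate: the DOMAIN option, or every zone the server reports."""
        if self.domains:
            return [self.domains]
        zones = []
        output = connection.wmi("Select Name FROM MicrosoftDNS_Zone", self._DNS_NAMESPACE)
        if output:
            zones = [result["Name"]["value"] for result in output]
            context.log.success("Domains retrieved: {}".format(zones))
        return zones

    def on_admin_login(self, context, connection):
        """Dump the resource records of each zone and save the raw output under ~/.nxc/logs."""
        domains = self._zone_names(context, connection)
        if not domains:
            # Nothing to query: avoid writing an empty log file.
            context.log.fail("No DNS zones found to enumerate")
            return

        lines = []
        for domain in domains:
            # NOTE(review): the zone name is interpolated unquoted into the WQL
            # filter; WQL string literals are normally double-quoted -- confirm
            # against a live server before changing.
            output = connection.wmi(
                f"Select TextRepresentation FROM MicrosoftDNS_ResourceRecord WHERE DomainName = {domain}",
                self._DNS_NAMESPACE,
            )
            if not output:
                continue
            context.log.highlight(f"Results for {domain}")
            lines.append(f"Results for {domain}")
            for rtype, records in sorted(self._group_records(output).items()):
                context.log.highlight(f"Record Type: {rtype}")
                lines.append(f"Record Type: {rtype}")
                for record in sorted(records):
                    context.log.highlight("\t" + record)
                    lines.append("\t" + record)

        # Every line is newline-terminated, matching the previous raw log format.
        data = "".join(line + "\n" for line in lines)
        log_name = "DNS-Enum-{}-{}.log".format(connection.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))
        write_log(data, log_name)
        context.log.display(f"Saved raw output to ~/.nxc/logs/{log_name}")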