First Commit

Outflank-Recon-AD/Recon-AD.cna

@@ -0,0 +1,193 @@
+#Recon-AD
+#author Cornelis de Plaa
+#@outflank.nl
+
+#Using Active Directory Service Interfaces (ADSI) to query Active Directory objects and corresponding attributes.
+
+#register help
+beacon_command_register("Recon-AD-Domain", "Using Active Directory Domain Services to enumerate domain information.",
+	"Using Active Directory Domain Services to enumerate domain information.\n\n" .
+	"Synopsis: Recon-AD-Domain\n\n");
+
+beacon_command_register("Recon-AD-Users", "Use ADSI to query Active Directory user objects and attributes.",
+	"Use Active Directory Service Interfaces (ADSI) to query user objects and corresponding attributes.\n\n" .
+	"Synopsis: Recon-AD-Users [username], to query a specific user object including attributes.\n" .
+	"          Recon-AD-Users [*admin*], to query for usernames containing admin.\n" .
+	"          Recon-AD-Users All, to query all user objects including attributes.\n");
+
+beacon_command_register("Recon-AD-Computers", "Use ADSI to query Active Directory computer objects and attributes.",
+	"Use Active Directory Service Interfaces (ADSI) to query computer objects and corresponding attributes.\n\n" .
+	"Synopsis: Recon-AD-Computers [computername], to query a specific computer object including attributes.\n" .
+	"          Recon-AD-Computers [*dc*], to query for computernames containing dc.\n" .
+	"          Recon-AD-Computers All, to query all computer objects including attributes.\n");
+
+beacon_command_register("Recon-AD-Groups", "Use ADSI to query Active Directory group objects and attributes.",
+	"Use Active Directory Service Interfaces (ADSI) to query group objects and corresponding attributes.\n\n" .
+	"Synopsis: Recon-AD-Groups [groupname], to query a specific group object including attributes.\n" .
+	"          Recon-AD-Groups [*admin*], to query for groupnames containing admin.\n" .
+	"          Recon-AD-Groups All, to query all group objects including attributes.\n");
+
+beacon_command_register("Recon-AD-LocalGroups", "Use ADSI to query a computer for specific localgroups.",
+	"Use Active Directory Service Interfaces (ADSI) to query a computer for specific localgroups (default Administrators group).\n\n" .
+	"Synopsis: Recon-AD-LocalGroups [computername] [groupname], to query a specific computer and localgroup.\n");
+
+beacon_command_register("Recon-AD-AllLocalGroups", "Use ADSI to query a computer for all localgroups.",
+	"Use Active Directory Service Interfaces (ADSI) to query a computer for all localgroups.\n\n" .
+	"Synopsis: Recon-AD-AllLocalGroups [computername], to query a specific computer for all localgroups.\n");
+
+beacon_command_register("Recon-AD-SPNs", "Use ADSI to query Active Directory user objects with Service Principal Names (SPN) configured.",
+	"Use Active Directory Service Interfaces (ADSI) to query user objects with Service Principal Names (SPN) configured.\n\n" .
+	"Synopsis: Recon-AD-SPNs\n\n");
+
+
+alias Recon-AD-Domain {
+	$bid = $1;
+	blog($bid, "Let's enumerate the domain\n");
+	bdllspawn($bid, script_resource("Recon-AD-Domain.dll"), "", "Recon-AD-Domain", 5000, false);
+}
+
+alias Recon-AD-Users {
+	$bid = $1;
+
+	$input = substr($0, 15);
+	@args = split(' ', $input);
+
+	$object = @args[0];
+
+	if ($object eq "") {
+		berror($bid, "Please specify a username or all.");
+		return;
+	}
+	else if ($object eq "all") {
+		blog($bid, "Let's enumerate all users\n");
+		bdllspawn($bid, script_resource("Recon-AD-Users.dll"), "", "Recon-AD-Users", 5000, false);
+	}
+	else{
+		$param = "(sAMAccountName=" . $object . ")";
+		blog($bid, "Let's enumerate user " . $object . "\n");
+		bdllspawn($bid, script_resource("Recon-AD-Users.dll"), $param, "Recon-AD-Users", 5000, false);
+	}
+}
+
+alias Recon-AD-Computers {
+	$bid = $1;
+
+	$input = substr($0, 19);
+	@args = split(' ', $input);
+
+	$object = @args[0];
+
+	if ($object eq "") {
+		berror($bid, "Please specify a computername or all.");
+		return;
+	}
+	else if ($object eq "all") {
+		blog($bid, "Let's enumerate all computers\n");
+		bdllspawn($1, script_resource("Recon-AD-Computers.dll"), "", "Recon-AD-Computers", 5000, false);
+	}
+	else {
+		$param = "(cn=" . $object . ")";
+		blog($bid, "Let's enumerate computer " . $object . "\n");
+		bdllspawn($1, script_resource("Recon-AD-Computers.dll"), $param, "Recon-AD-Computers", 5000, false);
+	}
+}
+
+alias Recon-AD-Groups {
+	$bid = $1;
+
+	$input = substr($0, 16);
+	@args = split(' ', $input);
+
+	#For Groups with spaces in Groupname...
+	$object = @args[0];
+	$object1 = @args[1];
+	$object2 = @args[2];
+	$object3 = @args[3];
+	$object4 = @args[4];
+	$object5 = @args[5];
+
+	if ($object eq "") {
+		berror($bid, "Please specify a groupname or all.");
+		return;
+	}
+	else if ($object eq "all") {
+		blog($bid, "Let's enumerate all groups\n");
+		bdllspawn($1, script_resource("Recon-AD-Groups.dll"), "", "Recon-AD-Groups", 5000, false);
+	}
+	else if (@args[1] eq ""){
+		$param = "(sAMAccountName=" . $object . ")";
+	}
+	else if (@args[2] eq ""){
+		$param = "(sAMAccountName=" . $object . " " . $object1 . ")";
+	}
+	else if (@args[3] eq ""){
+		$param = "(sAMAccountName=" . $object . " " . $object1 . " " . $object2 . ")";
+	}
+	else if (@args[4] eq ""){
+		$param = "(sAMAccountName=" . $object . " " . $object1 . " " . $object2 . " " . $object3 . ")";
+	}
+	else if (@args[5] eq ""){
+		$param = "(sAMAccountName=" . $object . " " . $object1 . " " . $object2 . " " . $object3 . " " . $object4 . ")";
+	}
+	else {
+		$param = "(sAMAccountName=" . $object . " " . $object1 . " " . $object2 . " " . $object3 . " " . $object4 . " " . $object5 . ")";
+	}
+	blog($bid, "Let's enumerate group " . $object . " " . $object1 . " " . $object2 . " " . $object3 . " " . $object4 . " " . $object5"\n");
+	bdllspawn($1, script_resource("Recon-AD-Groups.dll"), $param, "Recon-AD-Groups", 5000, false);
+}
+
+alias Recon-AD-AllLocalGroups {
+	$bid = $1;
+
+	$input = substr($0, 24);
+	@args = split(' ', $input);
+
+	$object = @args[0];
+
+	if ($object eq "") {
+		berror($bid, "Please specify a computername.");
+		return;
+	}
+	else{
+		$param = $object;
+	}
+	blog($bid, "Let's enumerate computer " . $object . " for localgroups\n");
+	bdllspawn($bid, script_resource("Recon-AD-AllLocalGroups.dll"), $param, "Recon-AD-AllLocalGroups", 5000, false);
+}
+
+alias Recon-AD-LocalGroups {
+	$bid = $1;
+
+	$input = substr($0, 21);
+	@args = split(' ', $input);
+
+	$object = @args[0];
+	$object1 = @args[1];
+	$object2 = @args[2];
+	$object3 = @args[3];
+
+	if ($object eq "") {
+		berror($bid, "Please specify a computername and localgroup.");
+		return;
+	}
+	else if (@args[1] eq ""){
+		$param = $object;
+	}
+	else if (@args[2] eq ""){
+		$param = $object . " " . $object1;
+	}
+	else if (@args[3] eq ""){
+		$param = $object . " " . $object1 . " " . $object2;
+	}
+	else {
+		$param = $object . " " . $object1 . " " . $object2 . " " . $object3;
+	}
+	blog($bid, "Let's enumerate computer " . $object . " for localgroup " . $object1 . " " . $object2 . " " . $object3"\n");
+	bdllspawn($1, script_resource("Recon-AD-LocalGroups.dll"), $param, "Recon-AD-LocalGroups", 5000, false);
+}
+
+alias Recon-AD-SPNs {
+	$bid = $1;
+	blog($bid, "Let's enumerate all users with SPNs configured.\n");
+	bdllspawn($bid, script_resource("Recon-AD-SPNs.dll"), "servicePrincipalName=*", "Recon-AD-SPNs", 5000, false);
+}

README.md

@@ -1,2 +1,34 @@
-# Recon-AD
-
+# Recon-AD, an AD recon tool based on ADSI and reflective DLL’s
+New monitoring and defense optics are being applied within Microsoft operating systems and security products. This should help defenders in detecting malicious behavior within their environments. While PowerShell has long been very popular for post exploitation, now it’s something attackers try to avoid. .NET is the current hype for offensive tradecraft, but Microsoft is rapidly developing new measures by adding optics to catch malicious behavior on this platform. 
+
+As a proof of concept, we developed an C/C++ Active Directory reconnaissance tool based on ADSI and reflective DLLs which can be used within Cobalt Strike. The tool is called “Recon-AD” and at this moment consist of seven Reflective DLLs and a corresponding aggressor script.
+
+More info about the used techniques can be found on the following Blog: 
+https://outflank.nl/blog/2019/10/20/red-team-tactics-active-directory-recon-using-adsi-and-reflective-dlls/
+
+The following functionality is included in the toolkit:
+
+```
+Recon-AD-Domain: to enumerate Domain information (Domain name, GUID, site name, password policy, DC list e.g.).
+Recon-AD-Users: to query for user objects and corresponding attributes.
+Recon-AD-Groups: to query for group objects and corresponding attributes.
+Recon-AD-Computers: to query for computer objects and corresponding attributes.
+Recon-AD-SPNs: to query for user objects with Service Principal Names (SPN) configured and display useful attributes.
+Recon-AD-AllLocalGroups: to query a computer for all local groups and group-members.
+Recon-AD-LocalGroups: to query a computer for specific local groups and group-members (default Administrators group).
+```
+
+Usage:
+
+```
+Download the Outflank-Recon-AD folder and load the Recon-AD.cna script within the Cobalt Strike Script Manager.
+Use the Beacon help command to display syntax information.
+```
+
+```
+This project is written in C/C++
+You can use Visual Studio to compile the reflective dll's from source.
+```
+
+## Credits
+Author: Cornelis de Plaa (@Cneelis) / Outflank

Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28307.852
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Recon-AD-AllLocalGroups", "Recon-AD-AllLocalGroups\Recon-AD-AllLocalGroups.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {ACBE159D-66DD-4330-B464-35D40C540652}
+	EndGlobalSection
+EndGlobal

Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.vcxproj

@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{D30C9D6B-1F45-47BD-825B-389FE8CC9069}</ProjectGuid>
+    <RootNamespace>ReconADDomain</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+    <ProjectName>Recon-AD-AllLocalGroups</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v141</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v141</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="ReflectiveDLLInjection.h" />
+    <ClInclude Include="ReflectiveLoader.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="ReflectiveDll.cpp" />
+    <ClCompile Include="ReflectiveLoader.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>