Dump Active Directory Domain Information: goddi
goddi (go dump domain info) dumps domain users, groups, domain controllers, and more in CSV output and it runs on Windows and Linux.
Functionality
StartTLS and TLS (tls.Client func) connections supported. Connections over TLS are default. All output goes to CSVs and are created in /csv/ in the current working directory. Dumps:
Domain users. Also searches Description for keywords and prints to a seperate csv ex. “Password” was found in the domain user description.
Users in priveleged user groups (DA, EA, FA).
Users with passwords not set to expire.
User accounts that have been locked or disabled.
Machine accounts with passwords older than 45 days.
Domain Computers.
Domain Controllers.
Sites and Subnets.
SPNs and includes csv flag if domain admin (a flag to note SPNs that are DAs in the SPN CSV output).
Trusted domain relationships.
Domain Groups.
Domain OUs.
Domain Account Policy.
Domain deligation users.
Domain GPOs.
Domain FSMO roles.
LAPS passwords.
GPP passwords. On Windows, defaults to mapping Q. If used, will try another mapping until success R, S, etc… On Linux, /mnt/goddi is used.
Install
Use the executables in the releases section. If you want to build it yourself, make sure that your go environment is setup according to the Go setup doc. The goddi package also uses the below package.
go get gopkg.in/ldap.v2
Windows
Tested on Windows 10 and 8.1 (go1.10 windows/amd64).
Linux
Tested on Kali Linux (go1.10 linux/amd64).
umount, mount, and cifs-utils need to be installed for mapping a share for GetGPP
apt-get update
apt-get install -y mount cifs-utils
make sure nothing is mounted at /mnt/goddi/
make sure to run with sudo
Why Go?
Go is fast and supports cross platform compilation. During testing, goddi managed to cut execution time down to a matter of seconds when compared to its PowerShell counterparts. Go binaries can also be built for Windows, Linux, and MacOS all on the same system. The full list of OS and architecture combinations are listed in the go GitHub repo. At the time of this blog’s release, goddi has been tested on Windows (10 and 8.1) and Kali Linux.
That isn’t to say that there aren’t any drawbacks with a Go implementation. The Microsoft ADSI API is much more flexible to work with, especially when creating LDAP queries to run under the current user’s security context. goddi requires domain credentials to be explicitly provided on the command line. This can be especially annoying in scenarios where a user’s credentials may not be known. If you get access to a box with local Administrator, but don’t have domain credentials yet, you can run PSExec to get local system. With local system, you can check if you have domain user privileges and then run PowerShell in this current context without domain credentials. This functionality is on the roadmap for future development.
Run
When run, will default to using TLS (tls.Client method) over 636. On Linux, make sure to run with sudo.
username: Target user. Required parameter.
password: Target user’s password. Required parameter.
domain: Full domain name. Required parameter.
dc: DC to target. Can be either an IP or full hostname. Required parameter.
startTLS: Use to StartTLS over 389.
unsafe: Use for a plaintext connection.
PS C:\Users\Administrator\Desktop> .\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
[i] Begin PLAINTEXT LDAP connection to 'dc.test.local'...
[i] PLAINTEXT LDAP connection to 'dc.test.local' successful...
[i] Begin BIND...
[i] BIND with 'testuser' successful...
[i] Begin dump domain info...
[i] Domain Trusts: 1 found
[i] Domain Controllers: 1 found
[i] Users: 12 found
[] Warning: keyword 'pass' found!
[] Warning: keyword 'fall' found!
[i] Domain Admins: 4 users found
[i] Enterprise Admins: 1 users found
[i] Forest Admins: 0 users found
[i] Locked Users: 0 found
[i] Disabled Users: 2 found
[i] Groups: 45 found
[i] Domain Sites: 1 found
[i] Domain Subnets: 0 found
[i] Domain Computers: 17 found
[i] Deligated Users: 0 found
[i] Users with passwords not set to expire: 6 found
[i] Machine Accounts with passwords older than 45 days: 18 found
[i] Domain OUs: 8 found
[i] Domain Account Policy found
[i] Domain GPOs: 7 found
[i] FSMO Roles: 3 found
[i] SPNs: 122 found
[i] LAPS passwords: 0 found
[i] GPP enumeration starting. This can take a bit...
[i] GPP passwords: 7 found
[i] CSVs written to 'csv' directory in C:\Users\Administrator\Desktop
[i] Execution took 1.4217256s...
[i] Exiting...
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://n0where.net/dump-active-directory-domain-information-goddi
Congratulations @fortean! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
You published 4 posts in one day
Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOP