Updated description and help.

sense-of-security · Jul 30, 2018 · 7cc2af5 · 7cc2af5
1 parent 787329f
commit 7cc2af5
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 69 deletions.
diff --git a/ADRecon.ps1 b/ADRecon.ps1
@@ -6,10 +6,10 @@
 
 .DESCRIPTION
 
-    ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis.
-    The report can provide a holistic picture of the current state of the target AD environment.
+    ADRecon is a tool which extracts and combines various artefacts (as highlighted below) out of an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.
     The tool is useful to various classes of security professionals like auditors, DFIR, students, administrators, etc. It can also be an invaluable post-exploitation tool for a penetration tester.
-    It can be run from any workstation that is connected to the environment even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) accounts. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts.
+    It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account.
+    Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts.
     The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.
     The following information is gathered by the tool:
     - Forest;
@@ -21,7 +21,7 @@
     - Fine Grained Password Policy (if implemented);
     - Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles;
     - Users and their attributes;
-    - Service Principal Names;
+    - Service Principal Names (SPNs);
     - Groups and memberships;
     - Organizational Units (OUs) and their ACLs;
     - Group Policy Object details;
@@ -30,7 +30,7 @@
     - Computers and their attributes;
     - LAPS passwords (if implemented);
     - BitLocker Recovery Keys (if implemented); and
-    - Domain GPO Report (requires RSAT).
+    - GPOReport (requires RSAT).
 
     Author     : Prashant Mahajan
     Company    : https://www.senseofsecurity.com.au
@@ -74,7 +74,7 @@
 	Path for ADRecon output folder to save the files and the ADRecon-Report.xlsx. (The folder specified will be created if it doesn't exist)
 
 .PARAMETER Collect
-    What attributes to collect; Comma separated; e.g Forest,Domain (Default all)
+    Which modules to run; Comma separated; e.g Forest,Domain (Default all)
     Valid values include: Forest, Domain, Trusts, Sites, Subnets, PasswordPolicy, FineGrainedPasswordPolicy, DomainControllers, Users, UserSPNs, Groups, GroupMembers, OUs, OUPermissions, GPOs, GPOReport, DNSZones, Printers, Computers, ComputerSPNs, LAPS, BitLocker.
 
 .PARAMETER OutputType
@@ -84,6 +84,9 @@
 .PARAMETER DormantTimeSpan
     Timespan for Dormant accounts. (Default 90 days)
 
+.PARAMETER PassMaxAge
+    Maximum machine account password age. (Default 30 days)
+
 .PARAMETER PageSize
     The PageSize to set for the LDAP searcher object.
 
@@ -132,24 +135,27 @@
     [*] Commencing - <timestamp>
     [-] Domain
     [-] Forest
+    [-] Trusts
+    [-] Sites
+    [-] Subnets
     [-] Default Password Policy
     [-] Fine Grained Password Policy - May need a Privileged Account
     [-] Domain Controllers
-    [-] Domain Users - May take some time
-    [-] Domain User SPNs
-    [-] Domain Groups - May take some time
-    [-] Domain Group Memberships - May take some time
-    [-] Domain OrganizationalUnits (OUs)
+    [-] Users - May take some time
+    [-] User SPNs
+    [-] Groups - May take some time
+    [-] Group Memberships - May take some time
+    [-] OrganizationalUnits (OUs)
     [-] Domain OrganizationalUnits Permissions - May take some time
-    [-] Domain GPOs
-    [-] Domain DNS Zones and Records
-    [-] Domain Printers
-    [-] Domain Computers - May take some time
-    [-] Domain Computer SPNs
+    [-] GPOs
+    [-] DNS Zones and Records
+    [-] Printers
+    [-] Computers - May take some time
+    [-] Computer SPNs
     [-] LAPS - Needs Privileged Account
     WARNING: [*] LAPS is not implemented.
     [-] BitLocker Recovery Keys - Needs Privileged Account
-    [-] Domain GPO Report - May take some time
+    [-] GPOReport - May take some time
     WARNING: [EXCEPTION] Current security context is not associated with an Active Directory domain or forest.
     WARNING: [*] Run the tool using RUNAS.
     WARNING: [*] runas /user:<Domain FQDN>\<Username> /netonly powershell.exe
@@ -169,32 +175,29 @@
     [*] Commencing - <timestamp>
     [-] Domain
     [-] Forest
+    [-] Trusts
+    [-] Sites
+    [-] Subnets
     [-] Default Password Policy
     [-] Fine Grained Password Policy - May need a Privileged Account
     [-] Domain Controllers
-    [-] Domain Users - May take some time
-    [-] Domain User SPNs
-    [-] Domain Groups - May take some time
-    [-] Domain Group Memberships - May take some time
-    [-] Domain OrganizationalUnits (OUs)
+    [-] Users - May take some time
+    [-] User SPNs
+    [-] Groups - May take some time
+    [-] Group Memberships - May take some time
+    [-] OrganizationalUnits (OUs)
     [-] Domain OrganizationalUnits Permissions - May take some time
-    [-] Domain GPOs
-    [-] Domain DNS Zones and Records
-    WARNING: [*] DomainDnsZones, try running with a Privileged Account
-    WARNING: [EXCEPTION] Exception calling "FindAll" with "0" argument(s): "The specified directory service attribute or
-    value does not exist.
-    "
-    WARNING: [*] ForestDnsZones, try running with a Privileged Account
-    WARNING: [EXCEPTION] Exception calling "FindAll" with "0" argument(s): "The specified directory service attribute or
-    value does not exist.
-    "
-    [-] Domain Printers
-    [-] Domain Computers - May take some time
-    [-] Domain Computer SPNs
+    [-] GPOs
+    [-] DNS Zones and Records
+    WARNING: [Get-ADRDNSZone] Error while accessing CN=MicrosoftDNS,DC=DomainDnsZones,<Domain DN>. Try running with a Privileged Account.
+    WARNING: [Get-ADRDNSZone] Error while accessing CN=MicrosoftDNS,DC=ForestDnsZones,<Domain DN>. Try running with a Privileged Account.
+    [-] Printers
+    [-] Computers - May take some time
+    [-] Computer SPNs
     [-] LAPS - Needs Privileged Account
     WARNING: [*] LAPS is not implemented.
     [-] BitLocker Recovery Keys - Needs Privileged Account
-    [-] Domain GPO Report - May take some time
+    [-] GPOReport - May take some time
     WARNING: [*] Currently, the module is only supported with ADWS.
     [*] Total Execution Time (mins): <minutes>
     [*] Output Directory: C:\ADRecon-Report-<timestamp>
@@ -3954,11 +3957,15 @@ Function Export-ADR
     [array]
     Output Type.
 
+.PARAMETER ADRModuleName
+    [String]
+    Module Name.
+
 .OUTPUTS
     STDOUT, CSV, XML, JSON and/or HTML file, etc.
 #>
     param(
-        [Parameter(Mandatory = $false)]
+        [Parameter(Mandatory = $true)]
         [PSObject] $ADRObj,
 
         [Parameter(Mandatory = $true)]
@@ -3967,8 +3974,8 @@ Function Export-ADR
         [Parameter(Mandatory = $true)]
         [array] $OutputType,
 
-        [Parameter(Mandatory = $false)]
-        [string] $ADRModuleName
+        [Parameter(Mandatory = $true)]
+        [String] $ADRModuleName
     )
 
     Switch ($OutputType)
@@ -3992,22 +3999,22 @@ Function Export-ADR
         'CSV'
         {
             $ADFileName  = -join($ADROutputDir,'\','CSV-Files','\',$ADRModuleName,'.csv')
-            Export-ADRCSV $ADRObj $ADFileName
+            Export-ADRCSV -ADRObj $ADRObj -ADFileName $ADFileName
         }
         'XML'
         {
             $ADFileName  = -join($ADROutputDir,'\','XML-Files','\',$ADRModuleName,'.xml')
-            Export-ADRXML $ADRObj $ADFileName
+            Export-ADRXML -ADRObj $ADRObj -ADFileName $ADFileName
         }
         'JSON'
         {
             $ADFileName  = -join($ADROutputDir,'\','JSON-Files','\',$ADRModuleName,'.json')
-            Export-ADRXML $ADRObj $ADFileName
+            Export-ADRXML -ADRObj $ADRObj -ADFileName $ADFileName
         }
         'HTML'
         {
             $ADFileName  = -join($ADROutputDir,'\','HTML-Files','\',$ADRModuleName,'.html')
-            Export-ADRHTML $ADRObj $ADFileName
+            Export-ADRHTML -ADRObj $ADRObj -ADFileName $ADFileName
         }
     }
 }
@@ -8311,10 +8318,6 @@ Function Get-ADRAbout
     [string]
     Which protocol to use; ADWS (default) or LDAP.
 
-.PARAMETER UseAltCreds
-    [bool]
-    Whether to use provided credentials or not.
-
 .PARAMETER date
     [DateTime]
     Date
@@ -8342,9 +8345,6 @@ Function Get-ADRAbout
         [Parameter(Mandatory = $true)]
         [string] $Protocol,
 
-        [Parameter(Mandatory = $true)]
-        [bool] $UseAltCreds,
-
         [Parameter(Mandatory = $true)]
         [DateTime] $date,
 
@@ -8489,7 +8489,7 @@ Function Invoke-ADRecon
         [bool] $UseAltCreds = $false
     )
 
-    [string] $ADReconVersion = "v180707"
+    [string] $ADReconVersion = "v180708"
     Write-Output "[*] ADRecon $ADReconVersion by Prashant Mahajan (@prashant3535) from Sense of Security."
 
     If ($GenExcel)
@@ -8499,7 +8499,7 @@ Function Invoke-ADRecon
             Write-Output "[Invoke-ADRecon] Invalid Path ... Exiting"
             Return $null
         }
-        Export-ADRExcel $GenExcel
+        Export-ADRExcel -ExcelPath $GenExcel
         Return $null
     }
 
@@ -8809,7 +8809,7 @@ Function Invoke-ADRecon
             }
         }
         $ADROutputDir = $((Convert-Path $ADROutputDir).TrimEnd("\"))
-        Write-Verbose $ADROutputDir
+        Write-Verbose "[*] Output Directory: $ADROutputDir"
     }
     ElseIf ($ADRCreate)
     {
@@ -9200,15 +9200,15 @@ Function Invoke-ADRecon
         Remove-Variable ADRGPOReport
     }
 
-    $TotalTime = "{0:N2}" -f ((Get-DateDiff (Get-Date) $date).TotalMinutes)
+    $TotalTime = "{0:N2}" -f ((Get-DateDiff -Date1 (Get-Date) -Date2 $date).TotalMinutes)
 
-    $AboutADRecon = Get-ADRAbout $Protocol $UseAltCreds $date $ADReconVersion $Credential $RanonComputer $TotalTime
+    $AboutADRecon = Get-ADRAbout -Protocol $Protocol -date $date -ADReconVersion $ADReconVersion -Credential $Credential -RanonComputer $RanonComputer -TotalTime $TotalTime
 
     If ( ($OutputType -Contains "CSV") -or ($OutputType -Contains "XML") -or ($OutputType -Contains "JSON") -or ($OutputType -Contains "HTML") )
     {
         If ($AboutADRecon)
         {
-            Export-ADR $AboutADRecon $ADROutputDir $OutputType "AboutADRecon"
+            Export-ADR -ADRObj $AboutADRecon -ADROutputDir $ADROutputDir -OutputType $OutputType -ADRModuleName "AboutADRecon"
         }
         Write-Output "[*] Total Execution Time (mins): $($TotalTime)"
         Write-Output "[*] Output Directory: $ADROutputDir"

diff --git a/README.md b/README.md
@@ -1,10 +1,11 @@
 # ADRecon: Active Directory Recon [![Follow ADRecon on Twitter](https://img.shields.io/twitter/follow/ad_recon.svg?style=social&label=Follow%20%40ad_recon)](https://twitter.com/intent/user?screen_name=ad_recon "Follow ADRecon on Twitter")
 
-ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis.
-The report can provide a holistic picture of the current state of the target AD environment.
+ADRecon is a tool which extracts and combines various artefacts (as highlighted below) out of an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.
+
 The tool is useful to various classes of security professionals like auditors, DFIR, students, administrators, etc. It can also be an invaluable post-exploitation tool for a penetration tester.
-It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) accounts. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts.
-The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.
+
+It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.
+
 The following information is gathered by the tool:
 
 - Forest;
@@ -16,7 +17,7 @@ The following information is gathered by the tool:
 - Fine Grained Password Policy (if implemented);
 - Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles;
 - Users and their attributes;
-- Service Principal Names;
+- Service Principal Names (SPNs);
 - Groups and memberships;
 - Organizational Units (OUs) and their ACLs;
 - Group Policy Object details;
@@ -25,7 +26,7 @@ The following information is gathered by the tool:
 - Computers and their attributes;
 - LAPS passwords (if implemented);
 - BitLocker Recovery Keys (if implemented); and
-- Domain GPO Report (requires RSAT).
+- GPOReport (requires RSAT).
 
 ADRecon was presented at: [![Black Hat Arsenal Asia 2018](https://github.com/toolswatch/badges/blob/master/arsenal/asia/2018.svg)](https://www.blackhat.com/asia-18/arsenal.html#adrecon-active-directory-recon) - [Slidedeck](https://www.slideshare.net/prashant3535/adrecon-bh-asia-2018-arsenal-presentation)
 
@@ -107,19 +108,22 @@ When you run ADRecon, a `ADRecon-Report-<timestamp>` folder will be created whic
     Path for ADRecon output folder containing the CSV files to generate the ADRecon-Report.xlsx. Use it to generate the ADRecon-Report.xlsx when Microsoft Excel is not installed on the host used to run ADRecon.
 
 -OutputDir <String>
-    Path for ADRecon output folder to save the CSV files and the ADRecon-Report.xlsx. (The folder specified will be created if it doesn't exist) (Default pwd)
+    Path for ADRecon output folder to save the CSV/XML/JSON/HTML files and the ADRecon-Report.xlsx. (The folder specified will be created if it doesn't exist) (Default pwd)
 
 -Collect <String>
-    What attributes to collect (Comma separated; e.g Forest,Domain)
+    Which modules to run (Comma separated; e.g Forest,Domain. Default all)
     Valid values include: Forest, Domain, Trusts, Sites, Subnets, PasswordPolicy, FineGrainedPasswordPolicy, DomainControllers, Users, UserSPNs, Groups, GroupMembers, OUs, OUPermissions, GPOs, GPOReport, DNSZones, Printers, Computers, ComputerSPNs, LAPS, BitLocker.
 
 -OutputType <String>
-    Output Type; Comma seperated; e.g STDOUT,CSV,XML,JSON,HTML,Excel (Default STDOUT with -Collect parameter, else CSV and Excel).
+    Output Type; Comma seperated; e.g CSV,STDOUT,Excel (Default STDOUT with -Collect parameter, else CSV and Excel).
     Valid values include: STDOUT, CSV, XML, JSON, HTML, Excel, All (excludes STDOUT).
 
 -DormantTimeSpan <Int>
     Timespan for Dormant accounts. (Default 90 days)
 
+-PassMaxAge <Int>
+    Maximum machine account password age. (Default 30 days)
+
 -PageSize <Int>
     The PageSize to set for the LDAP searcher object. (Default 200)
 
@@ -133,10 +137,11 @@ When you run ADRecon, a `ADRecon-Report-<timestamp>` folder will be created whic
 ### Future Plans
 
 - Replace System.DirectoryServices.DirectorySearch with System.DirectoryServices.Protocols and add support for LDAP STARTTLS and LDAPS (TCP port 636).
-- Add Domain Trust Enumeration.
-- Gather ACLs for the useraccountcontrol attribute and the ms-mcs-admpwd LAPS attribute to determine which users can read the values.
-- Gather DS_CONTROL_ACCESS and Extended Rights, such as User-Force-Change-Password, DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, etc. which can be used as alternative attack vectors.
-- Additional export and storage option: export to ~STDOUT~, SQLite, ~xml~, ~html~, ~json~.
+- ~~Add Domain Trust Enumeration.~~
+- Add option to filter default ACLs.
+- Gather ACLs for other objects such as Users, Group, etc.
+- Additional export and storage option: export to ~~STDOUT~~, SQLite, ~~xml~~, ~~json~~, ~~html~~.
+- Use the EPPlus library for Excel Report generation and remove the dependency on MS Excel.
 - List issues identified and provide recommended remediation advice based on analysis of the data.
 
 ### Bugs, Issues and Feature Requests