One Article Review

Home - The article:
Source: SANS Institute
Identifier: 877
Publication date: 2016-04-28 01:08:46 (viewed: 2016-04-28 01:08:46)
Title: DNS and DHCP Recon using Powershell, (Thu, Apr 28th)
Text: I recently had a client pose an interesting problem. They wanted to move all their thin clients to a separate VLAN. In order to do that, I needed to identify which switch port each was on. Since there were several device vendors involved, I couldn't use the OUI portion of the MAC. Fortunately, they were using only a few patterns in their thin client hostnames, so that gives me an in.

Great, you say, use nmap -sn, sweep for the names, get the MAC addresses and map those to switch ports - easy, right? Yup, it would be, except that this won't tell me about any devices that are powered off at the time. Which got me thinking about DNS and DHCP - and how you could use these methods to mine Microsoft DHCP and DNS databases for recon info in a much stealthier (and more complete) way than sweeping the network would be.

DNS Approach

We can get part of what we need out of DNS - first, let's pull the A records for the zone:

    $dns = Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC01 -Filter "DomainName = 'example.com'" -Credential (Get-Credential)

(the Get-Credential cmdlet will prompt you for credentials)

Yes, I know that there are Get-Dns* cmdlets in the newest versions of PowerShell + OS combos (see references), but I haven't ...

The objects that come back look like this:

    Name                                 MemberType     Definition
    ----                                 ----------     ----------
    PSComputerName                       AliasProperty  PSComputerName = __SERVER
    CreateInstanceFromTextRepresentation Method         System.Management.ManagementBaseObject CreateInstanceFromTextRepresentation(System.String DnsServerName, System.Strin...
    GetObjectByTextRepresentation        Method         System.Management.ManagementBaseObject GetObjectByTextRepresentation(System.String DnsServerName, System.String Conta...
    Modify                               Method         System.Management.ManagementBaseObject Modify(System.UInt32 TTL, System.String IPAddress)
    Caption                              Property
    ContainerName                        Property
    Description                          Property
    DnsServerName                        Property
    DomainName                           Property
    InstallDate                          Property
    IPAddress                            Property
    Name                                 Property
    OwnerName                            Property
    RecordClass                          Property
    RecordData                           Property
    Status                               Property
    TextRepresentation                   Property
    Timestamp                            Property
    TTL                                  Property
    __CLASS                              Property
    __DERIVATION                         Property
    __DYNASTY                            Property
    __GENUS                              Property
    __NAMESPACE                          Property
    __PATH                               Property
    __PROPERTY_COUNT                     Property
    __RELPATH                            Property
    __SERVER                             Property
    __SUPERCLASS                         Property
    ConvertFromDateTime                  ScriptMethod
    ConvertToDateTime                    ScriptMethod

Let's ...

    $dns2 = Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC01 -Filter "DomainName = 'example.com'" -Credential (Get-Credential)

    $ipsofinterest = $dns | where { ($_.OwnerName -like "*TP*") -or ($_.OwnerName -like "*THIN*") -or ($_.OwnerName -like "*THP*") }
    $ipsofinterest

    Ownername            ipaddress
    ---------            ---------
    THP-01.example.com   10.71.32.5
    THP-02.example.com   10.71.32.13
    THP-03.example.com   10.71.32.23
    THP-05.example.com   10.71.32.21
    THP-07.example.com   10.71.4.18
    THP-08.example.com   10.71.4.17

Finally, what we really want is the MAC addresses and switch ports. Ping the IPs, and while that's ...

    Ping statistics for 10.71.32.5:
        Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 44ms, Maximum = 44ms, Average = 44ms

This last thing is pretty kludgy though: you still need to get the ARP entry (from whatever subnet you are pinging) and relate that MAC back to the MACs on the switch - this started to sound like more work than I wanted to take on. Plus it's totally counter to the stealthy approach we want to take in a penetration test. Let's look at the DHCP database instead:

DHCP Approach

DHCP is more attractive for hosts that use DHCP - you'll ...

    ScopeId  SubnetMask  Name  State  StartRange  EndRange  LeaseDuration
    -------  ----------  ----  -----  ----------  --------
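Picking up where the DHCP section above breaks off, here is an added example of my own (not the diary's code) that builds the inventory the diary is after: the zone's A records and the DHCP leases joined on IP address, so a thin client that is powered off still shows up with its MAC from the lease. It assumes DC01 serves both DNS and DHCP, that the DhcpServer PowerShell module is installed where this runs, and that the hostname patterns are the ones the diary filtered on.

```powershell
# Added example, not the diary's code: thin-client inventory (name, IP, MAC) from the DNS zone
# plus the DHCP leases, so devices that are powered off still appear. Assumptions: DC01 is both
# the DNS and DHCP server, the DhcpServer module is installed, patterns are the diary's.
param(
    [string]$DnsServer  = 'DC01',
    [string]$DhcpServer = 'DC01',
    [string]$Zone       = 'example.com',
    [string[]]$Patterns = @('*TP*', '*THIN*', '*THP*')
)

$cred = Get-Credential

function Test-ThinClientName([string]$Name) {
    foreach ($p in $Patterns) { if ($Name -like $p) { return $true } }
    return $false
}

# 1. A records for the zone via the MicrosoftDNS WMI provider (the same query the diary uses).
$dnsRecords = Get-WmiObject -Class MicrosoftDNS_AType -Namespace Root\MicrosoftDNS `
    -ComputerName $DnsServer -Credential $cred -Filter "DomainName = '$Zone'"

# 2. Leases and reservations from every v4 scope; ClientId carries the MAC address.
$leases = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
    ForEach-Object { Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId }
$leaseByIp = @{}
foreach ($l in $leases) { $leaseByIp["$($l.IPAddress)"] = $l }

# 3. Join on IP: name from DNS, MAC and lease state from DHCP.
$inventory = @(
    foreach ($r in $dnsRecords) {
        if (-not (Test-ThinClientName $r.OwnerName)) { continue }
        $l = $leaseByIp[$r.IPAddress]
        [pscustomobject]@{
            HostName     = $r.OwnerName
            IPAddress    = $r.IPAddress
            MAC          = $l.ClientId        # $null when there is no lease (static address?)
            AddressState = $l.AddressState
            LeaseExpires = $l.LeaseExpiryTime
        }
    }
    # DHCP clients whose name matches but that have no A record (e.g. scavenged) still count.
    foreach ($l in $leases) {
        $ip = "$($l.IPAddress)"
        if ((Test-ThinClientName $l.HostName) -and -not ($dnsRecords.IPAddress -contains $ip)) {
            [pscustomobject]@{ HostName = $l.HostName; IPAddress = $ip; MAC = $l.ClientId
                               AddressState = $l.AddressState; LeaseExpires = $l.LeaseExpiryTime }
        }
    }
)
$inventory | Sort-Object HostName | Format-Table -AutoSize
```

The MAC column is what the VLAN move needs for the switch-port lookup; rows with an empty MAC are hosts that have an A record but no lease, which usually means a static address.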
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.