TL;DR: I’ve written a Windows Domain Enumeration Tool, you can get it from here: https://bitbucket.org/grimhacker/nettynum.
Enumerating information from the Windows Domain is nothing new and has been quite extensively covered in books, blog posts and academic papers.
So what is the point of this post, you ask? To release my first tool to the community!
There are a lot of very good tools to extract information from the Windows Domain, some of which have been especially created for use by Penetration Testers while others were created for administration.
However, when on tests there are a lot of things that I need to be doing, and taking the output of one tool and feeding it into another is not one of them. I wanted a tool that I could set running with no prior information and have it find everything it could about the Windows Domain, including the Domain Name, Domain Controllers, Domain Groups, Domain Admins, and Accounts Policies. In other words:
“Replace myself with a small shell script.”
This led me to create Nettynum, a Python script that automates enumeration of information from the Windows Domain, written for my final year project at Northumbria University. It currently uses pywin32 to access the Windows API functions and is therefore a Windows-only tool – but I have plans to address this.
For those interested, all 190 pages of my dissertation, including UML diagrams, can be found here: ‘Oliver Morton Individual Project Nettynum’.
It was accompanied by the first version of Nettynum (those au fait with git can check out the first commit in the main branch of the BitBucket repository).
The automated domain enumeration option will:
- Discover the NetBIOS and DNS style domain names on the network.
- Discover the domain controllers for these domains (IP address, NetBIOS name, and DNS name).
- Authenticate to the domain controller (with a NULL session by default).
- Enumerate a List of Domain Groups (and their comment).
- Enumerate the members of groups whose name matches a regular expression (.*admin.* by default).
- Also attempt to enumerate the members of certain groups (“Domain Admins” and “Enterprise Admins” by default) regardless of whether they appeared in the list of groups. This works around the 100-group limit of the Windows API group listing.
- For each of the discovered users, enumerate the account information (including comment, whether it is disabled, SID, Bad Password Count, Password Age, and more).
- Enumerate the groups of which these users are a member. (At the time of writing I am not aware of another tool that does this.)
- Enumerate the Accounts Policies (Lockout Threshold, Duration and Observation Window, Minimum/Maximum Password Age, Minimum Password Length, and Password History Length).
- Deauthenticate from the domain controller.
- Output this information as an XML file (so it can be easily parsed by other tools [I have ideas, watch this space]) with a style sheet applied (so that the file can be opened in a browser and read easily by a human).
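As an added illustration of the group selection and reporting steps above (my own example code, not Nettynum's): it assumes the pywin32 enumeration stage has already produced the group listing and membership data, which here are constructed samples, and it uses XML element names of its own rather than Nettynum's schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data standing in for the pywin32 enumeration stage
# (not real domain output). The group listing deliberately omits
# "Enterprise Admins" to mimic a listing truncated by the 100-group limit.
LISTED_GROUPS = {"Domain Users": "All domain users",
                 "Domain Admins": "Designated administrators",
                 "Server Admins": "Manages member servers",
                 "Marketing": ""}
MEMBERS = {"Domain Admins": ["alice"], "Server Admins": ["bob", "alice"],
           "Enterprise Admins": ["alice"], "Domain Users": ["alice", "bob"]}
POLICY = {"lockout_threshold": 5, "min_password_length": 8}

DEFAULT_PATTERN = r".*admin.*"
ALWAYS_CHECK = ("Domain Admins", "Enterprise Admins")


def select_groups(listed, pattern=DEFAULT_PATTERN, always=ALWAYS_CHECK):
    """Groups whose members get enumerated: regex matches from the listing
    plus the always-checked names even when the listing omitted them.
    Case-insensitive matching is an assumption, not stated in the post."""
    regex = re.compile(pattern, re.IGNORECASE)
    chosen = [g for g in listed if regex.fullmatch(g)]
    chosen += [g for g in always if g not in chosen]
    return chosen


def groups_per_user(chosen, members):
    """Invert group->members into user->groups for the selected groups."""
    out = {}
    for g in chosen:
        for user in members.get(g, []):
            out.setdefault(user, []).append(g)
    return out


def build_report(domain, listed, chosen, members, policy):
    """Assemble the XML report with a stylesheet PI so a browser renders it.
    Element and attribute names here are hypothetical, not Nettynum's."""
    root = ET.Element("domain", name=domain)
    for g, comment in listed.items():
        ET.SubElement(root, "group", name=g, comment=comment)
    for user, groups in sorted(groups_per_user(chosen, members).items()):
        u = ET.SubElement(root, "user", name=user)
        for g in groups:
            ET.SubElement(u, "memberof", group=g)
    pol = ET.SubElement(root, "policy")
    for key, value in policy.items():
        pol.set(key, str(value))
    return ('<?xml version="1.0"?>\n'
            '<?xml-stylesheet type="text/xsl" href="nettynum.xsl"?>\n'
            + ET.tostring(root, encoding="unicode"))
```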
So in short, if the domain controller has NULL sessions enabled, this:
python nettynum.py -A
Results in this:
There is also an automated option for ‘local’ enumeration which discovers hosts and then proceeds to enumerate information on a ‘local’ level before generating a report.
Nettynum also offers targeting options to limit the scope to specified Domain Names, Domain Controllers, or Groups. It also allows the user to specify authentication credentials, or will use a previously established session with the host (and leave it intact afterwards).
Finally there is also a ‘manual’ mode which allows the user to specify a particular category of information to enumerate but requires prerequisite information to be provided.
Where to get it: clone or download from BitBucket: https://bitbucket.org/grimhacker/nettynum
Dependencies and usage are in the README file.
I have no doubt that there are bugs hiding in the code, partly due to the nightmare that is Windows documentation and partly because of my mediocre programming skills, so if you find any please let me know!
As always, if you have any comments or suggestions please feel free to get in touch.