ADRecon - Tool Which Gathers Information About The Active Directory
ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD environment. The tool is useful to various classes of security professionals like auditors, DIFR, students, administrators, etc. It can also be an invaluable post-exploitation tools for a penetration tester. It can be ran from any workstation that is connected to the environment even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) accounts. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP. The following information is gathered by the tool:
- Forest;
- Domains in the Forest and other attributes such as Sites;
- Domain Password Policy;
- Domain Controllers and their roles;
- Users and their attributes;
- Service Principal Names;
- Groups and and their members;
- Organizational Units and their ACLs;
- Group Policy Object details;
- DNS Zones;
- Printers;
- Computers and their attributes;
- LAPS passwords (if implemented); and
- BitLocker Recovery Keys (if implemented).
Getting Started
These instructions will get you a copy of the tool up and running on your local machine.
Prerequisites
- .NET Framework 3.0 or later (Windows 7 includes 3.0)
- PowerShell 2.0 or later (Windows 7 includes 2.0)
Optional
- Microsoft Excel (to generate the report)
- Remote Server Administration Tools (RSAT):
Installing
If you have git installed, you can start by cloning the repository:
git clone https://github.com/sense-of-security/ADRecon.git
Otherwise, you can download a zip archive of the latest release. The intent is to always keep the master branch in a working state.Usage
Examples
To run ADRecon on a domain member host.
PS C:\> .\ADRecon.ps1
To run ADRecon on a domain member host as a different user.PS C:\>.\ADRecon.ps1 -DomainController -Credential
To run ADRecon on a non-member host using LDAP.PS C:\>.\ADRecon.ps1 -Protocol LDAP -DomainController -Credential
To run ADRecon with specific modules on a non-member host with RSAT.PS C:\>.\ADRecon.ps1 -Protocol ADWS -DomainController -Credential -Collect Domian, DCs
To generate the ADRecon-Report.xlsx based on ADRecon output.PS C:\>.\ADRecon.ps1 -GenExcel C:\ADRecon-Report-
When you run ADRecon, a ADRecon-Report-
folder will be created which will contain ADRecon-Report.xlsx and CSV-Folder with the raw files.Parameters
-Protocol
Which protocol to use; ADWS (default) or LDAP
-DomainController
Domain Controller IP Address or Domain FQDN.
-Credential
Domain Credentials.
-GenExcel
Path for ADRecon output folder containing the CSV files to generate the ADRecon-Report.xlsx. Use it to generate the ADRecon-Report.xlsx when Microsoft Excel is not installed on the host used to run ADRecon.
-Collect
What attributes to collect (Comma separated; e.g Forest,Domain)
Valid values include: Forest, Domain, PasswordPolicy, DCs, Users, UserSPNs, Groups, GroupMembers, OUs, OUPermissions, GPOs, DNSZones, Printers, Computers, ComputerSPNs, LAPS, BitLocker.
-DormantTimeSpan
Timespan for Dormant accounts.
-PageSize
The PageSize to set for the LDAP searcher object. (Default 200)
-Threads
The number of threads to use during processing objects (Default 10)
-FlushCount
The number of processed objects which will be flushed to disk. (Default -1 - Flush after all objects are processed).
Future Plans
- Replace System.DirectoryServices.DirectorySearch with System.DirectoryServices.Protocols and add support for LDAP STARTTLS and LDAPS (TCP port 636).
- Add Domain Trust Enumeration.
- Gather ACLs for the useraccountcontrol attribute and the ms-mcs-admpwd LAPS attribute to determine which users can read the values.
- Gather DS_CONTROL_ACCESS and Extended Rights, such as User-Force-Change-Password, DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, etc. which can be used as alternative attack vectors.
- Additional export and storage option: export to STDOUT, SQLite, xml, html.
- List issues identified and provide recommended remediation advice based on analysis of the data.