Dumping DNS Records with adidnsdump

Active Directory Integrated DNS Dump (adidnsdump)

GitHub Repository

Installation

python3 -m pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump

Usage Examples

Requires a username and password to work. Outputs to records.csv .

# Show help message
adidnsdump -h

# Dump all records from the domain controller
# Requires a credential, may be a low-level user if default domain settings
adidnsdump -u 'domain.tld\username' -p 'password' -r ldap://dc-ip:389

# Post-compromise through a proxy host
proxychains -q adidnsdump -u 'domain.tld\username' -p 'password' -r --dns-tcp ldap://dc-ip:389

Enumerating Hosts and Identifying the Domain Controllers

LLMNR Poisoning (Internal)

SMB Relay (Internal/External)

IPv6 DNS Spoofing (Internal)

NULL Session Enumeration (Internal/External)

Using Faketime for Ad-Hoc Kerberos Authentication

Kerberos Pre-Auth Username Enumeration

AS-REP Roasting (Internal/External)

Passback Attacks (Internal/External)

PrintNightmare (Internal/External)

NTLM Credential Stuffing (Internal/External)

PowerShell AD Module on Any Domain Host as Any User

Dumping DNS Records with adidnsdump

CrackMapExec

PowerView

BloodHound

Remote Bloodhound

LdapDomainDump

LdapSearch

Enum4Linux

GetADUsers.py

GetUserSPNs.py

Manual Enumeration

Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs

Mimikatz

Dumping Passwords from Windows Credential Manager

Dumping Hashes without Mimikatz

Impacket-Addcomputer

DCSync

Pass the Password

Pass the Hash

Pass the Ticket

Pass the Key

Password & Credential Brute Force

Token Impersonation

Spawn Processes as Other Users

Kerberoasting

Group Policy Preferences (GPP)

PrintNightmare

ZeroLogon

xfreerdp

Dumping DNS Records with adidnsdump

Active Directory Integrated DNS Dump (adidnsdump)

GitHub Repository

Installation

Usage Examples