I recently had a client pose an interesting problem. They wanted to move all their thin clients to a separate VLAN. In order to do that, I needed to identify which switch port each was on. Since there were several device vendors involved, I couldn't use the OUI portion of the MAC. Fortunately, they were using only a few patterns in their thin client hostnames, so that gave me an "in".

Great, you say: use "nmap -sn", sweep for the names, get the MAC addresses and map those to switch ports - easy, right? Yup, it would be, except that this won't tell me about any devices that are powered off at the time. Which got me thinking about DNS and DHCP - and how you could use these methods to "mine" Microsoft DHCP and DNS databases for recon info in a much stealthier (and more complete) way than sweeping the network would be.

DNS Approach

We can get part of what we need out of DNS. First, let's dump DNS for all registered IPs:

$dns = Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC01 -Filter "DomainName = 'example.com'" -Credential (Get-Credential)

(the "Get-Credential" cmdlet will prompt you for credentials)

Yes, I know that there are Get-Dns* cmdlets in the newest versions of PowerShell + OS combos (see references), but I haven't gotten to a cmdlet that does as nice a job as the WMI equivalent above ...

Look at what fields we have:

$dns | gm

Name MemberType Definition

Pull out just the two fields we need, the owner name and the IP address:

$dns2 = $dns | Select-Object -property Ownername, ipaddress

or, more elegantly, do these two steps in one:

$dns2 = Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC01 -Filter "DomainName = 'example.com'" -Credential (Get-Credential) | Select-Object -property Ownername, ipaddress

Next, winnow down to just the systems we want:

$ipsofinterest = $dns | where { ($_.Ownername -like "*TP*") -or ($_.Ownername -like "*THIN*") -or ($_.Ownername -like "*THP*") }

$ipsofinterest | foreach { ping -n 2 $_.ipaddress }

Pinging 10.71.32.5 with 32 bytes of data:
Ping statistics for 10.71.32.5:

This last step is pretty kludgy though: you still need to get the ARP entry (from whatever subnet you are pinging), and relate that MAC back to the MACs on the switch - this started to sound like more work than I wanted to take on. Plus it's totally counter to the stealthy approach we want to take in a penetration test. Let's look at the DHCP database instead.

DHCP Approach

DHCP is more attractive for hosts that use DHCP - you'll get the hostname, the IP and the MAC address all in one go. First, dump the scopes from the DHCP server:

Get-DhcpServerv4Scope

ScopeId SubnetMask Name State StartRange EndRange LeaseDuration

Then pull every lease from every scope:

Get-DhcpServerv4Scope | foreach { Get-DhcpServerv4Lease $_.ScopeId -AllLeases }

IPAddress ScopeId ClientId HostName AddressState LeaseExpiryTime

Now filter those leases down to the hostnames we're after:

Get-DhcpServerv4Scope | foreach { Get-DhcpServerv4Lease $_.ScopeId -AllLeases } | where { ($_.hostname -like "*TP*") -or ($_.hostname -like "*THIN*") -or ($_.hostname -like "*THP*") }

Or, even better, do that and just pull the fields we want ...

$targethosts = Get-DhcpServerv4Scope | foreach { Get-DhcpServerv4Lease $_.ScopeId -AllLeases } | where { ($_.hostname -like "*TP*") -or ($_.hostname -like "*THIN*") -or ($_.hostname -like "*THP*") } | select Hostname, IPAddress, Clientid

Hostname IPAddress Clientid

Now we have the hostname, the IP and the MAC. For my ops problem, I'd pull the switch ports using some Python fun or an SNMP tool. However, in a penetration test, you'd have much different uses for this data:
How could you go one better? I have found new target subnets using this approach (*everything* is in DNS!). If you have an especially forward-thinking client, the DHCP cmdlets will work on IPv6 scopes by changing the "4" in the cmdlet name to a "6".

Have you used an approach like this? If so, did you find anything good? Or do you have a better cmdlet to get the DNS info? Please use our comment form to share your experiences.
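Putting the two approaches together, as an added example that is not code from the original diary: the functions below wrap the WMI DNS query and the DhcpServer cmdlets described above, normalize the lease ClientId into a bare MAC for matching against a switch MAC table, and join the two result sets by hostname. Hosts that match the naming patterns in DNS but hold no current lease (the powered-off or statically addressed devices a ping sweep misses) show up with LeaseState "NoLease", and a DNS A record that disagrees with the lease is flagged as stale. The server names DC01 and DHCP01, the zone example.com and the *TP*/*THIN*/*THP* patterns are assumptions carried over from the post; the function names are my own.

```powershell
# Added example, not code from the original diary. Server names, zone and
# hostname patterns are assumptions; the DhcpServer RSAT module is required.
#Requires -Modules DhcpServer

function Get-DnsHostsByPattern {
    param(
        [Parameter(Mandatory)] [string]   $DnsServer,
        [Parameter(Mandatory)] [string]   $Zone,
        [Parameter(Mandatory)] [string[]] $Pattern,
        [pscredential] $Credential
    )
    $wmi = @{
        Class        = 'MicrosoftDNS_AType'
        Namespace    = 'Root\MicrosoftDNS'
        ComputerName = $DnsServer
        Filter       = "DomainName = '$Zone'"
    }
    # Get-WmiObject rejects -Credential for a local connection, so only pass it
    # when the DNS server is remote.
    if ($Credential -and $DnsServer -ne $env:COMPUTERNAME) { $wmi.Credential = $Credential }

    Get-WmiObject @wmi |
        Where-Object { $_.OwnerName -ne $Zone } |   # skip the zone apex A record
        Where-Object {
            $name = $_.OwnerName
            @($Pattern | Where-Object { $name -like $_ }).Count -gt 0
        } |
        Select-Object @{ n = 'HostName';  e = { ($_.OwnerName -split '\.')[0].ToLower() } },
                      @{ n = 'IPAddress'; e = { [string]$_.IPAddress } }
}

function Get-DhcpLeasesByPattern {
    param(
        [Parameter(Mandatory)] [string]   $DhcpServer,
        [Parameter(Mandatory)] [string[]] $Pattern
    )
    Get-DhcpServerv4Scope -ComputerName $DhcpServer |
        ForEach-Object { Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId -AllLeases } |
        Where-Object {
            $name = [string]$_.HostName
            @($Pattern | Where-Object { $name -like $_ }).Count -gt 0
        } |
        ForEach-Object {
            # ClientId is normally the MAC as aa-bb-cc-dd-ee-ff; strip the separators so
            # it can be matched against a switch MAC table. A value that does not reduce
            # to 12 hex digits (a non-standard client identifier) is flagged, not guessed.
            $mac = ($_.ClientId -replace '[^0-9A-Fa-f]', '').ToUpper()
            [pscustomobject]@{
                HostName        = (([string]$_.HostName) -split '\.')[0].ToLower()
                IPAddress       = [string]$_.IPAddress
                MAC             = $mac
                MacLooksValid   = ($mac.Length -eq 12)
                AddressState    = [string]$_.AddressState
                LeaseExpiryTime = $_.LeaseExpiryTime
            }
        }
}

function Compare-DnsDhcpInventory {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $DnsHosts,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $DhcpLeases
    )
    # index leases by short hostname; DNS OwnerName is an FQDN, lease HostName may be either
    $leaseByName = @{}
    foreach ($l in $DhcpLeases) { $leaseByName[$l.HostName] = $l }

    foreach ($h in $DnsHosts) {
        $lease = $leaseByName[$h.HostName]
        [pscustomobject]@{
            HostName   = $h.HostName
            DnsIP      = $h.IPAddress
            DhcpIP     = $(if ($lease) { $lease.IPAddress } else { $null })
            MAC        = $(if ($lease) { $lease.MAC } else { $null })
            LeaseState = $(if ($lease) { $lease.AddressState } else { 'NoLease' })
            # a DNS record that disagrees with the live lease is stale: the host moved
            # or the record was never scavenged
            StaleDns   = [bool]($lease -and $lease.IPAddress -ne $h.IPAddress)
        }
    }
}

# Usage (assumed names): run from a workstation that has the DhcpServer RSAT module.
$patterns = '*TP*', '*THIN*', '*THP*'
$cred     = Get-Credential
$dnsHosts = Get-DnsHostsByPattern -DnsServer DC01 -Zone example.com -Pattern $patterns -Credential $cred
$leases   = Get-DhcpLeasesByPattern -DhcpServer DHCP01 -Pattern $patterns

Compare-DnsDhcpInventory -DnsHosts $dnsHosts -DhcpLeases $leases |
    Sort-Object LeaseState, HostName |
    Format-Table -AutoSize
```

The join is keyed on the short hostname because the WMI OwnerName is always an FQDN while a DHCP lease's HostName may or may not carry the domain suffix. For the VLAN-move problem in the post, the rows with a valid MAC are the ones you can map to switch ports directly; the NoLease rows are the ones a network sweep would have missed entirely, and the StaleDns rows are records worth cleaning up before trusting DNS as an inventory source.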
Rob VandenBrink, ISC Handler, Apr 28th 2016
When trying the DNS Approach:
I'm getting "The RPC server is unavailable" and "InvalidOperation: (:) [Get-WmiObject], COMException" under CategoryInfo

When trying the DHCP Approach:
I'm getting "The term 'Get-DhcpServer4Scope' is not recognized as the name of a cmdlet..."

Both times I used our internal DNS or DHCP server name & domain name.
AAInfoSec, Apr 28th 2016
This is very likely a versioning issue.

The cmdlet links outline the version requirements - you'll likely want to be on Server 2012 or better for these to be there by default. The DHCP examples I ran on the DHCP server, to keep the command line simple. The DNS approach outlined works on my Windows 7 laptop, running the latest/greatest PowerShell - download the Microsoft Management Framework v4.0 to get this, at microsoft.com/en-us/download/…
Rob VandenBrink, ISC Handler, Apr 28th 2016
AAInfoSec ~ I'm getting "The term 'Get-DhcpServer4Scope' is not recognized as the name of a cmdlet..."

Looking at your error, it seems that you are leaving off the 'v' character on that term. The term is Get-DhcpServerv4Scope. There should be a 'v' before the "4Scope".

Hope that helps, SEN7INEL
SEN7INEL, May 2nd 2016