├── .gitattributes
├── Outflank-Recon-AD
├── Recon-AD-SPNs.dll
├── Recon-AD-Users.dll
├── Recon-AD-Domain.dll
├── Recon-AD-Groups.dll
├── Recon-AD-Computers.dll
├── Recon-AD-LocalGroups.dll
├── Recon-AD-AllLocalGroups.dll
└── Recon-AD.cna
├── Src
├── Recon-AD-SPNs
│ ├── Recon-AD-SPNs
│ │ ├── Recon-AD-SPNs.vcxproj.user
│ │ ├── Recon-AD-SPNs.vcxproj.filters
│ │ ├── ReflectiveDLLInjection.h
│ │ ├── Recon-AD-SPNs.vcxproj
│ │ └── ReflectiveLoader.h
│ └── Recon-AD-SPNs.sln
├── Recon-AD-Users
│ ├── Recon-AD-Users
│ │ ├── Recon-AD-Users.vcxproj.user
│ │ ├── Recon-AD-Users.vcxproj.filters
│ │ ├── ReflectiveDLLInjection.h
│ │ ├── Recon-AD-Users.vcxproj
│ │ ├── ReflectiveLoader.h
│ │ └── ReflectiveDll.cpp
│ └── Recon-AD-Users.sln
├── Recon-AD-Domain
│ ├── Recon-AD-Domain
│ │ ├── Recon-AD-Domain.vcxproj.user
│ │ ├── Recon-AD-Domain.vcxproj.filters
│ │ ├── ReflectiveDLLInjection.h
│ │ ├── ReflectiveDll.cpp
│ │ ├── Recon-AD-Domain.vcxproj
│ │ └── ReflectiveLoader.h
│ └── Recon-AD-Domain.sln
├── Recon-AD-Groups
│ ├── Recon-AD-Groups
│ │ ├── Recon-AD-Groups.vcxproj.user
│ │ ├── Recon-AD-Groups.vcxproj.filters
│ │ ├── ReflectiveDLLInjection.h
│ │ ├── Recon-AD-Groups.vcxproj
│ │ ├── ReflectiveLoader.h
│ │ └── ReflectiveDll.cpp
│ └── Recon-AD-Groups.sln
├── Recon-AD-Computers
│ ├── Recon-AD-Computers
│ │ ├── Recon-AD-Computers.vcxproj.user
│ │ ├── Recon-AD-Computers.vcxproj.filters
│ │ ├── ReflectiveDLLInjection.h
│ │ ├── Recon-AD-Computers.vcxproj
│ │ ├── ReflectiveLoader.h
│ │ └── ReflectiveDll.cpp
│ └── Recon-AD-Computers.sln
├── Recon-AD-LocalGroups
│ ├── Recon-AD-LocalGroups
│ │ ├── Recon-AD-LocalGroups.vcxproj.user
│ │ ├── Recon-AD-LocalGroups.vcxproj.filters
│ │ ├── ReflectiveDLLInjection.h
│ │ ├── Recon-AD-LocalGroups.vcxproj
│ │ ├── ReflectiveDll.cpp
│ │ └── ReflectiveLoader.h
│ └── Recon-AD-LocalGroups.sln
└── Recon-AD-AllLocalGroups
│ ├── Recon-AD-AllLocalGroups
│ ├── Recon-AD-AllLocalGroups.vcxproj.user
│ ├── Recon-AD-AllLocalGroups.vcxproj.filters
│ ├── ReflectiveDLLInjection.h
│ ├── Recon-AD-AllLocalGroups.vcxproj
│ ├── ReflectiveLoader.h
│ └── ReflectiveDll.cpp
│ └── Recon-AD-AllLocalGroups.sln
└── README.md
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
--------------------------------------------------------------------------------
/Outflank-Recon-AD/Recon-AD-SPNs.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/outflanknl/Recon-AD/HEAD/Outflank-Recon-AD/Recon-AD-SPNs.dll
--------------------------------------------------------------------------------
/Outflank-Recon-AD/Recon-AD-Users.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/outflanknl/Recon-AD/HEAD/Outflank-Recon-AD/Recon-AD-Users.dll
--------------------------------------------------------------------------------
/Outflank-Recon-AD/Recon-AD-Domain.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/outflanknl/Recon-AD/HEAD/Outflank-Recon-AD/Recon-AD-Domain.dll
--------------------------------------------------------------------------------
/Outflank-Recon-AD/Recon-AD-Groups.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/outflanknl/Recon-AD/HEAD/Outflank-Recon-AD/Recon-AD-Groups.dll
--------------------------------------------------------------------------------
/Outflank-Recon-AD/Recon-AD-Computers.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/outflanknl/Recon-AD/HEAD/Outflank-Recon-AD/Recon-AD-Computers.dll
--------------------------------------------------------------------------------
/Outflank-Recon-AD/Recon-AD-LocalGroups.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/outflanknl/Recon-AD/HEAD/Outflank-Recon-AD/Recon-AD-LocalGroups.dll
--------------------------------------------------------------------------------
/Outflank-Recon-AD/Recon-AD-AllLocalGroups.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/outflanknl/Recon-AD/HEAD/Outflank-Recon-AD/Recon-AD-AllLocalGroups.dll
--------------------------------------------------------------------------------
/Src/Recon-AD-SPNs/Recon-AD-SPNs/Recon-AD-SPNs.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Users/Recon-AD-Users/Recon-AD-Users.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Domain/Recon-AD-Domain/Recon-AD-Domain.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Groups/Recon-AD-Groups/Recon-AD-Groups.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Computers/Recon-AD-Computers/Recon-AD-Computers.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/Recon-AD-LocalGroups.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Src/Recon-AD-SPNs/Recon-AD-SPNs.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Express 14 for Windows Desktop
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Recon-AD-SPNs", "Recon-AD-SPNs\Recon-AD-SPNs.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
17 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
18 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
19 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
20 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
21 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
23 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Src/Recon-AD-SPNs/Recon-AD-SPNs/Recon-AD-SPNs.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Users/Recon-AD-Users/Recon-AD-Users.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Domain/Recon-AD-Domain/Recon-AD-Domain.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Groups/Recon-AD-Groups/Recon-AD-Groups.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Users/Recon-AD-Users.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Express 14 for Windows Desktop
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Recon-AD-Users", "Recon-AD-Users\Recon-AD-Users.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
17 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
18 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
19 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
20 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
21 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
23 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Domain/Recon-AD-Domain.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Express 14 for Windows Desktop
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Recon-AD-Domain", "Recon-AD-Domain\Recon-AD-Domain.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
17 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
18 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
19 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
20 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
21 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
23 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Groups/Recon-AD-Groups.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Express 14 for Windows Desktop
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Recon-AD-Groups", "Recon-AD-Groups\Recon-AD-Groups.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
17 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
18 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
19 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
20 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
21 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
23 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Computers/Recon-AD-Computers/Recon-AD-Computers.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/Recon-AD-LocalGroups.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Computers/Recon-AD-Computers.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Express 14 for Windows Desktop
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Recon-AD-Computers", "Recon-AD-Computers\Recon-AD-Computers.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
17 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
18 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
19 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
20 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
21 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
23 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.28307.852
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Recon-AD-LocalGroups", "Recon-AD-LocalGroups\Recon-AD-LocalGroups.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
17 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
18 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
19 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
20 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
21 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
23 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {ACBE159D-66DD-4330-B464-35D40C540652}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.28307.852
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Recon-AD-AllLocalGroups", "Recon-AD-AllLocalGroups\Recon-AD-AllLocalGroups.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
17 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
18 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
19 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
20 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
21 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
23 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {ACBE159D-66DD-4330-B464-35D40C540652}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Recon-AD, an AD recon tool based on ADSI and reflective DLLs
2 | New monitoring and defense optics are being applied within Microsoft operating systems and security products. This should help defenders in detecting malicious behavior within their environments. While PowerShell has long been very popular for post exploitation, now it’s something attackers try to avoid. .NET is the current hype for offensive tradecraft, but Microsoft is rapidly developing new measures by adding optics to catch malicious behavior on this platform.
3 |
4 | As a proof of concept, we developed a C/C++ Active Directory reconnaissance tool based on ADSI and reflective DLLs which can be used within Cobalt Strike. The tool is called “Recon-AD” and at this moment consists of seven reflective DLLs and a corresponding aggressor script. This tool should help you move away from PowerShell and .NET when enumerating Active Directory and help you stay under the radar of the latest monitoring and defense technologies being applied within modern environments.
5 |
6 | More information about the techniques used can be found in the following blog post:
7 | https://outflank.nl/blog/2019/10/20/red-team-tactics-active-directory-recon-using-adsi-and-reflective-dlls/
8 |
9 | ## The following functionality is included in the toolkit:
10 |
11 | ```
12 | Recon-AD-Domain: to enumerate domain information (e.g. domain name, GUID, site name, password policy, DC list).
13 | Recon-AD-Users: to query for user objects and corresponding attributes.
14 | Recon-AD-Groups: to query for group objects and corresponding attributes.
15 | Recon-AD-Computers: to query for computer objects and corresponding attributes.
16 | Recon-AD-SPNs: to query for user objects with Service Principal Names (SPN) configured and display useful attributes.
17 | Recon-AD-AllLocalGroups: to query a computer for all local groups and group-members.
18 | Recon-AD-LocalGroups: to query a computer for specific local groups and group-members (default Administrators group).
19 | ```
20 |
21 | ## Usage:
22 |
23 | ```
24 | Download the Outflank-Recon-AD folder and load the Recon-AD.cna script within the Cobalt Strike Script Manager.
25 | Use the Beacon help command to display syntax information.
26 | ```
27 |
28 | ```
29 | This project is written in C/C++
30 | You can use Visual Studio to compile the reflective DLLs from source.
31 | ```
32 |
33 | ## Credits
34 | Author: Cornelis de Plaa (@Cneelis) / Outflank
35 |
36 | Shout out to: Stan Hegt (@StanHacked) and all my other great colleagues at Outflank
--------------------------------------------------------------------------------
/Src/Recon-AD-SPNs/Recon-AD-SPNs/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
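#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
// Declarations shared between the reflective loader and the DLL body. Everything below relies on
// Windows SDK types (UINT_PTR, DWORD64, DWORD, WORD, BYTE, ULONG_PTR, BOOL, HINSTANCE, LPVOID) and
// the WINAPI calling convention, so this header is Windows-only by construction.
#define WIN32_LEAN_AND_MEAN   // keep windows.h small; nothing here needs the excluded subsystems
#include <windows.h>          // provides the SDK types and WINAPI/__declspec used below

// we declare some common stuff in here...

// Custom value intended for the DWORD reason argument of a DllMain-style entry point (see the
// DLLMAIN typedef below). It lies outside the standard DLL_PROCESS_*/DLL_THREAD_* codes (0-3) so it
// cannot be confused with a normal attach/detach notification; the code that sends and handles it
// lives outside this header.
#define DLL_QUERY_HMODULE 6

// Typed reads through an arbitrary address: DEREF(p) yields the pointer-sized word at p, the
// suffixed variants the 64/32/16/8-bit value. Each expansion is an lvalue, so assignment through
// the macro works. The expansion is parenthesised so that a postfix operator or subscript written
// after the macro (e.g. DEREF_8(p)++) applies to the dereferenced value rather than to the cast
// pointer - without the parentheses the cast binds looser than the postfix operator.
#define DEREF( name )    (*(UINT_PTR *)(name))
#define DEREF_64( name ) (*(DWORD64 *)(name))
#define DEREF_32( name ) (*(DWORD *)(name))
#define DEREF_16( name ) (*(WORD *)(name))
#define DEREF_8( name )  (*(BYTE *)(name))

// Function-pointer type for a reflective loader entry point: no arguments, pointer-sized result.
typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
// Function-pointer type for a DllMain-shaped entry point: (HINSTANCE module, DWORD reason, LPVOID reserved).
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

// Export marker for functions that must be visible from outside the DLL without a .def file.
#define DLLEXPORT __declspec( dllexport )

//===============================================================================================//
#endif
//===============================================================================================//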
52 |
53 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Users/Recon-AD-Users/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
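#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
// Declarations shared between the reflective loader and the DLL body. Everything below relies on
// Windows SDK types (UINT_PTR, DWORD64, DWORD, WORD, BYTE, ULONG_PTR, BOOL, HINSTANCE, LPVOID) and
// the WINAPI calling convention, so this header is Windows-only by construction.
#define WIN32_LEAN_AND_MEAN   // keep windows.h small; nothing here needs the excluded subsystems
#include <windows.h>          // provides the SDK types and WINAPI/__declspec used below

// we declare some common stuff in here...

// Custom value intended for the DWORD reason argument of a DllMain-style entry point (see the
// DLLMAIN typedef below). It lies outside the standard DLL_PROCESS_*/DLL_THREAD_* codes (0-3) so it
// cannot be confused with a normal attach/detach notification; the code that sends and handles it
// lives outside this header.
#define DLL_QUERY_HMODULE 6

// Typed reads through an arbitrary address: DEREF(p) yields the pointer-sized word at p, the
// suffixed variants the 64/32/16/8-bit value. Each expansion is an lvalue, so assignment through
// the macro works. The expansion is parenthesised so that a postfix operator or subscript written
// after the macro (e.g. DEREF_8(p)++) applies to the dereferenced value rather than to the cast
// pointer - without the parentheses the cast binds looser than the postfix operator.
#define DEREF( name )    (*(UINT_PTR *)(name))
#define DEREF_64( name ) (*(DWORD64 *)(name))
#define DEREF_32( name ) (*(DWORD *)(name))
#define DEREF_16( name ) (*(WORD *)(name))
#define DEREF_8( name )  (*(BYTE *)(name))

// Function-pointer type for a reflective loader entry point: no arguments, pointer-sized result.
typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
// Function-pointer type for a DllMain-shaped entry point: (HINSTANCE module, DWORD reason, LPVOID reserved).
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

// Export marker for functions that must be visible from outside the DLL without a .def file.
#define DLLEXPORT __declspec( dllexport )

//===============================================================================================//
#endif
//===============================================================================================//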
52 |
53 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Domain/Recon-AD-Domain/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
// Common definitions shared by the reflective loader and the DLL that carries it.

// Keep the Windows header set minimal for every translation unit that includes this file.
#define WIN32_LEAN_AND_MEAN
// NOTE(review): the include target was lost in this listing; presumably <windows.h>, which the
// WINAPI / HINSTANCE / DWORD / ULONG_PTR names used below require.
#include

// we declare some common stuff in here...

// Custom dwReason value handed to DllMain in addition to the standard DLL_PROCESS_* /
// DLL_THREAD_* codes. The DLL answers it by writing its module base (hAppInstance) through
// lpReserved; see the DLL_QUERY_HMODULE case in ReflectiveDll.cpp.
#define DLL_QUERY_HMODULE 6

// Read an unsigned value of the given width from the address held in 'name'.
// DEREF uses the pointer-sized UINT_PTR; the suffixed variants fix the width explicitly.
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)

// Function-pointer type for the reflective loader routine: takes no arguments, returns a ULONG_PTR.
typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
// Function-pointer type matching the DllMain signature (hinstDLL, dwReason, lpReserved).
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

// Marks a symbol for export from the DLL.
#define DLLEXPORT __declspec( dllexport )

//===============================================================================================//
#endif
51 | //===============================================================================================//
52 |
53 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Groups/Recon-AD-Groups/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
// Common definitions shared by the reflective loader and the DLL that carries it.

// Keep the Windows header set minimal for every translation unit that includes this file.
#define WIN32_LEAN_AND_MEAN
// NOTE(review): the include target was lost in this listing; presumably <windows.h>, which the
// WINAPI / HINSTANCE / DWORD / ULONG_PTR names used below require.
#include

// we declare some common stuff in here...

// Custom dwReason value handed to DllMain in addition to the standard DLL_PROCESS_* /
// DLL_THREAD_* codes. The DLL answers it by writing its module base (hAppInstance) through
// lpReserved; see the DLL_QUERY_HMODULE case in ReflectiveDll.cpp.
#define DLL_QUERY_HMODULE 6

// Read an unsigned value of the given width from the address held in 'name'.
// DEREF uses the pointer-sized UINT_PTR; the suffixed variants fix the width explicitly.
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)

// Function-pointer type for the reflective loader routine: takes no arguments, returns a ULONG_PTR.
typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
// Function-pointer type matching the DllMain signature (hinstDLL, dwReason, lpReserved).
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

// Marks a symbol for export from the DLL.
#define DLLEXPORT __declspec( dllexport )

//===============================================================================================//
#endif
51 | //===============================================================================================//
52 |
53 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Computers/Recon-AD-Computers/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
// Common definitions shared by the reflective loader and the DLL that carries it.

// Keep the Windows header set minimal for every translation unit that includes this file.
#define WIN32_LEAN_AND_MEAN
// NOTE(review): the include target was lost in this listing; presumably <windows.h>, which the
// WINAPI / HINSTANCE / DWORD / ULONG_PTR names used below require.
#include

// we declare some common stuff in here...

// Custom dwReason value handed to DllMain in addition to the standard DLL_PROCESS_* /
// DLL_THREAD_* codes. The DLL answers it by writing its module base (hAppInstance) through
// lpReserved; see the DLL_QUERY_HMODULE case in ReflectiveDll.cpp.
#define DLL_QUERY_HMODULE 6

// Read an unsigned value of the given width from the address held in 'name'.
// DEREF uses the pointer-sized UINT_PTR; the suffixed variants fix the width explicitly.
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)

// Function-pointer type for the reflective loader routine: takes no arguments, returns a ULONG_PTR.
typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
// Function-pointer type matching the DllMain signature (hinstDLL, dwReason, lpReserved).
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

// Marks a symbol for export from the DLL.
#define DLLEXPORT __declspec( dllexport )

//===============================================================================================//
#endif
51 | //===============================================================================================//
52 |
53 |
--------------------------------------------------------------------------------
/Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
// Common definitions shared by the reflective loader and the DLL that carries it.

// Keep the Windows header set minimal for every translation unit that includes this file.
#define WIN32_LEAN_AND_MEAN
// NOTE(review): the include target was lost in this listing; presumably <windows.h>, which the
// WINAPI / HINSTANCE / DWORD / ULONG_PTR names used below require.
#include

// we declare some common stuff in here...

// Custom dwReason value handed to DllMain in addition to the standard DLL_PROCESS_* /
// DLL_THREAD_* codes. The DLL answers it by writing its module base (hAppInstance) through
// lpReserved; see the DLL_QUERY_HMODULE case in ReflectiveDll.cpp.
#define DLL_QUERY_HMODULE 6

// Read an unsigned value of the given width from the address held in 'name'.
// DEREF uses the pointer-sized UINT_PTR; the suffixed variants fix the width explicitly.
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)

// Function-pointer type for the reflective loader routine: takes no arguments, returns a ULONG_PTR.
typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
// Function-pointer type matching the DllMain signature (hinstDLL, dwReason, lpReserved).
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

// Marks a symbol for export from the DLL.
#define DLLEXPORT __declspec( dllexport )

//===============================================================================================//
#endif
51 | //===============================================================================================//
52 |
53 |
--------------------------------------------------------------------------------
/Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
// Common definitions shared by the reflective loader and the DLL that carries it.

// Keep the Windows header set minimal for every translation unit that includes this file.
#define WIN32_LEAN_AND_MEAN
// NOTE(review): the include target was lost in this listing; presumably <windows.h>, which the
// WINAPI / HINSTANCE / DWORD / ULONG_PTR names used below require.
#include

// we declare some common stuff in here...

// Custom dwReason value handed to DllMain in addition to the standard DLL_PROCESS_* /
// DLL_THREAD_* codes. The DLL answers it by writing its module base (hAppInstance) through
// lpReserved; see the DLL_QUERY_HMODULE case in ReflectiveDll.cpp.
#define DLL_QUERY_HMODULE 6

// Read an unsigned value of the given width from the address held in 'name'.
// DEREF uses the pointer-sized UINT_PTR; the suffixed variants fix the width explicitly.
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)

// Function-pointer type for the reflective loader routine: takes no arguments, returns a ULONG_PTR.
typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
// Function-pointer type matching the DllMain signature (hinstDLL, dwReason, lpReserved).
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

// Marks a symbol for export from the DLL.
#define DLLEXPORT __declspec( dllexport )

//===============================================================================================//
#endif
51 | //===============================================================================================//
52 |
53 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Domain/Recon-AD-Domain/ReflectiveDll.cpp:
--------------------------------------------------------------------------------
// Force the wide-character build of the Win32 / NetAPI calls used below (LPTSTR becomes a wide
// string, wprintf output is used throughout), independent of the project's character-set setting.
#undef _UNICODE
#define _UNICODE
#undef UNICODE
#define UNICODE

#include "ReflectiveLoader.h"
// NOTE(review): the targets of the system includes below were lost in this listing. DllMain in
// this file uses DsGetDcName/DsGetDcOpen/DsGetDcNext/DsGetDcClose, NetUserModalsGet /
// NetApiBufferFree, CoCreateGuid/StringFromCLSID/CoTaskMemFree, LocalFree and wprintf/fflush.
#include
#include
#include
#include
#include
#include
#include

// Netapi32 provides the DsGetDc* and Net* calls; Ws2_32 is pulled in presumably for the
// SOCKET_ADDRESS array that DsGetDcNext returns.
#pragma comment(lib, "Ws2_32.lib")
#pragma comment(lib, "Netapi32.lib")

// DsGetDcOpen flag, defined locally here: makes DsGetDcNext report ERROR_FILEMARK_DETECTED once
// the site-specific DC records are exhausted (see the enumeration loop in DllMain).
#define DS_NOTIFY_AFTER_SITE_RECORDS 0x02

// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.

// You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c).
// DllMain below also assigns it on DLL_PROCESS_ATTACH and returns it on DLL_QUERY_HMODULE.
extern HINSTANCE hAppInstance;
26 |
27 |
// Entry point of the DLL.
//
// dwReason selects the action:
//   DLL_QUERY_HMODULE  - custom reason code (6, ReflectiveDLLInjection.h): writes the module base
//                        kept in hAppInstance through lpReserved when a pointer was supplied.
//   DLL_PROCESS_ATTACH - records hinstDLL in hAppInstance, then runs the whole domain query inline:
//                        locates a DC with DsGetDcName, prints the DOMAIN_CONTROLLER_INFO fields,
//                        reads the password and lockout policy from that DC with NetUserModalsGet
//                        (levels 0 and 3), lists every DC via DsGetDcOpen/DsGetDcNext, flushes
//                        stdout and finally terminates the host process with ExitProcess(0).
//   any other reason   - no-op.
//
// Returns bReturnValue, which is always TRUE. On the DLL_PROCESS_ATTACH path the return statement
// is never reached because ExitProcess() does not return.
//
// NOTE(review): every failure path (DsGetDcName, DsGetDcOpen, NetUserModalsGet, StringFromCLSID,
// the "some other error" branch of DsGetDcNext) is silent: nothing is printed and the process
// still exits with status 0, so empty output cannot be told apart from a genuine run with no data.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
    BOOL bReturnValue = TRUE;

    switch (dwReason)
    {
    case DLL_QUERY_HMODULE:
        // Hand the module base back to the caller through lpReserved.
        if (lpReserved != NULL)
            *(HMODULE *)lpReserved = hAppInstance;
        break;
    case DLL_PROCESS_ATTACH:
        hAppInstance = hinstDLL;

        // Get a Domain Controller for the Domain this computer is on.
        // Declared without initialisers so the later case labels may legally jump past them.
        DWORD dwRet;
        PDOMAIN_CONTROLLER_INFO pdcInfo;

        // NULL computer/domain/GUID/site and no flags: the DC for this machine's own domain.
        dwRet = DsGetDcName(NULL, NULL, NULL, NULL, 0, &pdcInfo);
        if (ERROR_SUCCESS == dwRet)
        {
            // Open the enumeration.
            HANDLE hGetDc;
            dwRet = DsGetDcOpen(pdcInfo->DomainName,
                DS_NOTIFY_AFTER_SITE_RECORDS, // see the ERROR_FILEMARK_DETECTED branch below
                NULL,
                NULL,
                NULL,
                0,
                &hGetDc);
            if (ERROR_SUCCESS == dwRet)
            {
                LPTSTR pszDnsHostName; // wide string: UNICODE is forced at the top of this file
                GUID guid;
                // NOTE(review): 'guid' is never read after this call, so CoCreateGuid() is dead code.
                CoCreateGuid(&guid);

                OLECHAR* guidString;
                // NOTE(review): the HRESULT is not checked. If StringFromCLSID() fails, guidString is
                // indeterminate when it is printed and passed to CoTaskMemFree() below.
                StringFromCLSID(pdcInfo->DomainGuid, &guidString);

                wprintf(L"--------------------------------------------------------------------\n");

                wprintf(L"[+] DomainName:\n");
                wprintf(L" %ls\n", pdcInfo->DomainName);

                wprintf(L"[+] DomainGuid:\n");
                wprintf(L" %ls\n", guidString);

                wprintf(L"[+] DnsForestName:\n");
                wprintf(L" %ls\n", pdcInfo->DnsForestName);

                wprintf(L"[+] DcSiteName:\n");
                wprintf(L" %ls\n", pdcInfo->DcSiteName);

                wprintf(L"[+] ClientSiteName:\n");
                wprintf(L" %ls\n", pdcInfo->ClientSiteName);

                wprintf(L"[+] DomainControllerName (PDC):\n");
                wprintf(L" %ls\n", pdcInfo->DomainControllerName);

                wprintf(L"[+] DomainControllerAddress (PDC):\n");
                wprintf(L" %ls\n", pdcInfo->DomainControllerAddress);

                // The GUID string is COM-task memory, hence CoTaskMemFree rather than NetApiBufferFree.
                CoTaskMemFree(guidString);

                // Enumerate Domain password policy.
                DWORD dwLevel = 0;
                USER_MODALS_INFO_0 *pBuf0 = NULL;
                USER_MODALS_INFO_3 *pBuf3 = NULL;
                NET_API_STATUS nStatus;

                // Call the NetUserModalsGet function; specify level 0 (password policy),
                // directed at the DC located above.
                nStatus = NetUserModalsGet(pdcInfo->DomainControllerName,
                    dwLevel,
                    (LPBYTE *)&pBuf0);

                // If the call succeeds, print the global information.
                if (nStatus == NERR_Success)
                {
                    if (pBuf0 != NULL)
                    {
                        wprintf(L"[+] Default Domain Password Policy:\n");

                        wprintf(L" Password history length: %d\n", pBuf0->usrmod0_password_hist_len);
                        // Ages are reported in seconds; shown as whole days (integer division).
                        // NOTE(review): a "never expires" maximum age is not special-cased and will
                        // print as a very large day count.
                        wprintf(L" Maximum password age (d): %d\n", pBuf0->usrmod0_max_passwd_age / 86400);
                        wprintf(L" Minimum password age (d): %d\n", pBuf0->usrmod0_min_passwd_age / 86400);
                        wprintf(L" Minimum password length: %d\n", pBuf0->usrmod0_min_passwd_len);
                    }
                }

                // Free the allocated memory (outside the status check: the buffer is released
                // whenever the call handed one out).
                if (pBuf0 != NULL)
                    NetApiBufferFree(pBuf0);

                // Call the NetUserModalsGet function; specify level 3 (account lockout policy).
                dwLevel = 3;
                nStatus = NetUserModalsGet(pdcInfo->DomainControllerName,
                    dwLevel,
                    (LPBYTE *)&pBuf3);

                // If the call succeeds, print the global information.
                if (nStatus == NERR_Success)
                {
                    if (pBuf3 != NULL)
                    {
                        wprintf(L"[+] Account Lockout Policy:\n");

                        wprintf(L" Account lockout threshold: %d\n", pBuf3->usrmod3_lockout_threshold);
                        // Durations are reported in seconds; shown as whole minutes.
                        wprintf(L" Account lockout duration (m): %d\n", pBuf3->usrmod3_lockout_duration / 60);
                        // NOTE(review): copy-paste defect - this line prints usrmod3_lockout_duration
                        // again instead of usrmod3_lockout_observation_window, so the two values
                        // shown always agree regardless of the actual policy.
                        wprintf(L" Account lockout observation window (m): %d\n", pBuf3->usrmod3_lockout_duration / 60);
                    }
                }

                // Free the allocated memory.
                if (pBuf3 != NULL)
                    NetApiBufferFree(pBuf3);

                // Enumerate each Domain Controller and print its name.
                wprintf(L"[+] NextDc DnsHostName:\n");

                // Loop until DsGetDcNext reports the end of the list or an unexpected error.
                while (TRUE)
                {
                    ULONG ulSocketCount;
                    LPSOCKET_ADDRESS rgSocketAddresses;

                    dwRet = DsGetDcNext(
                        hGetDc,
                        &ulSocketCount,
                        &rgSocketAddresses,
                        &pszDnsHostName);

                    if (ERROR_SUCCESS == dwRet)
                    {
                        wprintf(L" %ls\n", pszDnsHostName);

                        // Free the allocated string.
                        NetApiBufferFree(pszDnsHostName);

                        // Free the socket address array (a different allocator from the name above).
                        LocalFree(rgSocketAddresses);
                    }
                    else if (ERROR_NO_MORE_ITEMS == dwRet)
                    {
                        // The end of the list has been reached.
                        break;
                    }
                    else if (ERROR_FILEMARK_DETECTED == dwRet)
                    {
                        /*
                        DS_NOTIFY_AFTER_SITE_RECORDS was specified in
                        DsGetDcOpen and the end of the site-specific
                        records was reached. The code assumes no record
                        accompanies this status, so nothing is freed here.
                        */
                        wprintf(L"[+] End of site-specific Domain Controllers.\n");
                        continue;
                    }
                    else
                    {
                        // Some other error occurred.
                        // NOTE(review): dwRet is discarded; the failure is not reported to the reader.
                        break;
                    }
                }

                wprintf(L"--------------------------------------------------------------------\n");

                // Close the enumeration.
                DsGetDcClose(hGetDc);
            }

            // Free the DOMAIN_CONTROLLER_INFO structure (also on the DsGetDcOpen failure path).
            NetApiBufferFree(pdcInfo);
        }

        // Flush STDOUT so buffered output is written before the process is torn down.
        fflush(stdout);

        // We're done, so let's exit. This terminates the host process from inside DllMain;
        // the break below and the final return are never reached on this path.
        ExitProcess(0);
        break;
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return bReturnValue;
}
212 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Domain/Recon-AD-Domain/Recon-AD-Domain.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}
23 | ReconADDomain
24 | 8.1
25 |
26 |
27 |
28 | Application
29 | true
30 | v140
31 | MultiByte
32 |
33 |
34 | DynamicLibrary
35 | false
36 | v140
37 | true
38 | Unicode
39 |
40 |
41 | Application
42 | true
43 | v140
44 | MultiByte
45 |
46 |
47 | DynamicLibrary
48 | false
49 | v140
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | Level3
75 | Disabled
76 | true
77 |
78 |
79 |
80 |
81 | Level3
82 | Disabled
83 | true
84 |
85 |
86 |
87 |
88 | Level3
89 | MaxSpeed
90 | true
91 | true
92 | true
93 | MultiThreaded
94 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
95 |
96 |
97 | true
98 | true
99 | false
100 |
101 |
102 |
103 |
104 | Level3
105 | MaxSpeed
106 | true
107 | true
108 | true
109 | MultiThreaded
110 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
111 |
112 |
113 | true
114 | true
115 | false
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
--------------------------------------------------------------------------------
/Src/Recon-AD-SPNs/Recon-AD-SPNs/Recon-AD-SPNs.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}
23 | ReconADDomain
24 | 8.1
25 | Recon-AD-SPNs
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | MultiByte
33 |
34 |
35 | DynamicLibrary
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | MultiByte
46 |
47 |
48 | DynamicLibrary
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | Disabled
77 | true
78 |
79 |
80 |
81 |
82 | Level3
83 | Disabled
84 | true
85 |
86 |
87 |
88 |
89 | Level3
90 | MaxSpeed
91 | true
92 | true
93 | true
94 | MultiThreaded
95 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
96 |
97 |
98 | true
99 | true
100 | false
101 |
102 |
103 |
104 |
105 | Level3
106 | MaxSpeed
107 | true
108 | true
109 | true
110 | MultiThreaded
111 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
112 |
113 |
114 | true
115 | true
116 | false
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Users/Recon-AD-Users/Recon-AD-Users.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}
23 | ReconADDomain
24 | 8.1
25 | Recon-AD-Users
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | MultiByte
33 |
34 |
35 | DynamicLibrary
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | MultiByte
46 |
47 |
48 | DynamicLibrary
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | Disabled
77 | true
78 |
79 |
80 |
81 |
82 | Level3
83 | Disabled
84 | true
85 |
86 |
87 |
88 |
89 | Level3
90 | MaxSpeed
91 | true
92 | true
93 | true
94 | MultiThreaded
95 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
96 |
97 |
98 | true
99 | true
100 | false
101 |
102 |
103 |
104 |
105 | Level3
106 | MaxSpeed
107 | true
108 | true
109 | true
110 | MultiThreaded
111 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
112 |
113 |
114 | true
115 | true
116 | false
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Groups/Recon-AD-Groups/Recon-AD-Groups.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}
23 | ReconADDomain
24 | 8.1
25 | Recon-AD-Groups
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | MultiByte
33 |
34 |
35 | DynamicLibrary
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | MultiByte
46 |
47 |
48 | DynamicLibrary
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | Disabled
77 | true
78 |
79 |
80 |
81 |
82 | Level3
83 | Disabled
84 | true
85 |
86 |
87 |
88 |
89 | Level3
90 | MaxSpeed
91 | true
92 | true
93 | true
94 | MultiThreaded
95 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
96 |
97 |
98 | true
99 | true
100 | false
101 |
102 |
103 |
104 |
105 | Level3
106 | MaxSpeed
107 | true
108 | true
109 | true
110 | MultiThreaded
111 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
112 |
113 |
114 | true
115 | true
116 | false
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Computers/Recon-AD-Computers/Recon-AD-Computers.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}
23 | ReconADDomain
24 | 8.1
25 | Recon-AD-Computers
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | MultiByte
33 |
34 |
35 | DynamicLibrary
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | MultiByte
46 |
47 |
48 | DynamicLibrary
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | Disabled
77 | true
78 |
79 |
80 |
81 |
82 | Level3
83 | Disabled
84 | true
85 |
86 |
87 |
88 |
89 | Level3
90 | MaxSpeed
91 | true
92 | true
93 | true
94 | MultiThreaded
95 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
96 |
97 |
98 | true
99 | true
100 | false
101 |
102 |
103 |
104 |
105 | Level3
106 | MaxSpeed
107 | true
108 | true
109 | true
110 | MultiThreaded
111 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
112 |
113 |
114 | true
115 | true
116 | false
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
--------------------------------------------------------------------------------
/Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/Recon-AD-LocalGroups.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}
23 | ReconADDomain
24 | 8.1
25 | Recon-AD-LocalGroups
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | MultiByte
33 |
34 |
35 | DynamicLibrary
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | DynamicLibrary
43 | true
44 | v141
45 | Unicode
46 |
47 |
48 | DynamicLibrary
49 | false
50 | v141
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | Disabled
77 | true
78 |
79 |
80 |
81 |
82 | Level3
83 | Disabled
84 | true
85 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
86 |
87 |
88 |
89 |
90 | Level3
91 | MaxSpeed
92 | true
93 | true
94 | true
95 | MultiThreaded
96 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
97 |
98 |
99 | true
100 | true
101 | false
102 |
103 |
104 |
105 |
106 | Level3
107 | MaxSpeed
108 | true
109 | true
110 | true
111 | MultiThreaded
112 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
113 |
114 |
115 | true
116 | true
117 | false
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
131 |
--------------------------------------------------------------------------------
/Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {D30C9D6B-1F45-47BD-825B-389FE8CC9069}
23 | ReconADDomain
24 | 8.1
25 | Recon-AD-AllLocalGroups
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | MultiByte
33 |
34 |
35 | DynamicLibrary
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | DynamicLibrary
43 | true
44 | v141
45 | Unicode
46 |
47 |
48 | DynamicLibrary
49 | false
50 | v141
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | Disabled
77 | true
78 |
79 |
80 |
81 |
82 | Level3
83 | Disabled
84 | true
85 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
86 |
87 |
88 |
89 |
90 | Level3
91 | MaxSpeed
92 | true
93 | true
94 | true
95 | MultiThreaded
96 | WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
97 |
98 |
99 | true
100 | true
101 | false
102 |
103 |
104 |
105 |
106 | Level3
107 | MaxSpeed
108 | true
109 | true
110 | true
111 | MultiThreaded
112 | WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
113 |
114 |
115 | true
116 | true
117 | false
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
131 |
--------------------------------------------------------------------------------
/Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/ReflectiveDll.cpp:
--------------------------------------------------------------------------------
1 | #undef _UNICODE
2 | #define _UNICODE
3 | #undef UNICODE
4 | #define UNICODE
5 |
6 | #include "ReflectiveLoader.h"
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #pragma comment(lib, "ADSIid.lib")
14 | #pragma comment(lib, "ActiveDS.Lib")
15 |
16 | #define FETCH_NUM 100
17 |
18 | // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
19 | // defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
20 | // DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
21 |
22 | // You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)
23 | extern HINSTANCE hAppInstance;
24 |
25 |
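// Print the ADsPath of one group member handed back by the IADsMembers
// enumerator (e.g. "WinNT://DOMAIN/user"). pDispatch must be non-NULL.
// Failures are silently skipped so one odd member does not abort the listing.
static void PrintMemberADsPath(IDispatch * pDispatch)
{
	IADs * pIADsGroupMember = NULL;
	BSTR bstrPath = NULL;

	// Get the IADs interface for the "member" of this group.
	HRESULT hr = pDispatch->QueryInterface(IID_IADs, (VOID **)&pIADsGroupMember);
	if (FAILED(hr))
		return;

	// Get the ADsPath property for this member.
	hr = pIADsGroupMember->get_ADsPath(&bstrPath);
	if (SUCCEEDED(hr))
	{
		wprintf(L" %s\r\n", (LPCWSTR)bstrPath);
		SysFreeString(bstrPath);
	}

	pIADsGroupMember->Release();
}

// Enumerate the members of pADsGroup in batches of FETCH_NUM and print the
// ADsPath of each one under a single "[+] Members:" header.
//
// Returns S_OK when the enumeration ran to completion (the enumerator's
// S_FALSE "no more data" is mapped to S_OK), E_POINTER for a NULL group, or
// the failing HRESULT of the ADSI/COM call that stopped the walk.
//
// Fixes relative to the previous version:
//  - every fetched VARIANT is released with VariantClear() instead of being
//    memset() to zero, which leaked one IDispatch reference per member;
//  - a slot is only dereferenced when it really is VT_DISPATCH with a
//    non-NULL pointer (the old code trusted pdispVal unconditionally);
//  - the "[+] Members:" header is printed once, not once per 100 members.
HRESULT PrintGroupObjectMembers(IADsGroup * pADsGroup)
{
	HRESULT hr = S_OK;                  // COM result code
	IADsMembers * pADsMembers = NULL;   // Members collection of the group
	IUnknown * pUnknown = NULL;         // IUnknown the enumerator comes back as
	IEnumVARIANT * pEnumVariant = NULL; // Enumerator over the members
	VARIANT VariantArray[FETCH_NUM];    // One batch of members
	ULONG ulElementsFetched = 0;        // Number of elements in the current batch
	BOOL fHeaderPrinted = FALSE;        // "[+] Members:" emitted yet?

	if (pADsGroup == NULL)
		return E_POINTER;

	// Put every slot in a defined state so VariantClear() below is always safe.
	for (ULONG i = 0; i < FETCH_NUM; i++)
		VariantInit(&VariantArray[i]);

	// Get an interface pointer to the IADsCollection of members.
	hr = pADsGroup->Members(&pADsMembers);
	if (FAILED(hr))
		return hr;

	// Query the IADsCollection of members for a new ENUM interface.
	// Be aware that the enum comes back as an IUnknown *.
	hr = pADsMembers->get__NewEnum(&pUnknown);
	if (SUCCEEDED(hr))
	{
		hr = pUnknown->QueryInterface(IID_IEnumVARIANT, (void **)&pEnumVariant);
		if (SUCCEEDED(hr))
		{
			for (;;)
			{
				ulElementsFetched = 0;

				// Get a "batch" of group members - at most FETCH_NUM rows.
				hr = ADsEnumerateNext(pEnumVariant, FETCH_NUM, VariantArray, &ulElementsFetched);
				if (ulElementsFetched == 0)
					break;

				if (!fHeaderPrinted)
				{
					wprintf(L"[+] Members:\n");
					fHeaderPrinted = TRUE;
				}

				for (ULONG i = 0; i < ulElementsFetched; i++)
				{
					// The WinNT provider hands back VT_DISPATCH variants; anything
					// else (or a NULL pdispVal) is skipped rather than dereferenced.
					if (VariantArray[i].vt == VT_DISPATCH && VariantArray[i].pdispVal != NULL)
						PrintMemberADsPath(VariantArray[i].pdispVal);

					// Releases the IDispatch reference the enumerator gave us.
					VariantClear(&VariantArray[i]);
				}

				// A failed fetch that still returned rows has been drained; stop here.
				if (FAILED(hr))
					break;
			}
			pEnumVariant->Release();
			pEnumVariant = NULL;
		}
		pUnknown->Release();
		pUnknown = NULL;
	}
	pADsMembers->Release();
	pADsMembers = NULL;

	// S_FALSE from the enumerator just means "no more members".
	if (hr == S_FALSE)
		hr = S_OK;

	return hr;
}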
132 |
133 |
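// Parse "<computer> [<local group>]" and dump the members of that local group
// through the ADSI WinNT provider. The group defaults to "Administrators" and
// may contain spaces: everything after the first space is the group name, so
// "HOST Remote Desktop Users" works as expected.
//
// pwszArgs must be non-NULL and is tokenised in place. All output, including
// error reports, goes to stdout so the operator can see *why* a bind failed
// instead of getting an empty result.
static void RunLocalGroupRecon(LPWSTR pwszArgs)
{
	LPWSTR pwszGroup = NULL;
	LPCWSTR pwszComputer = wcstok_s(pwszArgs, L" ", &pwszGroup);

	// Empty or whitespace-only argument string: nothing to bind to.
	if (pwszComputer == NULL)
	{
		wprintf(L"[!] Usage: <computer> [<local group>] (default: Administrators)\n");
		return;
	}

	// wcstok_s leaves the context pointer right after the first delimiter, so
	// "HOST  Admins" (two spaces) would otherwise give " Admins" as the group.
	while (pwszGroup != NULL && *pwszGroup == L' ')
		pwszGroup++;

	// Initialize COM; without it ADsOpenObject cannot work at all.
	HRESULT hr = CoInitialize(NULL);
	if (FAILED(hr))
	{
		wprintf(L"[!] CoInitialize failed (hr=0x%08lX)\n", (unsigned long)hr);
		return;
	}

	// Build the binding string: WinNT://<computer>/<group>,group
	CComBSTR sbstrBindingString;
	sbstrBindingString = "WinNT://";
	sbstrBindingString += pwszComputer;
	sbstrBindingString += "/";
	if (pwszGroup == NULL || *pwszGroup == L'\0')
		sbstrBindingString += "Administrators";
	else
		sbstrBindingString += pwszGroup;
	sbstrBindingString += ",group";

	// NULL credentials with ADS_SECURE_AUTHENTICATION: the bind runs under the
	// security context of the calling thread, i.e. the token of the process
	// this DLL was loaded into. Choose that process/token accordingly when
	// targeting a remote computer.
	IADsGroup * pGroup = NULL;
	hr = ADsOpenObject(sbstrBindingString,
		NULL,                       // username
		NULL,                       // password
		ADS_SECURE_AUTHENTICATION,
		IID_IADsGroup,
		(void**)&pGroup);

	if (FAILED(hr))
	{
		wprintf(L"[!] ADsOpenObject failed for %s (hr=0x%08lX)\n",
			(LPCWSTR)sbstrBindingString, (unsigned long)hr);
	}
	else
	{
		CComBSTR sbstrNameResult;

		wprintf(L"--------------------------------------------------------------------\n");

		// Print the object data.
		if (SUCCEEDED(pGroup->get_Name(&sbstrNameResult)))
		{
			wprintf(L"[+] Group:\n");
			wprintf(L" %s\r\n", (LPCWSTR)sbstrNameResult);
		}

		hr = PrintGroupObjectMembers(pGroup);
		if (FAILED(hr))
			wprintf(L"[!] Failed to enumerate members (hr=0x%08lX)\n", (unsigned long)hr);

		wprintf(L"--------------------------------------------------------------------\n");

		pGroup->Release();
	}

	// Uninitialize COM, whether or not the bind succeeded.
	CoUninitialize();
}

// Custom DllMain (REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN).
//
// On DLL_PROCESS_ATTACH, lpReserved carries the ANSI argument string supplied
// through LoadRemoteLibraryR(); it is converted to UTF-16, handed to
// RunLocalGroupRecon() and the process is terminated once stdout is flushed.
// On DLL_QUERY_HMODULE, lpReserved is an HMODULE* out-parameter instead.
//
// Fix relative to the previous version: the argument string is only touched
// inside the DLL_PROCESS_ATTACH branch after the NULL check. Previously
// strlen((LPSTR)lpReserved) ran before the switch for *every* reason code,
// reading through an HMODULE* on DLL_QUERY_HMODULE and dereferencing NULL on
// thread attach/detach. The fixed MAX_PATH*2 scratch buffer is gone as well;
// a long argument string used to trip wcscpy_s's invalid-parameter handler.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
	BOOL bReturnValue = TRUE;

	switch (dwReason)
	{
	case DLL_QUERY_HMODULE:
		// lpReserved is an HMODULE* here, not a string.
		if (lpReserved != NULL)
			*(HMODULE *)lpReserved = hAppInstance;
		break;

	case DLL_PROCESS_ATTACH:
		hAppInstance = hinstDLL;

		if (lpReserved != NULL)
		{
			// Handle the command line arguments: buffer sized from the input itself.
			LPCSTR pszArgs = (LPCSTR)lpReserved;
			size_t cchArgs = strlen(pszArgs) + 1;
			LPWSTR pwszArgs = (LPWSTR)calloc(cchArgs, sizeof(WCHAR));

			if (pwszArgs != NULL)
			{
				size_t convertedChars = 0;
				if (mbstowcs_s(&convertedChars, pwszArgs, cchArgs, pszArgs, _TRUNCATE) == 0)
					RunLocalGroupRecon(pwszArgs);
				else
					wprintf(L"[!] Failed to convert the argument string\n");

				free(pwszArgs);
			}
			else
			{
				wprintf(L"[!] Out of memory\n");
			}
		}

		// Flush STDOUT so whoever collects our output gets everything before we exit.
		fflush(stdout);

		// Deliberate: this DLL is meant to run in a process dedicated to it and
		// terminates that process when done (exit code is 0 even on failure;
		// the printed "[!]" lines are the error signal). TODO confirm against
		// the loader side that nothing relies on the process staying alive.
		ExitProcess(0);

		break;

	case DLL_PROCESS_DETACH:
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
		break;
	}
	return bReturnValue;
}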
239 |
--------------------------------------------------------------------------------
/Src/Recon-AD-SPNs/Recon-AD-SPNs/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 | #include
34 | #include
35 |
36 | #include "ReflectiveDLLInjection.h"
37 |
38 | typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
39 | typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
40 | typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
41 | typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);
42 |
43 | #define KERNEL32DLL_HASH 0x6A4ABC5B
44 | #define NTDLLDLL_HASH 0x3CFA685D
45 |
46 | #define LOADLIBRARYA_HASH 0xEC0E4E8E
47 | #define GETPROCADDRESS_HASH 0x7C0DFCAA
48 | #define VIRTUALALLOC_HASH 0x91AFCA54
49 | #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
50 |
51 | #define IMAGE_REL_BASED_ARM_MOV32A 5
52 | #define IMAGE_REL_BASED_ARM_MOV32T 7
53 |
54 | #define ARM_MOV_MASK (DWORD)(0xFBF08000)
55 | #define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
56 | #define ARM_MOVW 0xF2400000
57 | #define ARM_MOVT 0xF2C00000
58 |
59 | #define HASH_KEY 13
60 | //===============================================================================================//
61 | #pragma intrinsic( _rotr )
62 |
// Rotate d right by HASH_KEY bits; this is the mixing step used by hash().
__forceinline DWORD ror(DWORD d)
{
	DWORD rotated = _rotr(d, HASH_KEY);
	return rotated;
}
67 |
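// Hash a NUL-terminated module/export name the way the precomputed *_HASH
// constants above were generated: rotate the accumulator right by HASH_KEY,
// then add the next character.
//
// *c is a plain (signed on MSVC) char, so bytes >= 0x80 are sign-extended
// before the add. That is part of the hash definition - do not "fix" it or
// the constants stop matching.
//
// Fix relative to the previous do/while form: an empty string now returns 0
// instead of reading past its terminator (the old loop read c[1] after
// consuming the NUL at c[0]). Every non-empty input hashes identically. The
// deprecated `register` qualifier has been dropped; it had no effect.
__forceinline DWORD hash(char * c)
{
	DWORD h = 0;
	while (*c)
	{
		h = ror(h);
		h += *c++;
	}
	return h;
}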
79 | //===============================================================================================//
// Mirrors ntdll!_UNICODE_STRING: Length and MaximumLength are byte counts,
// not character counts, and pBuffer need not be NUL-terminated.
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;

// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
// Loader module entry as reached from PEB_LDR_DATA.InMemoryOrderModuleList:
// because the leading InLoadOrderLinks member is left out (see below), a Flink
// taken from that list points directly at the start of this struct. The
// loader is expected to need only DllBase and BaseDllName (TODO confirm in
// ReflectiveLoader.c); the trailing members carry legacy names and are not
// verified against current Windows builds.
typedef struct _LDR_DATA_TABLE_ENTRY
{
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// WinDbg> dt -v ntdll!_PEB_LDR_DATA
// The two leading DWORDs occupy the same 8 bytes as ntdll's ULONG Length +
// BOOLEAN Initialized (+ padding), so the list offsets below line up on both
// 32- and 64-bit builds once LPVOID/LIST_ENTRY take their native sizes.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
DWORD dwLength;
DWORD dwInitialized;
LPVOID lpSsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Legacy structure; only referenced through the pFreeList member of _PEB below.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
// NOTE(review): the "0x210 bytes" layout is the Windows XP-era 32-bit PEB.
// Only the leading members - the four BYTE flags and the pointers through
// pFastPebLock - have the same offsets on current 32- and 64-bit Windows.
// From lpFastPebLockRoutine onwards the field order has changed since, and
// several members declared DWORD here are SIZE_T/ULONG_PTR in the 64-bit PEB
// (e.g. dwHeapSegmentReserve, dwImageProcessAffinityMask), so nothing below
// that point is offset-correct on x64. The loader only needs pLdr (TODO
// confirm in ReflectiveLoader.c); treat the rest as padding, not as data.
typedef struct __PEB // 65 elements, 0x210 bytes
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;
PPEB_LDR_DATA pLdr;
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
// ---- everything below is the XP-era 32-bit layout; do not rely on it ----
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;

// One 16-bit entry of an IMAGE_BASE_RELOCATION block: 12-bit offset within
// the page in the low bits, 4-bit IMAGE_REL_BASED_* type in the high bits.
// Bit-field placement is compiler-defined; this relies on MSVC putting the
// first member in the low-order bits.
typedef struct
{
WORD offset : 12;
WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
201 | //===============================================================================================//
202 | #endif
203 | //===============================================================================================//
204 |
205 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Users/Recon-AD-Users/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 | #include
34 | #include
35 |
36 | #include "ReflectiveDLLInjection.h"
37 |
38 | typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
39 | typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
40 | typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
41 | typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);
42 |
43 | #define KERNEL32DLL_HASH 0x6A4ABC5B
44 | #define NTDLLDLL_HASH 0x3CFA685D
45 |
46 | #define LOADLIBRARYA_HASH 0xEC0E4E8E
47 | #define GETPROCADDRESS_HASH 0x7C0DFCAA
48 | #define VIRTUALALLOC_HASH 0x91AFCA54
49 | #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
50 |
51 | #define IMAGE_REL_BASED_ARM_MOV32A 5
52 | #define IMAGE_REL_BASED_ARM_MOV32T 7
53 |
54 | #define ARM_MOV_MASK (DWORD)(0xFBF08000)
55 | #define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
56 | #define ARM_MOVW 0xF2400000
57 | #define ARM_MOVT 0xF2C00000
58 |
59 | #define HASH_KEY 13
60 | //===============================================================================================//
61 | #pragma intrinsic( _rotr )
62 |
// Rotate d right by HASH_KEY bits; this is the mixing step used by hash().
__forceinline DWORD ror(DWORD d)
{
	DWORD rotated = _rotr(d, HASH_KEY);
	return rotated;
}
67 |
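// Hash a NUL-terminated module/export name the way the precomputed *_HASH
// constants above were generated: rotate the accumulator right by HASH_KEY,
// then add the next character.
//
// *c is a plain (signed on MSVC) char, so bytes >= 0x80 are sign-extended
// before the add. That is part of the hash definition - do not "fix" it or
// the constants stop matching.
//
// Fix relative to the previous do/while form: an empty string now returns 0
// instead of reading past its terminator (the old loop read c[1] after
// consuming the NUL at c[0]). Every non-empty input hashes identically. The
// deprecated `register` qualifier has been dropped; it had no effect.
__forceinline DWORD hash(char * c)
{
	DWORD h = 0;
	while (*c)
	{
		h = ror(h);
		h += *c++;
	}
	return h;
}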
79 | //===============================================================================================//
// Mirrors ntdll!_UNICODE_STRING: Length and MaximumLength are byte counts,
// not character counts, and pBuffer need not be NUL-terminated.
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;

// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
// Loader module entry as reached from PEB_LDR_DATA.InMemoryOrderModuleList:
// because the leading InLoadOrderLinks member is left out (see below), a Flink
// taken from that list points directly at the start of this struct. The
// loader is expected to need only DllBase and BaseDllName (TODO confirm in
// ReflectiveLoader.c); the trailing members carry legacy names and are not
// verified against current Windows builds.
typedef struct _LDR_DATA_TABLE_ENTRY
{
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// WinDbg> dt -v ntdll!_PEB_LDR_DATA
// The two leading DWORDs occupy the same 8 bytes as ntdll's ULONG Length +
// BOOLEAN Initialized (+ padding), so the list offsets below line up on both
// 32- and 64-bit builds once LPVOID/LIST_ENTRY take their native sizes.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
DWORD dwLength;
DWORD dwInitialized;
LPVOID lpSsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Legacy structure; only referenced through the pFreeList member of _PEB below.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
// NOTE(review): the "0x210 bytes" layout is the Windows XP-era 32-bit PEB.
// Only the leading members - the four BYTE flags and the pointers through
// pFastPebLock - have the same offsets on current 32- and 64-bit Windows.
// From lpFastPebLockRoutine onwards the field order has changed since, and
// several members declared DWORD here are SIZE_T/ULONG_PTR in the 64-bit PEB
// (e.g. dwHeapSegmentReserve, dwImageProcessAffinityMask), so nothing below
// that point is offset-correct on x64. The loader only needs pLdr (TODO
// confirm in ReflectiveLoader.c); treat the rest as padding, not as data.
typedef struct __PEB // 65 elements, 0x210 bytes
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;
PPEB_LDR_DATA pLdr;
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
// ---- everything below is the XP-era 32-bit layout; do not rely on it ----
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;

// One 16-bit entry of an IMAGE_BASE_RELOCATION block: 12-bit offset within
// the page in the low bits, 4-bit IMAGE_REL_BASED_* type in the high bits.
// Bit-field placement is compiler-defined; this relies on MSVC putting the
// first member in the low-order bits.
typedef struct
{
WORD offset : 12;
WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
201 | //===============================================================================================//
202 | #endif
203 | //===============================================================================================//
204 |
205 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Domain/Recon-AD-Domain/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 | #include
34 | #include
35 |
36 | #include "ReflectiveDLLInjection.h"
37 |
38 | typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
39 | typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
40 | typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
41 | typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);
42 |
43 | #define KERNEL32DLL_HASH 0x6A4ABC5B
44 | #define NTDLLDLL_HASH 0x3CFA685D
45 |
46 | #define LOADLIBRARYA_HASH 0xEC0E4E8E
47 | #define GETPROCADDRESS_HASH 0x7C0DFCAA
48 | #define VIRTUALALLOC_HASH 0x91AFCA54
49 | #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
50 |
51 | #define IMAGE_REL_BASED_ARM_MOV32A 5
52 | #define IMAGE_REL_BASED_ARM_MOV32T 7
53 |
54 | #define ARM_MOV_MASK (DWORD)(0xFBF08000)
55 | #define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
56 | #define ARM_MOVW 0xF2400000
57 | #define ARM_MOVT 0xF2C00000
58 |
59 | #define HASH_KEY 13
60 | //===============================================================================================//
61 | #pragma intrinsic( _rotr )
62 |
// Rotate d right by HASH_KEY bits; this is the mixing step used by hash().
__forceinline DWORD ror(DWORD d)
{
	DWORD rotated = _rotr(d, HASH_KEY);
	return rotated;
}
67 |
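// Hash a NUL-terminated module/export name the way the precomputed *_HASH
// constants above were generated: rotate the accumulator right by HASH_KEY,
// then add the next character.
//
// *c is a plain (signed on MSVC) char, so bytes >= 0x80 are sign-extended
// before the add. That is part of the hash definition - do not "fix" it or
// the constants stop matching.
//
// Fix relative to the previous do/while form: an empty string now returns 0
// instead of reading past its terminator (the old loop read c[1] after
// consuming the NUL at c[0]). Every non-empty input hashes identically. The
// deprecated `register` qualifier has been dropped; it had no effect.
__forceinline DWORD hash(char * c)
{
	DWORD h = 0;
	while (*c)
	{
		h = ror(h);
		h += *c++;
	}
	return h;
}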
79 | //===============================================================================================//
80 | typedef struct _UNICODE_STR
81 | {
82 | USHORT Length;
83 | USHORT MaximumLength;
84 | PWSTR pBuffer;
85 | } UNICODE_STR, *PUNICODE_STR;
86 |
87 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
88 | //__declspec( align(8) )
89 | typedef struct _LDR_DATA_TABLE_ENTRY
90 | {
91 | //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
92 | LIST_ENTRY InMemoryOrderModuleList;
93 | LIST_ENTRY InInitializationOrderModuleList;
94 | PVOID DllBase;
95 | PVOID EntryPoint;
96 | ULONG SizeOfImage;
97 | UNICODE_STR FullDllName;
98 | UNICODE_STR BaseDllName;
99 | ULONG Flags;
100 | SHORT LoadCount;
101 | SHORT TlsIndex;
102 | LIST_ENTRY HashTableEntry;
103 | ULONG TimeDateStamp;
104 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
105 |
106 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA
107 | typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
108 | {
109 | DWORD dwLength;
110 | DWORD dwInitialized;
111 | LPVOID lpSsHandle;
112 | LIST_ENTRY InLoadOrderModuleList;
113 | LIST_ENTRY InMemoryOrderModuleList;
114 | LIST_ENTRY InInitializationOrderModuleList;
115 | LPVOID lpEntryInProgress;
116 | } PEB_LDR_DATA, *PPEB_LDR_DATA;
117 |
118 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
119 | typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
120 | {
121 | struct _PEB_FREE_BLOCK * pNext;
122 | DWORD dwSize;
123 | } PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
124 |
125 | // struct _PEB is defined in Winternl.h but it is incomplete
126 | // WinDbg> dt -v ntdll!_PEB
// Hand-written PEB layout for this loader. The WinDbg note reports 65 elements
// in 0x210 bytes, which together with the DWORD-wide counters matches a 32-bit
// layout. The member that matters is pLdr (the loader walks the module lists
// it points to, see the _LDR_DATA_TABLE_ENTRY comment); the remaining fields
// presumably exist to reproduce the native offsets.
// NOTE(review): the tail of the PEB varies between Windows versions, so only
// the leading members should be relied on -- verify before using later ones.
typedef struct __PEB // 65 elements, 0x210 bytes
{
	BYTE bInheritedAddressSpace;
	BYTE bReadImageFileExecOptions;
	BYTE bBeingDebugged;       // the flag IsDebuggerPresent() reports
	BYTE bSpareBool;
	LPVOID lpMutant;
	LPVOID lpImageBaseAddress; // base of the process's main image
	PPEB_LDR_DATA pLdr;        // loader data: heads of the module lists
	LPVOID lpProcessParameters;
	LPVOID lpSubSystemData;
	LPVOID lpProcessHeap;
	PRTL_CRITICAL_SECTION pFastPebLock;
	LPVOID lpFastPebLockRoutine;
	LPVOID lpFastPebUnlockRoutine;
	DWORD dwEnvironmentUpdateCount;
	LPVOID lpKernelCallbackTable;
	DWORD dwSystemReserved;
	DWORD dwAtlThunkSListPtr32;
	PPEB_FREE_BLOCK pFreeList;
	DWORD dwTlsExpansionCounter;
	LPVOID lpTlsBitmap;
	DWORD dwTlsBitmapBits[2];
	LPVOID lpReadOnlySharedMemoryBase;
	LPVOID lpReadOnlySharedMemoryHeap;
	LPVOID lpReadOnlyStaticServerData;
	LPVOID lpAnsiCodePageData;
	LPVOID lpOemCodePageData;
	LPVOID lpUnicodeCaseTableData;
	DWORD dwNumberOfProcessors;
	DWORD dwNtGlobalFlag;
	LARGE_INTEGER liCriticalSectionTimeout;
	DWORD dwHeapSegmentReserve;
	DWORD dwHeapSegmentCommit;
	DWORD dwHeapDeCommitTotalFreeThreshold;
	DWORD dwHeapDeCommitFreeBlockThreshold;
	DWORD dwNumberOfHeaps;
	DWORD dwMaximumNumberOfHeaps;
	LPVOID lpProcessHeaps;
	LPVOID lpGdiSharedHandleTable;
	LPVOID lpProcessStarterHelper;
	DWORD dwGdiDCAttributeList;
	LPVOID lpLoaderLock;
	DWORD dwOSMajorVersion;
	DWORD dwOSMinorVersion;
	WORD wOSBuildNumber;
	WORD wOSCSDVersion;
	DWORD dwOSPlatformId;
	DWORD dwImageSubsystem;
	DWORD dwImageSubsystemMajorVersion;
	DWORD dwImageSubsystemMinorVersion;
	DWORD dwImageProcessAffinityMask;
	DWORD dwGdiHandleBuffer[34];
	LPVOID lpPostProcessInitRoutine;
	LPVOID lpTlsExpansionBitmap;
	DWORD dwTlsExpansionBitmapBits[32];
	DWORD dwSessionId;
	ULARGE_INTEGER liAppCompatFlags;
	ULARGE_INTEGER liAppCompatFlagsUser;
	LPVOID lppShimData;
	LPVOID lpAppCompatInfo;
	UNICODE_STR usCSDVersion;
	LPVOID lpActivationContextData;
	LPVOID lpProcessAssemblyStorageMap;
	LPVOID lpSystemDefaultActivationContextData;
	LPVOID lpSystemAssemblyStorageMap;
	DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;
195 |
// One 16-bit entry of a PE base-relocation block: the low 12 bits are the
// offset within the block's page, the high 4 bits the IMAGE_REL_BASED_* type
// (the ARM-specific types are defined near the top of this header).
typedef struct
{
	WORD offset : 12;
	WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
201 | //===============================================================================================//
202 | #endif
203 | //===============================================================================================//
204 |
205 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Groups/Recon-AD-Groups/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 | #include
34 | #include
35 |
36 | #include "ReflectiveDLLInjection.h"
37 |
// Function-pointer types for the APIs the loader calls once it has located
// them (presumably resolved by hash in ReflectiveLoader.c, which is not part
// of this header).
typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);

// Precomputed ROR-13 hashes (see hash() below) of the module and export names
// the loader looks for. Defender note: this hashing scheme and these exact
// constants are public and serve as a well-known static signature for
// reflective loaders derived from this code.
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D

#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8

// ARM base-relocation types and the instruction masks/opcodes used to patch
// MOVW/MOVT immediate pairs.
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7

#define ARM_MOV_MASK (DWORD)(0xFBF08000)
#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
#define ARM_MOVW 0xF2400000
#define ARM_MOVT 0xF2C00000

// Rotate amount used by ror(); every *_HASH constant above depends on it.
#define HASH_KEY 13
60 | //===============================================================================================//
61 | #pragma intrinsic( _rotr )
62 |
// Rotate d right by HASH_KEY bits; the mixing step used by hash().
__forceinline DWORD ror(DWORD d)
{
	const DWORD rotated = _rotr(d, HASH_KEY);
	return rotated;
}
67 |
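// ROR-13 rolling hash of a NUL-terminated export name: for each character,
// rotate the accumulator right by HASH_KEY bits and add the character.
// `char` may be signed, so bytes >= 0x80 would sign-extend before the add;
// that does not matter for the ASCII export names this is compared against.
// Returns 0 for an empty string. The original do/while variant evaluated
// `*++c` after consuming the terminator of an empty string, i.e. it read one
// byte past the end of the buffer; the pre-checked loop below does not.
__forceinline DWORD hash(char * c)
{
	DWORD h = 0;
	while (*c)
	{
		h = ror(h);
		h += *c++;
	}
	return h;
}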
79 | //===============================================================================================//
// Local mirror of the native UNICODE_STRING: both lengths are byte counts and
// pBuffer is not guaranteed to be NUL-terminated.
typedef struct _UNICODE_STR
{
	USHORT Length;        // bytes in use, excluding any terminator
	USHORT MaximumLength; // bytes allocated for pBuffer
	PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
86 |
87 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
88 | //__declspec( align(8) )
// Partial mirror of ntdll's loader entry. Every offset is shifted back by one
// LIST_ENTRY because InLoadOrderLinks is deliberately omitted (see below): the
// loader walks InMemoryOrderModuleList, so a node pointer taken from that list
// lands directly on this struct.
typedef struct _LDR_DATA_TABLE_ENTRY
{
	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	PVOID DllBase;           // load address of the module
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STR FullDllName; // full path of the module
	UNICODE_STR BaseDllName; // file name only, e.g. "kernel32.dll"
	ULONG Flags;
	SHORT LoadCount;
	SHORT TlsIndex;
	LIST_ENTRY HashTableEntry;
	ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
105 |
106 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Mirror of ntdll!_PEB_LDR_DATA (see the WinDbg command above). The three
// LIST_ENTRY heads thread through the LDR_DATA_TABLE_ENTRY records in load,
// memory and initialization order respectively.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
	DWORD dwLength;
	DWORD dwInitialized;
	LPVOID lpSsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;          // the list this loader walks
	LIST_ENTRY InInitializationOrderModuleList;
	LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
117 |
118 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Singly linked free-block record reached through __PEB::pFreeList; presumably
// declared only so the PEB layout below keeps its documented size.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
	struct _PEB_FREE_BLOCK * pNext; // next block in the chain, or NULL
	DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
124 |
125 | // struct _PEB is defined in Winternl.h but it is incomplete
126 | // WinDbg> dt -v ntdll!_PEB
// Hand-written PEB layout for this loader. The WinDbg note reports 65 elements
// in 0x210 bytes, which together with the DWORD-wide counters matches a 32-bit
// layout. The member that matters is pLdr (the loader walks the module lists
// it points to, see the _LDR_DATA_TABLE_ENTRY comment); the remaining fields
// presumably exist to reproduce the native offsets.
// NOTE(review): the tail of the PEB varies between Windows versions, so only
// the leading members should be relied on -- verify before using later ones.
typedef struct __PEB // 65 elements, 0x210 bytes
{
	BYTE bInheritedAddressSpace;
	BYTE bReadImageFileExecOptions;
	BYTE bBeingDebugged;       // the flag IsDebuggerPresent() reports
	BYTE bSpareBool;
	LPVOID lpMutant;
	LPVOID lpImageBaseAddress; // base of the process's main image
	PPEB_LDR_DATA pLdr;        // loader data: heads of the module lists
	LPVOID lpProcessParameters;
	LPVOID lpSubSystemData;
	LPVOID lpProcessHeap;
	PRTL_CRITICAL_SECTION pFastPebLock;
	LPVOID lpFastPebLockRoutine;
	LPVOID lpFastPebUnlockRoutine;
	DWORD dwEnvironmentUpdateCount;
	LPVOID lpKernelCallbackTable;
	DWORD dwSystemReserved;
	DWORD dwAtlThunkSListPtr32;
	PPEB_FREE_BLOCK pFreeList;
	DWORD dwTlsExpansionCounter;
	LPVOID lpTlsBitmap;
	DWORD dwTlsBitmapBits[2];
	LPVOID lpReadOnlySharedMemoryBase;
	LPVOID lpReadOnlySharedMemoryHeap;
	LPVOID lpReadOnlyStaticServerData;
	LPVOID lpAnsiCodePageData;
	LPVOID lpOemCodePageData;
	LPVOID lpUnicodeCaseTableData;
	DWORD dwNumberOfProcessors;
	DWORD dwNtGlobalFlag;
	LARGE_INTEGER liCriticalSectionTimeout;
	DWORD dwHeapSegmentReserve;
	DWORD dwHeapSegmentCommit;
	DWORD dwHeapDeCommitTotalFreeThreshold;
	DWORD dwHeapDeCommitFreeBlockThreshold;
	DWORD dwNumberOfHeaps;
	DWORD dwMaximumNumberOfHeaps;
	LPVOID lpProcessHeaps;
	LPVOID lpGdiSharedHandleTable;
	LPVOID lpProcessStarterHelper;
	DWORD dwGdiDCAttributeList;
	LPVOID lpLoaderLock;
	DWORD dwOSMajorVersion;
	DWORD dwOSMinorVersion;
	WORD wOSBuildNumber;
	WORD wOSCSDVersion;
	DWORD dwOSPlatformId;
	DWORD dwImageSubsystem;
	DWORD dwImageSubsystemMajorVersion;
	DWORD dwImageSubsystemMinorVersion;
	DWORD dwImageProcessAffinityMask;
	DWORD dwGdiHandleBuffer[34];
	LPVOID lpPostProcessInitRoutine;
	LPVOID lpTlsExpansionBitmap;
	DWORD dwTlsExpansionBitmapBits[32];
	DWORD dwSessionId;
	ULARGE_INTEGER liAppCompatFlags;
	ULARGE_INTEGER liAppCompatFlagsUser;
	LPVOID lppShimData;
	LPVOID lpAppCompatInfo;
	UNICODE_STR usCSDVersion;
	LPVOID lpActivationContextData;
	LPVOID lpProcessAssemblyStorageMap;
	LPVOID lpSystemDefaultActivationContextData;
	LPVOID lpSystemAssemblyStorageMap;
	DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;
195 |
// One 16-bit entry of a PE base-relocation block: the low 12 bits are the
// offset within the block's page, the high 4 bits the IMAGE_REL_BASED_* type
// (the ARM-specific types are defined near the top of this header).
typedef struct
{
	WORD offset : 12;
	WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
201 | //===============================================================================================//
202 | #endif
203 | //===============================================================================================//
204 |
205 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Computers/Recon-AD-Computers/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 | #include
34 | #include
35 |
36 | #include "ReflectiveDLLInjection.h"
37 |
// Function-pointer types for the APIs the loader calls once it has located
// them (presumably resolved by hash in ReflectiveLoader.c, which is not part
// of this header).
typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);

// Precomputed ROR-13 hashes (see hash() below) of the module and export names
// the loader looks for. Defender note: this hashing scheme and these exact
// constants are public and serve as a well-known static signature for
// reflective loaders derived from this code.
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D

#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8

// ARM base-relocation types and the instruction masks/opcodes used to patch
// MOVW/MOVT immediate pairs.
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7

#define ARM_MOV_MASK (DWORD)(0xFBF08000)
#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
#define ARM_MOVW 0xF2400000
#define ARM_MOVT 0xF2C00000

// Rotate amount used by ror(); every *_HASH constant above depends on it.
#define HASH_KEY 13
60 | //===============================================================================================//
61 | #pragma intrinsic( _rotr )
62 |
// Rotate d right by HASH_KEY bits; the mixing step used by hash().
__forceinline DWORD ror(DWORD d)
{
	const DWORD rotated = _rotr(d, HASH_KEY);
	return rotated;
}
67 |
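// ROR-13 rolling hash of a NUL-terminated export name: for each character,
// rotate the accumulator right by HASH_KEY bits and add the character.
// `char` may be signed, so bytes >= 0x80 would sign-extend before the add;
// that does not matter for the ASCII export names this is compared against.
// Returns 0 for an empty string. The original do/while variant evaluated
// `*++c` after consuming the terminator of an empty string, i.e. it read one
// byte past the end of the buffer; the pre-checked loop below does not.
__forceinline DWORD hash(char * c)
{
	DWORD h = 0;
	while (*c)
	{
		h = ror(h);
		h += *c++;
	}
	return h;
}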
79 | //===============================================================================================//
// Local mirror of the native UNICODE_STRING: both lengths are byte counts and
// pBuffer is not guaranteed to be NUL-terminated.
typedef struct _UNICODE_STR
{
	USHORT Length;        // bytes in use, excluding any terminator
	USHORT MaximumLength; // bytes allocated for pBuffer
	PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
86 |
87 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
88 | //__declspec( align(8) )
// Partial mirror of ntdll's loader entry. Every offset is shifted back by one
// LIST_ENTRY because InLoadOrderLinks is deliberately omitted (see below): the
// loader walks InMemoryOrderModuleList, so a node pointer taken from that list
// lands directly on this struct.
typedef struct _LDR_DATA_TABLE_ENTRY
{
	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	PVOID DllBase;           // load address of the module
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STR FullDllName; // full path of the module
	UNICODE_STR BaseDllName; // file name only, e.g. "kernel32.dll"
	ULONG Flags;
	SHORT LoadCount;
	SHORT TlsIndex;
	LIST_ENTRY HashTableEntry;
	ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
105 |
106 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Mirror of ntdll!_PEB_LDR_DATA (see the WinDbg command above). The three
// LIST_ENTRY heads thread through the LDR_DATA_TABLE_ENTRY records in load,
// memory and initialization order respectively.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
	DWORD dwLength;
	DWORD dwInitialized;
	LPVOID lpSsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;          // the list this loader walks
	LIST_ENTRY InInitializationOrderModuleList;
	LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
117 |
118 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Singly linked free-block record reached through __PEB::pFreeList; presumably
// declared only so the PEB layout below keeps its documented size.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
	struct _PEB_FREE_BLOCK * pNext; // next block in the chain, or NULL
	DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
124 |
125 | // struct _PEB is defined in Winternl.h but it is incomplete
126 | // WinDbg> dt -v ntdll!_PEB
// Hand-written PEB layout for this loader. The WinDbg note reports 65 elements
// in 0x210 bytes, which together with the DWORD-wide counters matches a 32-bit
// layout. The member that matters is pLdr (the loader walks the module lists
// it points to, see the _LDR_DATA_TABLE_ENTRY comment); the remaining fields
// presumably exist to reproduce the native offsets.
// NOTE(review): the tail of the PEB varies between Windows versions, so only
// the leading members should be relied on -- verify before using later ones.
typedef struct __PEB // 65 elements, 0x210 bytes
{
	BYTE bInheritedAddressSpace;
	BYTE bReadImageFileExecOptions;
	BYTE bBeingDebugged;       // the flag IsDebuggerPresent() reports
	BYTE bSpareBool;
	LPVOID lpMutant;
	LPVOID lpImageBaseAddress; // base of the process's main image
	PPEB_LDR_DATA pLdr;        // loader data: heads of the module lists
	LPVOID lpProcessParameters;
	LPVOID lpSubSystemData;
	LPVOID lpProcessHeap;
	PRTL_CRITICAL_SECTION pFastPebLock;
	LPVOID lpFastPebLockRoutine;
	LPVOID lpFastPebUnlockRoutine;
	DWORD dwEnvironmentUpdateCount;
	LPVOID lpKernelCallbackTable;
	DWORD dwSystemReserved;
	DWORD dwAtlThunkSListPtr32;
	PPEB_FREE_BLOCK pFreeList;
	DWORD dwTlsExpansionCounter;
	LPVOID lpTlsBitmap;
	DWORD dwTlsBitmapBits[2];
	LPVOID lpReadOnlySharedMemoryBase;
	LPVOID lpReadOnlySharedMemoryHeap;
	LPVOID lpReadOnlyStaticServerData;
	LPVOID lpAnsiCodePageData;
	LPVOID lpOemCodePageData;
	LPVOID lpUnicodeCaseTableData;
	DWORD dwNumberOfProcessors;
	DWORD dwNtGlobalFlag;
	LARGE_INTEGER liCriticalSectionTimeout;
	DWORD dwHeapSegmentReserve;
	DWORD dwHeapSegmentCommit;
	DWORD dwHeapDeCommitTotalFreeThreshold;
	DWORD dwHeapDeCommitFreeBlockThreshold;
	DWORD dwNumberOfHeaps;
	DWORD dwMaximumNumberOfHeaps;
	LPVOID lpProcessHeaps;
	LPVOID lpGdiSharedHandleTable;
	LPVOID lpProcessStarterHelper;
	DWORD dwGdiDCAttributeList;
	LPVOID lpLoaderLock;
	DWORD dwOSMajorVersion;
	DWORD dwOSMinorVersion;
	WORD wOSBuildNumber;
	WORD wOSCSDVersion;
	DWORD dwOSPlatformId;
	DWORD dwImageSubsystem;
	DWORD dwImageSubsystemMajorVersion;
	DWORD dwImageSubsystemMinorVersion;
	DWORD dwImageProcessAffinityMask;
	DWORD dwGdiHandleBuffer[34];
	LPVOID lpPostProcessInitRoutine;
	LPVOID lpTlsExpansionBitmap;
	DWORD dwTlsExpansionBitmapBits[32];
	DWORD dwSessionId;
	ULARGE_INTEGER liAppCompatFlags;
	ULARGE_INTEGER liAppCompatFlagsUser;
	LPVOID lppShimData;
	LPVOID lpAppCompatInfo;
	UNICODE_STR usCSDVersion;
	LPVOID lpActivationContextData;
	LPVOID lpProcessAssemblyStorageMap;
	LPVOID lpSystemDefaultActivationContextData;
	LPVOID lpSystemAssemblyStorageMap;
	DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;
195 |
// One 16-bit entry of a PE base-relocation block: the low 12 bits are the
// offset within the block's page, the high 4 bits the IMAGE_REL_BASED_* type
// (the ARM-specific types are defined near the top of this header).
typedef struct
{
	WORD offset : 12;
	WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
201 | //===============================================================================================//
202 | #endif
203 | //===============================================================================================//
204 |
205 |
--------------------------------------------------------------------------------
/Src/Recon-AD-LocalGroups/Recon-AD-LocalGroups/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 | #include
34 | #include
35 |
36 | #include "ReflectiveDLLInjection.h"
37 |
// Function-pointer types for the APIs the loader calls once it has located
// them (presumably resolved by hash in ReflectiveLoader.c, which is not part
// of this header).
typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);

// Precomputed ROR-13 hashes (see hash() below) of the module and export names
// the loader looks for. Defender note: this hashing scheme and these exact
// constants are public and serve as a well-known static signature for
// reflective loaders derived from this code.
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D

#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8

// ARM base-relocation types and the instruction masks/opcodes used to patch
// MOVW/MOVT immediate pairs.
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7

#define ARM_MOV_MASK (DWORD)(0xFBF08000)
#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
#define ARM_MOVW 0xF2400000
#define ARM_MOVT 0xF2C00000

// Rotate amount used by ror(); every *_HASH constant above depends on it.
#define HASH_KEY 13
60 | //===============================================================================================//
61 | #pragma intrinsic( _rotr )
62 |
// Rotate d right by HASH_KEY bits; the mixing step used by hash().
__forceinline DWORD ror(DWORD d)
{
	const DWORD rotated = _rotr(d, HASH_KEY);
	return rotated;
}
67 |
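// ROR-13 rolling hash of a NUL-terminated export name: for each character,
// rotate the accumulator right by HASH_KEY bits and add the character.
// `char` may be signed, so bytes >= 0x80 would sign-extend before the add;
// that does not matter for the ASCII export names this is compared against.
// Returns 0 for an empty string. The original do/while variant evaluated
// `*++c` after consuming the terminator of an empty string, i.e. it read one
// byte past the end of the buffer; the pre-checked loop below does not.
__forceinline DWORD hash(char * c)
{
	DWORD h = 0;
	while (*c)
	{
		h = ror(h);
		h += *c++;
	}
	return h;
}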
79 | //===============================================================================================//
// Local mirror of the native UNICODE_STRING: both lengths are byte counts and
// pBuffer is not guaranteed to be NUL-terminated.
typedef struct _UNICODE_STR
{
	USHORT Length;        // bytes in use, excluding any terminator
	USHORT MaximumLength; // bytes allocated for pBuffer
	PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
86 |
87 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
88 | //__declspec( align(8) )
// Partial mirror of ntdll's loader entry. Every offset is shifted back by one
// LIST_ENTRY because InLoadOrderLinks is deliberately omitted (see below): the
// loader walks InMemoryOrderModuleList, so a node pointer taken from that list
// lands directly on this struct.
typedef struct _LDR_DATA_TABLE_ENTRY
{
	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	PVOID DllBase;           // load address of the module
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STR FullDllName; // full path of the module
	UNICODE_STR BaseDllName; // file name only, e.g. "kernel32.dll"
	ULONG Flags;
	SHORT LoadCount;
	SHORT TlsIndex;
	LIST_ENTRY HashTableEntry;
	ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
105 |
106 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Mirror of ntdll!_PEB_LDR_DATA (see the WinDbg command above). The three
// LIST_ENTRY heads thread through the LDR_DATA_TABLE_ENTRY records in load,
// memory and initialization order respectively.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
	DWORD dwLength;
	DWORD dwInitialized;
	LPVOID lpSsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;          // the list this loader walks
	LIST_ENTRY InInitializationOrderModuleList;
	LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
117 |
118 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Singly linked free-block record reached through __PEB::pFreeList; presumably
// declared only so the PEB layout below keeps its documented size.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
	struct _PEB_FREE_BLOCK * pNext; // next block in the chain, or NULL
	DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
124 |
125 | // struct _PEB is defined in Winternl.h but it is incomplete
126 | // WinDbg> dt -v ntdll!_PEB
// Hand-written PEB layout for this loader. The WinDbg note reports 65 elements
// in 0x210 bytes, which together with the DWORD-wide counters matches a 32-bit
// layout. The member that matters is pLdr (the loader walks the module lists
// it points to, see the _LDR_DATA_TABLE_ENTRY comment); the remaining fields
// presumably exist to reproduce the native offsets.
// NOTE(review): the tail of the PEB varies between Windows versions, so only
// the leading members should be relied on -- verify before using later ones.
typedef struct __PEB // 65 elements, 0x210 bytes
{
	BYTE bInheritedAddressSpace;
	BYTE bReadImageFileExecOptions;
	BYTE bBeingDebugged;       // the flag IsDebuggerPresent() reports
	BYTE bSpareBool;
	LPVOID lpMutant;
	LPVOID lpImageBaseAddress; // base of the process's main image
	PPEB_LDR_DATA pLdr;        // loader data: heads of the module lists
	LPVOID lpProcessParameters;
	LPVOID lpSubSystemData;
	LPVOID lpProcessHeap;
	PRTL_CRITICAL_SECTION pFastPebLock;
	LPVOID lpFastPebLockRoutine;
	LPVOID lpFastPebUnlockRoutine;
	DWORD dwEnvironmentUpdateCount;
	LPVOID lpKernelCallbackTable;
	DWORD dwSystemReserved;
	DWORD dwAtlThunkSListPtr32;
	PPEB_FREE_BLOCK pFreeList;
	DWORD dwTlsExpansionCounter;
	LPVOID lpTlsBitmap;
	DWORD dwTlsBitmapBits[2];
	LPVOID lpReadOnlySharedMemoryBase;
	LPVOID lpReadOnlySharedMemoryHeap;
	LPVOID lpReadOnlyStaticServerData;
	LPVOID lpAnsiCodePageData;
	LPVOID lpOemCodePageData;
	LPVOID lpUnicodeCaseTableData;
	DWORD dwNumberOfProcessors;
	DWORD dwNtGlobalFlag;
	LARGE_INTEGER liCriticalSectionTimeout;
	DWORD dwHeapSegmentReserve;
	DWORD dwHeapSegmentCommit;
	DWORD dwHeapDeCommitTotalFreeThreshold;
	DWORD dwHeapDeCommitFreeBlockThreshold;
	DWORD dwNumberOfHeaps;
	DWORD dwMaximumNumberOfHeaps;
	LPVOID lpProcessHeaps;
	LPVOID lpGdiSharedHandleTable;
	LPVOID lpProcessStarterHelper;
	DWORD dwGdiDCAttributeList;
	LPVOID lpLoaderLock;
	DWORD dwOSMajorVersion;
	DWORD dwOSMinorVersion;
	WORD wOSBuildNumber;
	WORD wOSCSDVersion;
	DWORD dwOSPlatformId;
	DWORD dwImageSubsystem;
	DWORD dwImageSubsystemMajorVersion;
	DWORD dwImageSubsystemMinorVersion;
	DWORD dwImageProcessAffinityMask;
	DWORD dwGdiHandleBuffer[34];
	LPVOID lpPostProcessInitRoutine;
	LPVOID lpTlsExpansionBitmap;
	DWORD dwTlsExpansionBitmapBits[32];
	DWORD dwSessionId;
	ULARGE_INTEGER liAppCompatFlags;
	ULARGE_INTEGER liAppCompatFlagsUser;
	LPVOID lppShimData;
	LPVOID lpAppCompatInfo;
	UNICODE_STR usCSDVersion;
	LPVOID lpActivationContextData;
	LPVOID lpProcessAssemblyStorageMap;
	LPVOID lpSystemDefaultActivationContextData;
	LPVOID lpSystemAssemblyStorageMap;
	DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;
195 |
// One 16-bit entry of a PE base-relocation block: the low 12 bits are the
// offset within the block's page, the high 4 bits the IMAGE_REL_BASED_* type
// (the ARM-specific types are defined near the top of this header).
typedef struct
{
	WORD offset : 12;
	WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
201 | //===============================================================================================//
202 | #endif
203 | //===============================================================================================//
204 |
205 |
--------------------------------------------------------------------------------
/Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 | #include
34 | #include
35 |
36 | #include "ReflectiveDLLInjection.h"
37 |
// Function-pointer types for the APIs the loader calls once it has located
// them (presumably resolved by hash in ReflectiveLoader.c, which is not part
// of this header).
typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);

// Precomputed ROR-13 hashes (see hash() below) of the module and export names
// the loader looks for. Defender note: this hashing scheme and these exact
// constants are public and serve as a well-known static signature for
// reflective loaders derived from this code.
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D

#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8

// ARM base-relocation types and the instruction masks/opcodes used to patch
// MOVW/MOVT immediate pairs.
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7

#define ARM_MOV_MASK (DWORD)(0xFBF08000)
#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
#define ARM_MOVW 0xF2400000
#define ARM_MOVT 0xF2C00000

// Rotate amount used by ror(); every *_HASH constant above depends on it.
#define HASH_KEY 13
60 | //===============================================================================================//
61 | #pragma intrinsic( _rotr )
62 |
// Rotate d right by HASH_KEY bits; the mixing step used by hash().
__forceinline DWORD ror(DWORD d)
{
	const DWORD rotated = _rotr(d, HASH_KEY);
	return rotated;
}
67 |
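// ROR-13 rolling hash of a NUL-terminated export name: for each character,
// rotate the accumulator right by HASH_KEY bits and add the character.
// `char` may be signed, so bytes >= 0x80 would sign-extend before the add;
// that does not matter for the ASCII export names this is compared against.
// Returns 0 for an empty string. The original do/while variant evaluated
// `*++c` after consuming the terminator of an empty string, i.e. it read one
// byte past the end of the buffer; the pre-checked loop below does not.
__forceinline DWORD hash(char * c)
{
	DWORD h = 0;
	while (*c)
	{
		h = ror(h);
		h += *c++;
	}
	return h;
}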
79 | //===============================================================================================//
// Local mirror of the native UNICODE_STRING: both lengths are byte counts and
// pBuffer is not guaranteed to be NUL-terminated.
typedef struct _UNICODE_STR
{
	USHORT Length;        // bytes in use, excluding any terminator
	USHORT MaximumLength; // bytes allocated for pBuffer
	PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
86 |
87 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
88 | //__declspec( align(8) )
// Partial mirror of ntdll's loader entry. Every offset is shifted back by one
// LIST_ENTRY because InLoadOrderLinks is deliberately omitted (see below): the
// loader walks InMemoryOrderModuleList, so a node pointer taken from that list
// lands directly on this struct.
typedef struct _LDR_DATA_TABLE_ENTRY
{
	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	PVOID DllBase;           // load address of the module
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STR FullDllName; // full path of the module
	UNICODE_STR BaseDllName; // file name only, e.g. "kernel32.dll"
	ULONG Flags;
	SHORT LoadCount;
	SHORT TlsIndex;
	LIST_ENTRY HashTableEntry;
	ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
105 |
106 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Mirror of ntdll!_PEB_LDR_DATA (see the WinDbg command above). The three
// LIST_ENTRY heads thread through the LDR_DATA_TABLE_ENTRY records in load,
// memory and initialization order respectively.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
	DWORD dwLength;
	DWORD dwInitialized;
	LPVOID lpSsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;          // the list this loader walks
	LIST_ENTRY InInitializationOrderModuleList;
	LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
117 |
118 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Singly linked free-block record reached through __PEB::pFreeList; presumably
// declared only so the PEB layout below keeps its documented size.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
	struct _PEB_FREE_BLOCK * pNext; // next block in the chain, or NULL
	DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
124 |
125 | // struct _PEB is defined in Winternl.h but it is incomplete
126 | // WinDbg> dt -v ntdll!_PEB
// Hand-written PEB layout for this loader. The WinDbg note reports 65 elements
// in 0x210 bytes, which together with the DWORD-wide counters matches a 32-bit
// layout. The member that matters is pLdr (the loader walks the module lists
// it points to, see the _LDR_DATA_TABLE_ENTRY comment); the remaining fields
// presumably exist to reproduce the native offsets.
// NOTE(review): the tail of the PEB varies between Windows versions, so only
// the leading members should be relied on -- verify before using later ones.
typedef struct __PEB // 65 elements, 0x210 bytes
{
	BYTE bInheritedAddressSpace;
	BYTE bReadImageFileExecOptions;
	BYTE bBeingDebugged;       // the flag IsDebuggerPresent() reports
	BYTE bSpareBool;
	LPVOID lpMutant;
	LPVOID lpImageBaseAddress; // base of the process's main image
	PPEB_LDR_DATA pLdr;        // loader data: heads of the module lists
	LPVOID lpProcessParameters;
	LPVOID lpSubSystemData;
	LPVOID lpProcessHeap;
	PRTL_CRITICAL_SECTION pFastPebLock;
	LPVOID lpFastPebLockRoutine;
	LPVOID lpFastPebUnlockRoutine;
	DWORD dwEnvironmentUpdateCount;
	LPVOID lpKernelCallbackTable;
	DWORD dwSystemReserved;
	DWORD dwAtlThunkSListPtr32;
	PPEB_FREE_BLOCK pFreeList;
	DWORD dwTlsExpansionCounter;
	LPVOID lpTlsBitmap;
	DWORD dwTlsBitmapBits[2];
	LPVOID lpReadOnlySharedMemoryBase;
	LPVOID lpReadOnlySharedMemoryHeap;
	LPVOID lpReadOnlyStaticServerData;
	LPVOID lpAnsiCodePageData;
	LPVOID lpOemCodePageData;
	LPVOID lpUnicodeCaseTableData;
	DWORD dwNumberOfProcessors;
	DWORD dwNtGlobalFlag;
	LARGE_INTEGER liCriticalSectionTimeout;
	DWORD dwHeapSegmentReserve;
	DWORD dwHeapSegmentCommit;
	DWORD dwHeapDeCommitTotalFreeThreshold;
	DWORD dwHeapDeCommitFreeBlockThreshold;
	DWORD dwNumberOfHeaps;
	DWORD dwMaximumNumberOfHeaps;
	LPVOID lpProcessHeaps;
	LPVOID lpGdiSharedHandleTable;
	LPVOID lpProcessStarterHelper;
	DWORD dwGdiDCAttributeList;
	LPVOID lpLoaderLock;
	DWORD dwOSMajorVersion;
	DWORD dwOSMinorVersion;
	WORD wOSBuildNumber;
	WORD wOSCSDVersion;
	DWORD dwOSPlatformId;
	DWORD dwImageSubsystem;
	DWORD dwImageSubsystemMajorVersion;
	DWORD dwImageSubsystemMinorVersion;
	DWORD dwImageProcessAffinityMask;
	DWORD dwGdiHandleBuffer[34];
	LPVOID lpPostProcessInitRoutine;
	LPVOID lpTlsExpansionBitmap;
	DWORD dwTlsExpansionBitmapBits[32];
	DWORD dwSessionId;
	ULARGE_INTEGER liAppCompatFlags;
	ULARGE_INTEGER liAppCompatFlagsUser;
	LPVOID lppShimData;
	LPVOID lpAppCompatInfo;
	UNICODE_STR usCSDVersion;
	LPVOID lpActivationContextData;
	LPVOID lpProcessAssemblyStorageMap;
	LPVOID lpSystemDefaultActivationContextData;
	LPVOID lpSystemAssemblyStorageMap;
	DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;
195 |
// One fixup entry of a PE IMAGE_BASE_RELOCATION block: the low 12 bits are the
// offset of the fixup within the block's page, the high 4 bits the
// IMAGE_REL_BASED_* type. With MSVC's low-bit-first bit-field allocation the
// order below (offset, then type) matches the on-disk little-endian WORD.
typedef struct
{
	WORD offset : 12; // offset of the fixup inside the relocation block's page
	WORD type : 4;    // IMAGE_REL_BASED_* relocation type
} IMAGE_RELOC, *PIMAGE_RELOC;
201 | //===============================================================================================//
202 | #endif
203 | //===============================================================================================//
204 |
205 |
--------------------------------------------------------------------------------
/Outflank-Recon-AD/Recon-AD.cna:
--------------------------------------------------------------------------------
1 | #Recon-AD
2 | #author Cornelis de Plaa
3 | #@outflank.nl
4 |
5 | #Using Active Directory Service Interfaces (ADSI) to query Active Directory objects and corresponding attributes.
6 |
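#register help
#
# The argument forms documented here must agree with what the alias bodies below
# accept: the keyword that enumerates every object is the literal "all" (the alias
# bodies compare against "all", and their error messages say "or all"), and any
# other argument is inserted verbatim into the LDAP filter clause handed to the
# DLL, which is why "*" wildcards work.
beacon_command_register("Recon-AD-Domain", "Using Active Directory Domain Services to enumerate domain information.",
	"Using Active Directory Domain Services to enumerate domain information.\n\n" .
	"Synopsis: Recon-AD-Domain\n\n");

beacon_command_register("Recon-AD-Users", "Use ADSI to query Active Directory user objects and attributes.",
	"Use Active Directory Service Interfaces (ADSI) to query user objects and corresponding attributes.\n\n" .
	"Synopsis: Recon-AD-Users [username], to query a specific user object including attributes.\n" .
	" Recon-AD-Users [*admin*], to query for usernames containing admin.\n" .
	" Recon-AD-Users all, to query all user objects including attributes.\n");

beacon_command_register("Recon-AD-Computers", "Use ADSI to query Active Directory computer objects and attributes.",
	"Use Active Directory Service Interfaces (ADSI) to query computer objects and corresponding attributes.\n\n" .
	"Synopsis: Recon-AD-Computers [computername], to query a specific computer object including attributes.\n" .
	" Recon-AD-Computers [*dc*], to query for computernames containing dc.\n" .
	" Recon-AD-Computers all, to query all computer objects including attributes.\n");

beacon_command_register("Recon-AD-Groups", "Use ADSI to query Active Directory group objects and attributes.",
	"Use Active Directory Service Interfaces (ADSI) to query group objects and corresponding attributes.\n\n" .
	"Synopsis: Recon-AD-Groups [groupname], to query a specific group object including attributes.\n" .
	" Recon-AD-Groups [*admin*], to query for groupnames containing admin.\n" .
	" Recon-AD-Groups all, to query all group objects including attributes.\n");

beacon_command_register("Recon-AD-LocalGroups", "Use ADSI to query a computer for specific localgroups.",
	"Use Active Directory Service Interfaces (ADSI) to query a computer for specific localgroups (default Administrators group).\n\n" .
	"Synopsis: Recon-AD-LocalGroups [computername] [groupname], to query a specific computer and localgroup.\n");

beacon_command_register("Recon-AD-AllLocalGroups", "Use ADSI to query a computer for all localgroups.",
	"Use Active Directory Service Interfaces (ADSI) to query a computer for all localgroups.\n\n" .
	"Synopsis: Recon-AD-AllLocalGroups [computername], to query a specific computer for all localgroups.\n");

beacon_command_register("Recon-AD-SPNs", "Use ADSI to query Active Directory user objects with Service Principal Names (SPN) configured.",
	"Use Active Directory Service Interfaces (ADSI) to query user objects with Service Principal Names (SPN) configured.\n\n" .
	"Synopsis: Recon-AD-SPNs\n\n");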
41 |
42 |
# Enumerate domain information. Takes no arguments; the DLL is spawned with an
# empty parameter string and a 5 second wait, like every other alias in this file.
alias Recon-AD-Domain {
	blog($1, "Let's enumerate the domain\n");
	bdllspawn($1, script_resource("Recon-AD-Domain.dll"), "", "Recon-AD-Domain", 5000, false);
}
48 |
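# Query user objects.
#
# Argument: a sAMAccountName (LDAP "*" wildcards pass through) or the keyword
# "all". The keyword is matched case-insensitively, so the "All" spelling used in
# the registered help text works as well (the original compared with eq, which is
# case-sensitive, and would have searched for a user literally named "All").
# The DLL receives either an empty string (all users) or "(sAMAccountName=<arg>)";
# the argument is inserted verbatim, so an unbalanced parenthesis yields an
# invalid-filter error from the directory rather than a match.
alias Recon-AD-Users {
	$bid = $1;

	# Everything after "Recon-AD-Users " (15 characters) is the argument text;
	# only the first whitespace-separated token is used.
	$input = substr($0, 15);
	@args = split(' ', $input);
	$object = @args[0];

	if ($object eq "") {
		berror($bid, "Please specify a username or all.");
		return;
	}

	if (lc($object) eq "all") {
		blog($bid, "Let's enumerate all users\n");
		bdllspawn($bid, script_resource("Recon-AD-Users.dll"), "", "Recon-AD-Users", 5000, false);
		return;
	}

	$param = "(sAMAccountName=" . $object . ")";
	blog($bid, "Let's enumerate user " . $object . "\n");
	bdllspawn($bid, script_resource("Recon-AD-Users.dll"), $param, "Recon-AD-Users", 5000, false);
}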
71 |
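# Query computer objects.
#
# Argument: a computer cn (LDAP "*" wildcards pass through) or the keyword "all",
# matched case-insensitively so the "All" spelling in the help text works too
# (the original's case-sensitive eq would have searched for cn=All). The DLL
# receives an empty string (all computers) or "(cn=<arg>)", inserted verbatim.
# Uses $bid consistently for the spawn (the original mixed $bid and $1).
alias Recon-AD-Computers {
	$bid = $1;

	# Everything after "Recon-AD-Computers " (19 characters) is the argument text;
	# only the first whitespace-separated token is used.
	$input = substr($0, 19);
	@args = split(' ', $input);
	$object = @args[0];

	if ($object eq "") {
		berror($bid, "Please specify a computername or all.");
		return;
	}

	if (lc($object) eq "all") {
		blog($bid, "Let's enumerate all computers\n");
		bdllspawn($bid, script_resource("Recon-AD-Computers.dll"), "", "Recon-AD-Computers", 5000, false);
		return;
	}

	$param = "(cn=" . $object . ")";
	blog($bid, "Let's enumerate computer " . $object . "\n");
	bdllspawn($bid, script_resource("Recon-AD-Computers.dll"), $param, "Recon-AD-Computers", 5000, false);
}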
94 |
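# Query group objects.
#
# Argument: a group sAMAccountName, which may contain spaces ("Domain Admins"),
# or the keyword "all" (matched case-insensitively so the help text's "All"
# works). All whitespace-separated tokens after the command are rejoined with
# single spaces into one name, so there is no longer a six-word limit and no
# silent truncation beyond it. The name is inserted verbatim into
# "(sAMAccountName=<name>)"; "*" wildcards pass through to the directory.
#
# Fixes: the original blog() line was missing the "." before "\n" and printed
# the unused placeholder variables; the spawn now uses $bid like the rest.
alias Recon-AD-Groups {
	$bid = $1;

	# Everything after "Recon-AD-Groups " (16 characters) is the group name.
	@args = split(' ', substr($0, 16));
	$object = join(" ", @args);

	if ($object eq "") {
		berror($bid, "Please specify a groupname or all.");
		return;
	}

	if (lc($object) eq "all") {
		blog($bid, "Let's enumerate all groups\n");
		bdllspawn($bid, script_resource("Recon-AD-Groups.dll"), "", "Recon-AD-Groups", 5000, false);
		return;
	}

	$param = "(sAMAccountName=" . $object . ")";
	blog($bid, "Let's enumerate group " . $object . "\n");
	bdllspawn($bid, script_resource("Recon-AD-Groups.dll"), $param, "Recon-AD-Groups", 5000, false);
}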
138 |
# Enumerate every local group (and its members) on one computer.
#
# Argument: the computer name, handed to the DLL verbatim as its parameter string
# (the DLL builds a WinNT://<computer>,computer bind path from it).
alias Recon-AD-AllLocalGroups {
	$bid = $1;

	# Everything after "Recon-AD-AllLocalGroups " (24 characters); only the first
	# whitespace-separated token is used.
	@args = split(' ', substr($0, 24));
	$computer = @args[0];

	if ($computer eq "") {
		berror($bid, "Please specify a computername.");
		return;
	}

	blog($bid, "Let's enumerate computer " . $computer . " for localgroups\n");
	bdllspawn($bid, script_resource("Recon-AD-AllLocalGroups.dll"), $computer, "Recon-AD-AllLocalGroups", 5000, false);
}
157 |
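# Enumerate one local group on one computer.
#
# Arguments: the computer name, then an optional group name which may contain
# spaces. The DLL receives "<computer> <group name>" as a single string; when no
# group name is given it receives only the computer name (the registered help
# text documents Administrators as the default in that case). Previously at most
# three words of group name were accepted and extra words were silently dropped.
#
# Fixes: the original blog() line was missing the "." before "\n"; the spawn now
# uses $bid like the rest of the file.
alias Recon-AD-LocalGroups {
	$bid = $1;

	# Everything after "Recon-AD-LocalGroups " (21 characters).
	@args = split(' ', substr($0, 21));
	$computer = @args[0];

	if ($computer eq "") {
		berror($bid, "Please specify a computername and localgroup.");
		return;
	}

	$group = join(" ", sublist(@args, 1));
	$param = join(" ", @args);

	blog($bid, "Let's enumerate computer " . $computer . " for localgroup " . $group . "\n");
	bdllspawn($bid, script_resource("Recon-AD-LocalGroups.dll"), $param, "Recon-AD-LocalGroups", 5000, false);
}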
188 |
# Enumerate user objects that have a servicePrincipalName set. Takes no
# arguments. Note the clause is passed without surrounding parentheses, unlike
# the filters built by the other aliases; presumably the SPNs DLL wraps it
# itself (that DLL's source is not in view).
alias Recon-AD-SPNs {
	blog($1, "Let's enumerate all users with SPNs configured.\n");
	bdllspawn($1, script_resource("Recon-AD-SPNs.dll"), "servicePrincipalName=*", "Recon-AD-SPNs", 5000, false);
}
194 |
--------------------------------------------------------------------------------
/Src/Recon-AD-AllLocalGroups/Recon-AD-AllLocalGroups/ReflectiveDll.cpp:
--------------------------------------------------------------------------------
1 | #undef _UNICODE
2 | #define _UNICODE
3 | #undef UNICODE
4 | #define UNICODE
5 |
6 | #include "ReflectiveLoader.h"
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #pragma comment(lib, "ADSIid.lib")
14 | #pragma comment(lib, "ActiveDS.Lib")
15 |
16 | #define FETCH_NUM 100
17 |
18 | // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
19 | // defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
20 | // DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
21 |
22 | // You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)
23 | extern HINSTANCE hAppInstance;
24 |
25 |
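// Print the ADsPath of every member of the given group.
//
// Members are pulled from the group's IADsMembers collection in batches of
// FETCH_NUM via ADsEnumerateNext. Each returned VARIANT owns a reference on the
// member's IDispatch, so every element is VariantClear'ed after use (the original
// memset the array to zero instead, leaking those references for every batch).
// Elements that are not VT_DISPATCH, or whose IADs query / get_ADsPath fails,
// are skipped; the original dereferenced pdispVal without checking vt.
//
// Returns S_OK when the enumeration ran to completion (the enumerator's final
// S_FALSE is mapped to S_OK), E_POINTER for a NULL group, otherwise the first
// failing HRESULT of Members / get__NewEnum / QueryInterface / ADsEnumerateNext.
HRESULT PrintGroupObjectMembers(IADsGroup * pADsGroup)
{
	if (pADsGroup == NULL)
		return E_POINTER;

	HRESULT hr = S_OK;
	IADsMembers * pADsMembers = NULL;
	IUnknown * pUnknown = NULL;
	IEnumVARIANT * pEnumVariant = NULL;
	VARIANT VariantArray[FETCH_NUM];

	for (ULONG i = 0; i < FETCH_NUM; i++)
		VariantInit(&VariantArray[i]);

	hr = pADsGroup->Members(&pADsMembers);
	if (SUCCEEDED(hr))
	{
		// The enumerator comes back as an IUnknown and has to be queried for IEnumVARIANT.
		hr = pADsMembers->get__NewEnum(&pUnknown);
		if (SUCCEEDED(hr))
		{
			hr = pUnknown->QueryInterface(IID_IEnumVARIANT, (void **)&pEnumVariant);
			if (SUCCEEDED(hr))
			{
				BOOL fContinue = TRUE;
				while (fContinue)
				{
					ULONG ulElementsFetched = 0;
					hr = ADsEnumerateNext(pEnumVariant, FETCH_NUM, VariantArray, &ulElementsFetched);

					// S_FALSE with zero elements is the normal end of data.
					if (FAILED(hr) || ulElementsFetched == 0)
					{
						fContinue = FALSE;
						continue;
					}

					wprintf(L"[+] Members:\n");

					for (ULONG i = 0; i < ulElementsFetched; i++)
					{
						if (VariantArray[i].vt == VT_DISPATCH && VariantArray[i].pdispVal != NULL)
						{
							IADs * pIADsGroupMember = NULL;
							HRESULT hrMember = VariantArray[i].pdispVal->QueryInterface(IID_IADs, (VOID **)&pIADsGroupMember);
							if (SUCCEEDED(hrMember))
							{
								BSTR bstrPath = NULL;
								hrMember = pIADsGroupMember->get_ADsPath(&bstrPath);
								if (SUCCEEDED(hrMember) && bstrPath != NULL)
								{
									wprintf(L" %s\r\n", (LPCWSTR)bstrPath);
									SysFreeString(bstrPath);
								}
								pIADsGroupMember->Release();
							}
						}

						// Releases the IDispatch reference the enumerator handed us.
						VariantClear(&VariantArray[i]);
					}
				}
				pEnumVariant->Release();
			}
			pUnknown->Release();
		}
		pADsMembers->Release();
	}

	if (hr == S_FALSE)
		hr = S_OK;

	return hr;
}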
132 |
133 |
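// Bind to a computer through the WinNT provider and print every local group on
// it together with that group's members.
//
// pwszComputer: host name as supplied by the operator. It is inserted verbatim
// into "WinNT://<computer>,computer"; no validation is done, the bind simply
// fails for a bad name. The bind runs under the current token (no explicit
// credentials) with ADS_SECURE_AUTHENTICATION.
//
// Returns S_OK, or the HRESULT of the first failing ADSI call. Individual groups
// whose IADs / IADsGroup lookups fail are skipped rather than aborting the run.
static HRESULT EnumerateLocalGroups(LPCWSTR pwszComputer)
{
	IADsContainer * pIADsCont = NULL;

	CComBSTR sbstrBindingString(L"WinNT://");
	sbstrBindingString += pwszComputer;
	sbstrBindingString += L",computer";

	HRESULT hr = ADsOpenObject(sbstrBindingString,
		NULL,
		NULL,
		ADS_SECURE_AUTHENTICATION,
		IID_IADsContainer,
		(void**)&pIADsCont);
	if (FAILED(hr))
	{
		wprintf(L"[!] Could not bind to %s. HRESULT: %x\n", (LPCWSTR)sbstrBindingString, hr);
		return hr;
	}

	// Restrict the container enumeration to group objects.
	VARIANT vFilter;
	VariantInit(&vFilter);
	LPWSTR rgpwszFilter[] = { (LPWSTR)L"group" };

	hr = ADsBuildVarArrayStr(rgpwszFilter, 1, &vFilter);
	if (SUCCEEDED(hr))
		hr = pIADsCont->put_Filter(vFilter);

	IEnumVARIANT * pEnumVariant = NULL;
	if (SUCCEEDED(hr))
		hr = ADsBuildEnumerator(pIADsCont, &pEnumVariant);

	if (SUCCEEDED(hr) && pEnumVariant != NULL)
	{
		VARIANT Variant;
		VariantInit(&Variant);
		ULONG ulElementsFetched = 0;

		wprintf(L"--------------------------------------------------------------------\n");

		while (SUCCEEDED(ADsEnumerateNext(pEnumVariant, 1, &Variant, &ulElementsFetched))
			&& ulElementsFetched > 0)
		{
			if (Variant.vt == VT_DISPATCH && Variant.pdispVal != NULL)
			{
				IADs * pIADs = NULL;
				if (SUCCEEDED(Variant.pdispVal->QueryInterface(IID_IADs, (VOID**)&pIADs)))
				{
					// Separate CComBSTRs: the original reused one for get_Name and
					// get_ADsPath, leaking the first BSTR (and tripping CComBSTR's
					// operator& assert in debug builds).
					CComBSTR sbstrName;
					if (SUCCEEDED(pIADs->get_Name(&sbstrName)))
					{
						wprintf(L"[+] Group:\n");
						wprintf(L" %s\r\n", (LPCWSTR)sbstrName);
					}

					CComBSTR sbstrPath;
					if (SUCCEEDED(pIADs->get_ADsPath(&sbstrPath)))
					{
						IADsGroup * pGroup = NULL;
						if (SUCCEEDED(ADsGetObject(sbstrPath, IID_IADsGroup, (void**)&pGroup)))
						{
							PrintGroupObjectMembers(pGroup);
							pGroup->Release();
						}
					}

					wprintf(L"--------------------------------------------------------------------\n");
					pIADs->Release();
				}
			}
			VariantClear(&Variant);
		}

		pEnumVariant->Release();
	}

	VariantClear(&vFilter);
	pIADsCont->Release();
	return hr;
}

// Entry point invoked by the reflective loader.
//
// For DLL_PROCESS_ATTACH in the reflective-injection path, lpReserved carries the
// operator's argument string (ANSI): the name of the computer to enumerate.
// Output goes to stdout, is flushed, and the process is then terminated with
// ExitProcess — this DLL is launched through bdllspawn into a process whose only
// job is to print and exit, so it never returns to the loader after attach.
//
// The original computed strlen(lpReserved) at the top of DllMain for every
// reason code; lpReserved is NULL or not a string for ordinary loader calls
// (DLL_QUERY_HMODULE passes an HMODULE*), so that is now done only after the
// attach/NULL check. The argument is converted into an exactly-sized buffer
// instead of a fixed MAX_PATH*2 one, which removes the wcscpy_s
// invalid-parameter abort for long arguments.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
	BOOL bReturnValue = TRUE;

	switch (dwReason)
	{
	case DLL_QUERY_HMODULE:
		if (lpReserved != NULL)
			*(HMODULE *)lpReserved = hAppInstance;
		break;
	case DLL_PROCESS_ATTACH:
		hAppInstance = hinstDLL;

		if (lpReserved != NULL)
		{
			LPCSTR pszArgs = (LPCSTR)lpReserved;
			size_t cchArgs = strlen(pszArgs) + 1;
			LPWSTR pwszParams = (LPWSTR)calloc(cchArgs, sizeof(WCHAR));
			if (pwszParams != NULL)
			{
				size_t convertedChars = 0;
				mbstowcs_s(&convertedChars, pwszParams, cchArgs, pszArgs, _TRUNCATE);

				if (pwszParams[0] == L'\0')
				{
					wprintf(L"[!] No computer name specified.\n");
				}
				else
				{
					HRESULT hrCom = CoInitialize(NULL);
					if (FAILED(hrCom))
					{
						wprintf(L"[!] CoInitialize failed. HRESULT: %x\n", hrCom);
					}
					else
					{
						EnumerateLocalGroups(pwszParams);
						CoUninitialize();
					}
				}
				free(pwszParams);
			}
		}

		// Flush STDOUT
		fflush(stdout);

		// We're done, so let's exit
		ExitProcess(0);

		break;
	case DLL_PROCESS_DETACH:
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
		break;
	}
	return bReturnValue;
}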
288 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Computers/Recon-AD-Computers/ReflectiveDll.cpp:
--------------------------------------------------------------------------------
1 | #undef _UNICODE
2 | #define _UNICODE
3 | #undef UNICODE
4 | #define UNICODE
5 |
6 | #include "ReflectiveLoader.h"
7 | #include
8 | #include
9 | #include
10 | #include
11 |
12 | #pragma comment(lib, "ADSIid.lib")
13 | #pragma comment(lib, "ActiveDS.Lib")
14 |
15 | // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
16 | // defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
17 | // DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
18 |
19 | // You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)
20 | extern HINSTANCE hAppInstance;
21 |
22 |
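// Report how many wide characters of a maxAlloc-character buffer remain free after
// pszTarget (already in the buffer) is extended by toCopy characters of pszSource
// plus the terminating NUL.
//
// toCopy < 0 (default -1) means "all of pszSource". Callers treat a result > 0 as
// "fits". The arithmetic is done in size_t and clamped so an overlong source
// returns -1 directly; the original subtracted in unsigned arithmetic and relied
// on the wrap-around being truncated back to a negative int.
int IS_BUFFER_ENOUGH(UINT maxAlloc, LPWSTR pszTarget, LPCWSTR pszSource, int toCopy = -1) {
	size_t cchCopy = (toCopy < 0) ? wcslen(pszSource) : (size_t)toCopy;
	size_t cchNeeded = wcslen(pszTarget) + cchCopy + 1;

	if (cchNeeded > (size_t)maxAlloc)
		return -1;

	return (int)((size_t)maxAlloc - cchNeeded);
}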
30 |
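// Render a SYSTEMTIME through the OLE variant-date machinery (the same path the
// original used) and print it. Returns FALSE when either conversion fails, so the
// caller can report which attribute could not be rendered. The original ignored
// the VariantChangeType result; on failure varDate stays VT_DATE and bstrVal would
// be the raw double reinterpreted as a BSTR pointer.
static BOOL PrintVariantDate(const SYSTEMTIME &st)
{
	SYSTEMTIME stCopy = st;
	DATE date;
	if (SystemTimeToVariantTime(&stCopy, &date) == 0)
		return FALSE;

	VARIANT varDate;
	VariantInit(&varDate);
	varDate.vt = VT_DATE;
	varDate.date = date;
	if (FAILED(VariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR)))
	{
		VariantClear(&varDate);
		return FALSE;
	}

	wprintf(L" %s\r\n", varDate.bstrVal);
	VariantClear(&varDate);
	return TRUE;
}

// Print one LargeInteger value. A fixed set of attributes holds a FILETIME
// (100 ns intervals since 1601, UTC) and is rendered as local time; a low part of
// all ones is the directory's "never" sentinel for those. Every other attribute
// is printed as raw high/low parts. lastLogonTimestamp is added to the
// FILETIME set; the original only recognised the six attributes before it.
static void PrintLargeInteger(LPCWSTR pszAttrName, LARGE_INTEGER liValue)
{
	static const LPCWSTR rgTimeAttrs[] = {
		L"accountExpires",
		L"badPasswordTime",
		L"lastLogon",
		L"lastLogoff",
		L"lockoutTime",
		L"pwdLastSet",
		L"lastLogonTimestamp"
	};

	if (liValue.QuadPart == 0)
	{
		wprintf(L" No value set.\n");
		return;
	}

	BOOL fIsTime = FALSE;
	for (size_t i = 0; i < sizeof(rgTimeAttrs) / sizeof(rgTimeAttrs[0]); i++)
	{
		if (wcscmp(rgTimeAttrs[i], pszAttrName) == 0)
		{
			fIsTime = TRUE;
			break;
		}
	}

	if (!fIsTime)
	{
		// %u: the original used %d and rendered any part >= 2^31 as negative.
		wprintf(L" high: %u low: %u\r\n", (DWORD)liValue.HighPart, (DWORD)liValue.LowPart);
		return;
	}

	// Handle special case for Never Expires where low part is all ones.
	if (liValue.LowPart == 0xFFFFFFFF)
	{
		wprintf(L" Never Expires.\n");
		return;
	}

	FILETIME ftUtc;
	FILETIME ftLocal;
	SYSTEMTIME systemtime;
	ftUtc.dwLowDateTime = liValue.LowPart;
	ftUtc.dwHighDateTime = (DWORD)liValue.HighPart;

	if (FileTimeToLocalFileTime(&ftUtc, &ftLocal) == 0)
		wprintf(L" FileTimeToLocalFileTime failed\n");
	else if (FileTimeToSystemTime(&ftLocal, &systemtime) == 0)
		wprintf(L" FileTimeToSystemTime failed\n");
	else if (!PrintVariantDate(systemtime))
		wprintf(L" FileTimeToVariantTime failed\n");
}

// Print every value of one search column in a form appropriate to its ADSTYPE.
// Output formats are those of the original inline switch, with two corrections:
// the ConvertSidToStringSid result is checked (on failure szSID is left untouched,
// so the original would print and LocalFree garbage), and objectGUID blobs are
// length-checked before being read as a GUID.
static void PrintSearchColumn(const ADS_SEARCH_COLUMN &col)
{
	DWORD x = 0;

	switch (col.dwADsType)
	{
	case ADSTYPE_DN_STRING:
		for (x = 0; x < col.dwNumValues; x++)
			wprintf(L" %s\r\n", col.pADsValues[x].DNString);
		break;

	case ADSTYPE_CASE_EXACT_STRING:
	case ADSTYPE_CASE_IGNORE_STRING:
	case ADSTYPE_PRINTABLE_STRING:
	case ADSTYPE_NUMERIC_STRING:
	case ADSTYPE_TYPEDNAME:
	case ADSTYPE_FAXNUMBER:
	case ADSTYPE_PATH:
	case ADSTYPE_OBJECT_CLASS:
		for (x = 0; x < col.dwNumValues; x++)
			wprintf(L" %s\r\n", col.pADsValues[x].CaseIgnoreString);
		break;

	case ADSTYPE_BOOLEAN:
		for (x = 0; x < col.dwNumValues; x++)
			wprintf(L" %s\r\n", col.pADsValues[x].Boolean ? L"TRUE" : L"FALSE");
		break;

	case ADSTYPE_INTEGER:
		for (x = 0; x < col.dwNumValues; x++)
			wprintf(L" %d\r\n", col.pADsValues[x].Integer);
		break;

	case ADSTYPE_OCTET_STRING:
		if (_wcsicmp(col.pszAttrName, L"objectSID") == 0)
		{
			for (x = 0; x < col.dwNumValues; x++)
			{
				PSID pObjectSID = (PSID)(col.pADsValues[x].OctetString.lpValue);
				LPOLESTR szSID = NULL;
				if (pObjectSID != NULL && ConvertSidToStringSid(pObjectSID, &szSID))
				{
					wprintf(L" %s\r\n", szSID);
					LocalFree(szSID);
				}
				else
				{
					wprintf(L" [!] Could not convert objectSID.\n");
				}
			}
		}
		else if (_wcsicmp(col.pszAttrName, L"objectGUID") == 0)
		{
			for (x = 0; x < col.dwNumValues; x++)
			{
				if (col.pADsValues[x].OctetString.lpValue != NULL
					&& col.pADsValues[x].OctetString.dwLength >= sizeof(GUID))
				{
					WCHAR szDSGUID[39];
					LPGUID pObjectGUID = (LPGUID)(col.pADsValues[x].OctetString.lpValue);
					::StringFromGUID2(*pObjectGUID, szDSGUID, 39);
					wprintf(L" %s\r\n", szDSGUID);
				}
				else
				{
					wprintf(L" [!] objectGUID has an unexpected length.\n");
				}
			}
		}
		else
		{
			wprintf(L" Value of type Octet String. No Conversion.\n");
		}
		break;

	case ADSTYPE_UTC_TIME:
		for (x = 0; x < col.dwNumValues; x++)
		{
			if (!PrintVariantDate(col.pADsValues[x].UTCTime))
				wprintf(L"[!] Could not convert UTC-Time.\n");
		}
		break;

	case ADSTYPE_LARGE_INTEGER:
		for (x = 0; x < col.dwNumValues; x++)
			PrintLargeInteger(col.pszAttrName, col.pADsValues[x].LargeInteger);
		break;

	case ADSTYPE_NT_SECURITY_DESCRIPTOR:
		for (x = 0; x < col.dwNumValues; x++)
			wprintf(L" Security descriptor.\n");
		break;

	default:
		wprintf(L"[!] Unknown type %d.\n", col.dwADsType);
	}
}

// Search the given container (subtree) for computer objects and print every
// returned attribute of every hit.
//
// pContainerToSearch: IDirectorySearch for the naming context to search.
// szFilter: operator-supplied LDAP clause that is AND-ed verbatim with
//   "(objectCategory=computer)(objectClass=computer)". An empty string returns
//   all computers; "*" wildcards are intended; an unbalanced "(" makes the
//   server reject the filter (the caller maps 0x8007203e to a message).
// pszPropertiesToReturn / dwNumProperties: attributes to request, or NULL for
//   all. dwNumProperties defaults to 1, which is what the original effectively
//   passed (it used sizeof of a pointer variable, always 1).
//
// Returns S_OK, S_FALSE when the search ran but matched nothing, E_INVALIDARG
// when the combined filter does not fit the buffer (the original returned FALSE,
// which is 0 == S_OK and made the caller treat the abort as success), or the
// failing ADSI HRESULT. A failing GetNextRow now ends the loop instead of
// spinning; the original only stopped on S_ADS_NOMORE_ROWS.
HRESULT FindComputers(IDirectorySearch *pContainerToSearch, // IDirectorySearch pointer to the naming context to search.
	LPOLESTR szFilter,                  // Operator filter clause; empty string returns all computer objects.
	LPOLESTR *pszPropertiesToReturn,    // Properties to return. NULL returns all set properties.
	DWORD dwNumProperties = 1)          // Number of entries in pszPropertiesToReturn.
{
	if (!pContainerToSearch)
		return E_POINTER;
	if (!szFilter)
		szFilter = (LPOLESTR)L"";

	// Create search filter (stack buffer; no heap ownership to track)
	OLECHAR szSearchFilter[MAX_PATH * 2];
	wchar_t szFormat[] = L"(&(objectCategory=computer)(objectClass=computer)%s)";

	if (IS_BUFFER_ENOUGH(MAX_PATH * 2, szFormat, szFilter) <= 0)
	{
		wprintf(L"[!] The filter is too large for buffer, aborting...");
		return E_INVALIDARG;
	}
	swprintf_s(szSearchFilter, MAX_PATH * 2, szFormat, szFilter);

	// Search preferences: whole subtree, and paged results so a domain with more
	// computers than the server's MaxPageSize (1000 by default) is not silently
	// cut off after the first page when "all" is requested.
	ADS_SEARCHPREF_INFO SearchPrefs[2];
	SearchPrefs[0].dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
	SearchPrefs[0].vValue.dwType = ADSTYPE_INTEGER;
	SearchPrefs[0].vValue.Integer = ADS_SCOPE_SUBTREE;
	SearchPrefs[1].dwSearchPref = ADS_SEARCHPREF_PAGESIZE;
	SearchPrefs[1].vValue.dwType = ADSTYPE_INTEGER;
	SearchPrefs[1].vValue.Integer = 1000;

	HRESULT hr = pContainerToSearch->SetSearchPreference(SearchPrefs, 2);
	if (FAILED(hr))
		return hr;

	ADS_SEARCH_HANDLE hSearch = NULL;
	if (!pszPropertiesToReturn)
	{
		// -1 attributes == return all set properties.
		hr = pContainerToSearch->ExecuteSearch(szSearchFilter, NULL, -1L, &hSearch);
	}
	else
	{
		hr = pContainerToSearch->ExecuteSearch(szSearchFilter, pszPropertiesToReturn, dwNumProperties, &hSearch);
	}
	if (FAILED(hr))
		return hr;

	int iCount = 0;

	hr = pContainerToSearch->GetFirstRow(hSearch);
	while (SUCCEEDED(hr) && hr != S_ADS_NOMORE_ROWS)
	{
		iCount++;

		wprintf(L"--------------------------------------------------------------------\n");

		// GetNextColumnName returns S_OK per column, S_ADS_NOMORE_COLUMNS at the
		// end, or an error; only S_OK continues the column loop.
		LPOLESTR pszColumn = NULL;
		while (pContainerToSearch->GetNextColumnName(hSearch, &pszColumn) == S_OK)
		{
			ADS_SEARCH_COLUMN col;
			if (SUCCEEDED(pContainerToSearch->GetColumn(hSearch, pszColumn, &col)))
			{
				wprintf(L"[+] %s:\n", col.pszAttrName);
				PrintSearchColumn(col);
				pContainerToSearch->FreeColumn(&col);
			}
			CoTaskMemFree(pszColumn);
			pszColumn = NULL;
		}

		hr = pContainerToSearch->GetNextRow(hSearch);
	}

	pContainerToSearch->CloseSearchHandle(hSearch);

	if (SUCCEEDED(hr) && 0 == iCount)
		hr = S_FALSE;

	wprintf(L"--------------------------------------------------------------------\n");

	return hr;
}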
321 |
322 |
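// Bind to the current domain and run the computer search.
//
// Reads defaultNamingContext from LDAP://rootDSE under the current token
// (ADS_SECURE_AUTHENTICATION, no explicit credentials), binds IDirectorySearch to
// "LDAP://<that DN>" and hands pwszFilter to FindComputers. Every failure path
// prints a message; the HRESULT of the failing step (or FindComputers' result)
// is returned so the caller does not have to duplicate cleanup per branch, as the
// original DllMain did with its three separate ExitProcess paths.
static HRESULT SearchDomainComputers(LPCWSTR pwszFilter)
{
	IADs *pObject = NULL;
	HRESULT hr = ADsOpenObject(L"LDAP://rootDSE",
		NULL,
		NULL,
		ADS_SECURE_AUTHENTICATION, // Use Secure Authentication
		IID_IADs,
		(void**)&pObject);
	if (FAILED(hr))
	{
		wprintf(L"[!] Could not execute query. Could not bind to LDAP://rootDSE.\n");
		return hr;
	}

	VARIANT var;
	VariantInit(&var);
	hr = pObject->Get(L"defaultNamingContext", &var);
	if (FAILED(hr))
	{
		wprintf(L"[!] Could not read defaultNamingContext from LDAP://rootDSE.\n");
	}
	else
	{
		// Build path to the domain container.
		OLECHAR szPath[MAX_PATH];
		wcscpy_s(szPath, MAX_PATH, L"LDAP://");

		if (var.vt != VT_BSTR || var.bstrVal == NULL
			|| IS_BUFFER_ENOUGH(MAX_PATH, szPath, var.bstrVal) <= 0)
		{
			wprintf(L"[!] Buffer is too small for the domain DN");
			hr = E_INVALIDARG;
		}
		else
		{
			wcscat_s(szPath, MAX_PATH, var.bstrVal);

			IDirectorySearch *pContainerToSearch = NULL;
			hr = ADsOpenObject(szPath,
				NULL,
				NULL,
				ADS_SECURE_AUTHENTICATION, // Use Secure Authentication
				IID_IDirectorySearch,
				(void**)&pContainerToSearch);

			if (SUCCEEDED(hr))
			{
				hr = FindComputers(pContainerToSearch,
					(LPOLESTR)pwszFilter,
					NULL // Return all properties
				);
				if (SUCCEEDED(hr))
				{
					if (S_FALSE == hr)
						wprintf(L"[!] No computer object could be found.\n");
				}
				else if ((HRESULT)0x8007203e == hr)
					wprintf(L"[!] Could not execute query. An invalid filter was specified.\n");
				else
					wprintf(L"[!] Query failed to run. HRESULT: %x\n", hr);

				pContainerToSearch->Release();
			}
			else
			{
				wprintf(L"[!] Could not execute query. Could not bind to the container.\n");
			}
		}
	}

	VariantClear(&var);
	pObject->Release();
	return hr;
}

// Entry point invoked by the reflective loader.
//
// For DLL_PROCESS_ATTACH in the reflective-injection path, lpReserved carries the
// operator's argument string (ANSI): the LDAP filter clause, or an empty string
// for "all computers". Output goes to stdout, is flushed, and the process is then
// terminated with ExitProcess — this DLL is launched through bdllspawn into a
// process whose only job is to print and exit, so it never returns to the loader
// after attach.
//
// The original computed strlen(lpReserved) at the top of DllMain for every
// reason code; lpReserved is NULL or not a string for ordinary loader calls
// (DLL_QUERY_HMODULE passes an HMODULE*), so that is now done only after the
// attach/NULL check. The argument is converted into an exactly-sized buffer
// instead of being copied into a fixed MAX_PATH*2 one with wcscpy_s, which
// invoked the invalid-parameter handler (process killed, no output) for a long
// filter.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
	BOOL bReturnValue = TRUE;

	switch (dwReason)
	{
	case DLL_QUERY_HMODULE:
		if (lpReserved != NULL)
			*(HMODULE *)lpReserved = hAppInstance;
		break;
	case DLL_PROCESS_ATTACH:
		hAppInstance = hinstDLL;

		if (lpReserved != NULL)
		{
			LPCSTR pszArgs = (LPCSTR)lpReserved;
			size_t cchArgs = strlen(pszArgs) + 1;
			LPWSTR pwszParams = (LPWSTR)calloc(cchArgs, sizeof(WCHAR));
			if (pwszParams != NULL)
			{
				size_t convertedChars = 0;
				mbstowcs_s(&convertedChars, pwszParams, cchArgs, pszArgs, _TRUNCATE);

				HRESULT hrCom = CoInitialize(NULL);
				if (FAILED(hrCom))
				{
					wprintf(L"[!] CoInitialize failed. HRESULT: %x\n", hrCom);
				}
				else
				{
					SearchDomainComputers(pwszParams);
					CoUninitialize();
				}
				free(pwszParams);
			}
		}

		// Flush STDOUT
		fflush(stdout);

		// We're done, so let's exit
		ExitProcess(0);
		break;
	case DLL_PROCESS_DETACH:
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
		break;
	}
	return bReturnValue;
}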
457 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Groups/Recon-AD-Groups/ReflectiveDll.cpp:
--------------------------------------------------------------------------------
1 | #undef _UNICODE
2 | #define _UNICODE
3 | #undef UNICODE
4 | #define UNICODE
5 |
6 | #include "ReflectiveLoader.h"
7 | #include
8 | #include
9 | #include
10 | #include
11 |
12 | #pragma comment(lib, "ADSIid.lib")
13 | #pragma comment(lib, "ActiveDS.Lib")
14 |
15 | // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
16 | // defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
17 | // DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
18 |
19 | // You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)
20 | extern HINSTANCE hAppInstance;
21 |
22 |
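// Report how many wide characters of a maxAlloc-character buffer remain free after
// pszTarget (already in the buffer) is extended by toCopy characters of pszSource
// plus the terminating NUL.
//
// toCopy < 0 (default -1) means "all of pszSource". Callers treat a result > 0 as
// "fits". The arithmetic is done in size_t and clamped so an overlong source
// returns -1 directly; the original subtracted in unsigned arithmetic and relied
// on the wrap-around being truncated back to a negative int. Same helper as in
// the Recon-AD-Computers source; kept identical on purpose.
int IS_BUFFER_ENOUGH(UINT maxAlloc, LPWSTR pszTarget, LPCWSTR pszSource, int toCopy = -1) {
	size_t cchCopy = (toCopy < 0) ? wcslen(pszSource) : (size_t)toCopy;
	size_t cchNeeded = wcslen(pszTarget) + cchCopy + 1;

	if (cchNeeded > (size_t)maxAlloc)
		return -1;

	return (int)((size_t)maxAlloc - cchNeeded);
}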
30 |
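// Prints a VARIANT DATE as text (VariantChangeType to VT_BSTR) on one indented
// line, or an error line if the conversion fails. The original printed bstrVal
// without checking the conversion result.
static void PrintVariantDate(DATE date)
{
    VARIANT varDate;
    VariantInit(&varDate);
    varDate.vt = VT_DATE;
    varDate.date = date;
    if (SUCCEEDED(VariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR)))
        wprintf(L" %s\r\n", varDate.bstrVal);
    else
        wprintf(L"[!] Could not convert date to string.\n");
    VariantClear(&varDate);
}

// Prints one ADSTYPE_UTC_TIME value.
static void PrintUtcTimeValue(SYSTEMTIME systemtime)
{
    DATE date;
    if (SystemTimeToVariantTime(&systemtime, &date) != 0)
        PrintVariantDate(date);
    else
        wprintf(L"[!] Could not convert UTC-Time.\n");
}

// True for the LargeInteger attributes this tool treats as FILETIME values.
static bool IsFileTimeAttribute(LPCWSTR pszAttrName)
{
    static const LPCWSTR kTimeAttrs[] = {
        L"accountExpires", L"badPasswordTime", L"lastLogon",
        L"lastLogoff", L"lockoutTime", L"pwdLastSet"
    };
    for (size_t i = 0; i < sizeof(kTimeAttrs) / sizeof(kTimeAttrs[0]); i++)
    {
        if (wcscmp(kTimeAttrs[i], pszAttrName) == 0)
            return true;
    }
    return false;
}

// Prints one ADSTYPE_LARGE_INTEGER value. Attributes known to hold a FILETIME
// are converted to local time; anything else is printed as its raw halves.
static void PrintLargeIntegerValue(LPCWSTR pszAttrName, LARGE_INTEGER liValue)
{
    FILETIME filetime;
    filetime.dwLowDateTime = liValue.LowPart;
    filetime.dwHighDateTime = liValue.HighPart;

    if (filetime.dwHighDateTime == 0 && filetime.dwLowDateTime == 0)
    {
        wprintf(L" No value set.\n");
        return;
    }

    if (!IsFileTimeAttribute(pszAttrName))
    {
        // Print the LargeInteger (both halves are unsigned DWORDs).
        wprintf(L" high: %u low: %u\r\n", filetime.dwHighDateTime, filetime.dwLowDateTime);
        return;
    }

    // Handle special case for Never Expires where the low part is all ones.
    if (filetime.dwLowDateTime == 0xFFFFFFFF)
    {
        wprintf(L" Never Expires.\n");
        return;
    }

    SYSTEMTIME systemtime;
    DATE date;
    if (FileTimeToLocalFileTime(&filetime, &filetime) == 0)
    {
        wprintf(L" FileTimeToLocalFileTime failed\n");
        return;
    }
    if (FileTimeToSystemTime(&filetime, &systemtime) == 0)
    {
        wprintf(L" FileTimeToSystemTime failed\n");
        return;
    }
    if (SystemTimeToVariantTime(&systemtime, &date) == 0)
    {
        wprintf(L" FileTimeToVariantTime failed\n");
        return;
    }
    PrintVariantDate(date);
}

// Resolves a group member DN to its NT4 (DOMAIN\name) form via
// IADsNameTranslate. Falls back to printing the raw DN when the translation
// fails, so a member is never silently dropped from the output (the original
// printed nothing on failure and used an uninitialized BSTR).
static void PrintMemberDn(LPOLESTR pszDn)
{
    IADsNameTranslate *pNto = NULL;
    HRESULT hr = CoCreateInstance(CLSID_NameTranslate,
                                  NULL,
                                  CLSCTX_INPROC_SERVER,
                                  IID_IADsNameTranslate,
                                  (void**)&pNto);
    if (FAILED(hr))
    {
        wprintf(L" %s\r\n", pszDn);
        return;
    }

    BSTR bstr = NULL;
    hr = pNto->Set(ADS_NAME_TYPE_1779, pszDn);
    if (SUCCEEDED(hr))
        hr = pNto->Get(ADS_NAME_TYPE_NT4, &bstr);

    if (SUCCEEDED(hr) && bstr != NULL)
    {
        wprintf(L" %s\r\n", bstr);
        SysFreeString(bstr);
    }
    else
    {
        wprintf(L" %s\r\n", pszDn);
    }
    pNto->Release();
}

// Prints an ADSTYPE_OCTET_STRING column: objectSID and objectGUID are decoded,
// any other binary attribute is only announced.
static void PrintOctetStringColumn(const ADS_SEARCH_COLUMN &col)
{
    DWORD x;
    if (_wcsicmp(col.pszAttrName, L"objectSID") == 0)
    {
        for (x = 0; x < col.dwNumValues; x++)
        {
            LPOLESTR szSID = NULL;
            // Convert SID to string; ConvertSidToStringSid rejects malformed SIDs.
            if (ConvertSidToStringSid((PSID)col.pADsValues[x].OctetString.lpValue, &szSID))
            {
                wprintf(L" %s\r\n", szSID);
                LocalFree(szSID);
            }
            else
            {
                wprintf(L"[!] Could not convert objectSID.\n");
            }
        }
    }
    else if (_wcsicmp(col.pszAttrName, L"objectGUID") == 0)
    {
        // StringFromGUID2 needs 39 WCHARs: "{...}" plus the terminator.
        WCHAR szDSGUID[39];
        for (x = 0; x < col.dwNumValues; x++)
        {
            // Only dereference the value as a GUID when it is large enough to be one.
            if (col.pADsValues[x].OctetString.dwLength < sizeof(GUID))
            {
                wprintf(L"[!] objectGUID value is too short.\n");
                continue;
            }
            LPGUID pObjectGUID = (LPGUID)(col.pADsValues[x].OctetString.lpValue);
            if (::StringFromGUID2(*pObjectGUID, szDSGUID, 39) != 0)
                wprintf(L" %s\r\n", szDSGUID);
        }
    }
    else
    {
        wprintf(L" Value of type Octet String. No Conversion.\n");
    }
}

// Prints the attribute name and every value of one search column, dispatching
// on the ADSI data type.
static void PrintSearchColumn(const ADS_SEARCH_COLUMN &col)
{
    DWORD x;
    wprintf(L"[+] %s:\n", col.pszAttrName);
    switch (col.dwADsType)
    {
    case ADSTYPE_DN_STRING:
        for (x = 0; x < col.dwNumValues; x++)
        {
            // Group membership DNs are shown in NT4 form; other DNs verbatim.
            if (wcscmp(L"member", col.pszAttrName) == 0)
                PrintMemberDn(col.pADsValues[x].DNString);
            else
                wprintf(L" %s\r\n", col.pADsValues[x].DNString);
        }
        break;
    case ADSTYPE_CASE_EXACT_STRING:
    case ADSTYPE_CASE_IGNORE_STRING:
    case ADSTYPE_PRINTABLE_STRING:
    case ADSTYPE_NUMERIC_STRING:
    case ADSTYPE_TYPEDNAME:
    case ADSTYPE_FAXNUMBER:
    case ADSTYPE_PATH:
    case ADSTYPE_OBJECT_CLASS:
        for (x = 0; x < col.dwNumValues; x++)
            wprintf(L" %s\r\n", col.pADsValues[x].CaseIgnoreString);
        break;
    case ADSTYPE_BOOLEAN:
        for (x = 0; x < col.dwNumValues; x++)
            wprintf(L" %s\r\n", col.pADsValues[x].Boolean ? L"TRUE" : L"FALSE");
        break;
    case ADSTYPE_INTEGER:
        for (x = 0; x < col.dwNumValues; x++)
            wprintf(L" %d\r\n", col.pADsValues[x].Integer);
        break;
    case ADSTYPE_OCTET_STRING:
        PrintOctetStringColumn(col);
        break;
    case ADSTYPE_UTC_TIME:
        for (x = 0; x < col.dwNumValues; x++)
            PrintUtcTimeValue(col.pADsValues[x].UTCTime);
        break;
    case ADSTYPE_LARGE_INTEGER:
        for (x = 0; x < col.dwNumValues; x++)
            PrintLargeIntegerValue(col.pszAttrName, col.pADsValues[x].LargeInteger);
        break;
    case ADSTYPE_NT_SECURITY_DESCRIPTOR:
        for (x = 0; x < col.dwNumValues; x++)
            wprintf(L" Security descriptor.\n");
        break;
    default:
        wprintf(L"[!] Unknown type %d.\n", col.dwADsType);
    }
}

// Runs a subtree search for group objects below pContainerToSearch and prints
// every returned attribute of every match to stdout.
//
//   pContainerToSearch    - IDirectorySearch on the container to search.
//   szFilter              - extra LDAP filter clauses, spliced verbatim into
//                           "(&(objectCategory=group)%s)"; NULL or "" adds none.
//                           The string is caller-supplied and not escaped.
//   pszPropertiesToReturn - NULL to return all properties, otherwise a
//                           NULL-terminated array of attribute names (the
//                           original used sizeof on the pointer, i.e. always 1).
//
// Returns S_FALSE when the search succeeded but matched nothing, E_POINTER for a
// NULL container, E_INVALIDARG when the filter does not fit the buffer
// (the original returned FALSE, which is S_OK), or the failing ADSI HRESULT.
HRESULT FindGroups(IDirectorySearch *pContainerToSearch,
                   LPOLESTR szFilter,
                   LPOLESTR *pszPropertiesToReturn)
{
    if (!pContainerToSearch)
        return E_POINTER;

    // Never hand a NULL filter to wcslen() or a %s conversion.
    LPCWSTR pszUserFilter = szFilter ? szFilter : L"";
    const UINT cchFilter = MAX_PATH * 2;
    wchar_t szFormat[] = L"(&(objectCategory=group)%s)";

    // Check the buffer first (the "%s" in szFormat makes the check slightly conservative).
    if (IS_BUFFER_ENOUGH(cchFilter, szFormat, pszUserFilter) <= 0)
    {
        wprintf(L"[!] The filter is too large for buffer, aborting...");
        return E_INVALIDARG;
    }

    // Create search filter (operator new throws rather than returning NULL).
    LPOLESTR pszSearchFilter = new OLECHAR[cchFilter];
    swprintf_s(pszSearchFilter, cchFilter, szFormat, pszUserFilter);

    // Specify subtree search
    ADS_SEARCHPREF_INFO SearchPrefs;
    SearchPrefs.dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
    SearchPrefs.vValue.dwType = ADSTYPE_INTEGER;
    SearchPrefs.vValue.Integer = ADS_SCOPE_SUBTREE;

    HRESULT hr = pContainerToSearch->SetSearchPreference(&SearchPrefs, 1);
    if (FAILED(hr))
    {
        delete[] pszSearchFilter;
        return hr;
    }

    // Count the requested attributes; -1 with a NULL list means "all".
    DWORD dwNumProps = (DWORD)-1;
    if (pszPropertiesToReturn)
    {
        dwNumProps = 0;
        while (pszPropertiesToReturn[dwNumProps] != NULL)
            dwNumProps++;
    }

    ADS_SEARCH_HANDLE hSearch = NULL;
    hr = pContainerToSearch->ExecuteSearch(pszSearchFilter,
                                           pszPropertiesToReturn,
                                           dwNumProps,
                                           &hSearch);

    int iCount = 0;
    if (SUCCEEDED(hr))
    {
        hr = pContainerToSearch->GetFirstRow(hSearch);
        // Stop on S_ADS_NOMORE_ROWS *or* on an error; the original looped
        // forever if GetNextRow() failed.
        while (SUCCEEDED(hr) && hr != S_ADS_NOMORE_ROWS)
        {
            iCount++;
            wprintf(L"--------------------------------------------------------------------\n");

            // Walk the columns of this row; GetNextColumnName returns S_OK per column.
            LPOLESTR pszColumn = NULL;
            while (pContainerToSearch->GetNextColumnName(hSearch, &pszColumn) == S_OK)
            {
                ADS_SEARCH_COLUMN col;
                if (SUCCEEDED(pContainerToSearch->GetColumn(hSearch, pszColumn, &col)))
                {
                    PrintSearchColumn(col);
                    pContainerToSearch->FreeColumn(&col);
                }
                CoTaskMemFree(pszColumn);
                pszColumn = NULL;
            }

            hr = pContainerToSearch->GetNextRow(hSearch);
        }
        // Close the search handle to clean up
        pContainerToSearch->CloseSearchHandle(hSearch);
    }

    if (SUCCEEDED(hr) && 0 == iCount)
        hr = S_FALSE;

    wprintf(L"--------------------------------------------------------------------\n");

    delete[] pszSearchFilter;
    return hr;
}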
344 |
345 |
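// Converts the ANSI argument string to UTF-16, binds to the current domain's
// default naming context through rootDSE and runs FindGroups() with the
// argument as the extra filter. All failures are reported on stdout; the
// caller is responsible for flushing and exiting.
static void RunGroupsSearch(LPCSTR pszArgs)
{
    // Convert straight into a bounded buffer; the original copied an unbounded
    // heap string into MAX_PATH*2 with wcscpy_s, which aborts on overflow.
    WCHAR szFilter[MAX_PATH * 2];
    size_t convertedChars = 0;
    errno_t err = mbstowcs_s(&convertedChars, szFilter, MAX_PATH * 2, pszArgs, _TRUNCATE);
    if (err != 0)
    {
        // STRUNCATE: the argument did not fit; anything else is a conversion error.
        wprintf(L"[!] Could not convert the filter argument (error %d).\n", err);
        return;
    }

    // Initialize COM (S_FALSE = already initialized on this thread, still fine).
    HRESULT hr = CoInitialize(NULL);
    if (FAILED(hr))
    {
        wprintf(L"[!] CoInitialize failed. HRESULT: %x\n", hr);
        return;
    }

    // Get rootDSE and the current user's domain container DN.
    IADs *pObject = NULL;
    IDirectorySearch *pContainerToSearch = NULL;
    WCHAR szPath[MAX_PATH];
    VARIANT var;
    VariantInit(&var);

    hr = ADsOpenObject(L"LDAP://rootDSE",
                       NULL,
                       NULL,
                       ADS_SECURE_AUTHENTICATION, // Use Secure Authentication
                       IID_IADs,
                       (void**)&pObject);
    if (FAILED(hr))
    {
        wprintf(L"[!] Could not execute query. Could not bind to LDAP://rootDSE.\n");
    }
    else
    {
        hr = pObject->Get(L"defaultNamingContext", &var);
        if (FAILED(hr) || var.vt != VT_BSTR || var.bstrVal == NULL)
        {
            wprintf(L"[!] Could not read defaultNamingContext from LDAP://rootDSE.\n");
        }
        else
        {
            // Build path to the domain container.
            wcscpy_s(szPath, MAX_PATH, L"LDAP://");
            if (IS_BUFFER_ENOUGH(MAX_PATH, szPath, var.bstrVal) <= 0)
            {
                wprintf(L"[!] Buffer is too small for the domain DN");
            }
            else
            {
                wcscat_s(szPath, MAX_PATH, var.bstrVal);
                hr = ADsOpenObject(szPath,
                                   NULL,
                                   NULL,
                                   ADS_SECURE_AUTHENTICATION, // Use Secure Authentication
                                   IID_IDirectorySearch,
                                   (void**)&pContainerToSearch);
                if (FAILED(hr))
                {
                    wprintf(L"[!] Could not execute query. Could not bind to the container.\n");
                }
                else
                {
                    hr = FindGroups(pContainerToSearch, szFilter, NULL /* all properties */);
                    if (S_FALSE == hr)
                        wprintf(L"[!] No group object could be found.\n");
                    else if (0x8007203e == hr) // HRESULT_FROM_WIN32(ERROR_DS_FILTER_UNKNOWN)
                        wprintf(L"[!] Could not execute query. An invalid filter was specified.\n");
                    else if (FAILED(hr))
                        wprintf(L"[!] Query failed to run. HRESULT: %x\n", hr);
                    pContainerToSearch->Release();
                }
            }
        }
        VariantClear(&var);
        pObject->Release();
    }

    // Uninitialize COM
    CoUninitialize();
}

// Entry point of the reflectively loaded DLL (REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN).
//
// On DLL_PROCESS_ATTACH, lpReserved is interpreted as an ANSI string holding
// the operator's extra LDAP filter (presumably supplied by the reflective
// loader; the original code reads it the same way). The query runs, stdout is
// flushed and the host process is terminated with ExitProcess(0), so this
// function never returns from DLL_PROCESS_ATTACH.
//
// The original called strlen() on lpReserved unconditionally, before the
// reason switch, which reads through an HMODULE* for DLL_QUERY_HMODULE and
// faults on a NULL lpReserved; the argument is now only touched on attach.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
    BOOL bReturnValue = TRUE;

    switch (dwReason)
    {
    case DLL_QUERY_HMODULE:
        if (lpReserved != NULL)
            *(HMODULE *)lpReserved = hAppInstance;
        break;
    case DLL_PROCESS_ATTACH:
        hAppInstance = hinstDLL;

        if (lpReserved != NULL)
            RunGroupsSearch((LPCSTR)lpReserved);

        // Flush STDOUT
        fflush(stdout);

        // We're done, so let's exit
        ExitProcess(0);
        break;
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return bReturnValue;
}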
480 |
--------------------------------------------------------------------------------
/Src/Recon-AD-Users/Recon-AD-Users/ReflectiveDll.cpp:
--------------------------------------------------------------------------------
1 | #undef _UNICODE
2 | #define _UNICODE
3 | #undef UNICODE
4 | #define UNICODE
5 |
6 | #include "ReflectiveLoader.h"
7 | #include
8 | #include
9 | #include
10 | #include
11 |
12 | #pragma comment(lib, "ADSIid.lib")
13 | #pragma comment(lib, "ActiveDS.Lib")
14 |
15 | // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
16 | // defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
17 | // DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
18 |
19 | // You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)
20 | extern HINSTANCE hAppInstance;
21 |
22 |
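// Returns how many characters of a maxAlloc-sized wide buffer remain after
// appending toCopy characters of pszSource to the string already in pszTarget,
// counting the terminating NUL. A result <= 0 means the append would not fit.
//
//   maxAlloc  - capacity of the destination buffer, in WCHARs.
//   pszTarget - current (NUL-terminated) contents of the destination.
//   pszSource - string to append; NULL counts as an empty string.
//   toCopy    - number of characters to append, or a negative value (the
//               caller convention is -1) to mean "all of pszSource".
//
// The original computed UINT - size_t, which only yielded a negative result
// through unsigned wrap-around and dereferenced NULL sources; this version
// does the arithmetic in size_t and clamps to the int range explicitly.
int IS_BUFFER_ENOUGH(UINT maxAlloc, LPWSTR pszTarget, LPCWSTR pszSource, int toCopy = -1) {
    const size_t cchTarget = pszTarget ? wcslen(pszTarget) : 0;
    size_t cchSource;
    if (toCopy < 0)
        cchSource = pszSource ? wcslen(pszSource) : 0;
    else
        cchSource = (size_t)toCopy;

    // +1 for the terminator that the append has to leave room for.
    const size_t needed = cchTarget + cchSource + 1;
    const size_t intMax = 0x7fffffff;

    if (needed > (size_t)maxAlloc) {
        // Report the shortfall as a negative number, clamped so it stays negative
        // even for absurd sizes.
        const size_t shortfall = needed - maxAlloc;
        return shortfall > intMax ? -(int)intMax : -(int)shortfall;
    }

    const size_t remaining = (size_t)maxAlloc - needed;
    return remaining > intMax ? (int)intMax : (int)remaining;
}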
30 |
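// Prints a VARIANT DATE as text (VariantChangeType to VT_BSTR) on one indented
// line, or an error line if the conversion fails. The original printed bstrVal
// without checking the conversion result.
static void PrintVariantDate(DATE date)
{
    VARIANT varDate;
    VariantInit(&varDate);
    varDate.vt = VT_DATE;
    varDate.date = date;
    if (SUCCEEDED(VariantChangeType(&varDate, &varDate, VARIANT_NOVALUEPROP, VT_BSTR)))
        wprintf(L" %s\r\n", varDate.bstrVal);
    else
        wprintf(L"[!] Could not convert date to string.\n");
    VariantClear(&varDate);
}

// Prints one ADSTYPE_UTC_TIME value.
static void PrintUtcTimeValue(SYSTEMTIME systemtime)
{
    DATE date;
    if (SystemTimeToVariantTime(&systemtime, &date) != 0)
        PrintVariantDate(date);
    else
        wprintf(L"[!] Could not convert UTC-Time.\n");
}

// True for the LargeInteger attributes this tool treats as FILETIME values.
static bool IsFileTimeAttribute(LPCWSTR pszAttrName)
{
    static const LPCWSTR kTimeAttrs[] = {
        L"accountExpires", L"badPasswordTime", L"lastLogon",
        L"lastLogoff", L"lockoutTime", L"pwdLastSet"
    };
    for (size_t i = 0; i < sizeof(kTimeAttrs) / sizeof(kTimeAttrs[0]); i++)
    {
        if (wcscmp(kTimeAttrs[i], pszAttrName) == 0)
            return true;
    }
    return false;
}

// Prints one ADSTYPE_LARGE_INTEGER value. Attributes known to hold a FILETIME
// are converted to local time; anything else is printed as its raw halves.
static void PrintLargeIntegerValue(LPCWSTR pszAttrName, LARGE_INTEGER liValue)
{
    FILETIME filetime;
    filetime.dwLowDateTime = liValue.LowPart;
    filetime.dwHighDateTime = liValue.HighPart;

    if (filetime.dwHighDateTime == 0 && filetime.dwLowDateTime == 0)
    {
        wprintf(L" No value set.\n");
        return;
    }

    if (!IsFileTimeAttribute(pszAttrName))
    {
        // Print the LargeInteger (both halves are unsigned DWORDs).
        wprintf(L" high: %u low: %u\r\n", filetime.dwHighDateTime, filetime.dwLowDateTime);
        return;
    }

    // Handle special case for Never Expires where the low part is all ones.
    if (filetime.dwLowDateTime == 0xFFFFFFFF)
    {
        wprintf(L" Never Expires.\n");
        return;
    }

    SYSTEMTIME systemtime;
    DATE date;
    if (FileTimeToLocalFileTime(&filetime, &filetime) == 0)
    {
        wprintf(L" FileTimeToLocalFileTime failed\n");
        return;
    }
    if (FileTimeToSystemTime(&filetime, &systemtime) == 0)
    {
        wprintf(L" FileTimeToSystemTime failed\n");
        return;
    }
    if (SystemTimeToVariantTime(&systemtime, &date) == 0)
    {
        wprintf(L" FileTimeToVariantTime failed\n");
        return;
    }
    PrintVariantDate(date);
}

// Binds to the user object at pszADsPath through IADsUser and prints its
// password-expiration and account-disabled state. Each step reports its own
// failure; nothing here aborts the enclosing column loop (the original
// `break` on a failed get_PasswordExpirationDate skipped the remaining values).
static void PrintUserAccountInfo(LPCWSTR pszADsPath)
{
    IADsUser *pUser = NULL;
    HRESULT hr = ADsGetObject(pszADsPath, IID_IADsUser, (void**)&pUser);
    if (FAILED(hr))
    {
        wprintf(L"[!] Could not bind to user object. HRESULT: %x\n", hr);
        return;
    }

    DATE expirationDate = 0;
    hr = pUser->get_PasswordExpirationDate(&expirationDate);
    if (SUCCEEDED(hr))
    {
        SYSTEMTIME ExpirationDate;
        wprintf(L"[+] Password expire settings:\r\n");
        // Year 1970 is the "never expires" sentinel this tool recognises.
        if (VariantTimeToSystemTime(expirationDate, &ExpirationDate) == 0)
            wprintf(L"[!] Could not convert password expiration date.\n");
        else if (ExpirationDate.wYear == 1970)
            wprintf(L" password never expires\r\n");
        else
            wprintf(L" password expires at: %02d-%02d-%02d %02d:%02d:%02d\r\n",
                    ExpirationDate.wDay, ExpirationDate.wMonth, ExpirationDate.wYear,
                    ExpirationDate.wHour, ExpirationDate.wMinute, ExpirationDate.wSecond);
    }

    wprintf(L"[+] Account options:\r\n");
    VARIANT_BOOL fAccountDisabled = VARIANT_FALSE;
    hr = pUser->get_AccountDisabled(&fAccountDisabled);
    if (SUCCEEDED(hr))
    {
        if (fAccountDisabled != VARIANT_FALSE)
            wprintf(L" account disabled\r\n");
        else
            wprintf(L" account enabled\r\n");
    }

    pUser->Release();
}

// Prints an ADSTYPE_OCTET_STRING column: objectSID and objectGUID are decoded,
// any other binary attribute is only announced.
static void PrintOctetStringColumn(const ADS_SEARCH_COLUMN &col)
{
    DWORD x;
    if (_wcsicmp(col.pszAttrName, L"objectSID") == 0)
    {
        for (x = 0; x < col.dwNumValues; x++)
        {
            LPOLESTR szSID = NULL;
            // Convert SID to string; ConvertSidToStringSid rejects malformed SIDs.
            if (ConvertSidToStringSid((PSID)col.pADsValues[x].OctetString.lpValue, &szSID))
            {
                wprintf(L" %s\r\n", szSID);
                LocalFree(szSID);
            }
            else
            {
                wprintf(L"[!] Could not convert objectSID.\n");
            }
        }
    }
    else if (_wcsicmp(col.pszAttrName, L"objectGUID") == 0)
    {
        // StringFromGUID2 needs 39 WCHARs: "{...}" plus the terminator.
        WCHAR szDSGUID[39];
        for (x = 0; x < col.dwNumValues; x++)
        {
            // Only dereference the value as a GUID when it is large enough to be one.
            if (col.pADsValues[x].OctetString.dwLength < sizeof(GUID))
            {
                wprintf(L"[!] objectGUID value is too short.\n");
                continue;
            }
            LPGUID pObjectGUID = (LPGUID)(col.pADsValues[x].OctetString.lpValue);
            if (::StringFromGUID2(*pObjectGUID, szDSGUID, 39) != 0)
                wprintf(L" %s\r\n", szDSGUID);
        }
    }
    else
    {
        wprintf(L" Value of type Octet String. No Conversion.\n");
    }
}

// Prints the attribute name and every value of one search column, dispatching
// on the ADSI data type. For the ADsPath attribute the user object is also
// bound and its password/account state printed.
static void PrintSearchColumn(const ADS_SEARCH_COLUMN &col)
{
    DWORD x;
    wprintf(L"[+] %s:\n", col.pszAttrName);
    switch (col.dwADsType)
    {
    case ADSTYPE_DN_STRING:
        for (x = 0; x < col.dwNumValues; x++)
            wprintf(L" %s\r\n", col.pADsValues[x].DNString);
        break;
    case ADSTYPE_CASE_EXACT_STRING:
    case ADSTYPE_CASE_IGNORE_STRING:
    case ADSTYPE_PRINTABLE_STRING:
    case ADSTYPE_NUMERIC_STRING:
    case ADSTYPE_TYPEDNAME:
    case ADSTYPE_FAXNUMBER:
    case ADSTYPE_PATH:
    case ADSTYPE_OBJECT_CLASS:
        for (x = 0; x < col.dwNumValues; x++)
        {
            wprintf(L" %s\r\n", col.pADsValues[x].CaseIgnoreString);
            if (wcscmp(L"ADsPath", col.pszAttrName) == 0)
                PrintUserAccountInfo(col.pADsValues[x].CaseIgnoreString);
        }
        break;
    case ADSTYPE_BOOLEAN:
        for (x = 0; x < col.dwNumValues; x++)
            wprintf(L" %s\r\n", col.pADsValues[x].Boolean ? L"TRUE" : L"FALSE");
        break;
    case ADSTYPE_INTEGER:
        for (x = 0; x < col.dwNumValues; x++)
            wprintf(L" %d\r\n", col.pADsValues[x].Integer);
        break;
    case ADSTYPE_OCTET_STRING:
        PrintOctetStringColumn(col);
        break;
    case ADSTYPE_UTC_TIME:
        for (x = 0; x < col.dwNumValues; x++)
            PrintUtcTimeValue(col.pADsValues[x].UTCTime);
        break;
    case ADSTYPE_LARGE_INTEGER:
        for (x = 0; x < col.dwNumValues; x++)
            PrintLargeIntegerValue(col.pszAttrName, col.pADsValues[x].LargeInteger);
        break;
    case ADSTYPE_NT_SECURITY_DESCRIPTOR:
        for (x = 0; x < col.dwNumValues; x++)
            wprintf(L" Security descriptor.\n");
        break;
    default:
        wprintf(L"[!] Unknown type %d.\n", col.dwADsType);
    }
}

// Runs a subtree search for user objects below pContainerToSearch and prints
// every returned attribute of every match to stdout.
//
//   pContainerToSearch    - IDirectorySearch on the container to search.
//   szFilter              - extra LDAP filter clauses, spliced verbatim into
//                           "(&(objectClass=user)(objectCategory=person)%s)";
//                           NULL or "" adds none. The string is caller-supplied
//                           and not escaped.
//   pszPropertiesToReturn - NULL to return all properties, otherwise a
//                           NULL-terminated array of attribute names (the
//                           original used sizeof on the pointer, i.e. always 1).
//
// Returns S_FALSE when the search succeeded but matched nothing, E_POINTER for a
// NULL container, E_INVALIDARG when the filter does not fit the buffer
// (the original returned FALSE, which is S_OK), or the failing ADSI HRESULT.
HRESULT FindUsers(IDirectorySearch *pContainerToSearch,
                  LPOLESTR szFilter,
                  LPOLESTR *pszPropertiesToReturn)
{
    if (!pContainerToSearch)
        return E_POINTER;

    // Never hand a NULL filter to wcslen() or a %s conversion.
    LPCWSTR pszUserFilter = szFilter ? szFilter : L"";
    const UINT cchFilter = MAX_PATH * 2;
    wchar_t szFormat[] = L"(&(objectClass=user)(objectCategory=person)%s)";

    // Check the buffer first (the "%s" in szFormat makes the check slightly conservative).
    if (IS_BUFFER_ENOUGH(cchFilter, szFormat, pszUserFilter) <= 0)
    {
        wprintf(L"[!] The filter is too large for buffer, aborting...");
        return E_INVALIDARG;
    }

    // Create search filter (operator new throws rather than returning NULL).
    LPOLESTR pszSearchFilter = new OLECHAR[cchFilter];
    swprintf_s(pszSearchFilter, cchFilter, szFormat, pszUserFilter);

    // Specify subtree search
    ADS_SEARCHPREF_INFO SearchPrefs;
    SearchPrefs.dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
    SearchPrefs.vValue.dwType = ADSTYPE_INTEGER;
    SearchPrefs.vValue.Integer = ADS_SCOPE_SUBTREE;

    HRESULT hr = pContainerToSearch->SetSearchPreference(&SearchPrefs, 1);
    if (FAILED(hr))
    {
        delete[] pszSearchFilter;
        return hr;
    }

    // Count the requested attributes; -1 with a NULL list means "all".
    DWORD dwNumProps = (DWORD)-1;
    if (pszPropertiesToReturn)
    {
        dwNumProps = 0;
        while (pszPropertiesToReturn[dwNumProps] != NULL)
            dwNumProps++;
    }

    ADS_SEARCH_HANDLE hSearch = NULL;
    hr = pContainerToSearch->ExecuteSearch(pszSearchFilter,
                                           pszPropertiesToReturn,
                                           dwNumProps,
                                           &hSearch);

    int iCount = 0;
    if (SUCCEEDED(hr))
    {
        hr = pContainerToSearch->GetFirstRow(hSearch);
        // Stop on S_ADS_NOMORE_ROWS *or* on an error; the original looped
        // forever if GetNextRow() failed.
        while (SUCCEEDED(hr) && hr != S_ADS_NOMORE_ROWS)
        {
            iCount++;
            wprintf(L"--------------------------------------------------------------------\n");

            // Walk the columns of this row; GetNextColumnName returns S_OK per column.
            LPOLESTR pszColumn = NULL;
            while (pContainerToSearch->GetNextColumnName(hSearch, &pszColumn) == S_OK)
            {
                ADS_SEARCH_COLUMN col;
                if (SUCCEEDED(pContainerToSearch->GetColumn(hSearch, pszColumn, &col)))
                {
                    PrintSearchColumn(col);
                    pContainerToSearch->FreeColumn(&col);
                }
                CoTaskMemFree(pszColumn);
                pszColumn = NULL;
            }

            hr = pContainerToSearch->GetNextRow(hSearch);
        }
        // Close the search handle to clean up
        pContainerToSearch->CloseSearchHandle(hSearch);
    }

    if (SUCCEEDED(hr) && 0 == iCount)
        hr = S_FALSE;

    wprintf(L"--------------------------------------------------------------------\n");

    delete[] pszSearchFilter;
    return hr;
}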
362 |
363 |
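// Converts the ANSI argument string to UTF-16, binds to the current domain's
// default naming context through rootDSE and runs FindUsers() with the
// argument as the extra filter. All failures are reported on stdout; the
// caller is responsible for flushing and exiting.
static void RunUsersSearch(LPCSTR pszArgs)
{
    // Convert straight into a bounded buffer; the original copied an unbounded
    // heap string into MAX_PATH*2 with wcscpy_s, which aborts on overflow.
    WCHAR szFilter[MAX_PATH * 2];
    size_t convertedChars = 0;
    errno_t err = mbstowcs_s(&convertedChars, szFilter, MAX_PATH * 2, pszArgs, _TRUNCATE);
    if (err != 0)
    {
        // STRUNCATE: the argument did not fit; anything else is a conversion error.
        wprintf(L"[!] Could not convert the filter argument (error %d).\n", err);
        return;
    }

    // Initialize COM (S_FALSE = already initialized on this thread, still fine).
    HRESULT hr = CoInitialize(NULL);
    if (FAILED(hr))
    {
        wprintf(L"[!] CoInitialize failed. HRESULT: %x\n", hr);
        return;
    }

    // Get rootDSE and the current user's domain container DN.
    IADs *pObject = NULL;
    IDirectorySearch *pContainerToSearch = NULL;
    WCHAR szPath[MAX_PATH];
    VARIANT var;
    VariantInit(&var);

    hr = ADsOpenObject(L"LDAP://rootDSE",
                       NULL,
                       NULL,
                       ADS_SECURE_AUTHENTICATION, // Use Secure Authentication
                       IID_IADs,
                       (void**)&pObject);
    if (FAILED(hr))
    {
        wprintf(L"[!] Could not execute query. Could not bind to LDAP://rootDSE.\n");
    }
    else
    {
        hr = pObject->Get(L"defaultNamingContext", &var);
        if (FAILED(hr) || var.vt != VT_BSTR || var.bstrVal == NULL)
        {
            wprintf(L"[!] Could not read defaultNamingContext from LDAP://rootDSE.\n");
        }
        else
        {
            // Build path to the domain container.
            wcscpy_s(szPath, MAX_PATH, L"LDAP://");
            if (IS_BUFFER_ENOUGH(MAX_PATH, szPath, var.bstrVal) <= 0)
            {
                wprintf(L"[!] Buffer is too small for the domain DN");
            }
            else
            {
                wcscat_s(szPath, MAX_PATH, var.bstrVal);
                hr = ADsOpenObject(szPath,
                                   NULL,
                                   NULL,
                                   ADS_SECURE_AUTHENTICATION, // Use Secure Authentication
                                   IID_IDirectorySearch,
                                   (void**)&pContainerToSearch);
                if (FAILED(hr))
                {
                    wprintf(L"[!] Could not execute query. Could not bind to the container.\n");
                }
                else
                {
                    hr = FindUsers(pContainerToSearch, szFilter, NULL /* all properties */);
                    if (S_FALSE == hr)
                        wprintf(L"[!] No user object could be found.\n");
                    else if (0x8007203e == hr) // HRESULT_FROM_WIN32(ERROR_DS_FILTER_UNKNOWN)
                        wprintf(L"[!] Could not execute query. An invalid filter was specified.\n");
                    else if (FAILED(hr))
                        wprintf(L"[!] Query failed to run. HRESULT: %x\n", hr);
                    pContainerToSearch->Release();
                }
            }
        }
        VariantClear(&var);
        pObject->Release();
    }

    // Uninitialize COM
    CoUninitialize();
}

// Entry point of the reflectively loaded DLL (REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN).
//
// On DLL_PROCESS_ATTACH, lpReserved is interpreted as an ANSI string holding
// the operator's extra LDAP filter (presumably supplied by the reflective
// loader; the original code reads it the same way). The query runs, stdout is
// flushed and the host process is terminated with ExitProcess(0), so this
// function never returns from DLL_PROCESS_ATTACH.
//
// The original called strlen() on lpReserved unconditionally, before the
// reason switch, which reads through an HMODULE* for DLL_QUERY_HMODULE and
// faults on a NULL lpReserved; the argument is now only touched on attach.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
    BOOL bReturnValue = TRUE;

    switch (dwReason)
    {
    case DLL_QUERY_HMODULE:
        if (lpReserved != NULL)
            *(HMODULE *)lpReserved = hAppInstance;
        break;
    case DLL_PROCESS_ATTACH:
        hAppInstance = hinstDLL;

        if (lpReserved != NULL)
            RunUsersSearch((LPCSTR)lpReserved);

        // Flush STDOUT
        fflush(stdout);

        // We're done, so let's exit
        ExitProcess(0);
        break;
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return bReturnValue;
}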
498 |
--------------------------------------------------------------------------------