ropnop / go-windapsearch

Utility to enumerate users, groups and computers from a Windows domain through LDAP queries

License: BSD 3-Clause "New" or "Revised" License

Go 98.98% Python 1.02%

go-windapsearch's People

Contributors: ropnop

go-windapsearch's Issues

Have an option to output JSONL instead of JSON

@ropnop,

JSONL (JSON lines) is often more convenient to parse instead of a regular JSON structure.

I know it is quite easy to convert JSON to JSONL, by piping jq -c '.[]' after the windapsearch command, but relying on an external program (which is not installed by default) and having to type a longer command (prone to error) is not convenient.

Cheers!

Backslash format for username does not work

Hello dear @ropnop,

Thanks for making a Go program for windapsearch!

As I am trying to use it, I saw a bug related to the parsing of the "username" parameter:

  • The backslash input format is not parsed correctly, so the connection fails:
$ ./windapsearch-linux-amd64 --debug --dc 1.2.3.4 -u "adyolo\user1" -m users
INFO[2022-06-04T14:35:15+02:00] Saving output to STDOUT                       package=windapsearch
Password for [user1@]: 

In this example, the user should be "adyolo\user1", not "user1".

I had to specify it like this to make it work, by using the at-sign (@) notation:

$ ./windapsearch-linux-amd64 --debug --dc 1.2.3.4 -u "user1@adyolo" -m users
INFO[2022-06-04T14:42:25+02:00] Saving output to STDOUT                       package=windapsearch
Password for [user1@adyolo]: 

FYI, none of these attempts worked either:

-u 'adyolo\user1'
-u adyolo\user1
-u adyolo\\user1

Cheers!

Unable to run multiple modules in the same command

Hi, in the Python version of windapsearch I was able to run multiple modules at once (e.g. unconstrained user-spns privileged-users domain-admins). I tried it with the Go version and it seems that if you specify multiple modules, it only takes into account the first one. Am I doing something wrong?

Thanks!

Keep specified attribute ordering with '--attrs' when outputting to JSON

@ropnop, here's a tiny feature request: could it be possible to keep, in the output JSON file, the ordering of the attributes specified with the --attrs option?

More precisely:

  • Here, I asked for specific attributes, in a specific order, which is honored by standard output ("dn" comes before "cn"):
$ ./windapsearch-linux-amd64 --dc 1.2.3.4 -u "user1@adyolo" -p "password" -m users --attrs dn,cn
dn: CN=foo,CN=bar,DC=ADYOLO,DC=SWAG
cn: user1
  • But with JSON output, the requested order is not kept: "cn" is printed before "dn" (which is the regular JSON order), but I wanted "dn" before "cn":
$ ./windapsearch-linux-amd64 --dc 1.2.3.4 -u "user1@adyolo" -p "password" -m users --attrs dn,cn -j
[{"cn":"user1","dn":"CN=foo,CN=bar,DC=ADYOLO,DC=SWAG"}
...

Cheers!
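Both of the requests above (JSON Lines output, asked for in the first issue on this page, and honouring the --attrs order in the JSON output) come down to the same thing: not letting encoding/json decide the shape of the output, since it sorts map keys alphabetically and always emits a single array. The following is an added example written for this page, not code from go-windapsearch; the Entry type and the sample results are constructed stand-ins for LDAP search entries. It writes one JSON object per line with keys in the order the caller asked for, rendering single-valued attributes as strings and multi-valued ones as arrays.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Entry is a constructed stand-in for one LDAP search result (attribute name
// to values); it is not go-windapsearch's own type.
type Entry map[string][]string

// marshalOrdered serialises one entry as a JSON object whose keys follow
// `order` (the --attrs order). encoding/json sorts map keys alphabetically,
// which is why "cn" lands before "dn" in the issue above; emitting the object
// by hand keeps the caller's order. Attributes the entry lacks are skipped;
// single-valued attributes become strings, multi-valued ones arrays.
func marshalOrdered(order []string, e Entry) ([]byte, error) {
	var buf bytes.Buffer
	buf.WriteByte('{')
	first := true
	for _, name := range order {
		vals, ok := e[name]
		if !ok {
			continue
		}
		if !first {
			buf.WriteByte(',')
		}
		first = false
		key, err := json.Marshal(name) // JSON-escape the key rather than trusting it
		if err != nil {
			return nil, err
		}
		var val []byte
		if len(vals) == 1 {
			val, err = json.Marshal(vals[0])
		} else {
			val, err = json.Marshal(vals)
		}
		if err != nil {
			return nil, err
		}
		buf.Write(key)
		buf.WriteByte(':')
		buf.Write(val)
	}
	buf.WriteByte('}')
	return buf.Bytes(), nil
}

// toJSONL renders entries as JSON Lines: one ordered object per line and no
// enclosing array, so consumers can stream it without piping through jq.
func toJSONL(order []string, entries []Entry) (string, error) {
	var buf bytes.Buffer
	for _, e := range entries {
		line, err := marshalOrdered(order, e)
		if err != nil {
			return "", err
		}
		buf.Write(line)
		buf.WriteByte('\n')
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample results shaped like the output quoted in the issue.
	entries := []Entry{
		{"dn": {"CN=foo,CN=bar,DC=ADYOLO,DC=SWAG"}, "cn": {"user1"}},
		{"dn": {"CN=svc,CN=Users,DC=ADYOLO,DC=SWAG"}, "cn": {"svc"},
			"memberOf": {"CN=A,DC=ADYOLO,DC=SWAG", "CN=B,DC=ADYOLO,DC=SWAG"}},
	}
	out, err := toJSONL([]string{"dn", "cn", "memberOf"}, entries)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Each line is still a complete, valid JSON object, so existing consumers can parse a line at a time; only the enclosing array is gone and the key order now follows --attrs.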

Feature Request: Include All module

Include an All module to perform a full dump of the AD, running all the modules in one option.

Example of the scripting done at the moment to perform a full dump:

#!/bin/bash
# Run every go-windapsearch module in turn and write each result to its own JSON file.
for i in admin-objects computers dns-names dns-zones domain-admins gpos groups members metadata privileged-users unconstrained user-spns users; do
	echo "[+] Enumerating $i"
	/opt/Windows_Exploitation/Active-Directory/go-windapsearch/windapsearch --full -d megabank.local -m "$i" -j -o "$i.json"
done

Issues with proxychains

Seems it doesn't want to work well with proxychains, honestly don't know if this is a go thing but the python version of windapsearch works perfectly fine.

Running windapsearch from within a Go program - arguments not crossing over properly

I'm trying to run windapsearch from within another Go program.

I am using cmd:
cmd := exec.Command("<path to windapsearch>", "-d"+dc, "-u"+username, "-p"+password, "-j", "-ousers.json", "-musers", "--attrs givenName,sn,userPrincipalName,Department", "--filter (!(userAccountControl:1.2.840.113556.1.4.803:=2))")
fmt.Println(cmd)

For some reason, when I run this within Go, fmt.Println(cmd) shows that the correct string was transferred as the command:
C:\Scripts\Go\Test\os-cmd\windapsearch.exe -d'dc' -u'username' -p'password' -j -ousers.json -musers --attrs givenName,sn,userPrincipalName,Department --filter (!(userAccountControl:1.2.840.113556.1.4.803:=2))

Neither the filter nor the attribute selection is being applied; however, the output is going to the correct file.

When I run the same command as it is output by fmt directly in cmd everything works perfectly. Any ideas?
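What the issue above runs into is how exec.Command builds argv: it never splits on spaces, so "--attrs givenName,..." and "--filter (...)" each reach the child as a single argument, while cmd.String() joins argv with spaces for display and hides the difference. The example below is added here for illustration and is not go-windapsearch's code. It contrasts the construction from the issue with one that passes every flag and value as its own argument, and adds a small check that flags argv elements containing whitespace. Host, user, password and the "windapsearch" binary name are constructed placeholders; the command is built but not executed.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// Constructed values for the example; none of these are real hosts or credentials.
const (
	dcHost   = "dc01.lab.local"
	username = "user1"
	password = "P@ssw0rd!"
	attrs    = "givenName,sn,userPrincipalName,Department"
	// LDAP_MATCHING_RULE_BIT_AND on userAccountControl; bit 2 is ACCOUNTDISABLE,
	// so this filter keeps only enabled accounts.
	filter = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
)

// brokenArgs mirrors the construction in the issue above. exec.Command never
// splits on spaces, so "--attrs givenName,..." reaches the child as ONE argv
// element: a flag literally named "--attrs givenName,...", not "--attrs"
// followed by a value. The same happens to "--filter (...)".
func brokenArgs() []string {
	return []string{
		"-d" + dcHost, "-u" + username, "-p" + password,
		"-j", "-ousers.json", "-musers",
		"--attrs " + attrs,
		"--filter " + filter,
	}
}

// fixedArgs passes each flag and each value as its own argv element, which is
// exactly the split a shell performs before starting the program.
func fixedArgs() []string {
	return []string{
		"-d", dcHost,
		"-u", username,
		"-p", password,
		"-j",
		"-o", "users.json",
		"-m", "users",
		"--attrs", attrs,
		"--filter", filter,
	}
}

// suspiciousArgs returns the argv elements that contain whitespace, a reliable
// sign that a shell-style string was pasted into exec.Command.
func suspiciousArgs(args []string) []string {
	var bad []string
	for _, a := range args {
		if strings.ContainsAny(a, " \t") {
			bad = append(bad, a)
		}
	}
	return bad
}

func main() {
	// "windapsearch" is assumed to be on PATH; the command is built, not run.
	for _, v := range []struct {
		name string
		args []string
	}{{"broken", brokenArgs()}, {"fixed", fixedArgs()}} {
		cmd := exec.Command("windapsearch", v.args...)
		fmt.Printf("%s as printed by fmt.Println(cmd): %s\n", v.name, cmd) // looks the same either way
		fmt.Printf("%s real argv: %q\n", v.name, cmd.Args)                   // shows the real boundaries
		fmt.Printf("%s args with whitespace: %q\n\n", v.name, suspiciousArgs(v.args))
	}
}
```

Printing cmd.Args with %q is the quickest way to see what the child will actually receive; the space-joined form printed by fmt.Println(cmd) works when pasted into cmd.exe precisely because the shell re-splits it. Separately, a password passed with -p is visible to every local user through the process list; leaving -p out makes windapsearch prompt for it, as the sessions elsewhere on this page show.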

invalid Credentials every time

Hey ropnop, first of all awesome tool, and I love that you've re-written it in Go! I've run into an issue today that I'm stumped by. I'm trying to run the simple module queries like admin-objects against a domain controller in the lab environment. I have 2 separate working sets of valid domain user credentials, and have confirmed they're valid through other tools (rpcclient, crackmapexec, ldapdomaindump, etc), yet I keep getting invalid Credentials upon every query attempt. Sample commands:
windapsearch --dc dc01.lab.local -u <user> -p <password> -m admin-objects
windapsearch --domain lab.local -u <user> -p <password> -m admin-objects

I followed the instructions on building the project with mage and ran into no issues on that front. Any idea on why this would be happening?

Feature request: Kerberos authentication

Hi! First of all, thank you for an awesome tool. Windapsearch and Impacket are by far the most useful tools for pentesting Windows from Linux machines. One thing it would be great to have is the option of using Kerberos authentication instead of pass-the-hash. Pass-the-hash has been great, but most SOCs now detect legacy NTLM authentication as an IOC, and overpass-the-hash fixes this issue. I can get the tickets through Impacket, but it would be great to be able to use them with windapsearch.

Thanks!

Feature Request: PTH

Not sure if it's possible, but it would be awesome to have the ability to use NTLM hashes (PTH) instead of only plaintext passwords.

computers IP address

On the computers module it could be nice to have the IP address(es) directly, in addition to dNSHostName.

Secure flag broken

When authenticating to a Domain Controller that enforces ldaps, windapsearch throws the following error:

./windapsearch -u 'user@dom' -d 'dom' --dc dc.dom -m computers
Password for [user@dom]: 
FATAL[2020-09-29T18:16:57+02:00] LDAP Result Code 8 "Strong Auth Required": 00002028: LdapErr: DSID-0C09027F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839  package=windapsearch

Appending the --secure flag is supposed to fix this, but unfortunately it brings up a less helpful error message:

./windapsearch -u 'user@dom' -d 'dom' --dc dc.dom -m computers --secure
Password for [user@dom]: 
FATAL[2020-09-29T18:17:08+02:00] unable to read LDAP response packet: read tcp 192.*.*.*:43528->10.*.*.*:636: read: connection reset by peer  package=windapsearch

Taking a look on the wire, I noticed that --secure sends the data unencrypted (which is pretty bad):

Since the DC won't allow this, the connection is reset. I took a look into the problem and decided to stop when I got to the point where go-ldap does the handshake on its own.

Currently, go-windapsearch is broken for scenarios where the DC enforces a secure connection, which is a real pity. In order to fix the issue, I'd like to propose establishing the TLS connection using Go's standard library before handing the connection over to the ldap library. I'll submit a pull request, but please note that I didn't do extensive testing. It works with DCs enforcing TLS now, and I'm still getting the error to use TLS in case of a missing --secure switch (so everything works as it is supposed to), but I did not perform any other tests, so you might want to try it on your own first.
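The fix proposed above is to let Go's standard library complete the TLS handshake before any LDAP byte goes over the wire. The example below is added for this page and is not code from go-windapsearch or go-ldap; it shows that pattern together with the on-the-wire check the reporter did by hand. It stands up an in-process TLS listener on loopback with a throwaway self-signed certificate, connects to it either by wrapping the TCP connection in crypto/tls or by sending a cleartext bind, and reports whether the first byte the listener saw was a TLS handshake record (0x16) or a BER SEQUENCE (0x30). The hostname, certificate and bind bytes are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "dc.example.test" // constructed hostname for the in-process "DC"

// anonymousBind is a constructed, minimal LDAPv3 anonymous simple BindRequest (message ID 1).
// Every plaintext LDAP PDU starts with 0x30 (BER SEQUENCE); TLS starts with 0x16 (handshake record).
var anonymousBind = []byte{0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00}

// kinds maps the first byte on the wire to what it says the connection is.
var kinds = map[byte]string{0x16: "tls-handshake", 0x30: "ldap-plaintext"}

// must panics on fixture errors (key generation, listening on loopback): those are bugs, not results.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// testPKI mints a throwaway self-signed certificate for the listener and a pool that trusts it.
func testPKI() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// sniffConn reports the first byte the server side reads, i.e. what a packet capture would show.
type sniffConn struct {
	net.Conn
	first chan<- byte // one-slot buffered channel; the first byte read lands there
}

func (c *sniffConn) Read(p []byte) (int, error) {
	n, err := c.Conn.Read(p)
	if n > 0 && len(c.first) == 0 { // only the sniffer's goroutine sends, so this cannot block
		c.first <- p[0]
	}
	return n, err
}

// probe listens on loopback and connects to itself, either wrapping the TCP connection in crypto/tls
// before any LDAP byte is sent (what --secure must do) or sending a cleartext bind (what the capture
// in the issue showed). It returns what the listener saw first.
func probe(secure bool) (string, error) {
	cert, roots := testPKI()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	first := make(chan byte, 1)
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			srv := tls.Server(&sniffConn{Conn: conn, first: first}, &tls.Config{Certificates: []tls.Certificate{cert}})
			_ = srv.Handshake() // succeeds on a ClientHello, fails (harmlessly) on a plaintext bind
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer raw.Close()
	if secure {
		// Pin the CA and hostname: InsecureSkipVerify would still encrypt, but to whoever answers.
		c := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
		if err := c.Handshake(); err != nil {
			return "", err
		}
	} else if _, err := raw.Write(anonymousBind); err != nil {
		return "", err
	}
	if kind, ok := kinds[<-first]; ok {
		return kind, nil
	}
	return "unknown", nil
}

func main() {
	fmt.Println(probe(false)) // ldap-plaintext <nil>
	fmt.Println(probe(true))  // tls-handshake <nil>
}
```

The tls.Client connection, once Handshake() has returned without error, is what you would hand to go-ldap's ldap.NewConn(conn, true) followed by Start(); the point is that the handshake, including certificate verification against the CA you expect, has to finish before the bind is sent. Setting InsecureSkipVerify: true gets past an untrusted DC certificate but also lets anyone on the path terminate the session and read the bind credentials, so it belongs behind an explicit opt-in flag, not in the default --secure path.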

Error with anonymous bind

Hi there, I'm seeing an issue with how the latest release handles anonymous binds. Below is a screenshot from the latest release as well as the older release. Both are against the same system.

I think that commit d58f29e is causing this, but I'm not positive. That, or I'm not doing something correctly, ha!

