  • Stars: 312
  • Rank 134,133 (Top 3 %)
  • Language: C#
  • Created over 3 years ago
  • Updated about 1 year ago

Repository Details

Enumerate Domain Data

EDD

Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.

WPF Frontend

Usage

To use EDD, you just need to call the application, provide the function that you want to run (listed below) and provide any optional/required parameters used by the function.

Arguments:

-f, --function=VALUE       the function you want to use
-o, --output=VALUE         the path to the file to save
-c, --computername=VALUE   the computer you are targeting
-n, --canonicalname=VALUE  canonical name for domain user
-d, --domainname=VALUE     the computer you are targeting
-g, --groupname=VALUE      the domain group you are targeting
-p, --processname=VALUE    the process you are targeting
-w, --password=VALUE       the password to authenticate with or what you are
                           setting it to
-u, --username=VALUE       the domain account you are targeting
-t, --threads=VALUE        the number of threads to run (default: 5)
-q, --query=VALUE          custom LDAP filter to search
-a, --adright=VALUE        Active Directory Rights to return, separated by
                           commas
-s, --search=VALUE         the search term(s) for
                             FindInterestingDomainShareFile separated by a
                             comma (,), accepts wildcards
    --sharepath=VALUE      the specific share to search for interesting files
-i, --info                 returns information on a specifed function
-l, --listfunction         returns all available functions

-h, --help                 show this message and exit

Functions

The following functions can be used with the -f flag to specify the data you want to enumerate/action you want to take.

Forest/Domain Information

getdomainsid - Returns the domain SID (defaults to the current domain if no domain is provided)
getforest - Returns the name of the current forest
getforestdomains - Returns the names of all domains in the current forest
getsiddata - Converts a SID to the corresponding group or domain name (use the -u option for providing the SID value)
getadcsservers - Get a list of servers running AD CS within the current domain

Computer Information

getdomaincomputers - Get a list of all computers in the domain
getdomaincontrollers - Gets a list of all domain controllers
getdomainshares - Get a list of all domain shares
getreadabledomainshares - Get a list of all readable domain shares

User Information

changeaccountpassword - Change the password for a targeted account
customldapquery - Set arbitrary LDAP filter to search for objects
getuserdacl - Returns DACL of a specified domain object
getnetlocalgroupmember - Returns a list of all users in a local group on a remote system
getdomaingroupmember - Returns a list of all users in a domain group
getdomainuser - Retrieves info about specific user (name, description, SID, Domain Groups)
getdomaindescriptions - returns domain objects with non-standard account descriptions
getnetsession - Returns a list of accounts with sessions on the targeted system
getnetloggedon - Returns a list of accounts logged into the targeted system
getuserswithspns - Returns a list of all domain accounts that have a SPN associated with them
getdomaingroupsid - Fetch the SID of a group
getdomainsid - Fetch SID of domain
getsiddata - Return username from SID
joingroupbysid - Join an account to a group via the group's SID
joingroupbyname - Join an account to a group via the group's name

Chained Information

findadminsch - Uses the task scheduler to query for admin rights within a domain
findadminwmi - Uses WMI to search for admin rights within a domain
finddomainprocess - Search for a specific process across all systems in the domain (requires admin access on remote systems)
finddomainuser - Searches the domain environment for a specified user or group and tries to find active sessions (default searches for Domain Admins)
findemptysystem - Searches the domain for systems with no user account logged into them
findinterestingdomainsharefile - Searches the domain environment for all accessible shares. Once found, it parses all filenames for "interesting" strings
findwritableshares - Enumerates all shares in the domain and then checks to see if the current account can create a text file in the root level share, and one level deep.

References

PowerView - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
CSharp-Tools - https://github.com/RcoIl/CSharp-Tools
StackOverflow - Random questions (if this isn't somehow listed as a reference, we know we're forgetting it :))
SharpView - https://github.com/tevora-threat/SharpView
