Skip to content
/ goddi Public
forked from NetSPI/goddi

goddi (go dump domain info) dumps Active Directory domain information

License

View license
0 stars 85 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

swarley7/goddi

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
ddi
ddi
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
goddi
goddi
 
 
main.go
main.go
 
 

Repository files navigation

goddi - Go dump domain info

licence badge GitHub release Go Report Card

Based on work from Scott Sutherland (@_nullbind), Antti Rantasaari, Eric Gruber (@egru), Will Schroeder (@harmj0y), and the PowerView authors.

Install

go install github.com/swarley7/goddi

Or,

git clone https://github.com/swarley7/goddi.git
cd goddi
go install

Windows

Tested on Windows 10 and 8.1 (go1.10 windows/amd64).

Linux

Tested on Kali Linux (go1.10 linux/amd64).

  • umount, mount, and cifs-utils need to be installed for mapping a share for GetGPP
apt-get update
apt-get install -y mount cifs-utils
  • make sure nothing is mounted at /mnt/goddi/
  • make sure to run with sudo

Darwin

Tested on Darwin 17.5.0 (go1.10.1 darwin/amd64)

  • make sure nothing is mounted at /mnt/goddi/
  • make sure to run with sudo

Run

When run, will default to using TLS (tls.Client method) over 636. On Linux, make sure to run with sudo.

  • username: Target user. Required parameter.
  • password: Target user's password. Required parameter.
  • domain: Full domain name. Required parameter.
  • dc: DC to target. Can be either an IP or full hostname. Required parameter.
  • startTLS: Use to StartTLS over 389.
  • unsafe: Use for a plaintext connection.
PS C:\Users\Administrator\Desktop> .\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
[i] Begin PLAINTEXT LDAP connection to 'dc.test.local'...
[i] PLAINTEXT LDAP connection to 'dc.test.local' successful...
[i] Begin BIND...
[i] BIND with 'testuser' successful...
[i] Begin dump domain info...
[i] Domain Trusts: 1 found
[i] Domain Controllers: 1 found
[i] Users: 12 found
        [*] Warning: keyword 'pass' found!
        [*] Warning: keyword 'fall' found!
[i] Domain Admins: 4 users found
[i] Enterprise Admins: 1 users found
[i] Forest Admins: 0 users found
[i] Locked Users: 0 found
[i] Disabled Users: 2 found
[i] Groups: 45 found
[i] Domain Sites: 1 found
[i] Domain Subnets: 0 found
[i] Domain Computers: 17 found
[i] Deligated Users: 0 found
[i] Users with passwords not set to expire: 6 found
[i] Machine Accounts with passwords older than 45 days: 18 found
[i] Domain OUs: 8 found
[i] Domain Account Policy found
[i] Domain GPOs: 7 found
[i] FSMO Roles: 3 found
[i] SPNs: 122 found
[i] LAPS passwords: 0 found
[i] GPP enumeration starting. This can take a bit...
[i] GPP passwords: 7 found
[i] CSVs written to 'csv' directory in C:\Users\Administrator\Desktop
[i] Execution took 1.4217256s...
[i] Exiting...

Functionality

StartTLS and TLS (tls.Client func) connections supported. Connections over TLS are default. All output goes to CSVs and are created in /csv/ in the current working directory. Dumps:

  • Domain users. Also searches Description for keywords and prints to a seperate csv ex. "Password" was found in the domain user description.
  • Users in priveleged user groups (DA, EA, FA).
  • Users with passwords not set to expire.
  • User accounts that have been locked or disabled.
  • Machine accounts with passwords older than 45 days.
  • Domain Computers.
  • Domain Controllers.
  • Sites and Subnets.
  • SPNs and includes csv flag if domain admin (a flag to note SPNs that are DAs in the SPN CSV output).
  • Trusted domain relationships.
  • Domain Groups.
  • Domain OUs.
  • Domain Account Policy.
  • Domain deligation users.
  • Domain GPOs.
  • Domain FSMO roles.
  • LAPS passwords.
  • GPP passwords. On Windows, defaults to mapping Q. If used, will try another mapping until success R, S, etc... On Linux, /mnt/goddi is used.

Roadmap

  • Add support for running from current user context on Windows. Automatically get current domain and run in current user context.
  • Add robust error handling for GetGPP (net use and mount)
  • Improve XML parsing for GetGPP

Known Issues

  • Execution can fail at GetGPP if there are errors mapping a share or mounting /mnt/goddi. If goddi fails during GetGPP do the following checks.
    • Windows: check what shares are mounted with net use. If there is a share mounted to the target dc from goddi, remove it with net use Q: /delete where Q: is the problematic share.
    • Linux: check if /mnt/goddi exists. If something is mounted, use umount /mnt/goddi. Make sure goddi is run with sudo.

References

  • Scott Sutherland (@_nullbind)
  • Antti Rantasaari
  • Eric Gruber (@egru)
  • Will Schroeder (@harmj0y)
  • Karl Fosaaen (@kfosaaen)
  • @_RastaMouse
  • Chris Campbell (@obscuresec)
  • Leon Teale (@LeonTeale)

About

goddi (go dump domain info) dumps Active Directory domain information

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

3 tags

Packages

No packages published

Languages

  • Go 100.0%