Dig

The first step when analysing an Active Directory is to look at its domain name. To do this we use the dig tool to retrieve the various DNS records for the domain.

┌──(shenzen㉿shenzen)-[~]
└─$ dig contoso.local @192.168.56.116

; <<>> DiG 9.18.8-1-Debian <<>> contoso.local @192.168.56.116
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31146
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;contoso.local.                 IN      A

;; ANSWER SECTION:
contoso.local.          600     IN      A       192.168.56.116

;; Query time: 0 msec
;; SERVER: 192.168.56.116#53(192.168.56.116) (UDP)
;; WHEN: Mon Jan 09 17:31:48 CET 2023
;; MSG SIZE  rcvd: 58

The output below reveals another working domain name: hostmaster.contoso.local

dig contoso.local @192.168.56.116 ANY

; <<>> DiG 9.18.8-1-Debian <<>> contoso.local @192.168.56.116 ANY
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20442
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;contoso.local.                 IN      ANY

;; ANSWER SECTION:
contoso.local.          600     IN      A       192.168.56.116
contoso.local.          3600    IN      NS      ad.contoso.local.
contoso.local.          3600    IN      SOA     ad.contoso.local. hostmaster.contoso.local. 34 900 600 86400 3600

;; ADDITIONAL SECTION:
ad.contoso.local.       3600    IN      A       192.168.56.116

;; Query time: 0 msec
;; SERVER: 192.168.56.116#53(192.168.56.116) (TCP)
;; WHEN: Mon Jan 09 17:36:03 CET 2023
;; MSG SIZE  rcvd: 138

We can see that another domain name exists: hostmaster.contoso.local

We then run:

┌──(shenzen㉿shenzen)-[~]
└─$ ldapsearch -x -H ldap://192.168.56.116 -b "dc=contoso,dc=local" -LLL -D"cn=hostmaster,dc=contoso,dc=local" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839

And we see that a password has to be entered.