Class: ADAssault::DNS::FindDCs

Inherits:

Object

• Object
• ADAssault::DNS::FindDCs

Defined in:

lib/adassault/dns/find_dcs.rb

Overview

Spot all domain controllers in a Microsoft Active Directory environment

Since:

• 0.0.1

Instance Attribute Summary

• #dcs ⇒ Hash readonly

  Hash containing all DCs.

Instance Method Summary

• #dc_fqdn ⇒ Array

  Get DC(s) FQDN directly from the DNS server.

• #dc_ip ⇒ Array

  Get DC(s) IP address name directly from the DNS server.

• #dc_name ⇒ Array

  Get DC(s) computer name directly from the DNS server.

• #display ⇒ nil

  Display a CLI-friendly output listing all DCs with their short name, FQDN and IP addresses.

• #display_old ⇒ Object deprecated Deprecated.

  Use #display instead.

• #fetch_dcs ⇒ Hash

  Generates a hash containing all DCs.

• #initialize(ad_domain, dns_opts = nil) ⇒ FindDCs constructor

  Create the FindDCs object.

Constructor Details

#initialize(ad_domain, dns_opts = nil) ⇒ FindDCs

Create the FindDCs object.

Examples:

dcd = ADAssault::DNS::FindDCs.new('THM.local', nameserver: ['10.10.25.54'])
dcd = ADAssault::DNS::FindDCs.new('spookysec.local', nameserver: ['10.10.197.59'])
dcd = ADAssault::DNS::FindDCs.new('za.tryhackme.com', nameserver: ['10.200.28.101'])

Parameters:

• ad_domain (String) —

  the Active Directory domain to work on.

• dns_opts (Hash) (defaults to: nil) —

  options for the DNS resolver. See [Resolv::DNS.new](ruby-doc.org/3.3.0/stdlibs/resolv/Resolv/DNS.html#method-c-new).

Options Hash (dns_opts):

• :nameserver (Array|String) —

  the DNS server to contact

Since:

• 0.0.1

# File 'lib/adassault/dns/find_dcs.rb', line 26

def initialize(ad_domain, dns_opts = nil)
  @ad_domain = ad_domain
  @dns_opts = dns_opts
  @dcs = fetch_dcs
end

Instance Attribute Details

#dcs ⇒ Hash (readonly)

Hash containing all DCs. Cached result of #fetch_dcs.

Returns:

• (Hash) —

  hash containing all DCs

Since:

• 0.0.1

# File 'lib/adassault/dns/find_dcs.rb', line 16

def dcs
  @dcs
end

Instance Method Details

#dc_fqdn ⇒ Array

Get DC(s) FQDN directly from the DNS server. Not cached in ‘@dcs`.

Examples:

dcd.dc_fqdn
# => ["THMDC.za.tryhackme.com"]

Returns:

• (Array) —

  the list of FQDN of all DCs

See Also:

• https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/how-domain-controllers-are-located

Since:

• 0.0.1

# File 'lib/adassault/dns/find_dcs.rb', line 40

def dc_fqdn
  Resolv::DNS.open(@dns_opts) do |dns|
    # _kerberos._tcp, _kpasswd._tcp, _ldap._tcp works too but are not MS only
    # _kerberos._tcp.dc._msdcs
    # _ldap._tcp.pdc._msdcs, _gc._tcp
    # _udp variants
    ress = dns.getresources "_ldap._tcp.dc._msdcs.#{@ad_domain}", Resolv::DNS::Resource::IN::ANY
    ress.map { |x| x.target.to_s }
  end
end

#dc_ip ⇒ Array

Get DC(s) IP address name directly from the DNS server. Not cached in ‘@dcs`.

Examples:

dcd.dc_ip
# => ["10.10.10.101", "10.200.28.101"]

Returns:

• (Array) —

  the list of IP address of all DCs

Since:

• 0.0.1

# File 'lib/adassault/dns/find_dcs.rb', line 70

def dc_ip
  Resolv::DNS.open(@dns_opts) do |dns|
    ress = dns.getresources "gc._msdcs.#{@ad_domain}", Resolv::DNS::Resource::IN::A
    ress.map { |x| x.address.to_s }
  end
end

#dc_name ⇒ Array

Get DC(s) computer name directly from the DNS server. Not cached in ‘@dcs`. Call #dc_fqdn and extract the name from it (substract the domain).

Examples:

dcd.dc_name
# => ["THMDC"]

Returns:

• (Array) —

  the list of computer name of all DCs

Since:

• 0.0.1

# File 'lib/adassault/dns/find_dcs.rb', line 59

def dc_name
  dc_fqdn.map { |x| x[...-@ad_domain.size - 1] }
end

#display ⇒ nil

Display a CLI-friendly output listing all DCs with their short name, FQDN and IP addresses.

Returns:

• (nil)

Since:

• 0.0.1

# File 'lib/adassault/dns/find_dcs.rb', line 103

def display
  dcs.each do |short_name, dc|
    puts "#{Paint[short_name, :bold,
                  'dark turquoise']} (#{Paint[dc[:fqdn], 'cyan']}) - #{Paint[dc[:ips].join(', '), 'aquamarine']}"
  end
end

#display_old ⇒ Object

Deprecated.

Use #display instead.

Since:

• 0.0.1

# File 'lib/adassault/dns/find_dcs.rb', line 113

def display_old
  puts Paint['DC(s) name', :underline, :bold, 'dark turquoise']
  dc_name.each do |name|
    puts Paint["🔍 #{name}"]
  end
  puts Paint["\nDC(s) FQDN", :underline, :bold, 'cyan']
  dc_fqdn.each do |fqdn|
    puts Paint["🔍 #{fqdn}"]
  end
  puts Paint["\nDC(s) IP address", :underline, :bold, 'aquamarine']
  dc_ip.each do |ip|
    puts Paint["🔍 #{ip}"]
  end
end

#fetch_dcs ⇒ Hash

Generates a hash containing all DCs. The key is the short name, the value is a hash with two keys: the FQDN and the IPs addresses. This method is called while instantiating the class and teh result stored in ‘@dcs` attribute.

Returns:

• (Hash) —

  hash containing all DCs

Since:

• 0.0.1

# File 'lib/adassault/dns/find_dcs.rb', line 84

def fetch_dcs
  h = {}
  dc_fqdn.each do |fqdn|
    Resolv::DNS.open(@dns_opts) do |dns|
      ress = dns.getresources fqdn, Resolv::DNS::Resource::IN::A
      short_name = fqdn[...-@ad_domain.size - 1].upcase
      h[short_name] = {
        fqdn: fqdn,
        ips: ress.map { |x| x.address.to_s }
      }
    end
  end
  h
end