goddi – Go dump domain info

dumps Active Directory domain information

Functionality

StartTLS and TLS (tls.Client func) connections supported. Connections over TLS are the default. All output goes to CSVs and is created in /csv/ in the current working directory. Dumps:

• Domain users. Also searches Description for keywords and prints to a seperate csv ex. “Password” was found in the domain user description.
• Users in privileged user groups (DA, EA, FA).
• Users with passwords not set to expire.
• User accounts that have been locked or disabled.
• Machine accounts with passwords older than 45 days.
• Domain Computers.
• Domain Controllers.
• Sites and Subnets.
• SPNs and includes csv flag if domain admin (a flag to note SPNs that are DAs in the SPN CSV output).
• Trusted domain relationships.
• Domain Groups.
• Domain OUs.
• Domain Account Policy.
• Domain delegation users.
• Domain GPOs.
• Domain FSMO roles.
• LAPS passwords.
• GPP passwords. On Windows, defaults to mapping Q. If used, will try another mapping until success R, S, etc… On Linux, /mnt/goddi is used.

Download

Run

When run, will default to using TLS (tls.Client method) over 636. On Linux, make sure to run with sudo

• username: Target user. Required parameter.
• password: Target user’s password. Required parameter.
• domain: Full domain name. Required parameter.
• dc: DC to target. Can be either an IP or full hostname. Required parameter.
• startTLS: Use to StartTLS over 389.
• unsafe: Use for a plaintext connection.

PS C:\Users\Administrator\Desktop> .\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe

[i] Begin PLAINTEXT LDAP connection to 'dc.test.local'...

[i] PLAINTEXT LDAP connection to 'dc.test.local' successful...

[i] Begin BIND...

[i] BIND with 'testuser' successful...

[i] Begin dump domain info...

[i] Domain Trusts: 1 found

[i] Domain Controllers: 1 found

[i] Users: 12 found

        [*] Warning: keyword 'pass' found!

        [*] Warning: keyword 'fall' found!

[i] Domain Admins: 4 users found

[i] Enterprise Admins: 1 users found

[i] Forest Admins: 0 users found

[i] Locked Users: 0 found

[i] Disabled Users: 2 found

[i] Groups: 45 found

[i] Domain Sites: 1 found

[i] Domain Subnets: 0 found

[i] Domain Computers: 17 found

[i] Deligated Users: 0 found

[i] Users with passwords not set to expire: 6 found

[i] Machine Accounts with passwords older than 45 days: 18 found

[i] Domain OUs: 8 found

[i] Domain Account Policy found

[i] Domain GPOs: 7 found

[i] FSMO Roles: 3 found

[i] SPNs: 122 found

[i] LAPS passwords: 0 found

[i] GPP enumeration starting. This can take a bit...

[i] GPP passwords: 7 found

[i] CSVs written to 'csv' directory in C:\Users\Administrator\Desktop

[i] Execution took 1.4217256s...

[i] Exiting...

Copyright (c) 2018, NetSPI
All rights reserved.

Source: https://github.com/NetSPI/