Awesome
EDD
Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
WPF Frontend
<p align="center"> <img align="center" src="https://raw.githubusercontent.com/whiterabb17/EDD/master/Screenshot.png"> </p>Usage
To use EDD, you just need to call the application, provide the function that you want to run (listed below) and provide any optional/required parameters used by the function.
Arguments:
-f, --function=VALUE the function you want to use
-o, --output=VALUE the path to the file to save
-c, --computername=VALUE the computer you are targeting
-n, --canonicalname=VALUE canonical name for domain user
-d, --domainname=VALUE the computer you are targeting
-g, --groupname=VALUE the domain group you are targeting
-p, --processname=VALUE the process you are targeting
-fd, --filedata=PATH the path to a file containing data related to the function you are invoking
-w, --password=VALUE the password to authenticate with or what you are
setting it to
-u, --username=VALUE the domain account you are targeting
-t, --threads=VALUE the number of threads to run (default: 5)
-q, --query=VALUE custom LDAP filter to search
-a, --adright=VALUE Active Directory Rights to return, separated by
commas
-s, --search=VALUE the search term(s) for
FindInterestingDomainShareFile separated by a
comma (,), accepts wildcards
--sharepath=VALUE the specific share to search for interesting files
-i, --info returns information on a specifed function
-l, --listfunction returns all available functions
-h, --help show this message and exit
Functions
The following functions can be used with the -f flag to specify the data you want to enumerate/action you want to take.
Forest/Domain Information
getdomainsid - Returns the domain sid (by default current domain if no domain is provided)
getforest - returns the name of the current forest
getforestdomains - returns the name of all domains in the current forest
getsiddata - Converts a SID to the corresponding group or domain name (use the -u option for providing the SID value)
getadcsservers - Get a list of servers running AD CS within the current domain
Computer Information
getdomaincomputers - Get a list of all computers in the domain
getdomaincontrollers - Gets a list of all domain controllers
getdomainshares - Get a list of all domain shares
getreadabledomainshares - Get a list of all readable domain shares
User Information
changeaccountpassword - Change the password for a targeted account
customldapquery - Set arbitrary LDAP filter to search for objects
getuserdacl - Returns DACL of a specified domain object
getnetlocalgroupmember - Returns a list of all users in a local group on a remote system
getdomaingroupmember - Returns a list of all users in a domain group
getdomainuser - Retrieves info about specific user (name, description, SID, Domain Groups)
getdomaindescriptions - returns domain objects with non-standard account descriptions
getnetsession - Returns a list of accounts with sessions on the targeted system
getnetloggedon - Returns a list of accounts logged into the targeted system
getuserswithspns - Returns a list of all domain accounts that have a SPN associated with them
getdomaingroupsid - Fetch the SID of a group
getdomainsid - Fetch SID of domain
getsiddata - Return username from SID
joingroupbysid - Join an account to a group via the group's sid
joingroupbyname - Join an account to a group via the group's name
Chained Information
findadminsch - Uses the task scheduler to query for admin rights within a domain
findadminwmi - Uses WMI to search for admin rights within a domain
finddomainprocess - Search for a specific process across all systems in the domain (requires admin access on remote systems)
finddomainuser - Searches the domain environment for a specified user or group and tries to find active sessions (default searches for Domain Admins)
findemptysystem - Searches the domain for systems with no user account logged into it
findinterestingdomainsharefile - Searches the domain environment for all accessible shares. Once found, it parses all filenames for "interesting" strings
findwritableshares - Enumerates all shares in the domain and then checks to see if the current account can create a text file in the root level share, and one level deep.
References
PowerView - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
CSharp-Tools - https://github.com/RcoIl/CSharp-Tools
StackOverflow - Random questions (if this isn't somehow listed as a reference, we know we're forgetting it :))
SharpView - https://github.com/tevora-threat/SharpView