Commit 997f293

Revise README for crt_enum.ps1 and remove Test-ADDnsLowPrivWrite.ps1
Updated README to include details for crt_enum.ps1 and removed Test-ADDnsLowPrivWrite.ps1.
1 parent aee6f70 commit 997f293

1 file changed

Lines changed: 39 additions & 33 deletions

File tree

README.md

@@ -15,7 +15,7 @@ PowerShell-Scripts/
1515
│ └── kickoff.ps1
1616
│ └── SetAdaptorMetricWired_Highest.ps1
1717
│ └── Check-ModularDS.ps1
18-
│ └── Test-ADDnsLowPrivWrite.ps1
18+
│ └── crt_enum.ps1
1919
2020
## ── 📂 ├── Azure Active Directory/
2121
│ └── get_az_token.ps1
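Review bot: the commit title says Test-ADDnsLowPrivWrite.ps1 is removed, but this hunk only drops it from this part of the tree and the following hunk re-adds it a few lines lower, so the script is relocated rather than deleted; retitle the commit along the lines of `Move Test-ADDnsLowPrivWrite.ps1 and document crt_enum.ps1` so the history does not suggest the check is gone.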
@@ -63,6 +63,7 @@ PowerShell-Scripts/
6363
│ └── lan_audit_full2.ps1
6464
│ └── CheckWritableAttributesADUsers.py (Python, PowerShell version is below)
6565
│ └── CheckWritableAttributesADUsers.ps1 (is the PowerShell equivalent of Python file above)
66+
│ └── Test-ADDnsLowPrivWrite.ps1
6667
└── README.md
6768
```
6869

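Review bot: the re-added `│ └── Test-ADDnsLowPrivWrite.ps1` line copies the `└──` glyph used by every other entry, which in box-drawing trees marks the last child, so the tree reads as a list of terminal branches with `README.md` dangling after them; use `│ ├──` for the new line (and ideally for the siblings above it) and keep `└──` only for the final `README.md`.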
@@ -513,6 +514,41 @@ or specify other creds like so:
513514

514515
Use `-PageSize 200` for large directories.
515516

517+
---
518+
### `Test-ADDnsLowPrivWrite.ps1`
519+
520+
Check if your AD is vulnerable to registering a DNS record in an Active Directory DNS zone.
521+
https://www.depthsecurity.com/blog/using-ntlm-reflection-to-own-active-directory/
522+
523+
Usage:
524+
`\Test-ADDnsLowPrivWrite.ps1 -DcHost dc.xxx.net -Verbose`
525+
526+
`\Test-ADDnsLowPrivWrite.ps1 -DcHost dc.xxx.net -UseSSL -Port 636 -Zone xxx.net -Verbose`
527+
528+
`\Test-ADDnsLowPrivWrite.ps1 -DcHost dc.xxx.net -UseSSL -Port 636 -DomainNC 'DC=xxx,DC=net' -Verbose`
529+
530+
You can verify via ADWS in case of output: "[FAIL] VULNERABLE: low-priv add succeeded (record created)."
531+
532+
`
533+
$zoneDn = 'DC=xxx.net,CN=MicrosoftDNS,CN=System,DC=aimfire,DC=net'
534+
535+
$label = '_aclvtest-XXX' <= Change this
536+
537+
$server = 'dc.xxx.net'
538+
539+
Get-ADObject -Server $server -LDAPFilter "(dc=$label)" -SearchBase $zoneDn -SearchScope Subtree -Properties dc,dnsRecord,whenCreated,whenChanged,distinguishedName | Format-List distinguishedName,dc,whenCreated,whenChanged
540+
541+
542+
distinguishedName : DC=_aclvtest-XXX,DC=xxx.net,CN=MicrosoftDNS,CN=System,DC=aimfire,DC=net
543+
544+
dc : _aclvtest-XXX
545+
546+
whenCreated : 1/19/2026 12:56:35 PM
547+
548+
whenChanged : 1/19/2026 12:56:35 PM
549+
550+
`
551+
516552
## ── 📂 Section: Generic Directory ──
517553
---
518554
### `Test-Feeds3.ps1`
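Review bot: the three usage lines drop the leading dot (`\Test-ADDnsLowPrivWrite.ps1 ...` does not resolve in PowerShell; they should read `.\Test-ADDnsLowPrivWrite.ps1 ...`), and the verification snippet is wrapped in a single backtick on its own line, which Markdown does not treat as a fenced block, so the `$zoneDn`, `$label` and `$server` assignments, the `Get-ADObject` call and its output will render as one run-on paragraph; put them in a ```powershell fence and turn `<= Change this` into a `# change this` comment, since the arrow is not valid PowerShell. Two smaller points in the same snippet: `$zoneDn` mixes the `xxx.net` placeholder with a real-looking `DC=aimfire,DC=net` suffix, and because the `[FAIL] VULNERABLE` output means a record named `$label` was actually created in the zone, the section should tell the reader to delete that test record once the finding is confirmed.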
@@ -591,37 +627,7 @@ Check if a WordPress web site is vulnerable to: CVE-2026-23550
591627
https://modulards.com/a-note-on-the-recent-modular-ds-security-update/
592628

593629
---
594-
### `Test-ADDnsLowPrivWrite.ps1`
595-
596-
Check if your AD is vulnerable to registering a DNS record in an Active Directory DNS zone.
597-
https://www.depthsecurity.com/blog/using-ntlm-reflection-to-own-active-directory/
598-
599-
Usage:
600-
`\Test-ADDnsLowPrivWrite.ps1 -DcHost dc.xxx.net -Verbose`
601-
602-
`\Test-ADDnsLowPrivWrite.ps1 -DcHost dc.xxx.net -UseSSL -Port 636 -Zone xxx.net -Verbose`
603-
604-
`\Test-ADDnsLowPrivWrite.ps1 -DcHost dc.xxx.net -UseSSL -Port 636 -DomainNC 'DC=xxx,DC=net' -Verbose`
605-
606-
You can verify via ADWS in case of output: "[FAIL] VULNERABLE: low-priv add succeeded (record created)."
607-
608-
`
609-
$zoneDn = 'DC=xxx.net,CN=MicrosoftDNS,CN=System,DC=aimfire,DC=net'
610-
611-
$label = '_aclvtest-XXX' <= Change this
612-
613-
$server = 'dc.xxx.net'
630+
### `crt_enum.ps1`
614631

615-
Get-ADObject -Server $server -LDAPFilter "(dc=$label)" -SearchBase $zoneDn -SearchScope Subtree -Properties dc,dnsRecord,whenCreated,whenChanged,distinguishedName | Format-List distinguishedName,dc,whenCreated,whenChanged
616-
617-
618-
distinguishedName : DC=_aclvtest-XXX,DC=xxx.net,CN=MicrosoftDNS,CN=System,DC=aimfire,DC=net
619-
620-
dc : _aclvtest-XXX
621-
622-
whenCreated : 1/19/2026 12:56:35 PM
623-
624-
whenChanged : 1/19/2026 12:56:35 PM
625-
626-
`
632+
Performs automated subdomain discovery and service enumeration by ingesting a CSV file and extracting domain names specifically from the Asset Name column, then querying the certificate transparency database at crt.sh using its JSON endpoint (https://crt.sh/?q=<domain>&output=json) with a 30-second timeout and up to 3 retries per domain to ensure reliability against transient failures. For each input domain, it parses all returned certificate entries, extracts and normalizes unique domain names (including handling wildcard certificates and multi-value fields), and identifies newly discovered subdomains. It then sequentially tests network reachability via TCP connection attempts (3-second timeout) on ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP), and, when web services are available, performs HTTP(S) requests to retrieve page titles for basic fingerprinting.
627633

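Review bot: the new `crt_enum.ps1` entry is the only section without a `Usage:` line; given the description it needs at least the CSV path parameter and a note that the file must carry an `Asset Name` column, plus where results are written, in the same `.\script.ps1 -Param value` form the other entries use (with the script's real parameter names, which are not visible here). The single long sentence would also read better split in two: one paragraph for the crt.sh lookup (JSON endpoint, 30-second timeout, 3 retries, wildcard and multi-value normalisation) and one for the probing stage, stating plainly that the TCP checks on 80/443/22/3389 and the HTTP title requests open outbound connections to every discovered host, so readers know the script generates traffic toward the listed assets.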