the-useless-one / pywerview

A (partial) Python rewriting of PowerSploit's PowerView
GNU General Public License v3.0

Get-netcomputer didn't return all the computers #48

Closed CapAlex94 closed 2 years ago

CapAlex94 commented 2 years ago

The function uses the parameter dnshostname to filter the results, but with this filter the function returns only a partial list of the domain computers. To get a complete list of the domain computers it is necessary to modify the file net.py and change the following lines (278-282)

```python
for (attr_desc, attr_value) in (('servicePrincipalName', queried_spn),
        ('operatingSystem', queried_os), ('operatingsystemservicepack', queried_sp),
        ('dnsHostName', queried_computername)):
    if attr_value:
        computer_search_filter += '({}={})'.format(attr_desc, attr_value)
```

with

```python
for (attr_desc, attr_value) in (('servicePrincipalName', queried_spn),
        ('operatingSystem', queried_os), ('operatingsystemservicepack', queried_sp),
        ('sAMAccountName', queried_computername)):
    if attr_value:
        computer_search_filter += '({}={})'.format(attr_desc, attr_value)
```

the-useless-one commented 2 years ago

Hi @CapAlex94, thanks for the issue.

Did you meet the case where a computer object does not have a dnsHostName attribute? That's surprising, I thought that this attribute was mandatory for computer objects. Can you confirm that you found an Active Directory environment where a computer object does not have the dnsHostName attribute?

If that's the case, I'll modify the function to allow for this case.

Cheers,

Y

CapAlex94 commented 2 years ago

Sorry for the late response. Generally what you say is true, but if you compare the output from your tool and PowerView, you will see more results in PowerView, as it reports all the computers and not only the ones with the dnsHostName attribute set.

In my personal opinion, it's better to have a complete view of the domain computers and eventually filter out the ones without the attribute set.

In addition, it would be great to also get the IP attribute, if set, in the output. PowerView, if I'm not wrong, does not return this information, but maybe with your implementation it's possible to obtain it.

ThePirateWhoSmellsOfSunflowers commented 2 years ago

Hello!

> In addition, it would be great to also get the IP attribute, if set, in the output. PowerView, if I'm not wrong, does not return this information, but maybe with your implementation it's possible to obtain it.

As far as I know, the IP address is not an attribute of a computer object. However, I think it is possible to query the DNS via LDAP to get this information (see the excellent dnstool). Maybe we can implement the query module of dnstool within pywerview and add a --get-ip option to get-netcomputer.

I add it to my TODO list :+1:

:sunflower:
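As an added illustration of the "DNS via LDAP" idea mentioned above (example code written for this page, not pywerview's or dnstool's code), the block below shows the two pieces such a --get-ip option would need: the base DN and filter for a host's dnsNode object in an AD-integrated zone, and a decoder for the multi-valued dnsRecord attribute, which holds records in the DNS_RPC_RECORD layout of MS-DNSP 2.3.2.2 that dnstool parses. The zone location under DC=DomainDnsZones, the attribute list and the two record blobs are constructed assumptions for the example; no LDAP connection is made.

```python
import struct
from ipaddress import IPv4Address

# Constructed dnsRecord values (not captured from a real domain): one A record
# for 10.0.0.5 with TTL 600, and one AAAA record that the A-record extractor
# must skip. Layout: DNS_RPC_RECORD (MS-DNSP 2.3.2.2), 24-byte header + data.
SAMPLE_DNS_RECORDS = [
    bytes.fromhex(
        '0400'        # DataLength = 4
        '0100'        # Type = 1 (A)
        '05'          # Version
        'f0'          # Rank (zone record)
        '0000'        # Flags
        '2a000000'    # Serial (little-endian)
        '00000258'    # TtlSeconds = 600 (big-endian)
        '00000000'    # Reserved
        '00000000'    # TimeStamp
        '0a000005'    # Data: 10.0.0.5
    ),
    bytes.fromhex(
        '1000' '1c00' '05' 'f0' '0000' '2a000000' '00000258' '00000000' '00000000'
        + 'fd00' + '0000' * 6 + '0001'   # Data: fd00::1 (Type 28, AAAA)
    ),
]

DNS_TYPE_A = 1
# DataLength, Type, Version, Rank, Flags, Serial; TtlSeconds follows, big-endian.
HEADER = struct.Struct('<HHBBHL')
HEADER_LEN = 24


def parse_dns_record(blob):
    """Split one dnsRecord value into its header fields and raw record data."""
    if len(blob) < HEADER_LEN:
        raise ValueError('dnsRecord value shorter than its 24-byte header')
    data_length, rtype, version, rank, flags, serial = HEADER.unpack_from(blob, 0)
    ttl, = struct.unpack_from('>L', blob, HEADER.size)
    data = blob[HEADER_LEN:]
    if len(data) != data_length:
        raise ValueError('DataLength %d does not match %d data bytes'
                         % (data_length, len(data)))
    return {'type': rtype, 'version': version, 'rank': rank, 'flags': flags,
            'serial': serial, 'ttl': ttl, 'data': data}


def a_records(dns_record_values):
    """Return (ip, ttl) for every A record among a dnsNode's dnsRecord values."""
    out = []
    for blob in dns_record_values:
        rec = parse_dns_record(blob)
        if rec['type'] == DNS_TYPE_A:      # A record data is the raw 4-byte address
            out.append((str(IPv4Address(rec['data'])), rec['ttl']))
    return out


def ldap_escape(value):
    """RFC 4515 escaping for a value placed in a filter; '*' is left alone so a
    caller can still pass a wildcard deliberately."""
    return (value.replace('\\', '\\5c').replace('\x00', '\\00')
                 .replace('(', '\\28').replace(')', '\\29'))


def dns_node_query(zone, domain_dn, hostname):
    """Base DN, filter and attributes to fetch a host's dnsNode.

    Assumed layout: zones live under CN=MicrosoftDNS in the DomainDnsZones
    application partition, one dnsNode per name. dNSTombstoned is requested so
    the caller can ignore deleted names that still carry a dnsRecord.
    """
    base = 'DC={},CN=MicrosoftDNS,DC=DomainDnsZones,{}'.format(zone, domain_dn)
    flt = '(&(objectClass=dnsNode)(name={}))'.format(ldap_escape(hostname))
    return base, flt, ['dnsRecord', 'dNSTombstoned']


if __name__ == '__main__':
    print(dns_node_query('corp.local', 'DC=corp,DC=local', 'ws03'))
    print(a_records(SAMPLE_DNS_RECORDS))
```

The dnsNode entries are readable by any authenticated domain user by default, which is what makes the LDAP route usable from a low-privileged position where direct DNS queries might be filtered; a real implementation should also check dNSTombstoned and the 24-bit Rank/Type values of records it does not understand rather than assuming every value is an A record.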

ThePirateWhoSmellsOfSunflowers commented 2 years ago

Hi @CapAlex94,

As you can see, get-netcomputer (develop branch) now returns all computers, even those without the dnshostname attribute. Regarding the IP address, unfortunately, I changed my mind and I will not implement it. However, feel free to provide a PR 🙂.

:sunflower: