TrimarcJake/BlueTuxedo

Failed to Enumerate Zones

Opened this issue · 35 comments

Hello, while executing BlueTuxedo on a custom Windows 10 image that was not domain joined, my team received the following errors on a client engagement:

We executed it within a runas /netonly shell using a compromised standard user and confirmed the shell to be valid. The client is in fact using ADIDNS through conversation with them. We have disabled Windows Defender locally and have not been having client IPSs blocking on our loud activities (i.e., BloodHound). Client hostnames are resolving and we can authenticate to DCs without issue.

If you have any ideas, feel free to reach out sooner rather than later, as I will only be on this client network a little longer since the engagement will end soon. I certainly understand any delays, of course.

Since Jim and I are defenders at heart, we did not take into consideration attempting to run BT from a non-domain-joined machine. I'll need to ruminate on this a bit.

Have the same kind of error. Do the test from a DC with God level privileges.

PS C:\Users\Administrator\Downloads\BlueTuxedo-main> Invoke-BlueTuxedo
      ::::::::: :::      :::    :::::::::::::::::::::::::::    ::::::    ::::::::::::::::::::::  ::::::::
     :+:    :+::+:      :+:    :+::+:           :+:    :+:    :+::+:    :+::+:       :+:    :+::+:    :+:
    +:+    +:++:+      +:+    +:++:+           +:+    +:+    +:+ +:+  +:+ +:+       +:+    +:++:+    +:+
   +#++:++#+ +#+      +#+    +:++#++:++#      +#+    +#+    +:+  +#++:+  +#++:++#  +#+    +:++#+    +:+
  +#+    +#++#+      +#+    +#++#+           +#+    +#+    +#+ +#+  +#+ +#+       +#+    +#++#+    +#+
 #+#    #+##+#      #+#    #+##+#           #+#    #+#    #+##+#    #+##+#       #+#    #+##+#    #+#
######### ################## ##########    ###     ######## ###    ######################  ########
                                                                                           v2023.11
Please hold. Collecting DNS data from the following domains:
acad.fakedomain.local fakedomain.local acronym.local
Get-DnsServerZone : Failed to enumerate zones from the server fakedomain.local.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTADIZone.ps1:14 char:18
+         $Zones = Get-DnsServerZone -ComputerName $domain | Where-Obje ...
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (fakedomain.local:root/Microsoft/...S_DnsServerZone) [Get-DnsServerZone], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DnsServerZone

Get-DnsServerZone : Failed to enumerate zones from the server acronym.local.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTADIZone.ps1:14 char:18
+         $Zones = Get-DnsServerZone -ComputerName $domain | Where-Obje ...
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (acronym.local:root/Microsoft/...S_DnsServerZone) [Get-DnsServerZone], CimException
    + FullyQualifiedErrorId : WIN32 1722,Get-DnsServerZone

Get-DnsServerZone : Failed to enumerate zones from the server 10.10.33.1.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTConditionalForwarder.ps1:16 char:22
+ ...    $Zones = Get-DnsServerZone -ComputerName $dnsServer.IP4Address | W ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (10.10.33.1:root/Microsoft/...S_DnsServerZone) [Get-DnsServerZone], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DnsServerZone

Get-DnsServerResourceRecord : Failed to get the zone information for fakedomain.local on server fakedomain.local.
At C:\Users\Administrator\Downloads\BlueTuxedo-main\Private\Get\Get-BTDanglingSPN.ps1:33 char:29
+ ...         if (Get-DnsServerResourceRecord -ComputerName $domain -ZoneNa ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (fakedomain.local:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord

[Edited by @TrimarcJake to remove possibly private data]

For the non-domain joined machine, I’m gonna have my team try and add the domain as a DNS search in the interface. I know many PowerShell/Python equivalent tools have you specify a DC for “guaranteed” name resolution. That might help for a long term fix.

Don't worry, it's a homelab environment.

@Zamanry - Assuming all the DNS servers in the environment are also Domain Controllers, Get-DnsServerZone requires Domain Admin (single-domain forest) or Enterprise Admin (multi-domain forest). Does the user you popped have those rights?

@rebelinux - I can see you are in a multi-domain environment and that you had no issues getting zones from acad.fakedomain.local, so I bet the user you are running your test is only a DA. Try one with EA and report back!

My user does not. It’s a standard domain user. So this is likely a privilege issue hence the access denieds.

To be fair, I do not remember why I used Get-DnsServerZone for ADI zones instead of pulling that info from AD. That's something to work on!

BTW: As much as I'm a defender, I love helping you filthy red teamers get the goods (🤣), so expect an enhancement sometime in the next couple weeks.

The user is Ent Admin

The test was performed in this AD lab which is built/destroyed with automation producing the error results. Additionally I used the script in another environment with the same results. Possibly some situation related to multi domain forest

PS C:\Users\Administrator> whoami -user

USER INFORMATION
----------------

User Name             SID
===================== ============================================
pharmax\administrator S-1-5-21-2867495315-1194516362-180967319-500
PS C:\Users\Administrator> whoami -groups

GROUP INFORMATION
-----------------

Group Name                                     Type             SID                                           Attributes
============================================== ================ ============================================= ===============================================================
Everyone                                       Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                         Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                  Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access     Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access        Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON          Well-known group S-1-5-14                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                       Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users               Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                 Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                          Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
PHARMAX\Domain Admins                          Group            S-1-5-21-2867495315-1194516362-180967319-512  Mandatory group, Enabled by default, Enabled group
PHARMAX\ESX Admins                             Group            S-1-5-21-2867495315-1194516362-180967319-1190 Mandatory group, Enabled by default, Enabled group
PHARMAX\BitLocker Helpdesk Admins              Group            S-1-5-21-2867495315-1194516362-180967319-2625 Mandatory group, Enabled by default, Enabled group
PHARMAX\Group Policy Creator Owners            Group            S-1-5-21-2867495315-1194516362-180967319-520  Mandatory group, Enabled by default, Enabled group
PHARMAX\Enterprise Admins                      Group            S-1-5-21-2867495315-1194516362-180967319-519  Mandatory group, Enabled by default, Enabled group
PHARMAX\Schema Admins                          Group            S-1-5-21-2867495315-1194516362-180967319-518  Mandatory group, Enabled by default, Enabled group
PHARMAX\VEEAM AD-1-1401084541                  Group            S-1-5-21-2867495315-1194516362-180967319-7763 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity     Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
PHARMAX\Denied RODC Password Replication Group Alias            S-1-5-21-2867495315-1194516362-180967319-572  Mandatory group, Enabled by default, Enabled group, Local Group
PHARMAX\LAPS Admins                            Alias            S-1-5-21-2867495315-1194516362-180967319-2638 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level           Label            S-1-16-12288
PS C:\Users\Administrator>

@rebelinux Are you running BT from a child domain? If yes, are there different results when running BT from the root domain?

Also, sorry for the slow response. Thanksgiving and burnout are real.

Hello Jake and the Trimarc team. Hope you are doing okay and you had a good end of year!

I am facing the same issue as described, same error messages. I run it from a Windows 10 Pro VM as well, which is domain-joined, and from an elevated prompt with Domain Admin account. The context which I am using this tool consists of a single domain. If you need more details or test results from me, I am willing to provide them.

PS: I don't run into the same issue with Locksmith, which works great!

I ran it from the root domain.

@rebelinux and @benji1000:

Are you running DNS on your DCs or on separate machines?

DNS service is hosted in the DC servers

Same here.

WEIRD. Well, I just updated the Get-BTADIZone function to pull zone information from AD instead of directly from the DNS servers (less privs required, supports more varied infra!).

If y'all have a moment, please test the version in testing. :D

Thanks for the update, but the same thing happens unfortunately, using a standard account as well as a DA account. I pulled the repo and switched branch to testing, before importing the .psd1 file and invoking BlueTuxedo.

      ::::::::: :::      :::    :::::::::::::::::::::::::::    ::::::    ::::::::::::::::::::::  ::::::::
     :+:    :+::+:      :+:    :+::+:           :+:    :+:    :+::+:    :+::+:       :+:    :+::+:    :+:
    +:+    +:++:+      +:+    +:++:+           +:+    +:+    +:+ +:+  +:+ +:+       +:+    +:++:+    +:+
   +#++:++#+ +#+      +#+    +:++#++:++#      +#+    +#+    +:+  +#++:+  +#++:++#  +#+    +:++#+    +:+
  +#+    +#++#+      +#+    +#++#+           +#+    +#+    +#+ +#+  +#+ +#+       +#+    +#++#+    +#+
 #+#    #+##+#      #+#    #+##+#           #+#    #+#    #+##+#    #+##+#       #+#    #+##+#    #+#
######### ################## ##########    ###     ######## ###    ######################  ########
                                                                                           v2024.1
Please hold. Collecting DNS data from the following domains:
[REDACTED]
Get-DnsServerResourceRecord : Failed to get the zone information for [REDACTED] on server [REDACTED].
At Z:\BlueTuxedo\Private\Get\Get-BTDanglingSPN.ps1:33 char:29
+ ...         if (Get-DnsServerResourceRecord -ComputerName $domain -ZoneNa ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: ([REDACTED]:root/Microsoft/...rResourceRecord) [Get-DnsServerResourceRecord], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord

As you can see, the AD I'm testing it on is in French. Is it something that can block the tool from working appropriately?

Hi @benji1000! Is this the full error?

If so, this is progress as I have not updated Get-BTDanglingSPNs yet, only Get-BTADIZone.

No I'm sorry, I didn't post the full log. It just loops on "Permission denied" errors after that, so I assumed it wasn't relevant and hit Ctrl+C after a few errors. Sorry if it gave the impression that some things were fixed... Are you interested in the full logs?

I love full logs. :D Feel free to send to security@dotdot.horse if it's big.

That being said, did you Get-Module -Name BlueTuxedo | Remove-Module first before loading the new version?

Generated the log using Start-Transcript:

BlueTuxedo.log

This is an environment I used to develop the AsbuiltReport for AD, so no sensitive or important data!

https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.AD

@rebelinux:

Oooh, I'm starring that repo immediately. It looks very handy.

From the log, it looks like you are running the main version of the module instead of what I'm currently working on in testing. Would you mind doing the following?

git clone https://github.com/TrimarcJake/BlueTuxedo.git
cd BlueTuxedo
git checkout testing
Import-Module .\BlueTuxedo.psd1
Invoke-BlueTuxedo -Verbose

I'd love to get a look at that log.

I used the testing repository to perform that test. I see that there are new commits in the repository so I will test again with the new changes.

I added the Start-Transcript cmdlet example for everyone's benefit:

PS BlueTuxedo> Start-Transcript -Append .\BlueTuxedo.log
PS BlueTuxedo> Invoke-BlueTuxedo -Verbose
PS BlueTuxedo> Stop-Transcript


Done with latest changes!

BlueTuxedo.log

@rebelinux Ahhh, this is what it should look like!

  1. ADI Zones are collected, but the "Dynamic Update" field is not collected (yet)
  2. Failures during Dangling SPN checks because those still check the DNS servers directly for records instead of checking AD for records

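An added example, not BlueTuxedo's own code, showing the approach Jake describes above: read ADI zones and their records from the directory with Get-ADObject instead of the DnsServer cmdlets. It covers both the zone collection from the testing branch (including the "Dynamic Update" setting he notes is not collected yet) and the record lookups the Dangling SPN check still does against the DNS servers directly. It assumes the RSAT ActiveDirectory module, ADWS reachable on the DC you name with -Server (a parameter I chose so it also works from a runas /netonly shell on a non-domain-joined box, where the earlier reporter had to rely on name resolution), and the dnsProperty and dnsRecord blob layouts from MS-DNSP; the function names and output fields are mine.

```powershell
# Added example (not BlueTuxedo code): read ADI DNS zones and records from AD with
# Get-ADObject, which needs only the default read rights on the DNS partitions rather
# than admin rights on every DNS server. -Server is an assumed parameter naming a
# reachable DC; blob layouts follow MS-DNSP 2.3.2.1 (DnsProperty) and 2.3.2.2 (DnsRecord).
param([Parameter(Mandatory)][string]$Server)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-DnsZoneAllowUpdate {
    # dnsProperty holds several blobs: DataLength(4) NameLength(4) Flag(4) Version(4) Id(4) Data Name(1).
    # Id 2 (ZONE_ALLOW_UPDATE) carries the dynamic update mode as a DWORD.
    param($DnsProperty)
    foreach ($raw in $DnsProperty) {
        $blob = [byte[]]$raw
        if ($blob.Length -lt 24) { continue }
        $dataLength = [BitConverter]::ToUInt32($blob, 0)
        $id         = [BitConverter]::ToUInt32($blob, 16)
        if ($id -eq 2 -and $dataLength -ge 4) {
            switch ([BitConverter]::ToUInt32($blob, 20)) {
                0 { return 'None' }
                1 { return 'NonsecureAndSecure' }   # unauthenticated clients may create/overwrite records
                2 { return 'Secure' }
            }
        }
    }
    'Unknown'
}

function ConvertFrom-DnsRecordBlob {
    # dnsRecord: DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4) TtlSeconds(4, big-endian)
    # Reserved(4) TimeStamp(4), then type-specific data starting at offset 24.
    param([byte[]]$Blob)
    if ($Blob.Length -lt 24) { return $null }
    $type = [BitConverter]::ToUInt16($Blob, 2)
    $ttl  = [byte[]]$Blob[12..15]
    [array]::Reverse($ttl)
    $data = switch ($type) {
        1       { ([System.Net.IPAddress]::new([byte[]]$Blob[24..27])).ToString() }
        28      { ([System.Net.IPAddress]::new([byte[]]$Blob[24..39])).ToString() }
        0       { 'TOMBSTONE' }                     # DNS_TYPE_ZERO marks a deleted (entombed) node
        default { "<type $type, $($Blob.Length - 24) data bytes>" }
    }
    [pscustomobject]@{ Type = $type; Ttl = [BitConverter]::ToUInt32($ttl, 0); Data = $data }
}

function Get-ADIDnsZone {
    param([Parameter(Mandatory)][string]$Server)
    $domain       = Get-ADDomain -Server $Server
    $forestRootDn = 'DC=' + (((Get-ADForest -Server $Server).RootDomain -split '\.') -join ',DC=')
    # Each replication scope stores its zones in a different partition; all three are searched.
    $bases = [ordered]@{
        Domain = "CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"
        Forest = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestRootDn"
        Legacy = "CN=MicrosoftDNS,CN=System,$($domain.DistinguishedName)"
    }
    foreach ($scope in $bases.Keys) {
        Get-ADObject -Server $Server -SearchBase $bases[$scope] -LDAPFilter '(objectClass=dnsZone)' `
                     -Properties dnsProperty -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -notin 'RootDNSServers', '..TrustAnchors' } |   # housekeeping objects
            ForEach-Object {
                [pscustomobject]@{
                    ZoneName          = $_.Name
                    ReplicationScope  = $scope
                    DynamicUpdate     = Get-DnsZoneAllowUpdate -DnsProperty $_.dnsProperty
                    DistinguishedName = $_.DistinguishedName
                }
            }
    }
}

function Get-ADIDnsRecord {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$ZoneDn)
    Get-ADObject -Server $Server -SearchBase $ZoneDn -LDAPFilter '(objectClass=dnsNode)' `
                 -Properties dnsRecord, dNSTombstoned |
        ForEach-Object {
            $node = $_
            foreach ($blob in $node.dnsRecord) {
                $rec = ConvertFrom-DnsRecordBlob -Blob ([byte[]]$blob)
                if ($rec) {
                    [pscustomobject]@{ Name = $node.Name; Type = $rec.Type; Ttl = $rec.Ttl
                                       Data = $rec.Data; Tombstoned = [bool]$node.dNSTombstoned }
                }
            }
        }
}

# Usage: list zones with their update mode, then the live A records of each zone.
$zones = Get-ADIDnsZone -Server $Server
$zones | Format-Table ZoneName, ReplicationScope, DynamicUpdate
foreach ($zone in $zones) {
    Get-ADIDnsRecord -Server $Server -ZoneDn $zone.DistinguishedName |
        Where-Object { $_.Type -eq 1 -and -not $_.Tombstoned } |
        Format-Table Name, Data, Ttl
}
```

Two practical notes. Get-ADObject talks to ADWS (TCP 9389) on the DC you name rather than to the WinRM/WMI DNS provider that Get-DnsServerZone uses, which is why the "WIN32 5" permission errors from the thread do not apply: by default Authenticated Users can read dnsZone and dnsNode objects. And a zone reporting NonsecureAndSecure here is the condition that lets any host on the network register or overwrite records, which is worth flagging in the same report as dangling SPNs.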

Hey, sorry it took me so long to post the rest of the log. You can find it here, it expires in a week.

This is not really the full log, as it is a continuation of the first logs I posted (I didn't know about the Start-Transcript technique rebelinux posted when I generated them...), and I had to redact some data. Also, when it came to the part where fixes were offered, I exited the program. I hope it can still help you.

Thank you for your hard work!

Hi @benji1000. I took a look at your log, and it is exactly as I expect it to look after making my last modifications.

I plan to continue replacing any Get-DnsServer* cmdlets with Get-ADObject or whatever else is needed.

Once those replacements are complete, I will consider this ticket closed.

Thanks so much to all of you for reporting issues!

No problem, glad I could be of some help!

Hi @benji1000 and @rebelinux - if either of you are free today, would you mind pulling down the testing branch and trying it out to see if your errors are mostly resolved?

Hello, sorry I don't have access to the environment at the moment. I will try to get access to it as soon as possible, but I don't know when it will be. Possibly at the end of this week.

Thanks, @benji1000 ! I hope you're having a great day.

Here is the log with the most recent version of the testing repo :)
BlueTuxedo.log

How is this worse?!?!

Maybe a DC issue. I will run the script again and let you know the results!