#!/usr/bin/env python# resolve domain computers by @3xocyteimport argparseim

1. #!/usr/bin/env python
2. # resolve domain computers by @3xocyte
3.  
4. import argparse
5. import sys
6. import string
7.  
8. # requires dnspython and ldap3
9. import dns.resolver
10. from ldap3 import Server, Connection, NTLM, ALL, SUBTREE
11.  
12. def resolve(nameserver, host_fqdn):
13. resolver = dns.resolver.Resolver();
14. resolver.nameservers = [nameserver]
15. answer = resolver.query(host_fqdn, "A")
16. return answer
17.  
18. def get_base_dn(domain):
19. base_dn = ''
20. domain_parts = domain.split('.')
21. for i in domain_parts:
22. base_dn += 'DC=%s,' % i
23. base_dn = base_dn[:-1]
24. return base_dn
25.  
26. def ldap_login(dc_ip, username, password, ssl, domain):
27. if ssl == True:
28. s = Server(dc_ip, port = 636, use_ssl = True, get_info=ALL)
29. else:
30. s = Server(dc_ip, get_info=ALL)
31. domain_user = "%s\\%s" % (domain, username)
32. try:
33. c = Connection(s, user = domain_user, password = password, authentication=NTLM)
34. if c.bind() != True:
35. print "[!] unable to bind"
36. sys.exit()
37. except Exception, e:
38. print "[!] unable to connect, exception: %s" % str(e)
39. sys.exit()
40. return c
41.  
42. def get_computers(ldap_connection, domain, dc_ip):
43. dn = get_base_dn(domain)
44. filter = "(samAccountType=805306369)" # or (objectCategory=computer)
45. try:
46. ldap_connection.search(search_base=dn, search_filter=filter, search_scope=SUBTREE, attributes=['dnsHostName'])
47. for entry in ldap_connection.entries:
48. computer = str(entry['dNSHostName'])
49. try:
50. answer = ''
51. result = resolve(dc_ip, computer)
52. for i in result:
53. result_string = ''.join([str(i), answer])
54. print '%s\t%s' % (result_string, computer)
55. except Exception as e:
56. # failed to resolve the hostname so no need to pollute the file
57. pass
58.  
59. except Exception, e:
60. print "[!] exception raised: %s" % str(e)
61. ldap_connection.unbind()
62. sys.exit()
63.  
64. def main():
65. parser = argparse.ArgumentParser(add_help = True, description = "script to produce /etc/hosts entries for domain-joined computers (requires valid domain credentials and an IP address for a DC acting as a DNS server)")
66. parser.add_argument('-d', '--domain', action="store", default='', help='valid fully-qualified domain name', required=True)
67. parser.add_argument('-u', '--username', action="store", default='', help='valid username', required=True)
68. parser.add_argument('--ssl', action="store_true", default=False, help="connect to ldap over SSL")
69. password_or_ntlm = parser.add_mutually_exclusive_group(required=True)
70. password_or_ntlm.add_argument('-p', '--password', action="store", default='', help='valid password')
71. password_or_ntlm.add_argument('-n', '--nthash', action="store", default='', help='valid nt hash (32 hex chars)')
72. parser.add_argument('target_dc', help='ip address or hostname of dc')
73. options = parser.parse_args()
74.  
75. domain = options.domain
76. username = options.username
77. password = options.password
78. nthash = options.nthash
79. dc_ip = options.target_dc
80. ssl = options.ssl
81.  
82. if nthash:
83. password = '00000000000000000000000000000000:%s' % nthash
84.  
85. ldap_connection = ldap_login(dc_ip, username, password, ssl, domain)
86. computer_results = get_computers(ldap_connection, domain, dc_ip)
87.  
88. if __name__ == '__main__':
89. main()