Skip to content

Instantly share code, notes, and snippets.

@DanielRTeixeira

DanielRTeixeira/recon.hta

Forked from nicholasmckinney/recon.hta
Created November 2, 2017 15:23
Show Gist options
  • Save DanielRTeixeira/8bf69ec62fb8f462eb880c76b0bbbf5d to your computer and use it in GitHub Desktop.
Save DanielRTeixeira/8bf69ec62fb8f462eb880c76b0bbbf5d to your computer and use it in GitHub Desktop.
Download ZIP
JavaScript AD Enumeration
Raw
recon.hta
<html>
<head>
<script Language = JavaScript>
//-----------------------------------------------------------------------------------------------
// adSiteInfo.js
//
//-----------------------------------------------------------------------------------------------
var objADSysInfo = new ActiveXObject("ADSystemInfo");
var objNetwork = new ActiveXObject("WScript.Network");
var objRootDSE = null;
var strUserDn = objADSysInfo.UserName;
var strUserName = objNetwork.userDomain + "\\" + objNetwork.userName;
var strComputerName = objNetwork.computerName;
var strComputerDn = objADSysInfo.ComputerName;
var strDomainDN = getDomainDN(objADSysInfo.ComputerName);
var strDCName = getAuthenticatingDC();
var strSiteName = objADSysInfo.SiteName
var arrDCs = getDCList(strSiteName);
var details = " Your User Name : " + strUserName + "\n";
details += " Your Distinguished Name : " + strUserDn + "\n";
details += " Your Computer Name : " + strComputerName + "\n";
details += " Your Computer Dn : " + strComputerDn + "\n";
details += " Auth Domain Controller : " + strDCName + "\n";
details += " Your Domain Name : " + strDomainDN + "\n";
details += " Domain Controllers : " + "\n";
for (var idx=0;idx<arrDCs.length;idx++)
{
details += " " + arrDCs[idx] + "\n";
}
alert(details);
//---------------------------------------------------------------------------
// function : getAuthenticatingDC()
//
// purpose : this function will determine the name of the Domain Controller
// that authenticated you when you logged on
//---------------------------------------------------------------------------
function getAuthenticatingDC()
{
objRootDSE = GetObject("LDAP://rootDse");
objDC = objRootDSE.Get("dnsHostName");
return objDC;
}
//---------------------------------------------------------------------------
// function : getDomainDN(path)
//
// purpose : retrieve the Domain - DC=amed,DC=ds,DC=army,DC=mil
//---------------------------------------------------------------------------
function getDomainDN(path)
{
var ADS_SETTYPE_DN = 4;
var ADS_FORMAT_X500_PARENT = 8;
var pathname = new ActiveXObject("Pathname");
pathname.Set(path, ADS_SETTYPE_DN);
var domainDN = pathname.Retrieve(ADS_FORMAT_X500_PARENT);
while (domainDN.substr(0, 2) != "DC")
{
pathname.RemoveLeafElement();
domainDN = pathname.Retrieve(ADS_FORMAT_X500_PARENT);
}
return domainDN;
}
//---------------------------------------------------------------------------
// function : getDCList(strSiteName)
//
// purpose : return an array of all DC's for this AD Site
//---------------------------------------------------------------------------
function getDCList(strSiteName)
{
var arrComputers = new Array();
strConfigurationNC = objRootDSE.Get("configurationNamingContext");
strServersPath = "LDAP://cn=Servers,Cn=" + strSiteName + ",cn=Sites," + strConfigurationNC
var objServersContainer = GetObject(strServersPath);
var enumItems = new Enumerator(objServersContainer);
for (; !enumItems.atEnd(); enumItems.moveNext())
{
var objItem = enumItems.item();
arrComputers.push(objItem.Name);
}
return arrComputers;
}
</script>
</head>
<body>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment