

Obtaining all DNS resolution records in a domain environment with an ordinary domain account

Posted by chiappelli at 2020-02-27

DNS zone transfers are a classic attack angle for security researchers: a misconfigured DNS server lets any anonymous client request a full copy of a zone and thereby obtain all of its name data. Far less well known is that if the internal network uses Active Directory-integrated DNS, any domain user is permitted to enumerate all DNS records.

This article describes how to query these DNS records manually, and introduces a tool that automates the process.


Personally, whenever I start a new penetration test, I first try to understand the overall network layout, the software in use, and where the sensitive data lives. But if the server names carry no functional description and are simply SRV00001, SRV00002 and so on, it is hard to know where to start.

If you run a tool like EyeWitness against the network, the output is full of default Apache/IIS pages, because most sites are configured as virtual hosts keyed on a DNS name rather than on an IP address. With the DNS records in hand you may discover that srv00001.company.local and gitlab.company.local point to the same IP, and that the GitLab instance holds a large amount of source code.

[Figure: EyeWitness output for SRV00001.company.local and gitlab.company.local]

In short, I consider the DNS records in Active Directory to be of high value, and I wrote a tool to dump them. It can be run directly on a host in the network, or through a SOCKS tunnel.


My interest in DNS records in a domain environment was mainly sparked by Kevin Robertson's research on ADIDNS. While using ADSI Edit to find out how Active Directory stores the DNS records of a zone in LDAP, I came across an overview of the domain's DNS records. That surprised me, but Kevin pointed out that mubix had already written about it in 2013. So a PowerShell script that could extract DNS records has existed since 2013; it did not fully meet my needs, however, so I decided to write a Python script and add some features.


"Hidden" DNS records

The obvious way to query DNS records over LDAP is to select all objects of the dnsNode class; that should return every entry in the DNS zone. But when I ran a query with the filter (objectClass=dnsNode), only a handful of results came back, even though browsing the same zone manually showed many more records:

[Figure: LDAP search with filter (objectClass=dnsNode) returning only a few dnsNode objects]

The objectClass of many objects is not readable because the default permissions on DNS records registered by computers via dynamic update (and, I believe, on other records created through the Active Directory DNS console as well) do not grant all users read access to their attributes. The IP address is likewise stored as an attribute (dnsRecord) of these objects, so it cannot be read either.


By default, however, any user can create new DNS records, and any user can list the child objects of a DNS zone. So we know which records exist (their names), but we cannot read their contents over LDAP.

But once we know a record name from enumerating LDAP, we can simply query it over DNS, since an ordinary DNS lookup requires no privileges at all. That way we can resolve every record in the zone.
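The procedure above (locate the zone in LDAP, read the dnsRecord attribute where permitted, resolve the listable-but-unreadable names over plain DNS) as an added example. This is not code from the original post or from adidnsdump itself. It assumes the standard AD-integrated DNS layout (zones under CN=MicrosoftDNS in the DomainDnsZones or ForestDnsZones partition), uses constructed LDAP entries and a constructed DNS answer table so it runs offline, and decodes dnsRecord per the MS-DNSP DNS_RPC_RECORD format (A, NS and CNAME only). In a real engagement the entries would come from a one-level LDAP search under zone_dn() and the resolver would query the domain controller's DNS service.

```python
"""Added example (not from the original post or adidnsdump): the three pieces
described in the text, for Active Directory-integrated DNS.
  zone_dn()          - where a zone's dnsNode objects live in LDAP
  parse_dns_record() - decoding the binary dnsRecord attribute of readable nodes
  dump_zone()        - listing every child node, resolving "hidden" ones via DNS
The LDAP entries and DNS answers below are constructed sample data; the encode_*
helpers exist only to build that sample data (and to round-trip the parser).
"""
import socket
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Type codes used inside dnsRecord (MS-DNSP 2.3.2.2, DNS_RPC_RECORD).
DNS_TYPE_A = 1
DNS_TYPE_NS = 2
DNS_TYPE_CNAME = 5


def zone_dn(zone: str, domain: str, forest_wide: bool = False) -> str:
    """DN whose children are the dnsNode objects of `zone`. Domain zones live in
    the DomainDnsZones partition, forest-wide zones (e.g. _msdcs.<forest>) in
    ForestDnsZones. Legacy zones under CN=System are not covered here."""
    partition = "ForestDnsZones" if forest_wide else "DomainDnsZones"
    domain_dn = ",".join(f"DC={label}" for label in domain.split("."))
    return f"DC={zone},CN=MicrosoftDNS,DC={partition},{domain_dn}"


def encode_count_name(fqdn: str) -> bytes:
    """DNS_COUNT_NAME: total length, label count, length-prefixed labels, NUL."""
    labels = [lb for lb in fqdn.rstrip(".").split(".") if lb]
    raw = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def decode_count_name(data: bytes) -> str:
    """Inverse of encode_count_name(); returns an absolute name ending in '.'."""
    label_count, pos, labels = data[1], 2, []
    for _ in range(label_count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."


def encode_dns_record(rtype: int, ttl: int, serial: int, data: bytes) -> bytes:
    """One dnsRecord value: 24-byte header then type-specific data.
    Version 5, Rank 0xF0 (RANK_ZONE). TtlSeconds is stored big-endian,
    the other integer fields little-endian."""
    header = struct.pack("<HHBBHL", len(data), rtype, 5, 0xF0, 0, serial)
    header += struct.pack(">L", ttl) + struct.pack("<LL", 0, 0)  # TTL, Reserved, TimeStamp
    return header + data


def parse_dns_record(blob: bytes) -> Dict[str, object]:
    """Decode one dnsRecord value into type, TTL, serial and a printable value."""
    data_len, rtype, _ver, _rank, _flags, serial = struct.unpack_from("<HHBBHL", blob, 0)
    ttl = struct.unpack_from(">L", blob, 12)[0]
    data = blob[24:24 + data_len]
    if rtype == DNS_TYPE_A:
        value = socket.inet_ntoa(data)
    elif rtype in (DNS_TYPE_NS, DNS_TYPE_CNAME):
        value = decode_count_name(data)
    else:
        value = data.hex()  # types not handled here: keep the raw bytes
    return {"type": rtype, "ttl": ttl, "serial": serial, "value": value}


def system_resolve(fqdn: str) -> Optional[str]:
    """Fallback for hidden nodes: an ordinary A lookup needs no AD privileges.
    Uses the OS resolver; adidnsdump asks the DC's DNS service directly."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def dump_zone(entries: List[Dict[str, object]], zone: str,
              resolver: Optional[Callable[[str], Optional[str]]] = None
              ) -> List[Tuple[str, object, str]]:
    """One (fqdn, type, value) row per record. A node whose dnsRecord attribute is
    not readable (empty list) is the 'hidden' case: without a resolver it is
    reported as '?', with one it is resolved over DNS as -r does."""
    rows: List[Tuple[str, object, str]] = []
    for entry in entries:
        fqdn = f"{entry['name']}.{zone}"
        blobs = entry.get("dnsRecord") or []
        if blobs:
            for blob in blobs:
                rec = parse_dns_record(blob)
                rows.append((fqdn, rec["type"], str(rec["value"])))
        elif resolver is None:
            rows.append((fqdn, "?", "?"))
        else:
            rows.append((fqdn, DNS_TYPE_A, resolver(fqdn) or "?"))
    return rows


# Constructed sample data: what a one-level search under zone_dn() returns to a
# plain domain user. 'gitlab' and 'srv00001' are listable but their attributes
# are not readable, so only the RDN is known.
SAMPLE_LDAP_ENTRIES = [
    {"name": "dc01", "dnsRecord": [encode_dns_record(DNS_TYPE_A, 3600, 1, bytes([10, 0, 0, 5]))]},
    {"name": "www", "dnsRecord": [encode_dns_record(DNS_TYPE_CNAME, 3600, 2,
                                                    encode_count_name("dc01.internal.corp"))]},
    {"name": "gitlab", "dnsRecord": []},
    {"name": "srv00001", "dnsRecord": []},
]
# Constructed answers standing in for the DC's DNS service (offline run).
SAMPLE_DNS = {"gitlab.internal.corp": "10.0.0.20", "srv00001.internal.corp": "10.0.0.20"}


def sample_resolver(fqdn: str) -> Optional[str]:
    return SAMPLE_DNS.get(fqdn)


if __name__ == "__main__":
    print(zone_dn("internal.corp", "internal.corp"))
    for row in dump_zone(SAMPLE_LDAP_ENTRIES, "internal.corp", resolver=sample_resolver):
        print(",".join(str(c) for c in row))
```

Running it without a resolver reproduces the question marks for gitlab and srv00001; passing sample_resolver (or system_resolve on a real network) fills them in, which is exactly the gap the LDAP permissions leave open.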


adidnsdump, available on my GitHub, enumerates all records in a DNS zone. Start with --print-zones to list the zones in the current domain. Note that not all zones are interesting: forwarder and cache zones, among others, do not hold the domain's own records. If you find such zones, query the domain they actually point to instead. The command below shows that my test domain contains only the default zones:

    $ adidnsdump -u icorp\\testuser --print-zones icorp-dc.internal.corp
    Password:
    [-] Connecting to host...
    [-] Binding to host
    [+] Bind OK
    [-] Found 2 domain DNS zones:
        internal.corp
        RootDNSServers
    [-] Found 2 forest DNS zones:
        ..TrustAnchors
        _msdcs.internal.corp

Given a zone, the tool dumps all of its records. Records that can be listed but not read (the "hidden" records described above) are shown with a question mark. All records are written to a file named records.csv.


To resolve these unknown records, add the -r parameter, which performs a DNS query for every unknown record. The records that were previously missing now appear:

[Figure: records.csv with hidden entries shown as type A and value "?", and the same entries resolved after running with -r]

If you are connecting through a proxy, use the --dns-tcp parameter to perform the DNS queries over TCP.


Defensive measures

As a defensive measure you could tighten the read permissions on the records and remove the "List contents" right from ordinary users, but that may have side effects, so I don't recommend it. Monitoring DNS queries with a dedicated solution, or enabling auditing on the DNS zone, is probably the better way to address this.
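One concrete shape the "monitor DNS queries" advice can take, as an added example that is not part of the original post: a client resolving the hidden records of a zone the way -r does asks the DNS server for many distinct in-zone names in quick succession, so a per-client sliding window over distinct query names stands out from normal traffic. The log line format ("epoch client qname qtype"), the 60-second window and the threshold of 50 names are assumptions, and the log lines are constructed.

```python
"""Added example (not from the original post): a heuristic for spotting a
client that is resolving a DNS zone name by name, as adidnsdump -r does.
Log format, window and threshold are assumptions; the lines are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Tuple

ZONE = "internal.corp"
WINDOW_SECONDS = 60          # assumed detection window
DISTINCT_NAMES_THRESHOLD = 50  # assumed: more distinct in-zone names than this per window

# Constructed DNS query log: "<epoch> <client_ip> <qname> <qtype>".
# 10.0.0.77 walks srv00000..srv00059 one second apart; 10.0.0.8 is normal traffic.
SAMPLE_LOG = [f"{1000 + i} 10.0.0.77 srv{i:05d}.internal.corp A" for i in range(60)]
SAMPLE_LOG += [
    "1005 10.0.0.8 gitlab.internal.corp A",
    "1007 10.0.0.8 dc01.internal.corp A",
    "1009 10.0.0.8 www.example.com A",  # out-of-zone query, ignored
]


def find_enumerators(lines: Iterable[str], zone: str = ZONE,
                     window: int = WINDOW_SECONDS,
                     threshold: int = DISTINCT_NAMES_THRESHOLD) -> Dict[str, int]:
    """Return {client: peak distinct in-zone names seen within one window}
    for every client whose peak reaches the threshold."""
    suffix = "." + zone.lower()
    recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for line in sorted(lines, key=lambda entry: int(entry.split()[0])):
        ts_str, client, qname, _qtype = line.split()
        ts, qname = int(ts_str), qname.lower()
        if not qname.endswith(suffix):
            continue  # only queries for names inside the monitored zone count
        q = recent[client]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop queries that fell out of the window
        peak[client] = max(peak[client], len({name for _, name in q}))
    return {client: n for client, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct names in {ZONE} within {WINDOW_SECONDS}s")
```

The same counting applied to LDAP audit events (one read per dnsNode under the zone container) would catch the enumeration half of the technique; the DNS half is what this block looks at.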


adidnsdump can be installed from GitHub or from PyPI (pip install adidnsdump). The result is written to a CSV file, which you can convert to other formats yourself.

This article was compiled and translated by 白帽汇 and does not represent any view or position of 白帽汇. Source: https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/