DNSAdmin to Domain Controller Compromise
by Sabe Barker
Posted on 9 January 2020
In this post I will explain how a user within the DNSAdmins group can accomplish Domain Controller takeover. We will cover how to create our custom DLL payload for the exploit and how to successfully execute it.
This issue was first published by Shay Ber back in 2017. I recently had to use this “feature” for privilege escalation and during that process I found that the part where we need to execute the DLL can be troublesome to say the least. This seems to be due to the fact that the DNS service crashes and needs to be restarted. However, this can be more than temperamental.
I will point out that this post is in no way meant to add anything new to the process of the compromise, but is more of a notebook of how to create a working DLL and how to get the bloody thing to actually execute successfully. I found that when researching this issue many people I spoke to had attempted to create a custom working DLL but ended up resorting to creating one with msfvenom. Me being me, I wasn’t happy to stop there, as that DLL cannot be used locally on the machine because Windows Defender will nuke it. So if for whatever reason you cannot access the DLL remotely you wouldn’t be able to obtain that beautiful system shell we desire so much.
Now before we start I will just do the usual spiel: This post is for educational purposes and I take no responsibility for any misuse of the information provided herein. Under no circumstances should you perform these actions on a system without prior consent from the owner.
Enough with the banter, let’s get our hands dirty!
First off we will download the Visual Studio 2019 Preview. I used the Professional version, for which you can get a “free” trial. Once downloaded, go through the installation process and then open the program.
On the Get started window select Create a new project:
We are presented with the Create a new project window, where we will type DLL into the search bar and select Dynamic-Link Library with exports (DLL), then click
Next we enter our Project Name and click
We are presented with a template that includes two files, one named dllmain.cpp and the other
dllmain.cpp we will edit to reflect the following code:
DNSAdmin.cpp we will also edit to reflect the following code:
Ensure you change <username> to the one that is on the victim machine, then save your changes. You will notice a reference to a file called shell.cmd. This is where we will place our command to execute. By not hardcoding it into the DLL we can freely change it if need be.
An explanation of what is going on here can be found at Shay’s post that was mentioned earlier.
Now it’s time to build our
From the top menu we will change
x64 or whichever the arch is for the
We will then navigate to Build --> Build Solution in the top menu or type Ctrl+Shift+B to build our
If we take a look in the output section at the bottom of our window we should see that our build succeeded:
In this output we can also see that our build has been saved at the location
Now let’s create our cmd file. Open up your favourite text editor and add the following line, saving the file as
Replace <attacker-ip> with the attacker machine’s IP address.
You will also need to download netcat for Windows, which can be found here.
We should now have three files to work with:
Now upload/download these files to the victim machine into the directory:
Let’s set up our listener for the incoming connection on the
We will then load the DLL using the dnscmd command on the victim machine like so:
On success we should see the output:
Now we have to restart the DNS service so our DLL is executed.
To do so we first stop the service:
and then start it again:
Back at your netcat session we should see a connection and our prompt:
We now have control of the
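From the defender’s side, here is an added PowerShell audit script (my own example, not part of the original post or Shay’s write-up) that checks a DNS server for the three things this technique leaves behind: the ServerLevelPluginDll value under the DNS service’s Parameters key (the setting dnscmd writes when a plugin DLL is registered), the DNSAdmins membership that is the only prerequisite, and recent DNS Server stop/start events, since the DLL is only loaded on a service restart. The registry path, value name and event ID are real; the function names and the output layout are my own.

```powershell
# Added audit script (not from the original post). Run as an administrator
# on the DNS server / domain controller. The DNSAdmins check assumes the
# ActiveDirectory PowerShell module is installed.

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'ServerLevelPluginDll'

function Get-DnsPluginDllFinding {
    # dnscmd /config /serverlevelplugindll writes this value; a DNS server that
    # has never had a plugin registered normally has no such value at all.
    $item = Get-ItemProperty -Path $dnsParams -Name $valueName -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Present = $false; Path = $null; Suspicious = $false }
    }
    $path = $item.$valueName
    # dns.exe runs as SYSTEM and loads whatever this resolves to; a bare
    # filename, a UNC path or anything outside System32 deserves a look.
    $suspicious = -not ($path -like "$env:SystemRoot\System32\*")
    [pscustomobject]@{ Present = $true; Path = $path; Suspicious = $suspicious }
}

function Get-DnsAdminsMembers {
    # Membership of DnsAdmins is the only privilege the technique needs.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

function Get-RecentDnsServiceRestarts {
    param([int]$Hours = 24)
    # Service Control Manager event 7036 records every service state change;
    # the DLL only gets loaded after the DNS Server service is restarted.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7036; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DNS Server' } |
        Select-Object TimeCreated, Message
}

$finding = Get-DnsPluginDllFinding
if ($finding.Present) {
    Write-Warning "$valueName is set to '$($finding.Path)' (suspicious: $($finding.Suspicious))"
} else {
    Write-Host "$valueName is not set."
}
Write-Host 'DnsAdmins members:'; Get-DnsAdminsMembers
Write-Host "DNS Server stop/start events in the last 24h:"; Get-RecentDnsServiceRestarts
```

Any non-empty ServerLevelPluginDll on a server where no plugin is expected is worth investigating regardless of the path, and clearing it plus reviewing DnsAdmins membership closes the door this post walks through.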
In the scenario where you need to host the DLL remotely you can fire up impacket’s smbserver.py on the
And then modify the
If you find that you do not receive a connection you can run the following command to test the
If you get a connection to your netcat session then there is most likely some interference on the victim machine (AV, firewall, etc.).