Invoke-DHCPCheckup is a tool meant to identify risky DHCP and DNS configurations in Active Directory environments. For additional information please refer to our blogpost: https://akamai.com/blog/security-research/spoofing-dns-by-abusing-dhcp
The tool identifies the following misconfigurations:
- DNS Credential is not configured
- The configured DNS credential is of a strong user
- Name protection is not enabled on a scope
- Name protection is not enabled by default on new scopes
- Display group members
- Specify whether the members are DHCP servers
- List records owned by DHCP servers (Managed Records)
- List records that could be overwritten by authenticated users
Invoke-DHCPCheckup relies on the DHCP server management API and requires to run as a user that is part of the "DHCP Administrators" and "DNSAdmins" groups.
It also requires the following Powershell modules:
- ActiveDirectory
- DHCPServer
- DNSServer
To run use the following commands:
PS C:\Users\Administrator> Import-Module C:\Users\Administrator\Desktop\DHCP-Checkup.ps1
PS C:\Users\Administrator> Invoke-DHCPCheckup -domainName <domain_name> -dnsServerName <adidns_server_fqdn>
For domains that use languages other than english as their default language, adjust the names of the strong groups at line 45 if necessary.
Copyright 2023 Akamai Technologies Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.