Skip to content

[ntlmrelayx] LDAP attack: Add DNS records through LDAP #1289

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
0xdeaddood merged 1 commit into from
Jun 15, 2023
Merged

[ntlmrelayx] LDAP attack: Add DNS records through LDAP #1289

0xdeaddood merged 1 commit into from
Jun 15, 2023

Conversation

@SAERXCIT
Copy link
Contributor

@SAERXCIT SAERXCIT commented Mar 28, 2022

Hi !

This PR adds the --add-dns-record as a ntlmrelayx LDAP attack, inspired by Kevin Robertson's ADIDNS research, and his own implementation in Inveigh.

The idea is being able to poison beyond the local subnet to get more authentications from hopefully higher-privileged users and machines. More info in the accompanying blog post.

Ntlmrelayx will add the provided name as an A record pointing to the provided IP, unless the name is wpad in which case it will bypass the GQBL using a NS record. Please note that adding a wildcard or wpad record could create disruptions in larger networks (using multiple DNS subdomains) or if workstations already use a proxy config. A warning was added to remind the user of that.

The output will be the following, in case of a wpad record:

[!] You are asking to add a `wpad` or a wildcard DNS name. This can cause disruption in larger networks (using multiple DNS subdomains) or if workstations already use a proxy config.
[*] HTTPD: Received connection from 10.72.72.101, attacking target ldap://dc1.domain.local
[*] Authenticating against ldap://dc1.domain.local as domain.local\BORDEAUX$ SUCCEED
[*] Assuming relayed user has privileges to escalate a user via ACL attack
[*] Checking if domain already has a `wpad` DNS record
[*] Domain does not have a `wpad` record!
[*] To add the `wpad` name, we need to bypass the GQBL: we'll first add a random `A` name and then add `wpad` as `NS` pointing to that name
[*] Adding `A` record `jwsgliwpffgv` pointing to `10.72.72.200` at `DC=jwsgliwpffgv,DC=DOMAIN.LOCAL,CN=MicrosoftDNS,DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL`
[*] Added `A` record `jwsgliwpffgv`. DON'T FORGET TO CLEANUP (set `dNSTombstoned` to `TRUE`, set `dnsRecord` to a NULL byte)
[*] Adding `NS` record `wpad` pointing to `jwsgliwpffgv.DOMAIN.LOCAL` at `DC=wpad,DC=DOMAIN.LOCAL,CN=MicrosoftDNS,DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL`
[*] Added `NS` record `wpad`. DON'T FORGET TO CLEANUP (set `dNSTombstoned` to `TRUE`, set `dnsRecord` to a NULL byte)

Credits for Kevin Robertson for the research in implementation in Powermad and Inveigh, and to Dirk-Jan Mollema for dnstool.py.

Cheers !

@anadrianmanrique anadrianmanrique added the in review This issue or pull request is being analyzed label Feb 16, 2023
@0xdeaddood 0xdeaddood added the medium Medium priority item label Feb 23, 2023
@0xdeaddood 0xdeaddood mentioned this pull request Jun 15, 2023
Merged
@0xdeaddood 0xdeaddood merged commit c432ff8 into fortra:master Jun 15, 2023
@0xdeaddood
Copy link
Collaborator

0xdeaddood commented Jun 15, 2023

Thanks @SAERXCIT!

@0xdeaddood 0xdeaddood removed the in review This issue or pull request is being analyzed label Jul 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@0xdeaddood 0xdeaddood

Labels

medium Medium priority item

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@SAERXCIT @0xdeaddood @anadrianmanrique