
powermad's People

Contributors

0xe7, kevin-robertson, kontr0x


powermad's Issues

Distinguished Name not available

Hi,

I just tried to add an ADIDNS node entry in two different AD environments. The script was executed with a valid AD user. But the default distinguished name "CN=MicrosoftDNS,DC=DomainDNSZones" is not available in either environment. So these containers are not enabled in the default settings? I could not find another valid distinguished name for the ADIDNS zones.

The verbose error message when trying to add a node:
Exception when calling "SendRequest" with 1 argument(s): "The object does not exist".

Greetings

Remote Remove-Machine Exception bug

I added a machine on a remote domain controller through a socks proxy using the command:

New-MachineAccount -MachineAccount acctname -Password $(ConvertTo-SecureString 'password' -AsPlainText -Force) -Domain remote.domain -DomainController dc.remote.domain

However when I went to remove the account using the command:

Remove-MachineAccount -MachineAccount acctname -Credential $DomainAdminCred -Domain remote.domain -DomainController dc.remote.domain

I got this error:

[-] Exception calling "GetCurrentDomain" with "0" argument(s): "Current security context is not associated with an Active Directory domain or forest."
Exception calling "GetCurrentDomain" with "0" argument(s): "Current security context is not associated with an Active Directory domain or forest."
At C:\Users\ritzbitz\Desktop\Powermad-master\Powermad.ps1:1037 char:13
+             $current_domain = [System.DirectoryServices.ActiveDirecto ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ActiveDirectoryOperationException

I believe this is due to the 'or' in the catch statement here:

if(!$DomainController -or !$Domain -or !$Zone)
{

    try
    {
        $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    }
    catch
    {
        Write-Output "[-] $($_.Exception.Message)"
        throw
    }

}

When I removed the -or !$Zone check and reloaded the Powermad module, the request completed successfully and removed the machine.

New-MachineAccount for a different domain.

I think a useful feature to be added is to be able to add a machine for a different domain.

Example:

  • I have impersonated constr, a test.local domain user via a certificate I have dumped.
  • User constr had GenericWrite permissions on the test.local DC, which is the only computer in that domain.
  • Obviously, constr can launch an RBCD attack to compromise the test.local DC.
  • constr has access to a machine that belongs to a child domain, say hello.test.local
  • When we try to add a new machine with New-MachineAccount the machine will be added to our current domain (hello.test.local).

It would be interesting to have the choice to add the new computer to the domain we want.

SharpAllowedToAct.exe offers that capability in order to perform the RBCD abuse when we have access to another trusted domain than the one we want to compromise.

Parameter DNSZone does not work

Hello,

I've tried to create a record via
Invoke-DNSUpdate -Zone "sub.myzone.net" -DNSName host1.sub.myzone.net -DNSData 192.168.1.103 -DNSType A -Verbose
and got an error (the DNS zone of the client is myzone.net, that's the reason I need to use DNSZone).
After a short look in the source, I've seen
[parameter(Mandatory=$false)][String]$Zone,
but the help writes:
.PARAMETER DNSZone
DNS zone.

If I use the parameter "Zone", everything is working fine.

Could this be a mistake?

Thanks Meike

Question -more than an issue

Do you know what LDAP attribute can be used to create a zone that will allow "Secure and Non-Secure Updates"?

I'm using the LDAP API to create the dnsZone record. Appreciate your help.

Wiki "Adding ADIDNS Records" example not working

I'm trying out the examples in the "Adding ADIDNS Records" wiki and they are not working for me.

PS C:\Users\Administrator>  New-ADIDNSNode -Node foo
[+] ADIDNS node foo added

PS C:\Users\Administrator> Enable-ADIDNSNode -Node foo
[+] foo enabled

PS C:\Users\Administrator>  Set-ADIDNSNodeAttribute -Node foo -DNSRecord (New-DNSRecordArray -DNSData 1.2.3.4)
ScriptHalted
At C:\Users\Administrator\Documents\adidns.ps1:3132 char:9
+         throw
+         ~~~~~
    + CategoryInfo          : OperationStopped: (:) [], RuntimeException
    + FullyQualifiedErrorId : ScriptHalted

Looking at the documentation for New-DNSRecordArray, I see that the DNSData parameter is no longer used, yet is still being referenced in the console output. Legacy code, I guess? I suppose you're already aware of this and it's on the roadmap.

So I used the new parameters and tried again:

PS C:\Users\Administrator> Set-ADIDNSNodeAttribute -node foo -Attribute dnsRecord -value (New-DNSRecordArray -Type A -Data 1.2.3.4)
[-] Exception calling "InvokeSet" with "2" argument(s): "Number of parameters specified does not match the expected number."

I found out that this is because the returned value for New-DNSRecordArray is Object[] but it really needs to be Byte[]. I was able to change the record manually with this cheap hack:

PS C:\Users\Administrator> Set-ADIDNSNodeAttribute -node foo -Attribute dnsRecord -value ([Byte[]] (New-DNSRecordArray -Type A -Data 1.2.3.4))
[+] dnsRecord updated for foo

So basically, the return-type for New-DNSRecordArray probably needs to be Byte[] and the documentation for that function should be updated. I have zero PowerShell experience and don't feel confident enough to submit a pull request for this. I could try, however, if you don't have the time.
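Why the [Byte[]] cast in the post above works, shown as an added example that is not part of the issue or of Powermad's own code: PowerShell enumerates any array a function emits, so a Byte[] built inside a function reaches the caller as Object[]. DirectoryEntry.InvokeSet(string, params object[]) then binds that Object[] as its params array, and the property setter receives one argument per byte instead of a single byte array. The function below is a hypothetical stand-in for New-DNSRecordArray, and its byte values are a constructed sample, not a valid dnsRecord structure.

```powershell
function New-DemoRecordArray {
    # Hypothetical stand-in for New-DNSRecordArray (added example, not Powermad's code).
    # The bytes are a constructed sample, not a real dnsRecord blob.
    param([switch]$Unrolled)

    $bytes = [Byte[]](0x04, 0x00, 0x01, 0x00, 0x05, 0xF0, 0x00, 0x00)

    if ($Unrolled) {
        return $bytes       # the pipeline enumerates the array; the caller collects Object[]
    }
    return ,$bytes          # the unary comma wraps the array, so the Byte[] itself survives
}

$unrolled = New-DemoRecordArray -Unrolled   # $unrolled.GetType() is System.Object[]
$intact   = New-DemoRecordArray             # $intact.GetType()   is System.Byte[]

# InvokeSet('dnsRecord', <Object[]>) binds the Object[] as the params object[] array, so the
# setter sees eight arguments: that is the "Number of parameters specified does not match the
# expected number" failure. A Byte[] cannot be used as object[] (value-type arrays are not
# covariant), so it is passed as one argument, which is what the dnsRecord attribute expects.

# Fix at the call site (the "cheap hack" from the issue):
$fixedAtCallSite = [Byte[]]$unrolled

# Fix at the source (return ",$bytes" or Write-Output -NoEnumerate from the producer):
$fixedAtSource = $intact

# Both hand the directory the same bytes; only the .NET type seen by InvokeSet differs.
$sameBytes = ($fixedAtCallSite -join ',') -eq ($fixedAtSource -join ',')
$typesMatch = $fixedAtCallSite.GetType() -eq $fixedAtSource.GetType()
[pscustomobject]@{ SameBytes = $sameBytes; TypesMatch = $typesMatch }
```

If the producer is changed, apply the same treatment to every function in the chain that passes the array along (a wrapper that does `return $records` re-introduces the unrolling).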

From non-domain joined machine perspective

It is not possible to request the records from a non-domain-joined machine even though the -Domain, -Credential and -DomainController parameters are supplied. Please close if this is expected behaviour.

Get-ADIDNSNodeAttribute -Node * -Attribute DNSRecord -DomainController $Server -Domain $Domain -Credential $Creds -Verbose
[-] Exception calling "GetCurrentDomain" with "0" argument(s): "Current security context is not associated with an Active Directory domain or forest."
Exception calling "GetCurrentDomain" with "0" argument(s): "Current security context is not associated with an Active Directory domain or forest."
At C:\Tools\AD\Powermad\Powermad.ps1:1755 char:13
+             $current_domain = [System.DirectoryServices.ActiveDirecto ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ActiveDirectoryOperationException
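This report and the earlier "Remote Remove-Machine Exception bug" report share one root cause: the guard quoted there, if(!$DomainController -or !$Domain -or !$Zone), calls GetCurrentDomain() whenever -Zone is omitted, even when -Domain and -DomainController were both supplied, and on a host that is not domain-joined that call has no security context to read. The function below is a hypothetical replacement guard written as an added example; it is not Powermad's code. It assumes the zone defaults to the domain name, and it consults the local security context only for values the caller did not provide.

```powershell
function Resolve-ADTarget {
    # Hypothetical guard (added example, not Powermad's code).
    param(
        [string]$Domain,
        [string]$DomainController,
        [string]$Zone
    )

    # Ask the local security context only for values the caller did not supply.
    if (-not $Domain -or -not $DomainController) {
        try {
            $current = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        }
        catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException] {
            # Not domain-joined, or running as a local account: there is nothing to fall back on.
            throw "[-] $($_.Exception.Message) Supply -Domain and -DomainController explicitly."
        }
        if (-not $Domain)           { $Domain = $current.Name }
        if (-not $DomainController) { $DomainController = $current.PdcRoleOwner.Name }
    }

    # Assumption: the zone defaults to the domain name, so it never needs GetCurrentDomain().
    if (-not $Zone) { $Zone = $Domain }

    [pscustomobject]@{
        Domain           = $Domain
        DomainController = $DomainController
        Zone             = $Zone
    }
}

# From a non-domain-joined host this returns without ever reaching GetCurrentDomain()
# (domain and DC names below are placeholders, as in the issue):
Resolve-ADTarget -Domain remote.domain -DomainController dc.remote.domain

# Omitting both still works on a domain member and fails with a clear message elsewhere:
# Resolve-ADTarget
```

The remaining requirement for the non-domain-joined case is authentication: with no implicit Kerberos ticket for the target domain, -Credential has to be passed through to every LDAP bind, which the functions in the issue already accept.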

Exception Calling SendRequest

When using New-ADIDNSNode -Node * -Tombstone -Verbose, I receive the error message:

'Exception calling sendRequest with (1) arguments. The object does not exist'

This is from a domain-joined machine. Looking through the Powermad.ps1 file, this error message does not appear to be thrown directly from the script, but instead by the SendRequest method that is called.
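Both "The object does not exist" reports on this page (the "Distinguished Name not available" issue and this one) come back from the LDAP server as noSuchObject for the base DN Powermad searched, which means the container it guessed is not where the zone lives, rather than a permissions problem. An AD-integrated zone can be stored in the DomainDnsZones partition, the ForestDnsZones partition, or under CN=System in the domain naming context, and only the first is the default. The function below is an added example, not Powermad's code; it probes all three locations with the same System.DirectoryServices.Protocols API and, optionally, checks whether a given node already exists in the zone it finds. Host and domain names in the usage line are placeholders, and the forest root is assumed to equal -Domain unless -ForestRoot is given.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Find-ADIDNSContainer {
    # Added example, not Powermad's code: locate the partition that actually holds a zone.
    param(
        [Parameter(Mandatory)][string]$DomainController,   # placeholder, e.g. dc.corp.example.test
        [Parameter(Mandatory)][string]$Domain,             # placeholder, e.g. corp.example.test
        [Parameter(Mandatory)][string]$Zone,               # the zone the records should go in
        [string]$ForestRoot = $Domain,                     # assumption: forest root equals $Domain
        [string]$Node,                                     # optional node to check inside the zone
        [System.Management.Automation.PSCredential]$Credential
    )

    $domainDn = 'DC=' + ($Domain.Split('.') -join ',DC=')
    $forestDn = 'DC=' + ($ForestRoot.Split('.') -join ',DC=')

    # The three places an AD-integrated zone can be stored, keyed by the replication scope name.
    $candidates = [ordered]@{
        DomainDNSZones = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
        ForestDNSZones = "DC=$Zone,CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
        System         = "DC=$Zone,CN=MicrosoftDNS,CN=System,$domainDn"
    }

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($DomainController)
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }
    $conn.SessionOptions.Signing = $true    # sign and seal the session, as a domain member would
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()

    foreach ($partition in $candidates.Keys) {
        $zoneDn = $candidates[$partition]
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $zoneDn, '(objectClass=dnsZone)',
            [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]'distinguishedName')
        try {
            $resp = $conn.SendRequest($req)
        }
        catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
            # noSuchObject surfaces as "The object does not exist": this container is not it.
            continue
        }
        if ($resp.Entries.Count -eq 0) { continue }

        $result = [pscustomobject]@{ Partition = $partition; ZoneDN = $zoneDn; NodeExists = $null }
        if ($Node) {
            $nodeReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
                "DC=$Node,$zoneDn", '(objectClass=dnsNode)',
                [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]'distinguishedName')
            try {
                $result.NodeExists = $conn.SendRequest($nodeReq).Entries.Count -gt 0
            }
            catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
                $result.NodeExists = $false
            }
        }
        return $result
    }

    # Zone not found in any of the three containers: wrong -Zone, or no read access to it.
    return $null
}

# Usage (placeholder names): where does corp.example.test live, and is there already a "*" node?
# Find-ADIDNSContainer -DomainController dc.corp.example.test -Domain corp.example.test `
#     -Zone corp.example.test -Node '*' -Credential (Get-Credential)
```

The Partition value the function returns maps onto the partition names Powermad's ADIDNS functions accept (DomainDNSZones, ForestDNSZones, System), so once the zone is located the same operation can be retried against the right container; a node that already exists explains a second "object does not exist" style failure only if the caller is then targeting a child of it.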
