2. Create and configure the new DNS name that is likely to be exploited for spoofing, pointing it at the attacker's IP, and enable it. I chose pc01, which was found in the DNS cache:
3. Check the newly created DNS object and try to resolve it. AD will need some time (~180 seconds) to sync the LDAP changes via its DNS dynamic update protocol:
$ ldapsearch -H ldap://10.10.13.37:389 -x -D 'CN=snovvcrash,CN=Users,DC=megacorp,DC=local' -w 'Passw0rd!' -s sub -b 'DC=megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=megacorp,DC=local' '(objectClass=*)' dnsRecord dNSTombstoned name
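To verify what a record returned by the ldapsearch query above actually points at, the following decoder for the binary dnsRecord attribute is added here (it is not part of the original notes or of adidnsdump). It follows the MS-DNSP DNS_RPC_RECORD layout; the sample blobs, serial numbers and the 203.0.113.5 address are constructed for illustration.

```python
#!/usr/bin/env python3
"""Decode raw dnsRecord values as returned by the ldapsearch query above.
Layout follows the MS-DNSP DNS_RPC_RECORD structure (24-byte header, then
type-specific data). All sample blobs here are constructed for illustration."""
import struct
from ipaddress import IPv4Address, ip_network

DNS_TYPE_ZERO = 0  # a tombstoned record is rewritten to type 0
DNS_TYPE_A = 1

def parse_dns_record(blob: bytes) -> dict:
    """Return header fields and, for A records, the IPv4 address."""
    if len(blob) < 24:
        raise ValueError('dnsRecord shorter than the 24-byte header')
    data_len, rtype, version, rank, flags, serial = struct.unpack('<HHBBHI', blob[:12])
    ttl = struct.unpack('>I', blob[12:16])[0]        # TTL is stored big-endian
    timestamp = struct.unpack('<I', blob[20:24])[0]  # hours since 1601-01-01, 0 = static
    data = blob[24:24 + data_len]
    rec = {'type': rtype, 'rank': rank, 'serial': serial, 'ttl': ttl,
           'timestamp': timestamp, 'tombstoned': rtype == DNS_TYPE_ZERO}
    if rtype == DNS_TYPE_A and data_len == 4:
        rec['address'] = str(IPv4Address(data))
    return rec

def build_a_record(ip: str, serial: int, ttl: int = 180) -> bytes:
    """Encode an A record the way the DC stores it (used only to build sample input)."""
    header = struct.pack('<HHBBHI', 4, DNS_TYPE_A, 5, 0xF0, 0, serial)
    header += struct.pack('>I', ttl) + struct.pack('<II', 0, 0)  # reserved, timestamp
    return header + IPv4Address(ip).packed

def unexpected_records(entries, allowed_nets):
    """Flag A records whose address lies outside the expected internal ranges."""
    nets = [ip_network(n) for n in allowed_nets]
    hits = []
    for name, blob in entries:
        rec = parse_dns_record(blob)
        addr = rec.get('address')
        if addr and not any(IPv4Address(addr) in n for n in nets):
            hits.append((name, addr, rec['serial']))
    return hits

# Constructed sample: one ordinary host and one record pointing outside the intranet.
SAMPLE_ENTRIES = [
    ('dc01', build_a_record('10.10.13.37', 1)),
    ('pc01', build_a_record('203.0.113.5', 42)),  # TEST-NET-3 address, constructed
]

if __name__ == '__main__':
    for name, addr, serial in unexpected_records(SAMPLE_ENTRIES, ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']):
        print(f'{name} -> {addr} (serial {serial})')
```

Feed it the base64-decoded dnsRecord values from the ldapsearch output (or a periodic LDAP snapshot) to spot records that changed or point somewhere they should not.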
If you need to dump the ADIDNS of a child domain (say, child.megacorp.local), you may want to use the --zone and --forest options:
# Will dump records from DC=megacorp.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=megacorp,DC=local
$ adidnsdump -u 'child.megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.child.megacorp.local --zone megacorp.local --forest -r
# Will attempt to dump records from DC=child.megacorp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=child,DC=megacorp,DC=local (and may fail)
$ adidnsdump -u 'child.megacorp.local\snovvcrash' -p 'Passw0rd!' DC01.child.megacorp.local -r
Merge all the IPs into /24 CIDRs with a Python script:
cidr_merge.py
```python
#!/usr/bin/env python3
"""Merge standalone IPs into CIDRs.

Example:
  $ cat ~/ws/enum/adidns.csv | awk -F, '{print $3}' > ip.lst
  $ cidr_merge.py | sort -u -t'.' -k1,1n -k2,2n -k3,3n -k4,4n | grep -e '^192' -e '^172' -e '^10'
"""
import netaddr

iplst = []
with open('ip.lst', 'r') as fd:
    for line in fd:
        ip = line.rstrip('\n')
        try:
            # Treat each host as a member of its /24 so neighbouring addresses collapse together
            iplst.append(netaddr.IPNetwork(f'{ip}/24'))
        except netaddr.core.AddrFormatError:
            # Skip blank lines and non-IP values (e.g. the CSV header or hostnames)
            pass

# cidr_merge() collapses overlapping and adjacent networks into the smallest set of CIDRs
for net in netaddr.cidr_merge(iplst):
    print(str(net))
```