2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 05/31 Report--
The editor shares how ADIDNS can be used to bypass GQBL restrictions and resolve the WPAD name. I hope you get something out of this article; let's discuss it together.
What is WPAD?
Web Proxy Auto-Discovery (WPAD) is a common target of LLMNR and NBNS spoofing. At first glance, WPAD is no different from any other record in ADIDNS: if the record does not exist by default, any authenticated user can add it directly.
If you add a WPAD record, however, you will find that it has no effect. This is due to the Global Query Block List (GQBL), which contains wpad and isatap by default.
Modern Windows DNS servers usually do not answer queries for names on the GQBL. Why "usually"? Because the GQBL is not always effective.
Bypass GQBL
When I experimented with wildcard records, I found that the Windows DNS server ignored the GQBL and answered queries for wpad from a wildcard. At that point I had not yet started using LDAP and could only add records through dynamic updates. Since the '*' character cannot be used in dynamic updates, I set out to find a GQBL bypass that works with dynamic updates.
The first method I found was a DNAME record. If a DNAME record named "wpad" exists in the DNS zone, the Windows DNS server will resolve wpad.
Normally, a DNAME record does not answer queries for the name of the record itself; the DNS server only answers queries for names under the mapped subtree, such as "host.wpad.inveigh.net". Here, the root record "wpad.inveigh.net" resolved normally.
Strangely, I found that the Windows DNS server does answer queries for the DNAME record's own name when certain conditions are met: the record name must match an entry in the GQBL, and the GQBL must be enabled. So for WPAD, having the GQBL enabled by default may actually be more dangerous. However, DNAME records cannot be created through dynamic updates, so I had to look for another way, and found that NS records can be added for a wpad subdomain.
This approach is more involved because the NS record must point to a DNS server you control. However, DNSChef, which ships with Kali, makes it easy to stand up a DNS server that answers whatever requests it receives.
At that point I still could not complete the bypass through dynamic updates, but once I switched to LDAP, everything fell into place.
CVE-2018-8320
As soon as I discovered this issue I reported it to Microsoft, which assigned CVE-2018-8320 and released a fix. Below are the results of my tests on a patched system.
A wildcard record no longer answers queries for names on the GQBL:
A DNAME record no longer answers queries for names on the GQBL:
But as you can see, NS records can still bypass the GQBL.
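The following script is an added example and is not from the original post or its author's tooling. It audits a Windows DNS server from the defender's side for the two things this section describes: whether the GQBL is enabled and still holds its default entries, and whether the zone contains a wildcard record or any record (A, NS, DNAME or otherwise) whose owner name is on the block list. The DNS server name and zone name are assumed lab values; the DnsServer RSAT module is assumed to be installed.

```powershell
# Added example, not part of the original post: audit a Windows DNS server for the
# GQBL state and for zone records that can shadow GQBL names (wpad, isatap).
# Assumes the DnsServer RSAT module is installed; $DnsServer and $ZoneName are
# assumed values for the lab domain and must be adjusted for your environment.
param(
    [string]$DnsServer = 'dc01.inveigh.net',   # assumed DNS server / DC name
    [string]$ZoneName  = 'inveigh.net'         # assumed AD-integrated zone
)

Import-Module DnsServer

# 1. Confirm the block list is enabled and still contains the default entries.
$gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
if (-not $gqbl.Enable) {
    Write-Warning "GQBL is disabled on $DnsServer"
}
$blocked = @($gqbl.List | ForEach-Object { $_.ToLowerInvariant() })
foreach ($default in 'wpad', 'isatap') {
    if ($blocked -notcontains $default) {
        Write-Warning "GQBL on $DnsServer does not contain '$default'"
    }
}

# 2. Flag records that interact with the block list: any record whose owner name is
#    on the GQBL (an unprivileged user has no reason to create one) and any wildcard.
#    NS and DNAME are called out separately because the post shows they make the
#    blocked name resolve even with GQBL enabled (NS still does after the
#    CVE-2018-8320 fix).
$dataProps = 'IPv4Address', 'IPv6Address', 'NameServer', 'HostNameAlias', 'DomainNameAlias', 'DescriptiveText'
$records   = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName
$findings  = foreach ($r in $records) {
    $owner        = $r.HostName.ToLowerInvariant()
    $isBlocked    = $blocked -contains $owner
    $isWildcard   = $owner -eq '*'
    $isDelegation = $r.RecordType -in @('NS', 'DNAME')
    if (-not ($isBlocked -or $isWildcard)) { continue }

    [pscustomobject]@{
        Zone      = $ZoneName
        Name      = $r.HostName
        Type      = $r.RecordType
        Data      = ($dataProps | ForEach-Object { $r.RecordData.$_ } | Where-Object { $_ }) -join ' '
        Timestamp = $r.Timestamp          # empty for static (non-aging) records
        Reason    = if ($isWildcard)       { 'wildcard record' }
                    elseif ($isDelegation) { "$($r.RecordType) record for a GQBL name" }
                    else                   { 'record for a GQBL name' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { Write-Host "No wildcard or GQBL-named records found in $ZoneName on $DnsServer" }
```

Run it against each AD-integrated zone; an NS or DNAME record named wpad or isatap, or a wildcard nobody on the DNS team created, is the finding that matters, since the GQBL alone does not stop those from resolving.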
DNS suffix search order
I previously recommended using an administrator-controlled wildcard record to prevent ADIDNS wildcard attacks and LLMNR/NBNS spoofing. However, some researchers pointed out that wildcard records can be problematic when multiple DNS suffixes are assigned to the search list through Group Policy.
My testing confirmed this. When I placed a wildcard in the DNS zone of a higher-priority suffix, it matched as a valid record and stopped requests from falling through to any lower-priority suffix.
This behaviour gives rise to a new attack variant: instead of targeting names that do not exist in the zone, it targets requests for existing records. If a record can be added to the zone of a higher-priority suffix, a valid host in any lower-priority suffix can be targeted, and every not-fully-qualified request for that host will be answered by the added record.
Keep DNS suffixes in mind when assessing wildcard attacks: if you find a search list with multiple DNS suffixes, a wildcard injected into any zone other than the last one in the list is likely to cause disruption.
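To see the suffix-ordering effect described above on a client, here is an added example (not code from the original post). It walks the client's configured DNS suffix search list in order for one short host name, records which suffix answers first, and probes each zone with a random label that cannot exist; a zone that answers the random probe has a wildcard at that level, and if that is also the zone answering the real short name with the same address, real hosts under later suffixes are being shadowed. The host name is an assumed value.

```powershell
# Added example, not part of the original post: for one short host name, walk this
# client's DNS suffix search list in order and show which suffix answers first and
# whether that zone also answers a name that cannot exist (a wildcard indicator).
# $ShortName is an assumed value; run it on a domain-joined client.
param(
    [string]$ShortName = 'fileserver01'   # assumed unqualified host name
)

$suffixes = @((Get-DnsClientGlobalSetting).SuffixSearchList)
if (-not $suffixes) {
    Write-Warning 'No DNS suffix search list is configured on this client; nothing to walk.'
    return
}

$results = foreach ($suffix in $suffixes) {
    $fqdn = "$ShortName.$suffix"
    # Real lookup of the name the resolver would try at this position in the list.
    $answer = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object QueryType -eq 'A'
    # Probe: a random label that should not exist. If it resolves, this zone has a
    # wildcard (or something behaving like one) at this level.
    $probeName = "wildcard-probe-$(Get-Random -Maximum 999999).$suffix"
    $probe = Resolve-DnsName -Name $probeName -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object QueryType -eq 'A'

    [pscustomobject]@{
        Suffix         = $suffix
        Fqdn           = $fqdn
        Answer         = (@($answer.IPAddress) -join ',')
        WildcardAnswer = (@($probe.IPAddress) -join ',')
    }
}

$results | Format-Table -AutoSize

# The resolver stops at the first suffix that answers. If that suffix also answers the
# random probe with the same address, the short name is most likely being satisfied
# by a wildcard rather than a real record, and hosts under later suffixes are shadowed.
$first = $results | Where-Object { $_.Answer } | Select-Object -First 1
if ($first -and $first.WildcardAnswer -and ($first.Answer -eq $first.WildcardAnswer)) {
    $idx   = [array]::IndexOf($suffixes, $first.Suffix)
    $later = @($suffixes | Select-Object -Skip ($idx + 1))
    if ($later) {
        Write-Warning ("'{0}' is answered by a wildcard in '{1}'; hosts named '{0}' under {2} are unreachable by short name." -f
            $ShortName, $first.Suffix, ($later -join ', '))
    }
}
```

This is the check to run before deploying an administrator-controlled wildcard: if the zone you intend to put it in is not the last suffix in the search list, the table will show exactly which short names stop reaching their real zones.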
ADIDNS attacks through phishing
LLMNR/NBNS spoofing tools must run continuously, whereas an ADIDNS attack requires only a few initial operations. For this reason I think ADIDNS attacks are easier to deliver through phishing: all that is needed is a domain-joined host on which the phishing target executes a payload that adds records directing traffic to systems under the attacker's control, which can then serve as a C2 server or support further phishing.
The image above shows a PowerShell tool I developed. Here I added a record pointing to a public IP; in a real scenario more payloads could be used.
Here is another example using an NS record. Once an NS record is in place, additional records can be added to the controlled subdomain through your own DNS server.
ADIDNS defense
As noted above, administrator-controlled wildcard A records can cause problems when the search list contains multiple DNS suffixes. Alternatively, the wildcard can be created with a record type that does not resolve name queries, such as TXT.
Because all record types live in the dnsNode object, adding a wildcard record of any type prevents unprivileged users from adding their own dnsNode named "*". Unfortunately, a non-resolving wildcard does not protect against LLMNR and NBNS spoofing.
Locking down the permissions on the DNS zone is the most thorough way to mitigate ADIDNS attacks by authenticated users. Depending on the setup, you may be able to delegate dynamic updates to DHCP using a dedicated DNS update account. However, this may require removing the "Create all child objects" permission from "Authenticated Users" entirely.
Many name-resolution attacks rely on requests that are not fully qualified, and such user-generated requests are hard to eliminate.
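The defensive steps in this section can be checked and applied from one script. The following is an added example, not code from the original post: it reads the zone container's ACL to show who holds CreateChild ("Create all child objects"), lists every dnsNode object with its owner so that records created by ordinary user accounts stand out, and, only when asked, adds the non-resolving wildcard TXT record described above. The zone name, server name and the assumption that the zone lives in the DomainDnsZones partition are lab values to adjust; the ActiveDirectory and DnsServer RSAT modules are assumed.

```powershell
# Added example, not part of the original post: audit who can create dnsNode objects
# in an AD-integrated zone, list the owners of existing dnsNode objects, and
# optionally add the non-resolving wildcard TXT record the post proposes.
# Assumes the ActiveDirectory and DnsServer RSAT modules; zone and server names are
# assumed values for the lab domain. The zone is assumed to be stored in the
# DomainDnsZones partition (the default for "all DNS servers in this domain").
param(
    [string]$ZoneName  = 'inveigh.net',        # assumed zone
    [string]$DnsServer = 'dc01.inveigh.net',   # assumed DNS server / DC
    [switch]$AddWildcardTxt                    # change nothing unless asked to
)

Import-Module ActiveDirectory
Import-Module DnsServer

$domainDN = (Get-ADDomain).DistinguishedName
$zoneDN   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"

# 1. Who holds CreateChild ("Create all child objects") on the zone container?
#    This is the permission that lets any authenticated user add an arbitrary record.
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$acl = Get-Acl -Path "AD:\$zoneDN"
$creators = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $createChild) } |
    Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } }, ActiveDirectoryRights, IsInherited
$creators | Format-Table -AutoSize

if ($creators | Where-Object { $_.Identity -eq 'NT AUTHORITY\Authenticated Users' }) {
    Write-Warning "Authenticated Users can create dnsNode objects in $ZoneName"
}

# 2. List dnsNode objects with their owners. Records registered by hosts are owned by
#    the host's computer account (name ends in '$'); a node owned by an ordinary user
#    account was most likely created by hand and deserves a closer look.
$nodes = Get-ADObject -SearchBase $zoneDN -LDAPFilter '(objectClass=dnsNode)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            Name  = $_.Name
            Owner = $_.nTSecurityDescriptor.Owner
        }
    }
$nodes | Sort-Object Owner, Name | Format-Table -AutoSize
$nodes | Where-Object { $_.Owner -and $_.Owner -notmatch '\$$' -and $_.Owner -notmatch 'Admins$|SYSTEM$' } |
    ForEach-Object { Write-Warning "dnsNode '$($_.Name)' is owned by user account $($_.Owner)" }

# 3. Optional mitigation from the post: a wildcard record of a type that does not
#    answer name queries still occupies the "*" dnsNode, so unprivileged users cannot
#    create their own. Skipped if a "*" node already exists.
if ($AddWildcardTxt) {
    $existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -Name '*' -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "A '*' record already exists in $ZoneName (type $(@($existing.RecordType) -join ',')); nothing added."
    } else {
        Add-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -Name '*' -Txt -DescriptiveText 'reserved by DNS administrators'
        Write-Host "Added wildcard TXT record to $ZoneName on $DnsServer"
    }
}
```

The owner listing is the quickest way to spot the dnsNode objects this post is about: an entry for wpad, "*", or an NS delegation owned by a plain user account rather than a computer account or an admin group. The TXT wildcard only blocks creation of the "*" node; as the text says, it does nothing against LLMNR/NBNS spoofing, which still needs the usual client-side mitigations.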