From 82fce5d7e066a2e4cab314864db840245782ae6b Mon Sep 17 00:00:00 2001 From: Hakan Yavuz Date: Fri, 27 Jun 2025 12:50:28 +0300 Subject: [PATCH 1/4] Update SUMMARY.md add DNS Module --- SUMMARY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SUMMARY.md b/SUMMARY.md index b776bff..ca36136 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -93,6 +93,7 @@ ## LDAP protocol * [Authentication](ldap-protocol/authentication.md) +* [🆕 DNS](ldap-protocol/dns.md) * [Enumerate Domain Users](ldap-protocol/enumerate-users.md) * [Enumerate Domain Groups](ldap-protocol/enumerate-group-members.md) * [🆕 Query LDAP](ldap-protocol/query-ldap.md) From 0cf862d36b352c4652518c0eb96204288675f19a Mon Sep 17 00:00:00 2001 From: Hakan Yavuz Date: Fri, 27 Jun 2025 13:00:00 +0300 Subject: [PATCH 2/4] Create dns.md Add DNS Module --- ldap-protocol/dns.md | 171 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 ldap-protocol/dns.md diff --git a/ldap-protocol/dns.md b/ldap-protocol/dns.md new file mode 100644 index 0000000..4d4f476 --- /dev/null +++ b/ldap-protocol/dns.md 
@@ -0,0 +1,171 @@ +--- +description: >- + dns module allows to manage DNS records in an Active-Directory integrated DNS over the LDAP protocol. +--- + +# dns + +The `dns` module allows for the management of DNS records in an Active Directory-integrated DNS environment directly over the LDAP protocol. + +## Module Options + +This is the help menu for the module, displayed with the `-o HELP` option. + +``` +Usage: -M dns -o + +ACTIONS (specify with -o ACTION= or A=): + + add: Adds a new A record. Requires RECORD and DATA. + Example: -M dns -o ACTION=add RECORD=new-pc.winterfell.local DATA=10.4.10.100 + modify: Modifies an existing A record. Requires RECORD and DATA. + Example: -M dns -o ACTION=modify RECORD=new-pc.winterfell.local DATA=10.4.10.101 + query: Queries an existing record. Requires RECORD. + Example: -M dns -o A=query R=new-pc.winterfell.local + remove: Removes a record by tombstoning it. Requires RECORD and optionally DATA. + Example: -M dns -o ACTION=remove RECORD=new-pc.winterfell.local DATA=10.4.10.101 + ldapdelete: Deletes a record object directly from LDAP. Requires RECORD. + Example: -M dns -o A=ldapdelete R=new-pc.winterfell.local + resurrect: Resurrects a tombstoned record object. Requires RECORD. + Example: -M dns -o ACTION=resurrect RECORD=tombstoned-pc.winterfell.local + list: Lists all DNS zones. (Default action if no options are given) + Example: -M dns + list-dn: Lists all DNS zones with their Distinguished Names. + Example: -M dns -o ACTION=list-dn + + +OTHER OPTIONS: + RECORD / R: The FQDN of the record to target (e.g., 'new-host.domain.com'). + DATA / D: The data for the record. For A records, this is the IP address. + OPTIONS / O: DNS partition to use ('forest' or 'legacy'). Default is DomainDnsZones. + ZONE / Z: Zone to search in, if different from the current domain. + ALLOWMULTIPLE / M: Allow multiple A records for the same name (e.g., 'true'). + HELP / H: Show this help message. 
+``` + +## Usage Examples + +{% tabs %} +{% tab title="list" %} +Lists the available DNS zones. This is the default action if no `ACTION` is specified. + +**Command:** +```bash +netexec ldap -u -p -M dns +``` + +**Output:** +``` +LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +DNS 192.168.1.10:389 DC01 Found 2 domain DNS zones: +DNS 192.168.1.10:389 DC01 _msdcs.winterfell.local +DNS 192.168.1.10:389 DC01 winterfell.local +``` +{% endtab %} + +{% tab title="add" %} +Adds a new `A` record. + +{% hint style="info" %} +* **`RECORD` (required):** FQDN of the computer to add. +* **`DATA` (required):** IP address of the computer to add. +{% endhint %} + +**Command:** +```bash +netexec ldap -u -p -M dns -o ACTION=add RECORD=new-pc.winterfell.local DATA=10.10.10.100 +``` + +**Output:** +``` +LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +DNS 192.168.1.10:389 DC01 Adding new record +DNS 192.168.1.10:389 DC01 LDAP operation completed successfully +``` +{% endtab %} + +{% tab title="query" %} +Queries an existing DNS record. + +{% hint style="info" %} +* **`RECORD` (required):** FQDN of the record to query. +{% endhint %} + +**Command:** +```bash +netexec ldap -u -p -M dns -o A=query R=new-pc.winterfell.local +``` + +**Output:** +``` +LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +DNS 192.168.1.10:389 DC01 Found record new-pc +DNS 192.168.1.10:389 DC01 DC=new-pc,DC=winterfell.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=winterfell,DC=local +DNS 192.168.1.10:389 DC01 Record entry: +DNS 192.168.1.10:389 DC01 - Type: 1 (A) (Serial: 1679412345) +DNS 192.168.1.10:389 DC01 - Address: 10.10.10.100 +``` +{% endtab %} + +{% tab title="modify" %} +Modifies the IP address of an existing `A` record. + +{% hint style="info" %} +* **`RECORD` (required):** FQDN of the record to modify. +* **`DATA` (required):** The new IP address. 
+{% endhint %} + +**Command:** +```bash +netexec ldap -u -p -M dns -o ACTION=modify RECORD=new-pc.winterfell.local DATA=10.10.10.101 +``` + +**Output:** +``` +LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +DNS 192.168.1.10:389 DC01 Modifying record +DNS 192.168.1.10:389 DC01 LDAP operation completed successfully +``` +{% endtab %} + +{% tab title="remove" %} +Temporarily removes a DNS record by "tombstoning" it. + +{% hint style="info" %} +* **`RECORD` (required):** FQDN of the record to remove. +* **`DATA` (optional):** Used to remove a specific record if multiple IPs exist for the same name. +{% endhint %} + +**Command:** +```bash +netexec ldap -u -p -M dns -o ACTION=remove RECORD=new-pc.winterfell.local +``` + +**Output:** +``` +LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +DNS 192.168.1.10:389 DC01 Target has only one record, tombstoning it +DNS 192.168.1.10:389 DC01 LDAP operation completed successfully +``` +{% endtab %} + +{% tab title="ldapdelete" %} +Permanently deletes a DNS record object directly from the LDAP database. + +{% hint style="info" %} +* **`RECORD` (required):** FQDN of the record to delete. +{% endhint %} + +**Command:** +```bash +netexec ldap -u -p -M dns -o A=ldapdelete R=new-pc.winterfell.local +``` + +**Output:** +``` +LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +DNS 192.168.1.10:389 DC01 Deleting record over LDAP +DNS 192.168.1.10:389 DC01 LDAP operation completed successfully +``` +{% endtab %} +{% endtabs %} From 8b18ad35be84640b4ca352be9c55c05efd774357 Mon Sep 17 00:00:00 2001 From: Hakan Yavuz Date: Fri, 27 Jun 2025 13:04:52 +0300 Subject: [PATCH 3/4] Update dns.md Add legacy option --- ldap-protocol/dns.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/ldap-protocol/dns.md b/ldap-protocol/dns.md index 4d4f476..0c445dc 100644 --- a/ldap-protocol/dns.md +++ b/ldap-protocol/dns.md 
@@ -1,11 +1,15 @@ --- description: >- - dns module allows to manage DNS records in an Active-Directory integrated DNS over the LDAP protocol. + DNS module allows to manage DNS records in an Active-Directory integrated DNS over the LDAP protocol. --- -# dns +# DNS -The `dns` module allows for the management of DNS records in an Active Directory-integrated DNS environment directly over the LDAP protocol. +The `dns` module allows for the management of DNS records in an Active Directory-integrated DNS environment directly over the LDAP protocol. It can perform actions like adding, modifying, querying, and deleting DNS records by manipulating their corresponding objects in Active Directory. + +{% hint style="warning" %} +By default, the module operates on the `DomainDnsZones` partition. However, it also supports targeting older DNS partitions via the `OPTIONS=legacy` parameter. This is useful for environments with legacy DNS configurations, typically from pre-Windows 2000 systems, where DNS data was stored in the `CN=MicrosoftDNS,CN=System` container within the domain partition. + {% endhint %} ## Module Options From f2c8f8a23bf7b1f36d3c2ff48912d2e338196c9a Mon Sep 17 00:00:00 2001 From: Hakan Yavuz Date: Fri, 27 Jun 2025 13:23:36 +0300 Subject: [PATCH 4/4] Update dns.md Update records --- ldap-protocol/dns.md | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/ldap-protocol/dns.md b/ldap-protocol/dns.md index 0c445dc..2da10d7 100644 --- a/ldap-protocol/dns.md +++ b/ldap-protocol/dns.md 
@@ -21,17 +21,17 @@ Usage: -M dns -o ACTIONS (specify with -o ACTION= or A=): add: Adds a new A record. Requires RECORD and DATA. - Example: -M dns -o ACTION=add RECORD=new-pc.winterfell.local DATA=10.4.10.100 + Example: -M dns -o ACTION=add RECORD=new-pc DATA=10.4.20.05 modify: Modifies an existing A record. Requires RECORD and DATA. - Example: -M dns -o ACTION=modify RECORD=new-pc.winterfell.local DATA=10.4.10.101 + Example: -M dns -o ACTION=modify RECORD=new-pc DATA=10.4.20.05 query: Queries an existing record. Requires RECORD. - Example: -M dns -o A=query R=new-pc.winterfell.local + Example: -M dns -o A=query R=new-pc remove: Removes a record by tombstoning it. Requires RECORD and optionally DATA. - Example: -M dns -o ACTION=remove RECORD=new-pc.winterfell.local DATA=10.4.10.101 + Example: -M dns -o ACTION=remove RECORD=new-pc DATA=10.4.10.101 ldapdelete: Deletes a record object directly from LDAP. Requires RECORD. - Example: -M dns -o A=ldapdelete R=new-pc.winterfell.local + Example: -M dns -o A=ldapdelete R=new-pc resurrect: Resurrects a tombstoned record object. Requires RECORD. - Example: -M dns -o ACTION=resurrect RECORD=tombstoned-pc.winterfell.local + Example: -M dns -o ACTION=resurrect RECORD=tombstoned-pc list: Lists all DNS zones. (Default action if no options are given) Example: -M dns list-dn: Lists all DNS zones with their Distinguished Names. @@ -60,10 +60,10 @@ netexec ldap -u -p -M dns **Output:** ``` -LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +LDAP 192.168.1.10:389 DC01 [+] lodosdomain.local\Lodos:2005 DNS 192.168.1.10:389 DC01 Found 2 domain DNS zones: -DNS 192.168.1.10:389 DC01 _msdcs.winterfell.local -DNS 192.168.1.10:389 DC01 winterfell.local +DNS 192.168.1.10:389 DC01 _msdcs.lodosdomain.local +DNS 192.168.1.10:389 DC01 lodosdomain.local ``` {% endtab %} 
@@ -77,12 +77,12 @@ Adds a new `A` record. **Command:** ```bash -netexec ldap -u -p -M dns -o ACTION=add RECORD=new-pc.winterfell.local DATA=10.10.10.100 +netexec ldap -u -p -M dns -o ACTION=add RECORD=new-pc DATA=10.10.10.100 ``` **Output:** ``` -LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +LDAP 192.168.1.10:389 DC01 [+] lodosdomain.local\Lodos:2005 DNS 192.168.1.10:389 DC01 Adding new record DNS 192.168.1.10:389 DC01 LDAP operation completed successfully ``` @@ -97,14 +97,14 @@ Queries an existing DNS record. **Command:** ```bash -netexec ldap -u -p -M dns -o A=query R=new-pc.winterfell.local +netexec ldap -u -p -M dns -o A=query R=new-pc ``` **Output:** ``` -LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +LDAP 192.168.1.10:389 DC01 [+] lodosdomain.local\Lodos:2005 DNS 192.168.1.10:389 DC01 Found record new-pc -DNS 192.168.1.10:389 DC01 DC=new-pc,DC=winterfell.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=winterfell,DC=local +DNS 192.168.1.10:389 DC01 DC=new-pc,DC=lodosdomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=winterfell,DC=local DNS 192.168.1.10:389 DC01 Record entry: DNS 192.168.1.10:389 DC01 - Type: 1 (A) (Serial: 1679412345) DNS 192.168.1.10:389 DC01 - Address: 10.10.10.100 @@ -121,12 +121,12 @@ Modifies the IP address of an existing `A` record. **Command:** ```bash -netexec ldap -u -p -M dns -o ACTION=modify RECORD=new-pc.winterfell.local DATA=10.10.10.101 +netexec ldap -u -p -M dns -o ACTION=modify RECORD=new-pc DATA=10.10.10.101 ``` **Output:** ``` -LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +LDAP 192.168.1.10:389 DC01 [+] lodosdomain.local\Lodos:2005 DNS 192.168.1.10:389 DC01 Modifying record DNS 192.168.1.10:389 DC01 LDAP operation completed successfully ``` 
@@ -142,12 +142,12 @@ Temporarily removes a DNS record by "tombstoning" it. **Command:** ```bash -netexec ldap -u -p -M dns -o ACTION=remove RECORD=new-pc.winterfell.local +netexec ldap -u -p -M dns -o ACTION=remove RECORD=new-pc ``` **Output:** ``` -LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +LDAP 192.168.1.10:389 DC01 [+] lodosdomain.local\Lodos:2005 DNS 192.168.1.10:389 DC01 Target has only one record, tombstoning it DNS 192.168.1.10:389 DC01 LDAP operation completed successfully ``` @@ -162,12 +162,12 @@ Permanently deletes a DNS record object directly from the LDAP database. **Command:** ```bash -netexec ldap -u -p -M dns -o A=ldapdelete R=new-pc.winterfell.local +netexec ldap -u -p -M dns -o A=ldapdelete R=new-pc ``` **Output:** ``` -LDAP 192.168.1.10:389 DC01 [+] winterfell.local\User:Password123! +LDAP 192.168.1.10:389 DC01 [+] lodosdomain.local\Lodos:2005 DNS 192.168.1.10:389 DC01 Deleting record over LDAP DNS 192.168.1.10:389 DC01 LDAP operation completed successfully ```
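Review bot: In PATCH 2/4 (new `ldap-protocol/dns.md`), the Usage Examples tabs stop at `ldapdelete`, so the `resurrect` and `list-dn` actions from the help menu have no tab, and `OPTIONS`, `ZONE` and `ALLOWMULTIPLE` never appear in a command. Add tabs for the two missing actions and at least one example that uses `ZONE` or `OPTIONS`. Every command also reads `netexec ldap -u -p -M dns` with no target and no values after `-u` and `-p`, and the usage line is `Usage: -M dns -o` with nothing after `-o`; if angle-bracket placeholders were intended, escape them so they survive rendering.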
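Review bot: In PATCH 3/4, the new warning hint dates the `CN=MicrosoftDNS,CN=System` container to "pre-Windows 2000 systems", which cannot be right because Active Directory-integrated DNS first shipped with Windows 2000; "Windows 2000-era domains" is the accurate wording. The hint names only `OPTIONS=legacy` while the help menu lists 'forest' as well, so mention both values. The added ` {% endhint %}` line carries a leading space that the other hint blocks do not have, and the description line still reads "allows to manage", which could become "allows managing" while it is being touched.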
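Review bot: In PATCH 4/4, the help-menu hunk (`@@ -21,17 +21,17 @@`) gives `add` and `modify` the same value, `DATA=10.4.20.05`, so the modify example no longer shows an address change, and the `05` octet has a leading zero that some IPv4 parsers reject or read as octal. Use two distinct, canonically written addresses, and align the `remove` example in the same hunk, which still says `DATA=10.4.10.101`. The examples now pass a short name (`RECORD=new-pc`) while the unchanged help text and the hint blocks still describe `RECORD` as an FQDN; update one or the other so the reader knows which form the module expects.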
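Review bot: In PATCH 4/4, the query output hunk (`@@ -97,14 +97,14 @@`) renames only half of the distinguished name: the new line reads `DC=new-pc,DC=lodosdomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=winterfell,DC=local`, so the zone is lodosdomain.local but the domain components are still winterfell. Change the tail to `DC=lodosdomain,DC=local` so the sample matches the `lodosdomain.local\Lodos:2005` login line in the same output block.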