![the dns server is waiting for active directory domain services the dns server is waiting for active directory domain services](https://docs.oracle.com/cd/E29542_01/doc.1111/e29751/img/ad_026.png)
In addition to translating names to IP addresses, DNS serves other purposes as well. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. “ Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP, and together the DNS Client and DNS Server provide computer name-to-IP address mapping name resolution services to computers and users.” – Microsoft.ĭNS primarily uses the User Datagram Protocol (UDP) on port 53 to serve requests.
#THE DNS SERVER IS WAITING FOR ACTIVE DIRECTORY DOMAIN SERVICES WINDOWS#
Therefore, we decided to focus our research on a less publicly explored attack surface that exists primarily on Windows Server and Domain Controllers. To obtain Domain Admin privileges, a straightforward approach is to directly exploit the Domain Controller. Most of the published and publicly available materials and exploits focus on Microsoft’s implementation of SMB ( EternalBlue) and RDP ( BlueKeep) protocols, as these targets affect both servers and endpoints.
![the dns server is waiting for active directory domain services the dns server is waiting for active directory domain services](https://www.vkernel.ro/blog/wp-content/uploads/2012/02/Creating.Additional.DC_.in_.Existing.Domain-15.gif)
There is a lot of related research by various independent security researchers as well as those sponsored by nation-states.
![the dns server is waiting for active directory domain services the dns server is waiting for active directory domain services](https://www.interfacett.com/wp-content/uploads/2012/07/019-dns-structure-active-Directory-child-domain-ad-ds-windows-server.png)
Our main goal was to find a vulnerability that would let an attacker compromise a Windows Domain environment, preferably unauthenticated. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.
![the dns server is waiting for active directory domain services the dns server is waiting for active directory domain services](https://www.cloudflare.com/img/learning/ddos/glossary/domain-name-system-dns/ddos-dns-request.png)
SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. “Windows DNS Server” is the Microsoft implementation and is an essential part of and a requirement for a Windows Domain environment. Because it is such a core component of the internet, there are many solutions and implementations of DNS servers out there, but only a few are extensively used. TcoreRUH.SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS ServersĭNS, which is often described as the “phonebook of the internet”, is a network protocol for translating human-friendly computer hostnames into IP addresses. Running enterprise tests on : TcoreRUH.local Configuration passed test CrossRefValidation Running partition tests on : Configuration Running partition tests on : DomainDnsZones Running partition tests on : ForestDnsZones Testing server: Default-First-Site-Name\PLUTO Text C:\Users\Administrator.TCORERUH>dcdiag This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. When i do nslookup i get response that the server is unknownĪlso i have this error on PLuto DNS 4013: I had a server called saturn (192.168.3.20), that have active directory and dns, i changed the domain controller to another server called pluto (192.168.3.31)