Use DNSChef to solve BloodHound connectivity issues with LDAP timeouts

Lacroix Raphaël (Chepycou)
I’m Raphaël LACROIX, a French computer scientist developing various applications in my free time ranging from definitely useless to somewhat useful. I also do quite a lot of Capture the Flag and cybersecurity challenges.

What is this blog post about?

No need to introduce Bloodhound and its ingestor bloodhound.py.

But in the past few months I have had several issues with it, either over proxies (such as Ligolo) or with odd errors in routing/DNS resolution. These arise when no IP address for the LDAP server is returned to our tool, or when the returned address is not the one we want (we need an address we can actually hit, rather than a private one).

One way of solving it, which I just saw Ippsec do, is to hard-code the IP in the BloodHound source code.

Another, slightly less dirty, way is to use DNSChef, and that is what I will show in this post.

What’s DNSChef?

DNSChef is a highly configurable DNS proxy (aka “Fake DNS”) for penetration testers and malware analysts. It lets us fake DNS responses in a configured way. It was originally designed as a malware research tool, but we can use it for our purpose.

Say, for instance, we want every A query to be answered with <IP1>; we can run:

dnschef.py --fakeip <IP1>

and point our /etc/resolv.conf at DNSChef (127.0.0.1).

How can I use it to stop LDAP timeouts?

The tool is very customizable, so we can look at which queries fail in our BloodHound run (using verbose mode and/or running Wireshark on the side) and craft answers for them in our DNSChef config file, whose syntax is detailed in the README.

There is by default a dnschef.ini file that we can start from to create our config. Here is a real-world example with the domains pwnme.local and pwnmemore.local, whose DCs have the IP addresses 10.10.1.42 and 10.10.2.42 respectively.

We run DNSChef with our config file as follows:

python dnschef.py --file dnschef.ini

Here is the interesting part of the config file:

[A]     # Queries for IPv4 address records
dc01.pwnme.local=10.10.1.42
dc02.pwnmemore.local=10.10.2.42

[SRV]
; FORMAT: priority weight port target
*.*.*.*.pwnme.local=0 5 5060 dc01.pwnme.local
*.*.*.*.pwnmemore.local=0 5 5060 dc02.pwnmemore.local

And now, in another terminal, we can run BloodHound:

bloodhound-python --zip -c All -d pwnmemore.local -u 'mary_littlelamb' -p 'YouLostTheGame' -dc dc02.pwnmemore.local -ns 127.0.0.1
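To see why the four-wildcard SRV lines above cover the DC-locator names an AD client asks for, here is an added example (not code from the post or from DNSChef) that builds the same [A]/[SRV] entries for the two domains and walks the SRV-then-A chain for the standard `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.dc._msdcs.<domain>` records. The matcher is my approximation of DNSChef's wildcard handling (assumption: labels compared right-to-left, `*` matching one label); check it against the dnschef version you run.

```python
from typing import Dict, Optional, Tuple

# Constructed input mirroring the post: domain -> (DC hostname, DC IP)
DCS: Dict[str, Tuple[str, str]] = {
    "pwnme.local": ("dc01.pwnme.local", "10.10.1.42"),
    "pwnmemore.local": ("dc02.pwnmemore.local", "10.10.2.42"),
}

def build_records(dcs: Dict[str, Tuple[str, str]], srv_port: int = 5060):
    """Build the [A] and [SRV] entries used in the post, as two dicts."""
    a = {host: ip for host, ip in dcs.values()}
    srv = {f"*.*.*.*.{dom}": f"0 5 {srv_port} {host}" for dom, (host, _) in dcs.items()}
    return a, srv

def render_ini(a: Dict[str, str], srv: Dict[str, str]) -> str:
    """Render both sections in dnschef.ini syntax."""
    out = ["[A]"] + [f"{k}={v}" for k, v in a.items()]
    out += ["", "[SRV]", "; FORMAT: priority weight port target"]
    out += [f"{k}={v}" for k, v in srv.items()]
    return "\n".join(out) + "\n"

def find_name_to_dns(qname: str, table: Dict[str, str]) -> Optional[str]:
    """Match a query name against config entries. Assumption about DNSChef:
    labels are compared right-to-left, '*' stands for exactly one label, and
    labels beyond the shorter of the two names are not compared, so the
    pattern is fairly permissive. First matching entry wins."""
    qlabels = qname.lower().rstrip(".").split(".")[::-1]
    for pattern, value in table.items():
        plabels = pattern.lower().split(".")[::-1]
        if all(p == "*" or p == q for q, p in zip(qlabels, plabels)):
            return value
    return None

def resolve_dc_lookups(domain: str, a: Dict[str, str], srv: Dict[str, str]) -> Dict[str, Optional[str]]:
    """For the standard DC-locator SRV names (constructed list), follow the
    SRV answer's target through the [A] table and return the IP reached."""
    results: Dict[str, Optional[str]] = {}
    for prefix in ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs"):
        q = f"{prefix}.{domain}"
        answer = find_name_to_dns(q, srv)
        target = answer.split()[-1] if answer else None  # last field is the SRV target
        results[q] = find_name_to_dns(target, a) if target else None
    return results

if __name__ == "__main__":
    a_recs, srv_recs = build_records(DCS)
    print(render_ini(a_recs, srv_recs))
    for dom in DCS:
        print(resolve_dc_lookups(dom, a_recs, srv_recs))
```

A query for a domain not in the config (for example a third forest) yields None at the SRV step, which is exactly the case where BloodHound would fall back to your real resolver and hang.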

More resources: