Off The Record - Weaponizing DHCP DNS Dynamic Updates

...As every sysadmin knows - DNS is hard. It is a complex ecosystem with many moving pieces. One such “piece“ is a seemingly harmless feature in the DHCP protocol called “DHCP DNS Dynamic Update“, which allows a DHCP server to register DNS records on behalf of its clients. This feature is also present and enabled by default in the Microsoft DHCP server, one of the most common DHCP servers in the market. In this session, we will explore this feature and show the attack surface it exposes in Microsoft environments - we will detail a novel attack tactic that could allow unauthenticated attackers to spoof arbitrary DNS records in Active Directory DNS zones, and show how this could be abused to intercept authentication and achieve remote code execution. We will examine the different security settings that should prevent these attacks, and show how they fail to do so in some cases.... By: Ori David Full Abstract and Presentation Materials: #off-the-record---weaponizing-dhcp-dns-dynamic-updates-35439