Security News > 2023 > December > Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets

A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers.

While the current report doesn't provide technical details or proof-of-concept exploits, Akamai has promised, in the near future, to publish code that implements these attacks called DDSpoof - short for DHCP DNS Spoof.

Organizations can create DNS record using a DHCP feature called DHCP DNS Dynamic Updates.

"Whenever a client is given an IP address by the DHCP server, the latter can contact the DNS server and update the client's DNS record," Akamai's Ori David explained.

DHCP DNS Dynamic Updates does not require any authentication by the DHCP client, and Microsoft DHCP servers enable DHCP DNS Dynamic Updates by default.

In addition to creating non-existent DNS records, unauthenticated attackers can also use the DHCP server to overwrite existing data, including DNS records inside the ADI zone in instances where the DHCP server is installed on a domain controller, which David says is the case in 57 percent of the networks Akamai monitors.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/07/attacks_abuse_microsoft_dhcp/