Active Directory

PreviousWindows Privilege Escalation NextWhat is AD?

Last updated 4 years ago

Was this helpful?

Beginner

Netbios and LLMNR Name Poisoning

To assist you with cracking your intercepted hashes, there are now advanced frameworks to help with password brute forcing like .
great success using a common word-list that can be obtained for a nominal fee: " " and the out of box common hashcat ruleset "best64". But sometimes complex passwords are enforced, and you're left with no other option but to crack some hashes.
Responder, is arguably the go-to tool for all things related to mitm poisoning and spoofing
, is the native Windows .NET sibling of the Unix/Linux Python based Responder.
- Inveigh its core is a .NET packet sniffer that listens for and responds to LLMNR / mDNS / NBNS requests while also capturing incoming NTLMv1 / NTLMv2 authentication attempts over the Windows SMB service.

Relay attacks

MultiRelay tool
impacket tools
SMB Relaying
- It receives the list of targets and for every connection received it will choose the next target and try to relay the credentials. Also, if specified, it will first authenticate against the client connecting to us. It is implemented by invoking SMB and HTTP Server, hooking to a few functions and then using the smbclient portion. It is supposed to be working on any LM Compatibility level. The only way to stop this attack is to enforce the server SPN checks and or signing. If the authentication against the targets succeed, the client authentication success as well as a valid connection is set against the local smbserver. It's up to the user to set up the local smbserver functionality. One option is to set up shares with whatever files you want to the victim thinks it's connected to a valid SMB server. All that is done through the smb.conf file or programmatically.
NTLM Relaying
- :
  NTLM Authentication is a challenge-response based protocol. Challenge-response protocols use a commonly shared secret, in this case the user password, to authenticate the client. The server sends a challenge, and the client replies with the response on this challenge. If the challenge matches the one calculated by the server, the authentication is accepted. The NTLM Authentication is a complex protocol, and how it is explained here is the simplification. A very good and detailed description can be found at

(Eternal Blue)

ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that uses seven Equation Group vulnerabilities. Petya is a ransomware program that first uses CVE-2017-0199, the vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.

The Microsoft implementation of Kerberos can be a bit complicated, but the gist of the attack is that it takes advantage of legacy Active Directory support for older Windows clients and the type of encryption used and the key material used to encrypt and sign Kerberos tickets. Essentially, when a domain account is configured to run a service in the environment, such as MS SQL, the Service Principal Name (SPN) is used in the domain to associate the service with a login account. When a user wishes to use the specific resource they receive a Kerberos ticket signed with NTLM hash of the account that is running the service

mitm6

Mitm6 is an incredibly powerful tool for obtaining and escalating privileges on your typical Windows broadcast network. When other attacks above fail on their own; try chaining smbrelay + mitm6 or it's default counterpart ntlmreayx.

mitm6 is designed to be used with ntlmrelayx. You should run the tools next to each other, in this scenario it will spoof the DNS, causing victims to connect to ntlmrelayx for HTTP and SMB connections. For this you have to make sure to run ntlmrelayx with the -6option, which will make it listen on both IPv4 and IPv6. To obtain credentials for WPAD, specify the WPAD hostname to spoof with -wh HOSTNAME(any non-existing hostname in the local domain will work since the DNS server is mitm6). Optionally you can also use the -wa Nparameter with a number of attempts to prompt for authentication for the WPAD file itself in case you suspect victims do not have the MS16-077 patch applied.
mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attackers host as default DNS server. The DNS server, mitm6 will selectively reply to DNS queries of the attackers choosing and redirect the victims traffic to the attacker machine instead of the legitimate server. For a full explanation of the attack, see our . Mitm6 is designed to work together with for WPAD spoofing and credential relaying.

Beginner

Netbios and LLMNR Name Poisoning

To assist you with cracking your intercepted hashes, there are now advanced frameworks to help with password brute forcing like .
great success using a common word-list that can be obtained for a nominal fee: " " and the out of box common hashcat ruleset "best64". But sometimes complex passwords are enforced, and you're left with no other option but to crack some hashes.
Responder, is arguably the go-to tool for all things related to mitm poisoning and spoofing
, is the native Windows .NET sibling of the Unix/Linux Python based Responder.
- Inveigh its core is a .NET packet sniffer that listens for and responds to LLMNR / mDNS / NBNS requests while also capturing incoming NTLMv1 / NTLMv2 authentication attempts over the Windows SMB service.

Relay attacks

MultiRelay tool
impacket tools
SMB Relaying
- It receives the list of targets and for every connection received it will choose the next target and try to relay the credentials. Also, if specified, it will first authenticate against the client connecting to us. It is implemented by invoking SMB and HTTP Server, hooking to a few functions and then using the smbclient portion. It is supposed to be working on any LM Compatibility level. The only way to stop this attack is to enforce the server SPN checks and or signing. If the authentication against the targets succeed, the client authentication success as well as a valid connection is set against the local smbserver. It's up to the user to set up the local smbserver functionality. One option is to set up shares with whatever files you want to the victim thinks it's connected to a valid SMB server. All that is done through the smb.conf file or programmatically.
NTLM Relaying
- :
  NTLM Authentication is a challenge-response based protocol. Challenge-response protocols use a commonly shared secret, in this case the user password, to authenticate the client. The server sends a challenge, and the client replies with the response on this challenge. If the challenge matches the one calculated by the server, the authentication is accepted. The NTLM Authentication is a complex protocol, and how it is explained here is the simplification. A very good and detailed description can be found at

(Eternal Blue)

ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that uses seven Equation Group vulnerabilities. Petya is a ransomware program that first uses CVE-2017-0199, the vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.

The Microsoft implementation of Kerberos can be a bit complicated, but the gist of the attack is that it takes advantage of legacy Active Directory support for older Windows clients and the type of encryption used and the key material used to encrypt and sign Kerberos tickets. Essentially, when a domain account is configured to run a service in the environment, such as MS SQL, the Service Principal Name (SPN) is used in the domain to associate the service with a login account. When a user wishes to use the specific resource they receive a Kerberos ticket signed with NTLM hash of the account that is running the service

mitm6

Mitm6 is an incredibly powerful tool for obtaining and escalating privileges on your typical Windows broadcast network. When other attacks above fail on their own; try chaining smbrelay + mitm6 or it's default counterpart ntlmreayx.

mitm6 is designed to be used with ntlmrelayx. You should run the tools next to each other, in this scenario it will spoof the DNS, causing victims to connect to ntlmrelayx for HTTP and SMB connections. For this you have to make sure to run ntlmrelayx with the -6option, which will make it listen on both IPv4 and IPv6. To obtain credentials for WPAD, specify the WPAD hostname to spoof with -wh HOSTNAME(any non-existing hostname in the local domain will work since the DNS server is mitm6). Optionally you can also use the -wa Nparameter with a number of attempts to prompt for authentication for the WPAD file itself in case you suspect victims do not have the MS16-077 patch applied.
mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attackers host as default DNS server. The DNS server, mitm6 will selectively reply to DNS queries of the attackers choosing and redirect the victims traffic to the attacker machine instead of the legitimate server. For a full explanation of the attack, see our . Mitm6 is designed to work together with for WPAD spoofing and credential relaying.

Active Directory

Active Directory

Beginner

Advanced

Beginner

Advanced