AD - Initial Attack Vectors
➡️ LLMNR (Link-Local Multicast Name Resolution) is the successor of NetBIOS Name Service (NBT-NS). It allows hosts to resolve names of other hosts on the same local network without requiring a DNS server.
When a host's DNS query fails -> the host broadcasts an LLMNR query across the local network
An attacker can listen for these queries and answer them with its own IP to redirect traffic, leading to relay attacks and credential theft (username & NTLMv2 hash)

Responder
➡️ Responder - LLMNR, NBT-NS and MDNS poisoner
HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server
Supports NTLMv1/NTLMv2/LMv2 with Extended Security NTLMSSP
Built-in HTTP and HTTPS auth servers
Built-in MSSQL auth server
... more ...
Log in to the THEPUNISHER VM with the fcastle user, open Windows Explorer and navigate to \\192.168.31.131 (Kali IP). An event occurs and triggers LLMNR
The victim's username and NTLMv2 password hash are received

NTLMv2 Crack
Save the hash into a hashes.txt file and try to crack it

➡️ SMB (Server Message Block) is a network file sharing protocol. Common in Windows, it allows shared access to files and printers. However, when unsecured and paired with NTLM authentication, it becomes a target for relay attacks.
Attackers intercept SMB authentication attempts and relay them to another server, impersonating the user; because SMB signing is missing, the relayed session is accepted and the attacker gains unauthorized access
Requirements:
SMB signing disabled or not enforced on the target
Relayed user must have local admin rights on the target
Credentials cannot be relayed back to the same machine they came from
Identify the hosts where SMB signing is not enforced (the default setting for Windows workstations)
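To identify which hosts would accept a relayed session, the relevant fact is the SecurityMode field of the SMB2 NEGOTIATE response: the SIGNING_REQUIRED bit (0x02) is what stops the relay, and workstations by default set only SIGNING_ENABLED (0x01). The following is an added example, not part of the original notes or of any tool they mention: a parser for that field, fed with constructed responses so it runs offline (host addresses and packets are made up).

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def parse_negotiate_response(msg: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (4-byte direct-TCP length prefix already
    stripped) and report the server's signing posture. Only the fields needed
    for that decision are decoded."""
    if len(msg) < 64 + 65 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    header_size = struct.unpack_from("<H", msg, 4)[0]   # always 64
    command = struct.unpack_from("<H", msg, 12)[0]
    flags = struct.unpack_from("<I", msg, 16)[0]        # bit 0 = server-to-client
    if header_size != 64 or command != SMB2_NEGOTIATE or not flags & 0x1:
        raise ValueError("not a NEGOTIATE response")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": f"0x{dialect:04x}",
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
        # Anything without SIGNING_REQUIRED accepts an unsigned (relayed) session.
        "relay_candidate": not security_mode & SIGNING_REQUIRED,
    }


def build_sample_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed SMB2 NEGOTIATE response for offline testing; not a real capture."""
    header = SMB2_MAGIC + struct.pack("<HHIHHI", 64, 0, 0, SMB2_NEGOTIATE, 1, 0x1)
    header += b"\x00" * (64 - len(header))              # remaining header fields zeroed
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 57
    return header + body


def hosts_not_enforcing_signing(responses: dict) -> list:
    """Given {host: negotiate_response_bytes}, list the hosts a defender must fix
    (these are exactly the hosts that would end up in an attacker's targets.txt)."""
    return [h for h, msg in responses.items() if parse_negotiate_response(msg)["relay_candidate"]]


# Constructed sample set: a DC-like host requiring signing and a default workstation.
CONSTRUCTED_RESPONSES = {
    "192.0.2.10": build_sample_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    "192.0.2.20": build_sample_response(SIGNING_ENABLED),
}

if __name__ == "__main__":
    print(hosts_not_enforcing_signing(CONSTRUCTED_RESPONSES))  # → ['192.0.2.20']
```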

Create a targets.txt file with the gathered targets
Set up the Responder configuration file

ntlmrelayx.py
➡️ ntlmrelayx.py - this module performs SMB relay attacks against many target protocols (SMB, MSSQL, LDAP, etc.)
Set up the NTLM relay
(the ntlmrelayx.py here is the older version installed via PimpMyKali)
Log in to the THEPUNISHER VM with the fcastle user, open Windows Explorer and navigate to \\192.168.31.131 (Kali IP). An event occurs and triggers LLMNR; the request is captured by Responder and passed to ntlmrelayx, which relays the credentials to the targets in our targets.txt file

The local SAM hashes are dumped from SPIDERMAN and automatically saved into the 192.168.31.92_samhashes.sam file
Try to start an interactive shell via ntlmrelayx.py


msfconsole - shell access


psexec.py - shell access
โก๏ธ psexec.py

IPv6 DNS Takeover
mitm6
➡️ mitm6 - exploits the default Windows configuration (IPv6 enabled and preferred, no IPv6 DHCP server present) to take over DNS by replying to DHCPv6 messages, providing the victim with a link-local IPv6 address and setting the attacker's host as the default DNS server
Setup the relay attack
Reboot the THEPUNISHER VM and check the ntlmrelayx.py output
Go to the ~/tcm/peh/ad-attacks/lootme directory; the files contain data about domain users, computers, groups, policies, etc.

Log in to THEPUNISHER using MARVEL\administrator and verify the attack succeeded: the user bkVKFfXduD has been created

Mitigation
Mitigate IPv6 poisoning:
Block DHCPv6 traffic and router advertisements in Windows Firewall using Group Policy
Use specific rules:
(Inbound) Core Networking - DHCPv6-In
(Inbound) Core Networking - ICMPv6-In
(Outbound) Core Networking - DHCPv6-Out
Disable WPAD if not in use:
Use Group Policy and disable the WinHttpAutoProxySvc service
Mitigate LDAP/LDAPS relaying:
Enable both LDAP signing and LDAP channel binding
Protect administrative accounts:
Consider marking accounts as sensitive or adding them to the Protected Users group to prevent delegation and impersonation
Pass-Back Attack
Check this article for more information about the attack - How to Hack Through a Pass-Back Attack: MFP Hacking Guide
MFPs (Multi-Function Peripherals - printers, copiers) are often overlooked, but they store and use domain credentials and can be exploited for serious security breaches
Pass-Back Attack - involves redirecting the MFP's LDAP authentication to a malicious server so that the credentials the MFP sends can be captured
Tools like PRET can be used to access MFP settings
High risk, low effort - exploiting MFPs can yield sensitive data with minimal effort
