AD_Initial_Attack_Vectors

• There are a lot of posts compromise attack which require some sort of credential or lateral movement occurring.

• in initial attack vector , we first have to find a way into the network ( and you are in as pentester ) but you are given no credentials and nothing so you are going to go through how we can abuse feature of Windows and utilize this to get user accounts credentials and get access to the machine as well.

LLMNR Poisoning

• LLMNR : is link local multicast and name resolution ( It ‘s used to identify hosts when DNS failed to do that) and this previously known as NetBios . Key flaw here is that when we respond to this service it actually responds back to us with username and password hash (NTLMv2) and it’s really bad.

• LLMNR Poisoning : User type something wrong and this cause issue with DNS and DNS can’t resolve so decided to send a broad cast message to anybody know who it this and we set in middle and saying we know what you ‘re looking for and send me your hash and I will get you connected.

  

  164.jpg
• Using Responder tool to make LLMNR Poisoning (Responds to these request - You need a lot of traffic with this tool - Listening and not generating much traffic as Nmap so it’s the first step) - Event happens (Failing DNS in any way ) then Get Hash and username of what we captured - Crack the hash (hashcat -m 5600 hashes.txt rockyou.txt) :

  

  164.jpg
• Responder in the wild - This tool using for different poisoners :

  • rwd : this saying these are different types of what we ‘re gonna be listening on.

    

    170.jpg
  • Hash of machine we are attacking :

    

    171.jpg
  • hashcat -m 5600(cracking type) (folder name) (wordlist) - -force.

• Defenses : LLMNR fails goes to DNS and the opposite is right.

  

  172.jpg

SMB Relay Attacks

( SMB ‘s off this is the best choice - One local admin to machines “Exploit the design” )

• SMB Relay : SMB signing is a packet level protocol and if SMB signing is enables when we try to relay credentials and it’s going to say hey you’re not really that person ( As packets not sign by you ) and When SMB disables , it never checks for that - The user being relayed has to have admin credentials on that machine - Should happen on 2 different(separate) machines not on the same machine - Take captured hash relay it over to another machine where is also an admin and do malicious things to that machine - Listening but not responding to SMB and HTTP server.

  

  173.jpg
• ntmrelayx tool : There Responder capture( we didn’t use it here as it requires SMB to be open and this can’t happen) but not responding so we another tool use ntlmrelayx - This tool takes the relay and passes it to a target file that you specify.

• Our responder listening - Our Relay ready to go - Wait for an event to happen - Event happens ( DNS fail using wrong network drive ) - We are going to dumb SAM files (Shadow of the windows world) (These are all of our usernames and hashes for the local users on this computer).

• Discovering Hosts with SMB Signing Disabled : Check SMB signing enable or disables for entire network - Return if port is open and if SMB signing enables or disabled - We can do relay attack if no requirement or disabled SMB.

  nmap --script=smb2-security-mode.nse -p445 (whole network)

• Edit Responder.conf for do Relay attack (Turn off HTTP , SMB).

• Using ntlmrelayx.py to do relay attack and set target :

  

  175.jpg
• Received connection from machine and connect to another machine :

  

  176.jpg
• Remember fcastle here is an administrator of 2 machines - Now we have dumped SAM Hashes which like shadow file on Linux - With these hashes like gaining shells and getting access - This attack is by design ( many Local admins on different machines) :

  

  178.jpg
• Getting interactive shell (SMB shell) using SMB Relay attack :

  

  179.jpg

  

  180.jpg
• We have many options like -c to execute specific command on the machine :

  

  181.jpg
• Remember we must trigger this event.

• Defense :

  

  182.jpg
• Gaining Shell Access : All we have is credential - If we have SMB open and we have a username and password , we can use this user especially that user has a machine and their local administrator to get a shell using psexec.

  • Using psexec with metasploit - Set subdomain & smbpass :

    

    183.jpg
  • Get a shell using psexec.py and more different options to get shell:

    

    184.jpg
  • If you can , they are only like half shells (not fully interactive) but good enough to navigate around C:drive and navigate around to know what ‘s antivirus is running , you will try to disable it and can run thing more robust like windows meterprter ( to get full shell) [Re use metasploit or any payload that ‘s not working after knowing about antivirus and disabling it]

IPv6 Attacks (DNS takeover attacks using IP6)

• Another form of relaying but it’s so much reliable because it utilized IPv6.

• On windows machines IPv6 is turned on but you utilize IPv4 (Who does DNS for version 6 and the answer is no one) - An attacker listen for all these the six messages that come through and say hey I ‘m your DNS and spoof DNS server and send all IPv6 to the attacker - When this happens we can get authentication to the Domain Controller via LDAP or SMB - Reboot a machine is just an event comes to us and uses this machine to log into domain controller and it doesn’t have to be admin or anything and we can get information or we can potentially use that machine to create another machine - waiting for someone to log into network or use credentials then comes to use in from of NTLM like responder or SMB relay and do what is called LDAP relaying (We LDAP relay over to the Domain controller and use it for creating accounts) .

• Running the Attack using mitm6 :

  

  185.jpg
• Set a loot to be able to dump some information , -wh fakewpad.marvel.local - Shutting computer down and restart it make ipv6 asks who gets my DNS instead of asking every 30 min.:

  

  189.jpg

  

  186.jpg

  

  187.jpg
• This domain user by group .html gives me some information that be seen as it is invisible ( Succeed with a computer (Windows 10 machine) capable of accessing this domain controller via LDAPS logging into it and dumping out any useful information) :

  

  188.jpg
• When an admin try to log in the computer and attacking target LDAP and then it comes through and it tries to make a new user for us . First , it setup access control for us and then tries to create new user saying there is username and password and now we are on domain :

  

  190.jpg

  

  191.jpg

  

  192.jpg

  • New user in the domain and we have policy to have exclusive privileges with that access control :

    

    194.jpg
  • To restore the old policy we have a file with older ACL ( After attack we create new ACL) :

    

    195.jpg
  • For more : https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/

• Defense :

  • Useful Resource for LDAP and mitigation :

  

  196jpg.jpg

  • LDAP signing and channel binding add a digital signature to the connection. It ensures the authenticity and integrity of the transmitted data. This means that the recipient can verify the sender and determine whether the data has been manipulated along the way.

Passback Attacks

• Useful Resource :

  How to Hack Through a Pass-Back Attack: MFP Hacking Guide

• This attack goes with printers and IOT devices .

• We are looking for access to something that connects to LDAP or that does like an SMB connection ,etc :

  • With LDAP , if you change this from the domain controller ( or where LDAP server point to ) and change it to attacker’s machine as listener (Responder or netact) we see a pssword in clear text ( All what reach you in plain text) .

Other Attack Vectors and Strategies

• Combining Attacks against AD :

  

  197.jpg
• Notes :

  • If I found LLMNAR ‘s disables this makes my mission more complex as I can’t het the hash and work with and this means that this company has pentest before.

  • After mitm6 or Responder , you are going to run scan using Nessus or Nmap and this is very loud . If scans are taking too long and if you have a big network , here just look for websites that are in the scope and this something that can be done to be quiet (Scanning entire network for website).

  • Think about features like printer - it has scan feature - and this scan is a scan to computer feature (A lot of times , a dmin makes that user that has to be able to scan from the printer to computer via SMB a domain admin and here we can go in and dump those credential into clear text).

  • When we ‘re looking for initial attack vector : we ‘re looking for hashes with responder - Get loot back from MITM6 or get an account created on the domain controller.

  • Much information , Much Enumeration is better.