🖥️AD Attacks
Without Credentials
LLMNR / NetBIOS Poisoning
We can grab hashed credentials (NTLMv2 challenge-responses) if the LLMNR protocol is enabled on the network.
After some time we can collect all the hashes that pass through.
NTLM Relay (SMB signing disabled)
Sometimes some servers are misconfigured and have SMB signing disabled, so we can perform more attacks with Responder.
Configuration
/etc/proxychains4.conf
/usr/share/responder/Responder.conf
Perform the attack
We need to get a list of the servers with SMB signing disabled.
Execute the attack with Responder and Impacket.
We can list the current sessions with the next command.
When a session with administrative privileges is found we can use secretsdump or another tool through proxychains to use the captured session.
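Both techniques on this page depend on the same host settings: LLMNR and NetBIOS name resolution being enabled, and SMB signing not being required. The following PowerShell audit-and-hardening script is an added example, not part of the original page or the Responder/Impacket projects. It assumes an elevated session on a Windows host that ships the `SmbShare` module (Windows 8 / Server 2012 and later); the finding strings are constructed for this example.

```powershell
# Added example (not from the original page): audit the local Windows host for
# the three conditions that LLMNR/NetBIOS poisoning and NTLM relay rely on, and
# with -Remediate switch them off. Must run in an elevated PowerShell session.
param([switch]$Remediate)

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the setting was never configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. LLMNR: EnableMulticast = 0 under the DNSClient policy key disables it.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = Get-RegistryValue -Path $llmnrKey -Name 'EnableMulticast'
if ($llmnr -ne 0) {
    $findings += 'LLMNR is enabled (EnableMulticast is not 0)'
    if ($Remediate) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Type DWord -Value 0
    }
}

# 2. NetBIOS over TCP/IP: NetbiosOptions = 2 disables it per network interface.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $ifaceRoot) {
    $opt = Get-RegistryValue -Path $iface.PSPath -Name 'NetbiosOptions'
    if ($opt -ne 2) {
        $findings += "NetBIOS over TCP/IP is not disabled on $($iface.PSChildName)"
        if ($Remediate) {
            Set-ItemProperty -Path $iface.PSPath -Name 'NetbiosOptions' -Type DWord -Value 2
        }
    }
}

# 3. SMB signing: relay is only blocked when signing is *required*, on both the
#    server side (incoming connections) and the client side (outgoing ones).
$server = Get-SmbServerConfiguration
if (-not $server.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing'
    if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
$client = Get-SmbClientConfiguration
if (-not $client.RequireSecuritySignature) {
    $findings += 'SMB client does not require signing'
    if ($Remediate) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

if ($findings.Count -eq 0) {
    'No findings: LLMNR and NetBIOS disabled, SMB signing required.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it without arguments to audit, and with `-Remediate` to apply the changes on that single host. In a domain the same three settings are normally pushed by Group Policy ("Turn off multicast name resolution" and "Microsoft network server/client: Digitally sign communications (always)"), so the local check is mainly useful for confirming that the policy actually landed on a given server; note that requiring signing only on the server side still leaves the host's own outbound SMB sessions relayable.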