Active Directory Attacks

David Oneill
8 min read · Feb 16, 2022

Companies utilize Active Directory (AD) to help manage, authorize and authenticate users in an internal network. Approximately 90% of the Global Fortune 1000 companies use AD in their companies. This means a whole lot of vulnerabilities are waiting to be exploited!

I will be covering different AD attacks in this article. I will be skipping over Anti-Virus (AV) evasion as it needs a separate piece.

I would like to give credit to TCM Security as they helped me in building my AD lab and understanding AD attacks!

Tools Used:

  • Impacket (techniques tested with Impacket version 0.9.19; newer versions might not work properly)
  • Requires Pimpmykali (option “!”) to install Impacket version 0.9.19
  • Mitm6
  • Responder
  • Crackmapexec
  • Firewall and Anti-Virus were left on in the Windows Virtual Machines (VMs)

LLMNR Poisoning

Link-Local Multicast Name Resolution (LLMNR) is a name resolution protocol that does not require a DNS server: when DNS cannot resolve a name, the Windows host multicasts an LLMNR query to the local link, and any host on that link may answer. LLMNR poisoning answers those queries and captures the victim's NTLMv2 challenge-response (commonly called the NTLMv2 hash), which can then be cracked offline with a tool like Hashcat or John the Ripper.

First, you want to make sure all services are turned on with Responder. So run the command:

$ gedit /etc/responder/Responder.conf

Now make sure the services are on and save the Responder.conf file:

According to lgandx, the creator of Responder: “Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.” Responder is therefore a very useful tool for AD attacks that take advantage of these default Windows name-resolution features.

Now, run Responder to capture the NTLMv2 hash of the end-user.

$ responder -I eth0 -dwv

Now go to the Windows 10 Virtual Machine (VM) and type a random (non-existent) share name into the File Explorer address bar, as seen below; Windows falls back to LLMNR for the lookup and Responder collects the user's NTLMv2 hash.

Now we can use Hashcat to crack the hash with “rockyou.txt”. First, copy the entire NTLMv2 hash line and paste it into a file in the same directory as rockyou.txt. Make sure there is no whitespace before or after the hash in that file, or the cracking will not work!

$ hashcat -m 5600 <ntlmv2 hash file> <password list>

-m 5600 selects Hashcat's NetNTLMv2 hash mode.
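From the defender's side, the poisoning above has a simple network signature: a legitimate host only answers LLMNR queries for its own name, while a poisoner answers every name it sees. The following Python is an added example (not from the original post); the response records are constructed, and a real deployment would feed them from a sensor or packet capture.

```python
from collections import defaultdict

# Constructed sample, not real capture data: LLMNR (UDP 5355) responses seen on
# the link, as a sensor or pcap parser might emit them: (source IP, name answered).
LLMNR_RESPONSES = [
    ("10.0.2.20", "FILESRV01"),   # a real host answering for its own name
    ("10.0.2.99", "fileshare"),   # one source answering for unrelated names ...
    ("10.0.2.99", "printsrv"),
    ("10.0.2.99", "wpad"),        # ... including WPAD, the classic poisoning target
    ("10.0.2.99", "typo-share"),
]

def find_llmnr_poisoners(responses, threshold=3):
    """Return {source_ip: [reasons]} for sources whose LLMNR answers look like
    poisoning. A legitimate host only answers for its own name(s); a poisoner
    such as Responder answers every query it sees, so one source answering for
    many distinct names (or for WPAD at all) is the signature to alert on."""
    names_by_src = defaultdict(set)
    for src, name in responses:
        names_by_src[src].add(name.lower())
    findings = {}
    for src, answered in names_by_src.items():
        reasons = []
        if len(answered) >= threshold:
            reasons.append(f"answered {len(answered)} distinct names")
        if "wpad" in answered:
            reasons.append("answered a WPAD lookup")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for src, reasons in find_llmnr_poisoners(LLMNR_RESPONSES).items():
        print(f"possible LLMNR poisoner {src}: {'; '.join(reasons)}")
```

The detection only applies where LLMNR traffic still exists; the primary fix is turning off LLMNR (and NBT-NS) through Group Policy, after which anything that still answers is worth an alert.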

SMB Relay Attack

Server Message Block (SMB) is a protocol used to share files and services on a network. SMB signing is an integrity mechanism in the SMB protocol: each message carries a signature (AES-based in SMB 3.1.1), so a message that a third party has relayed fails verification. Therefore, for an SMB Relay attack to work, SMB signing must not be required on the target, i.e. “Message signing enabled but not required”.

One form of the SMB Relay attack dumps the target's local SAM (NTLM) hashes, which can be cracked or used in a pass-the-hash attack with crackmapexec (a tool built on Impacket). Another form captures the NTLMv2 authentication and relays it to a target system to obtain an interactive shell (SMB Relay Attack: SMB Shell). In both cases SMB signing must be “enabled but not required” on the target Windows machines, as shown in the figure above.

NOTE: For SMB Relay attacks to work, the user whose authentication is being relayed must be an administrator on the target (for example a domain admin), and the target must have SMB signing not required.

Before starting the SMB Relay attack, SMB and HTTP authentication servers need to be turned off in the “Responder.conf” file.

$ gedit /etc/responder/Responder.conf

Change SMB and HTTP to “off” and save the file.

Now we can check the network to see which machines have SMB signing not required.

$ nmap --script=smb2-security-mode.nse -p445 10.0.2.0/24

The /24 suffix is a CIDR mask: it scans the whole subnet, which has up to 254 usable IP addresses.
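Read from the defender's side, the same scan is an audit of which machines still accept unsigned SMB sessions. The following Python is an added example (not from the original post) that parses nmap's normal output for that script and lists the hosts that need signing enforced; the scan output it parses is constructed.

```python
import re

# Constructed sample (not real scan data) shaped like nmap's normal output for
# `nmap --script=smb2-security-mode.nse -p445`, reduced to the lines the parser reads.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.2.15
445/tcp open  microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
Nmap scan report for dc01.lab.local (10.0.2.16)
445/tcp open  microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
Nmap scan report for 10.0.2.17
445/tcp closed microsoft-ds
"""

# Matches both "report for 10.0.2.15" and "report for host.name (10.0.2.16)".
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
SIGNING_RE = re.compile(r"Message signing (.+)$")

def parse_signing(nmap_output):
    """Map each scanned IP to 'required', 'not required', 'disabled', or None
    when the script produced no result (for example, port 445 closed)."""
    results, host = {}, None
    for line in nmap_output.splitlines():
        m = REPORT_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = None
            continue
        m = SIGNING_RE.search(line)
        if m and host:
            text = m.group(1).lower()  # order matters: "not required" contains "required"
            if "not required" in text:
                results[host] = "not required"
            elif "disabled" in text:
                results[host] = "disabled"
            elif "required" in text:
                results[host] = "required"
    return results

def relayable_hosts(nmap_output):
    """Hosts that would accept a relayed session (signing optional or off); these
    need 'Microsoft network server: Digitally sign communications (always)' enforced."""
    return sorted(h for h, mode in parse_signing(nmap_output).items()
                  if mode in ("not required", "disabled"))
```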

Put the IP addresses you want to relay the hash to into a text file (one per line) and save it.

$ leafpad <targets.txt> &

Run Responder again.

$ responder -I eth0 -dwv

Now run ntlmrelayx.py to relay the hash.

$ ntlmrelayx.py -tf <targets file> -smb2support

NOTE: Impacket 0.9.19 is the version that works great. No issues were encountered.

SMB Relay Attack: SMB Shell

Another SMB attack is gaining an SMB shell using Netcat. With the SMB shell, the user's password can be changed, files can be uploaded (including malicious ones) or downloaded, directories can be created and deleted, and more.

First, run responder as before.

$ responder -I eth0 -dwv

Now perform the SMB Relay attack as before, but add the -i flag, which starts an interactive SMB shell instead of dumping the SAM hashes:

$ ntlmrelayx.py -tf <targets file> -smb2support -i

As shown above, now we have an SMB client shell using TCP on 127.0.0.1 and port 11001.

We utilize Netcat to listen to the established SMB shell:

$ nc 127.0.0.1 11001

127.0.0.1 is the localhost (loopback) address of the attacking machine (Kali): ntlmrelayx.py listens there and Netcat connects to it locally, while ntlmrelayx.py itself holds the relayed session to the target. The port number is chosen by ntlmrelayx.py.

Pass the Hash Attack

Pass the hash is a great attack to perform after discovering the NTLM hashes from the first SMB Relay attack. The NTLM hashes can be passed to other machines on the network to see which of them accept the same credentials.

Crackmapexec can be run with a SAM account name and the domain using the command below.

$ crackmapexec smb <domain IPv4 address>/24 -u <SAM account name> -d <domain name>.local -H <NTLM hash>

To discover which computers accept the hash as a local account instead, use --local-auth:

$ crackmapexec smb <local IPv4 address>/24 -u <username> -H <NTLM hash> --local-auth

IPv6 Attack

IPv6 is rarely used deliberately in companies, but it is almost always present: it has been enabled by default in Windows since Windows Vista, including the server variants.

The IPv6 attack takes advantage of the default IPv6 configuration of Windows networks. mitm6 answers the hosts' DHCPv6 requests so that the attacker becomes their IPv6 DNS server, then spoofs DNS replies to redirect traffic to an attacker-specified endpoint (here a fake WPAD host). The second part of the attack relays the captured credentials and authenticates to various services within the network.

Run mitm6 first to spoof DNS.

NOTE: The mitm6 tool has been finicky in my use; it may need the Windows VMs restarted and possibly several attack attempts. The attack might take a few minutes to run.

$ mitm6 -d <domain name>.local

Now run ntlmrelayx.py to relay the credentials, dump domain information, and create a new domain user.

$ ntlmrelayx.py -6 -t ldaps://<domain controller IPv4 address> -wh fakewpad.<domain name>.local -l <name folder for domain information dumping>

ntlmrelayx.py dumps the domain information into the folder named with -l; I chose “lootme”.

This directory is created wherever ntlmrelayx.py was run. It contains a lot of useful information about the domain: domain users, admins, number of users, domain policy, and sometimes even passwords in the “description” field (placed there by the account creators).

The image above has the domain users as well as the new domain user created in the domain, thanks to mitm6!

Now we can use the new user to dump all the password hashes from the domain controller using secretsdump.py.

$ secretsdump.py <domain name>/<mitm6 added user>@<domain controller IPv4 address>

As you see above, the SAM hashes have been dumped. The dump contains NTLM hashes, which can be passed around in a pass-the-hash attack or cracked with Hashcat using a password list (like rockyou.txt).

