Reviewing the Practical Network Penetration Tester (PNPT) Courses Pt. 6

Let’s dive into the Practical Ethical Hacking — The Complete Course: Attacking Active Directory — Initial Attack Vectors, and Attacking Active Directory — Post Compromise Enumeration

The Initial Attack Vectors section starts off with Heath’s overview of what LLMNR (formerly NetBIOS Name Service) is, how it’s used to identify hosts when DNS resolution fails, and its major flaw: when a poisoned response is issued, the victim hands over its username and NTLMv2 hash.

LLMNR Poisoning Overview from the Practical Ethical Hacker course material.

During the poisoning, the attacker sits on the network, waits for the victim to attempt a connection to a server, observes the request for name resolution, responds to that request, and is able to obtain the victim’s username and NTLM hash. A great tool for LLMNR Poisoning is Responder, a part of the Impacket toolkit, which listens in the background and automatically responds to received requests.

According to Heath:

“I’m running this first thing… I will start this up before starting any Nmap scans, Nessus scans, anything at all. This is one of the first things that goes up.”

Use of Responder typically occurs in 4 stages:

  1. Setup Responder
  2. An Event Occurs
  3. Get The Hashes
  4. Crack The Hashes

Heath then proceeds to demonstrate how NTLMv2 hashes are captured while using Responder, and how to crack them with Hashcat. Now that we know how LLMNR poisoning occurs, and have seen a practical demonstration of how to exploit it, it’s important to know what can be done to defend against these attacks. Two options are recommended by Heath: disable LLMNR and NBT-NS, or require network access controls with a strong user password. As many companies may require the use of LLMNR, network access controls and a strong password will make it more difficult for an attacker to crack a captured hash.

From this the course material moves on to SMB Relay Attacks. Where Responder is utilized to crack an NTLM hash, in a relay attack the hashes are relayed to specific machines with the hope of gaining access. For this to be successful, SMB signing must be disabled on the target and the relayed credentials must belong to an admin user on that machine.

Use of Responder for SMB Relay typically occurs in the following stages:

  1. Setup Responder (configure SMB and HTTP to listen but not respond)
  2. Run Responder
  3. Set Up the Relay
  4. An Event Occurs
  5. Gain Access!

To know which targets are vulnerable to SMB Relay Attacks, we must first identify which machines have SMB signing disabled. To do this, we can use the Nmap script smb2-security-mode.nse and scan the network.

The command looks like the following:

nmap --script=smb2-security-mode.nse -p 445 xxx.xxx.xxx.0/24

Once scanning is finished, we can start to identify vulnerable hosts within the output. A vulnerable host will appear in the results with “Message signing enabled but not required”, whereas a non-vulnerable host will show “Message signing enabled and required”. With this information we can compile a target list and start relaying credentials through Responder. After walking through a demonstration of how an SMB Relay attack looks from both the attacker’s and the victim’s point of view, Heath walks through the use of an interactive shell and the functions that can be run, before moving on to mitigation strategies. Heath’s strategies include: enabling SMB signing across all devices, disabling NTLM authentication on the network, tiering accounts so that domain admins are limited to specific tasks, and restricting local admins to prevent lateral movement within the network.
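As an added example (not part of the course or this post), a small Python helper that triages the output of the nmap command above into hosts where signing is required and hosts where it is not, so the latter can be fixed rather than counted as safe. The scan output embedded below is constructed, and the addresses are fictional.

```python
import re

# Constructed sample of nmap normal output for the smb2-security-mode scan (fictional RFC 1918 addresses).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.56.10
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.56.21
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.56.22
Host is up (0.0031s latency).
PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_RE = re.compile(r"Message signing (enabled|disabled) (and|but) (not )?required")

def parse_smb_signing(nmap_output):
    """Map each scanned host to its SMB signing status: 'required', 'not required' or 'unknown'."""
    status = {}
    host = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            status[host] = "unknown"  # no script output yet (e.g. port 445 closed)
            continue
        m = SIGNING_RE.search(line)
        if m and host:
            status[host] = "not required" if m.group(3) else "required"
    return status

def relay_exposed_hosts(nmap_output):
    """Hosts that accept unsigned SMB: enforce signing on these instead of treating them as safe."""
    return sorted(h for h, s in parse_smb_signing(nmap_output).items() if s == "not required")
```

Feed it a file saved with nmap’s -oN option to get the same classification for a real scan.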

From SMB Relays we move on to IPv6 attacks and their use in DNS takeovers, described by Heath as his “go-to attack” and something that is “much more reliable” than LLMNR Poisoning and SMB Relay attacks. To pull off IPv6 man-in-the-middle (MITM) attacks, we utilize the mitm6 tool. When a machine joins the network, the tool answers its IPv6 request with a reply identifying the DNS server; when authentication occurs, the credentials are relayed and enumerated, and the tool starts to see what privileges they have. From there, the domain information is stored in a loot folder to be viewed later. Heath then links a great post from Dirk-jan Mollema that shows the many uses IPv6 attacks have.

Like the other attack methods highlighted in these sections, Heath also provides mitigation guidance to help defend against these attacks: if IPv6 isn’t used, then blocking DHCPv6 traffic and incoming router advertisements in the Windows Firewall may prevent the attacks from working, but could have unwanted side effects. Additionally, disabling WPAD, enabling LDAP and LDAPS channel binding, and marking administrative accounts as “sensitive and cannot be delegated” can prevent the impersonation of those users via delegation.

Finally, the Initial Attack Vectors module closes with an introduction to Passback attacks and other vector strategies. While passback attacks typically affect devices such as printers, the underlying LDAP vulnerability is an old issue that still pops up today. By modifying a device’s LDAP server address, we can set up a listener to capture credentials sent in cleartext.

Now that we’ve covered some cool tools and techniques to gain access to hosts on the network and compromise a user, we can move on to post-compromise enumeration and leveraging what was covered in the previous section, using tools like PowerView and BloodHound to visualize and enumerate the network with the compromises we’ve found. These tools allow us to enumerate the network, the domain controller, policies and user groups, and help us find the shortest path to gaining domain admin.

Now that we’ve learned how to compromise an account through various attack methods, and have identified tools that will help us gain administrative access, we can move on to post-compromise attacks such as token impersonation and pass the hash, which will be covered in the next modules.
