rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
Active Directory Enum
- External recon-: Gathering data on your target
- ASN/IP registrars: iana,arin for Americas,ripe for Europe and BGP toolkit
- Domain Registrars-: Domain tools,PTR Archive and ICANN
- Social Media-: Linkedin, Facebook, Twitter and News Article
- Cloud and Dev storage places-: Github dorks, Grayhatwarfare and Google dorks
- Breach Data Sources-: HaveIbeenPwned for breaches and Dehashed for corporate mails and passwords.
Initial Enumeration
- Gathering hosts
- Wireshark can be used to gather hosts with the syntax below-:
sudo wireshark -E enss224 -A
- Tcpdump-:
sudo tcpdump -i ens224 - Gather host with
fping,Fping provides us with a similar capability as the standard ping application in that it utilizes ICMP requests and replies to reach out and interact with a host.
fping -asgq 172.16.5.0/23
- Nmap-:
sudo nmap -A -iL hosts.txt -oN result2
Username Enumeration[Internal AD Username enum with Kerbrute]
- Wordlist Use
jsmith.txtandjsmith2.txtto brute force it - Installing
kerbruteprecompiled releases
- Syntax-:
kerbrute userenum -d <DOMAIN> --dc 172.16.5.5 jsmith.txt -o valid_ad_users
LLMNR/NBT-NS Poisoning
- After internal enumeration of the hosts and services, In this phase, we will work through two different techniques side-by-side: network poisoning and password spraying. We will perform these actions with the goal of acquiring valid cleartext credentials for a domain user account, thereby granting us a foothold in the domain to begin the next phase of enumeration from a credentialed standpoint.
- LLMNR-: port 5355
- NBT-NS: 137
- A Man-in-the-Middle attack on Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) broadcasts. Depending on the network, this attack may provide low-privileged or administrative level password hashes that can be cracked offline or even cleartext credentials. Though not covered in this module, these hashes can also sometimes be used to perform an SMB Relay attack to authenticate to a host or multiple hosts in the domain with administrative privileges without having to crack the password hash offline. Let’s dive in!Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails
- LLMNR/NBT-NS can be used for name resolution and this is where responder comes in.We can spoof an authoritative name resolution source ( in this case, a host that’s supposed to belong in the network segment ) in the broadcast domain by responding to LLMNR and NBT-NS traffic as if they have an answer for the requesting host.his poisoning effort is done to get the victims to communicate with our system by pretending that our rogue system knows the location of the requested host. If the requested host requires name resolution or authentication actions, we can capture the NetNTLM hash and subject it to an offline brute force attack in an attempt to retrieve the cleartext password. The captured authentication request can also be relayed to access another host or used against a different protocol (such as LDAP) on the same host.
- Quick Explanation-:
- A host attempts to connect to the print server at \print01.inlanefreight.local, but accidentally types in \printer01.inlanefreight.local.
- The DNS server responds, stating that this host is unknown.
- The host then broadcasts out to the entire local network asking if anyone knows the location of \printer01.inlanefreight.local.
- The attacker (us with Responder running) responds to the host stating that it is the \printer01.inlanefreight.local that the host is looking for.
- The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash.
- Responder-:
sudo responder -I ens224 - Cracking NTLMv2 hash with hashcat-:
hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt
- Use John the Ripper-:
john --wordlist=[] hash.txt
- Responder logs are stored in
/usr/share/responder/logs-:
Exploitng LLMNR/NBT-NS attacks with Inveigh.exe on windows
- Inveigh-: If we end up with a Windows host as our attack box, our client provides us with a Windows box to test from, or we land on a Windows host as a local admin via another attack method and would like to look to further our access, the tool Inveigh works similar to Responder, but is written in PowerShell and C#. Inveigh can listen to IPv4 and IPv6 and several other protocols, including LLMNR, DNS, mDNS, NBNS, DHCPv6, ICMPv6, HTTP, HTTPS, SMB, LDAP, WebDAV, and Proxy Auth.
- Let’s start Inveigh with LLMNR and NBNS spoofing, and output to the console and write to a file.Don’t forget to run as adminstrator
powershell start powershell -v runAs.Using Inveigh-:
Invoke-Module .\Inveigh.ps1
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
- Captured Hashes-:
- C# Inveigh Zero-:
- Usage-:
.\Inveigh.exe - We can hit the esc key to enter the console while Inveigh is running.
- Hit “help” for several options-:
- We can quickly view unique captured hashes by typing
GET NTLMV2UNIQUE.
- We can type in
GET NTLMV2USERNAMESand see which usernames we have collected.
Using ldap-search
- To filter objects, use -W “objectClass=”
ldapsearch -x -H ldap://[ip] -b 'dc=support,dc=htb' -D "support\ldap" -W 'objectClass=user'
- All objects, use -W “objectClass=*”
- Users in the directory -:
objectClass=user
ldapsearch -x -H ldap://[ip] -b 'dc=support,dc=htb' -D "support\ldap" -W 'objectClass=user'
- Using ldapsearch with password stored in a file.I used
-nto prevent newline in text file.Use-yto specify passwd file.
ldapsearch -x -H ldap://support.htb -b 'dc=support,dc=htb' -D "support\ldap" -W 'objectClass=user' -y passwd
echo -n "password" > passwd
chmod 600 passwd
- Finding the user without -W “filter” -:
ldapsearch -x -H ldap://support.htb -b 'cn=support,cn=users,dc=support,dc=htb' -D "support\ldap" '(objectClass=user)' -y passwd
- Groups-:
ldapsearch -x -H ldap://support.htb -b 'dc=support,dc=htb' -D "support\ldap" '(objectClass=group)'
- Computer Accounts-:
ldapsearch -x -H ldap://support.htb -b 'dc=support,dc=htb' -D "support\ldap" '(objectClass=computer)' -y passwd
- Users of a group-:
ldapsearch -x -H ldap://support.htb -b 'dc=support,dc=htb' -D "support\ldap" '(sAMAccountName=*)' -y passwd
Using Bloodhound-ce
pip install bloodhound-ce #community edition
pip install bloodhound #legaacy version
#same syntax tho
- Usage
[-c -> 'all']-:
bloodhound-ce-python -u [user@domain] -p '[password]' -ns [nameserver / IP] -d [domain] -c [collection method]
- Collector for Bloodhound 4.3.1