Attacking Active Directory: Initial Attack Vectors Flashcards

1
Q

In the context of Active Directory

What is LLMNR?

A

Link-Local Multicast Name Resolution is a name service used by Windows for resolving hostnames to IP addresses when a DNS request fails in a network.

2
Q

How does LLMNR work? What is the key flaw that can be abused to obtain password hashes?

A

When a DNS request fails, a broadcast is sent to check if any other machine knows the searched hostname’s IP address. The key flaw is that when a machine responds positively to this broadcast, the machine that sent the broadcast can be tricked into sending a username and password hash.

3
Q

What is LLMNR Poisoning?

A

It’s a type of man-in-the-middle attack that exploits the LLMNR protocol in Windows systems. An attacker will listen for LLMNR broadcasts and respond positively to the request, tricking the victim machine into sending a username and password hash in order to get connected.

4
Q

What event can result in the success of an LLMNR Poisoning attack?

A

A user typing a wrong hostname, causing the DNS request to fail and an LLMNR broadcast to be sent.

5
Q

What is the SMB Relay attack?

A

It’s an attack where the attacker captures an NTLM hash and relays it to another machine, masquerading as the user to authenticate against SMB.

6
Q

What are the two conditions needed for an SMB relay attack to be possible?

A

SMB signing must be disabled on the target and the relayed user credentials must be admin on the target machine.

7
Q

What is the nmap script used to look for hosts with SMB signing disabled?

A

smb2-security-mode.nse. Example:
~~~
$ nmap --script=smb2-security-mode.nse -p<ports> <ip>/<CIDR>
~~~

8
Q

Explain the main idea of an IPv6 DNS takeover in Active Directory.

A

The attacker will place himself as a DHCP server and will respond to configuration requests, more specifically, IPv6 DNS requests. The spoofed DNS reply is passed to ntlmrelayx, which captures NTLM credentials with a fake WPAD proxy and relays them to the authentication service. Once the authentication is successful it dumps the domain information.

9
Q

What are the steps of an IPv6 DNS takeover? Explain each one of them.

A

The first one is IPv6 DNS spoofing, where the attacker will use mitm6, a tool that acts as an IPv6 DHCP server and will listen on the attacker machine for any DHCPv6 configuration requests. Since Windows prefers IPv6, it will send DHCPv6 configuration requests regularly, so mitm6 will reply to those requests to assign an IPv6 address to the target machine and set the attacker’s IP as the DNS server.
The second one is Relaying Credentials, where the attacker will abuse WPAD. Since he is acting as the DNS server, he will host a fake WPAD, setting the attacker machine’s IP address as the web proxy. Once connected, the fake WPAD will send a 407 response, prompting the target to send an NTLM challenge/response. The NTLM credential is then relayed to the LDAPS server and once authenticated it dumps the domain information.

10
Q

What is WPAD?

A

Web Proxy Auto-Discovery is a protocol used to ensure that every device on the network uses the same web proxy configuration. Devices can use WPAD to automatically detect the proxy configuration URL, which is stored in a proxy auto-configuration (PAC) file. By default the client queries the DNS server to request the URL for the PAC file. If this file exists, all the web traffic will be routed through the web proxy configured in the PAC file.

11
Q

The credentials obtained after relaying the NTLM hash to LDAPS are from a higher privileged user. With them, you want to authenticate and create a user to perform a DCSync attack. What privileges should this created user have for the attack to be successful?

A

DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

12
Q

What is a Multifunction peripheral (MFP)?

A

It’s a device that performs a variety of functions, usually at least two of the following: print, scan, or copy. Modern MFPs have the ability to connect to the network, making them a possible target for pentesters.

13
Q

Why is MFP hacking important?

A

The MFP must be configured with the right credentials in order to make queries on the LDAP server. These credentials must be stored somewhere in it, and with them an attacker may have an entry point to the network.
Another aspect is that MFP security is usually neglected in companies, making them an easy target.

14
Q

What is a Pass-Back attack?

A

The main idea of this attack is to enter the device’s EWS (Embedded Web System) and change the LDAP server field to a malicious LDAP server IP. So when the device makes an LDAP query, it will try to authenticate to the malicious LDAP server using the configured credentials or user-supplied ones.

15
Q

What will we receive when carrying out a successful LLMNR attack?

A

User hash

16
Q

What tools can be used to verify if SMB signing is off on the target?

A

Nessus and Nmap.