Attack Vectors
Basically we sit in the middle (MITM) and wait for someone in the domain to access a non-existent hostname. The client then falls back to a broadcast name request (LLMNR), which we answer, so we capture its NetNTLMv2 hash and can then try to crack it to get access.
hashcat -m 5600 ntlmhash wordlist   # 5600 = NetNTLMv2
SMB relay: we adjust the settings in responder.conf, run Responder again with the same command and set up the relay with ntlmrelayx.py. It is the same idea as LLMNR poisoning, but instead of cracking the captured hash we relay it to the SMB service of another host and get access. In ntlmrelayx.py, the -i option gives an interactive SMB shell.
Getting a shell with credentials using psexec
psexec.py marvel.local/fcastle:password1@192.168.1.12
A feature like Active Directory Certificate Services (AD CS) can make the attack more powerful: if AD CS is enabled, the relay can target LDAP or LDAPS instead of SMB.
Relay only works against hosts that do not enforce signing, so we search the domain for devices with SMB signing disabled or not required, for example with the smb2-security-mode NSE script in Nmap.
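Added example (not part of the original notes): a small Python audit helper that parses the normal-format output of the Nmap smb2-security-mode script and lists the hosts where message signing is not enforced. Those are exactly the hosts a relayed NTLM authentication would be accepted by, so the same inventory tells a defender where the "Microsoft network server: Digitally sign communications (always)" policy still needs to be applied. The Nmap output, host names and addresses below are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of what `nmap -p445 --script smb2-security-mode` prints
# for three hosts. Not captured from any real network.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for ws01.marvel.local (192.168.1.12)
Host is up (0.00045s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.1.20
Host is up (0.00031s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.1.33
Host is up (0.00052s latency).

PORT    STATE SERVICE
445/tcp filtered microsoft-ds
"""

# "Nmap scan report for <name> (<ip>)" or just "Nmap scan report for <ip>"
HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
# The script's human-readable verdict, e.g. "Message signing enabled but not required"
SIGNING_RE = re.compile(r"Message signing (?P<state>.+?)\s*$")


def classify(state_text: str) -> str:
    """Map the script's phrase to a fixed label: required / not_required / disabled / unknown."""
    text = state_text.lower().rstrip("!")
    if "not required" in text:
        return "disabled" if "disabled" in text else "not_required"
    if "required" in text:
        return "required"
    return "unknown"


def parse_smb_signing(nmap_text: str) -> Dict[str, str]:
    """Return {host: signing_label} for every host in normal-format Nmap output.

    Hosts that appear in the scan but produced no smb2-security-mode result
    are reported as 'unknown' so they are not silently dropped from the audit.
    """
    results: Dict[str, str] = {}
    current = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            # Prefer the IP when Nmap printed both a name and an address
            current = m.group("ip") or m.group("name")
            results[current] = "unknown"
            continue
        if current and "Message signing" in line:
            m2 = SIGNING_RE.search(line)
            if m2:
                results[current] = classify(m2.group("state"))
    return results


def relay_exposed(results: Dict[str, str]) -> List[str]:
    """Hosts where SMB signing is not enforced, i.e. the ones still needing the
    'Digitally sign communications (always)' policy."""
    return sorted(h for h, s in results.items() if s in ("not_required", "disabled"))


if __name__ == "__main__":
    parsed = parse_smb_signing(SAMPLE_NMAP_OUTPUT)
    for host, state in parsed.items():
        print(f"{host:15} {state}")
    print("relay-exposed:", relay_exposed(parsed))
```

Feed it the saved normal-format output of a domain-wide scan (`nmap -p445 --script smb2-security-mode -oN scan.txt <range>`) and the `relay_exposed` list becomes the remediation worklist; hosts marked `unknown` should be rescanned rather than assumed safe.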