Today it’s about some Active-Directory attacks.
- Getting the initial foothold by LLMNR poisoning
- Token impersonation
LLMNR (Link-Local Multicast Name Resolution) is a protocol similar to DNS used for local domain name resolution. This is used in the AD environment by windows machines for getting the IP of machines in the local network when a domain name is provided.
The vulnerable part is when the Domain Controller cannot resolve the domain name it makes a broadcast request for getting the IP which allows the attacker to set up a rogue server and responds to the request with his IP and for accessing the resource credentials must be sent to the attacker which allows us to get the initial access into the network.
The domain name must be typed in the address bar of windows explorer like below for this to work,
Another way is to enter the IP of the attacker’s machine which can be automated if we have write access to the SMB share of the machine.
We can upload SCF(Shell Command File) which is a script that opens Windows Explorer and enters the string mentioned in the variable Iconfile.
This attack can be used when we have shell access to a system in the AD environment.
Token impersonation allows us to move laterally or even escalate privilege in the AD environment.
Tokens are like cookies for accessing machines in the AD which can be used instead of credentials every time and these get deleted when the system is rebooted.
For this demonstration, we will be using a Metasploit module called incognito and discuss Delegate tokens(created when we login or RDP into a system).
- Once we get a shell, we have to escalate privilege to NT Authority/System to perform this attack.
- Now load incognito
- list_tokens -u ( to display all the tokens present in the system)
- impersonate_token <name> to get a shell as that user.
When we have a Administrator token present , once we impersonate that we have domain admin access and the entire network in now compromised!