HTB Academy: Active Directory Enumeration and Attacks - LLMNR Poisoning Linux & Windows Lab

Published on Aug 04, 2024 This response is partially generated with the help of AI. It may contain inaccuracies.

Introduction

This tutorial will guide you through the process of performing LLMNR and NBT-NS poisoning attacks using both Linux and Windows environments. We will cover how to capture user hashes, crack them using Hashcat, and provide practical advice for each step, ensuring you have a clear understanding of the procedures involved.

Chapter 1: Windows Lab

Step 1: Establish Remote Desktop Connection

  • Use the provided credentials to connect to the target machine via Remote Desktop.
  • Note that you may experience connectivity issues; be prepared to reset the connection if needed.

Step 2: Launch PowerShell

  • Once connected, open PowerShell as an Administrator to gain full privileges.

Step 3: Run the Inveigh Tool

  • Navigate to the directory where the Inveigh tool is located. Typically, this is C:\tools.

  • Execute Inveigh to start capturing hashes:

    .\Inveigh.exe
    

Step 4: Monitor Captured Data

  • Let the tool run for a while to capture user hashes. You can interrupt it with the Escape key to issue commands.

  • To list the unique NTLMv2 captures (one per user) and check which usernames have been collected, run the following console command:

    GET NTLMV2UNIQUE
    

Step 5: Stop the Tool

  • Once you have captured the necessary hashes, type STOP in the console to halt Inveigh.

Step 6: Extract User Hash

  • Locate the hash for the target user (e.g., the SVC user). If you missed it scrolling by, use the GET NTLMV2UNIQUE command from Step 4 to retrieve it.

Step 7: Save the Hash

  • Copy the hash into a text file on your drive for later use.

Step 8: Crack the Hash with Hashcat

  • Open a new terminal tab and run Hashcat with the saved hash. Use the following command structure:

    hashcat -m 5600 -a 0 <path_to_hash_file> <path_to_rockyou_wordlist>
    

Step 9: View Cracked Password

  • After a brief processing time, you should see the clear text password for the user in the results.

Step 10: Save Other Hashes

  • For thoroughness, store all captured hashes for potential future use.

Chapter 2: Linux Lab

Step 1: SSH to the Target

  • Use SSH to connect to your target machine using the provided credentials.

Step 2: Identify Network Adapter

  • Confirm the network adapter you will use, such as ens224.

Step 3: Run Responder

  • Launch Responder with root privileges to begin capturing hashes.

    sudo responder -I ens224
    

Step 4: Monitor Capturing Process

  • Let Responder run for a while to gather user hashes. Use Ctrl+C to stop the process when you are ready.

Step 5: Review Log Files

  • Check the log files created by Responder, typically found in the /var/lib/responder/logs/ directory.
  • Look for relevant files such as mssql.txt or SMB-NTLMv2.txt to find the captured hashes.

Step 6: Extract Target User Hash

  • Identify and copy the hash for the user you are targeting (e.g., B user).

Step 7: Save the Hash

  • Create a text file to store the hash using Nano:

    nano B_user_hash.txt
    

Step 8: Crack the Hash with Hashcat

  • Use Hashcat to attempt to crack the hash stored in your text file using the Rockyou wordlist:

    hashcat -m 5600 -a 0 B_user_hash.txt /path/to/rockyou.txt
    

Step 9: Check Results

  • After processing, retrieve the clear text password from the Hashcat output.

Step 10: Repeat for Additional Users

  • If needed, repeat Steps 6-9 for any additional users, such as the WLE user.

Conclusion

In this tutorial, you learned how to conduct LLMNR and NBT-NS poisoning attacks to capture and crack user hashes in both Windows and Linux environments. You gained hands-on experience with tools like Inveigh and Responder, and practiced using Hashcat for password cracking. Remember to keep all captured hashes organized for future reference, as they may be useful in subsequent tasks.
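As a defensive counterpart to both labs, here is an added example (not part of the HTB module or this walkthrough) that audits and disables the two broadcast name-resolution fallbacks Inveigh and Responder poison. It assumes an elevated PowerShell session on the Windows host; the DNSClient policy key and the Win32_NetworkAdapterConfiguration.SetTcpipNetbios method are standard Windows interfaces, and `-WhatIf` runs it in audit-only mode.

```powershell
# Added example: audit and turn off LLMNR and NBT-NS on this host.
# Run elevated. Pass -WhatIf to only report what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# --- LLMNR: the "Turn off multicast name resolution" policy sets EnableMulticast = 0
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$current  = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast

if ($current -eq 0) {
    Write-Host 'LLMNR: already disabled (EnableMulticast=0)'
}
elseif ($PSCmdlet.ShouldProcess('LLMNR', 'Disable multicast name resolution via DNSClient policy')) {
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    Write-Host 'LLMNR: disabled (EnableMulticast=0)'
}

# --- NBT-NS: NetBIOS over TCP/IP is a per-adapter setting.
# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'

foreach ($adapter in $adapters) {
    $name = $adapter.Description
    if ($adapter.TcpipNetbiosOptions -eq 2) {
        Write-Host "NBT-NS: already disabled on '$name'"
        continue
    }
    if ($PSCmdlet.ShouldProcess($name, 'Disable NetBIOS over TCP/IP')) {
        $result = Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = 2 }
        switch ($result.ReturnValue) {
            0 { Write-Host "NBT-NS: disabled on '$name'" }
            1 { Write-Host "NBT-NS: disabled on '$name' (reboot required)" }
            default { Write-Warning "NBT-NS: SetTcpipNetbios returned $($result.ReturnValue) on '$name'" }
        }
    }
}
```

In a domain, push the same LLMNR setting through Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client) so that newly joined hosts do not reintroduce the fallback the labs above rely on.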