Gaining Access In Internal Network (RedTeam)

Monish Kumar
October 31, 2022

Will be updated

Transcript

  1. PWNING AD INTERNAL NETWORK !! AD Environment in Enterprises Lots

    of Windows Machines to pivot More CVEs & 0-Days Poor Security Misconfiguration Human Errors MOST IMPORTANT: Recon & Patience...
  2. POSSIBLE SCENARIOS: Walk In, Get 'Guest' credentials and Pivot KeyLogger

    on Victim, Dump creds, Connect Finding secrets from Dorking & etc.. Dropping payloads through phishing & pwn Application related attack vectors (Eg: MS-SQL DB pwned via SQL Injection)
  3. AD

  4. More legitimacy, More the chance ! Chaining proxies and redirectors

    Good domain reputation E-Mail spoofing via poor SPF, DMARC records Frameworks to manage phishing campaigns Using Open Redirection Vulnerability SPEAR PHISHING (INTERNAL) GoPhish + Evilginx2 =
  5. NTLM RELAY ATTACK SCENARIO ATTACKER VICTIM TARGET mNR Poisoning 1.

    2. Get NTLM hash 3. Relay NTLM hash 4. Get privs
  6. RELAYING OVER IPv6 IPv6 enabled by default From Windows Vista

    ManuallyConfigure IPv6 ? IPv6 DNS >> IPv4 DNS *mitm6 *ntlmrelayx
  7. WPAD - Windows Proxy Auto Discovery Phase 1 : Abusing

    default IPv6 configuration to spoof DNS servers Phase 2: Relay credentials over WPAD to access other services WPAD server has wpad.dat file which contains proxy configuration The PAC (Proxy Auto Configuration) file is responsible for enabling proxy in machines to connect to the internet
  8. Windows machine requesting IPv6 config via DHCPv6 protocol mitm6 assigns

    IPv6 address mitm6 acts as DHCP Attackers IPv6 becomes DNS server mitm6 listens for target domains needed to be spoofed IPv6 DNS will be preferred rather than IPv4 Client starts to request WPAD at the moment it gets connected to IPv6 mitm6 serves wpad.dat through spoofed WPAD server and asks authentication NTLM RELAY