Gaining Shell Access in Active Directory
After conducting an LLMNR or SMB relay attack, one of the steps an attacker can take is to use the collected credentials, specifically the domain NTLMv2 hashes or the local NTLMv2 hashes belonging to local users, to gain shell access in an Active Directory environment. This access can provide valuable information about the systems. Several Python scripts can provide such shell access, for example impacket-psexec, impacket-smbexec, and impacket-wmiexec. Some of these tools are also integrated into Metasploit. By providing the appropriate arguments, attackers can easily gain shell access using these tools.
However, there is a possibility that Metasploit may be detected during real-world use, which could hinder its effectiveness. Therefore, we will also demonstrate how to use one of the most powerful alternatives to Metasploit, impacket-smbexec, to gain shell access. The Metasploit module and the impacket-smbexec tool will be explained in parallel, allowing you to choose the option that best suits your needs.
Let's begin our shell-gaining attack!
Gaining Shell Access Using the PsExec Module in Metasploit
After successfully performing an LLMNR attack, the attacker acquires the domain name, username, and the NTLMv2 hash of the targeted user, which can be cracked using Hashcat. In this scenario, we have already executed our LLMNR attack and collected the necessary credentials, including the domain name, username, NTLMv2 hash, and the plaintext password after cracking the NTLMv2 hash.
Now, we want to gain shell access to the system of that user by entering their domain username and password. To achieve this, we will use the PsExec module in Metasploit.
First, open your terminal and type msfconsole to launch Metasploit. Once it is open, use the command search psexec to locate the PsExec module. After identifying the module, you can view the required options by typing options.
Next, set the necessary parameters using the following commands:
set smbdomain <name of domain, e.g. NET.local>
set smbuser <username, e.g. tom>
set smbpass <plaintext password, e.g. Password12345Q>
Once all required fields are filled, simply type run to initiate the attack and gain shell access to the user's system.
Gaining Shell Access with Impacket-SMBExec
We can achieve the same outcome as in the previous section using impacket-smbexec, and this time the probability of the attack being detected or prevented is significantly lower. To gain shell access, we will use the following command:
sudo impacket-smbexec <Domain_Name>/<username>:<plain_password>@<IP_of_target_system>
For example, the command would look like this:
sudo impacket-smbexec Cando/Tom:'Password1'@192.168.1.118
Gaining Shell Access Using Uncracked NTLMv2 Hashes
In the previous section, we demonstrated how to gain access using a cracked NTLMv2 hash. In this scenario, we will show that even with an NTLMv2 hash that has not yet been cracked, we can still gain shell access.
In this case, we have the credentials of a local user along with their local NTLMv2 hash. We will use the PsExec module in Metasploit again, but this time we will unset the smbdomain parameter. This is necessary because the NTLMv2 hash belongs to a local user rather than a domain user, meaning there is no need to authenticate with the Domain Controller (DC).
Next, we will change the IP address to that of the target system and set smbpass to the password hash in lm:ntlm form. This can be done using the following commands:
unset smbdomain
set smbuser <username> (local user)
set smbpass <lm:ntlm password hash>
set RHOST <IP_of_target_system>
By following these steps, you can successfully establish a shell connection to the target system using the NTLMv2 hash without needing domain authentication.
Gaining Shell Access with Uncracked NTLMv2 Using SMBExec
With smbexec, we can achieve the same goal as mentioned above, even when we have an uncracked NTLMv2 hash. To gain shell access, use the following command:
sudo impacket-smbexec <username>@<IP_of_target> -hashes lm:ntlm
For example, if the local username is Tom, the target IP address is 192.168.1.118, and the NTLM hashes are lm_hash and ntlm_hash, the command would look like this:
sudo impacket-smbexec Tom@192.168.1.118 -hashes lm_hash:ntlm_hash
This command allows you to authenticate using the NTLMv2 hash without needing to crack it first. By providing the username and the target IP address, along with the appropriate LM and NTLM hashes, you can successfully establish a shell connection to the target system.
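Both the Metasploit PsExec module and impacket-smbexec get their shell by installing a service on the target, which Windows records in the System log as Event ID 7045. As an added example that is not part of the original article or of either tool, the following Python check walks a few constructed, flattened 7045 records and flags the artifacts these tools leave behind. The service names, file names and command shape used here are the tools' defaults as I know them and are operator-configurable, so treat them as assumptions; the log lines are constructed.

```python
import re

# Constructed sample System-log records (Event ID 7045, "A service was installed in the
# system"), flattened to "event_id|host|service_name|image_path". These are not real logs.
SAMPLE_EVENTS = [
    # impacket-smbexec defaults (assumed, configurable): service "BTOBTO", each command run
    # through %COMSPEC% with its output written to \\127.0.0.1\C$\__output
    r"7045|DC01|BTOBTO|%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    # psexec-style (assumed defaults): random 8-letter service name backed by an uploaded binary
    r"7045|WS-TOM|gXqLpRtV|%SYSTEMROOT%\gXqLpRtV.exe",
    # a service whose "binary" is just a command shell, without either tool's fingerprint
    r"7045|WS-TOM|Updater|%COMSPEC% /Q /c whoami",
    # ordinary installs for contrast
    r"7045|WS-TOM|Sense|C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
    r"7045|WS-TOM|VBoxService|C:\Windows\System32\VBoxService.exe",
]

SMBEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\[A-Za-z]\$\\__output", re.IGNORECASE)
RANDOM_SERVICE = re.compile(r"^[A-Za-z]{8}$")
RANDOM_IMAGE = re.compile(r"^%SYSTEMROOT%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def classify(record):
    """Label one flattened 7045 record, or return None when it looks like a normal install."""
    event_id, host, service, image = record.split("|", 3)
    if event_id != "7045":
        return None
    # Highest confidence: smbexec's output-file redirection or its default service name.
    if service.upper() == "BTOBTO" or SMBEXEC_OUTPUT.search(image):
        return "smbexec"
    # Random 8-letter service whose binary carries the same random name in the Windows directory.
    if RANDOM_SERVICE.match(service) and RANDOM_IMAGE.match(image):
        return "psexec-like"
    # Lower confidence: any service whose image path is a command-interpreter invocation.
    if image.upper().startswith("%COMSPEC%") or image.lower().startswith("cmd.exe"):
        return "shell-service"
    return None


def scan(records):
    """Return (host, service, label) for every record that classify() flags."""
    hits = []
    for record in records:
        label = classify(record)
        if label:
            _, host, service, _ = record.split("|", 3)
            hits.append((host, service, label))
    return hits


if __name__ == "__main__":
    for host, service, label in scan(SAMPLE_EVENTS):
        print(f"{host}: service {service!r} flagged as {label}")
```

Because an operator can rename the service and the output file, the first two rules catch defaults only; the generic "shell-service" rule and a baseline of which service installs are normal on each host are what make the check hold up.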