
MITM in domain


jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Tue Jul 27, 2010 9:41 am

MITM in domain

Hey!

I have a question regarding MITM in domains.
Let's say you crack the wireless network in a company and all the machines were pretty much fully patched and the only way to gain access was using a valid account with pass/hash for a PSEXEC attack or similar.

If I started a MITM attack on a user that was part of a domain running a DC like Win2K3 or similar, would this affect any of the user shares, the authentication, or cause any other types of trouble?

I'm also thinking about when using fake SSL certificates, etc.


Much appreciated in advance! =)

jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Sat Aug 07, 2010 4:18 am

Re: MITM in domain

Really, nobody? :D  I'll let you guys know when I get around to doing it in the labs...

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Aug 07, 2010 7:23 am

Re: MITM in domain

It shouldn't because you're just passing layer-2 frames back-and-forth.
The day you stop learning is the day you start becoming obsolete.

jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Sat Aug 07, 2010 8:24 am

Re: MITM in domain

Yeah, I know, but I'm not sure what kind of "security" is added when you have, let's say, a 2008 server with 2 NICs (1 ext, 1 int) and you go out on the internet. And what happens if you spoof a client before logging into the domain: will you be able to sniff the password, and will it be a successful login, etc.?

sil


Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sat Aug 07, 2010 8:57 am

Re: MITM in domain

jonas wrote:
    If I started a MITM attack on a user that was part of a domain running a DC like Win2K3 or similar, would this affect any of the user shares, the authentication or cause any other types of trouble?

Without knowing the environment exactly, it's sort of hard to answer... LDAP?

You = 00:00:be:ef:be:ef
Victim = 00:00:ba:be:ba:be

You(attacker) ---> "Hi, I'm 00:00:ba:be:ba:be" --> Router/Switches/OtherDevices

You - now pretending to be attacker - would have to have the shares of Victim all in order, and you'd have to have all devices in that network go through the fingerprint checks (is it LDAP?), etc. But the approach you're taking may be the long way... "Impersonation" is your friend ;) And MS built it right into the system for you (SeImpersonatePrivilege):

http://www.argeniss.com/research/TokenKidnapping.pdf
http://support.microsoft.com/kb/821546

So, without knowing more information - are they using LDAP, Radius, Diameter, etc. - it will be a hard question to answer. HOWEVER... you may not even have to go that far. Even if their machines are "uber patched", I'm sure there is a "circle of trust" amongst one another. Instead of focusing on the "whole domain", pick at it piecemeal, impersonating one another...

Imagine for a moment you walk into an audience and say "Hi, I'm Chuck Norris and I'm a star"; the likelihood of someone pulling your card is obscenely high. However, imagine you trap someone in a corner, a janitor who is partially blind (in the network case, say a print server). You may fool the janitor (impersonating Chuck Norris), abuse that trust relationship, and use it to get to where you need to go. "Mr. Janitor, do you think you could let me into the bathrooms near finance... I left/lost my key..."

The reality of this answer though is... It all depends on the network and what's going on. LDAP, Radius, Diameter, what kind of rules are going on, etc.
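The layer-2 impersonation sil sketches (one MAC announcing "Hi, I'm 00:00:ba:be:ba:be" for another host's IP) is exactly what an ARP watcher on the segment catches: the IP->MAC binding changes, and one MAC starts claiming several hosts. The following is an added example, not code from this thread; the frames are constructed inline, and the gateway MAC 00:00:00:00:00:01 and the 10.0.0.x addresses are assumed values.

```python
import struct

ETH = struct.Struct("!6s6sH")          # Ethernet II: dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")  # ARP: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(sender_mac, sender_ip, target_mac, target_ip, oper=ARP_REPLY):
    """Build a constructed ARP frame; used here only to make sample input."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    return eth + ARP.pack(1, 0x0800, 6, 4, oper, mac_bytes(sender_mac), ip_bytes(sender_ip),
                          mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(sha), ip_str(spa)

class ArpWatch:  # learns IP->MAC bindings from observed ARP and flags the usual spoofing tells
    def __init__(self):
        self.bindings = {}   # ip -> MAC first seen announcing it
        self.claims = {}     # mac -> set of IPs it has claimed
    def observe(self, frame):
        sha, spa = parse_arp(frame) or (None, None)
        if sha is None:      # not an ARP frame we understand
            return []
        alerts = []
        old = self.bindings.setdefault(spa, sha)
        if old != sha:       # a different MAC now says this IP lives at it
            alerts.append(("binding-changed", spa, old, sha))
        self.claims.setdefault(sha, set()).add(spa)
        if len(self.claims[sha]) > 1:   # one MAC claiming several hosts, e.g. victim and gateway
            alerts.append(("multi-ip-mac", sha, tuple(sorted(self.claims[sha]))))
        return alerts

def demo():
    """Replay: victim and gateway announce themselves, then a third MAC claims both IPs."""
    victim, gateway, rogue = "00:00:ba:be:ba:be", "00:00:00:00:00:01", "00:00:be:ef:be:ef"
    watch = ArpWatch()
    frames = [(victim, "10.0.0.20", gateway, "10.0.0.1"), (gateway, "10.0.0.1", victim, "10.0.0.20"),
              (rogue, "10.0.0.20", gateway, "10.0.0.1"), (rogue, "10.0.0.1", victim, "10.0.0.20")]
    return [a for args in frames for a in watch.observe(build_arp(*args))]
```

Multihomed hosts and routers legitimately trip the multi-ip-mac rule, so in practice seed the binding table from a known-good inventory and tune that rule per segment.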
