How to hack active directory with Icebreaker?

Icebreaker Automates network attacks against Active Directory to deliver you plaintext credentials when you’re inside the network but outside of the Active Directory environment. Cyber security researchers explain that Icebreaker perform 5 different network attacks for plaintext credentials as well as hashes. Autocracks hashes found with JohnTheRipper and a custom 1 million password wordlist specifically for Active Directory passwords.

icebreaker

RID cycling

Uses Nmap to find NULL SMB sessions

Performs asynchronous RID cycling to find valid usernames

Performs a 2 password reverse bruteforce of found usernames

Passwords tested: P@ssw0rd and <season><year>, e.g., Winter2018

SCF file upload

Uses Nmap to find anonymously writeable shares on the network

Writes an SCF file to the share with a file icon that points to your device

When a user opens the share in Explorer their hash is sent to you

Autocracks the hash with john and top 10 million password list

LLMNR/NBTNS/mDNS

Uses Responder.py to poison the layer 2 network and capture user hashes

Autocracks the hash with john and top 10 million password list

SMB relay

Uses ntlmrelay.py and Responder.py to relay SMB hashes

After a successful relay it will do the following on the victim machine:

Add an administrative user – icebreaker:P@ssword123456

Run an obfuscated and AMSI bypassing version of Mimikatz and parse the output for hashes and passwords

IPv6 DNS poison

Uses mitm6 and ntlmrelayx.py to poison IPv6 DNS and capture user and machine hashes

Creates fake WPAD server with authentication

This can easily cause network connectivity issues for users so data security specialists recommend use sparingly

How It Works

It will perform the above 5 network attacks in order. RID cycling and SCF file uploads usually go fast, then it lingers on attack 3, Responder.py, for 10 min by default. After that amount of time or the user-specified amount of time has passed, it will move on to the final two attacks which are run in parallel and indefinitely.

Once performing RID cycling and an asynchronous bruteforce it moves on to upload SCF files to anonymously writeable shares. According to cyber security experts, if an SCF file was successfully uploaded and a user visits that file share in Explorer the user’s hash will be captured and attempted to be cracked by icebreaker. If the hash is captured while attack 4, SMB relay, is running, the hash will be relayed for potential command execution. Relaying a hash to another machine allows us to impersonate the user whose hash we captured and if that user has administrative rights to the machine we relayed the hash to then we can perform command execution.

When ntlmrelayx relays a captured hash it will run a base64-encoded PowerShell command that first adds an administrative user (icebreaker:P@ssword123456) then runs an obfuscated and AMSI-bypassing version of Mimikatz. This mimikatz output is parsed and delivered to the user in the standard output as well as in the found-passwords.txt file if any plaintext passwords or NTLM hashes are found.

If icebreaker is run with the –auto flag, then upon reaching attack 4 icebreaker will run Empire and DeathStar in xterm windows. With this option, instead of running mimikatz on the remote box that we relayed the hash to, icebreaker add an administrative user and right after that it’ll run Empire’s PowerShell launcher code to get an agent on the remote machine. DeathStar will use this agent to automate the process of achieving domain admin. The Empire and DeathStar xterm windows will not close when you exit icebreaker.

Password cracking is done with JohnTheRipper and a custom wordlist. The wordlist was pruned and includes no passwords with: all lowercase, all uppercase, all symbols, less than 7 characters, more than 32 characters. These rules conform to the default Active Directory password requirements and brought the list from 20 million to just over 1 million which according to data security professionals makes password cracking extremely fast.

IPv6 DNS poisoning: this attack is prone to causing issues on the network. It causes certificate errors on client machines in the browser. It’ll also slow the network down. According to data security researchers, Windows AD environments are vulnerable by default.

Icebreaker 1

(Visited 161 times, 1 visits today)