• Stars
    star
    1,182
  • Rank 39,575 (Top 0.8 %)
  • Language
    PowerShell
  • License
    MIT License
  • Created almost 7 years ago
  • Updated about 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment

icebreaker

Break the ice with that cute Active Directory environment over there. When you're cold and alone staring in at an Active Directory party but don't possess even a single AD credential to join the fun, this tool's for you.

Sequentially automates 5 internal network attacks against Active Directory to deliver you plaintext credentials. Use the --auto option to automatically acquire domain admin privileges after gaining a foothold.

Summary Details

The following attacks are performed sequentially until the fourth and fifth attacks which run in parallel and indefinitely.

  • Reverse bruteforce
    • Automatically acquires a list of usernames and tests each one with two of the most common AD passwords (more than two attempts may trigger account lockout policies)
  • Upload to network shares
    • Capture users' passwords with malicious file uploads to available network shares
  • Poison broadcast network protocols
    • Uses common network protocols to trick users' computers into sending you passwords
  • Man-in-the-middle SMB connections
    • Performs remote command execution against AD computers in order to gather passwords
  • Poison IPv6 DNS
    • Exploits DNS to trick AD computers into sending their users' passwords to you

Technical Details

All NetNTLMv2 hashes which are captured in the techniques below are autocracked with JohnTheRipper and an AD-specific password list of 1 million in length.

  • Reverse bruteforce
    • Uses rpcclient to find hosts that accept null SMB sessions
    • Uses ridenum to find valid usernames via RID cycling on null SMB hosts
    • Can use theHarvester to gather additional potential usernames from a specified internet domain
    • Performs a 2 password reverse bruteforce of found usernames or you can specify a password list to use
    • Default passwords tested: P@ssw0rd and <current_season><year>, e.g., Spring2018
  • SCF upload
    • Uses Nmap to find anonymously writeable network shares via NSE script smb-enum-shares
    • Writes an SCF file to the share with a file icon path that points to your machine
    • When an AD user opens the share in File Explorer their NetNTLMv2 hash is sent to you
  • LLMNR/NBTNS/mDNS poisoning
    • Uses Responder.py to poison the layer 2 broadcast/multicast network protocols (LLMNR, NBT-NS, mDNS) and capture NetNTLMv2 hashes
  • SMB relay
    • Uses ntlmrelayx.py and Responder.py to relay SMB hashes
    • Uses Nmap to identify vulnerable relay targets via the NSE script smb-security-mode
    • Vulnerable targets will have SMBv1 enabled and SMB signing disabled
    • Successful relaying of a hash will result in the capture of a user's NetNTLMv2 hash which will be autocracked
    • If a user hash is relayed to a machine and that user is a local administrator, command execution will occur and the following will be remotely performed:
      • Add an administrative user - icebreaker:P@ssword123456
      • Run an obfuscated and AMSI bypassing version of Mimikatz
      • Mimikatz output is parsed for NTLM hashes and plaintext passwords
      • Run an obfuscated and AMSI bypassing version of Invoke-PowerDump for SAM hashes
      • Output is parsed for NTLM hashes
  • IPv6 DNS poison
    • Uses mitm6 and ntlmrelayx.py to poison IPv6 DNS in order to capture NetNTLMv2 user hashes
    • Creates fake WPAD server with authentication
    • IPv6 DNS is enabled by default in Active Directory environments
    • Note: this can cause network connectivity issues for users

How It Works

It will perform the above 5 network attacks in order. Reverse bruteforcing and SCF file uploads usually go pretty quick, then it lingers on attack 3, Responder.py, for 10 min by default. After that amount of time, or the user-specified amount of time has passed, it will move on to the final two attacks which are run in parallel and indefinitely.

If any hosts are discovered to allow null SMB sessions, icebreaker will use ridenum to perform RID cycling for valid usernames. If you use the "-d <somedomain.com>" option, theHarvester will scrape any email addresses from the specified website. Any email usernames that are AD-compatible will be added to the reverse bruteforce username list. Icebreaker uses the asyncio library to perform the reverse bruteforce using the linux tool rpcclient using 10 async workers.

The SCF upload attack abuses Shell Command Files against anonymously writeable network shares. SCFs are files that can perform basic actions like showing the desktop or opening a File Explorer window. They have the curious property of allowing you to set its file icon to a network path. If you set this network path to your own machine, users who open the file share in File Explorer will automatically send their NetNTLMv2 password hash to you. Icebreaker uses the Nmap script smb-enum-shares to find anonymously writeable shares then automatically generates and uploads the payloaded SCF.

Attack 3 uses Responder.py to poison LLMNR, NBT-NS, and mDNS multicast/broadcast protocols. When users navigate to a nonexistent network path, Responder will tell them your attacker machine is the correct path. The user's NetNTLMv2 password hash is now yours. Responder will capture hashes sent via the SCF attack, but the next attack is generally more useful for capturing SCF hashes because it has the potential of using the hash for command execution.

SMB relay is an old network attack where attackers place themselves inbetween the SMB client and the SMB server. This allows attackers to capture and relay NetNTLMv2 hashes to hosts that have SMBv1 enabled and SMB signing disabled. ntlmrelayx.py from the Impacket library is used to relay while Responder.py is used to man-in-the-middle SMB connections. Should the SMB client user have administrative rights to any host on the network that has SMB signing disabled, ntlmrelayx.py will perform command execution on that host.

Once ntlmrelayx relays a captured hash it will run a base64-encoded powershell command that first adds an administrative user (icebreaker:P@ssword123456) then runs an obfuscated and AMSI-bypassing version of Mimikatz, followed by an obfuscated and AMSI-bypassing version of Invoke-PowerDump. The output of Invoke-Mimikatz and Invoke-PowerDump is parsed for plaintext passwords or NTLM hashes and delivered to the user in the standard output as well as in the found-passwords.txt file. NTLM hashes, unlike NetNTLMv2 hashes, can be used just like a plaintext password for authentication to other AD hosts. The one caveat is that ever since Microsoftโ€™s KB2871997 patch, only the builtin RID 500 local administrator account can be used in pass-the-hash attacks.

The final attack uses the tool mitm6 to perform a man-in-the-middle IPv6 DNS attack against the whole network. This forces hosts on the network to use the attacker's machine as their DNS server. Once set as their DNS server, the attacker serves malicious WPAD proxy setting files to the victims and gathers their NetNTLMv2 hashes. These hashes are relayed using ntlmrelayx.py for further remote code execution possibilities. One thing to note is that this attack is prone to causing issues on the network. It often causes certificate errors on client machines in the browser. It'll also likely slow the network down. The beauty of this attack, however, is that Windows AD environments are vulnerable by default.

If icebreaker is run with the --auto [tmux/xterm] flag, then upon reaching attack 4 icebreaker will run Empire and DeathStar in either a tmux session or xterm windows. With this option, instead of running mimikatz on the remote host that we relayed the hash to, icebreaker will add an administrative user then run Empire's powershell launcher code to get an agent on the remote machine. DeathStar will use this agent to automate the process of achieving domain admin. The Empire and DeathStar will not close when you exit icebreaker.

Password cracking is done with JohnTheRipper and a custom wordlist. The origin of this list is from the merged.txt which is every password from the SecLists GitHub account combined. The wordlist was pruned and includes no passwords with: all lowercase, all uppercase, all symbols, less than 7 characters, more than 32 characters. These rules conform to the default Active Directory password requirements and brought the list from 20 million to just over 1 million which makes password cracking extremely fast.

Installation

As root:

./setup.sh
pipenv install --three
pipenv shell

You might get an error after running pipenv install. Update to a version of pipenv higher than 11.9.0 if that is the case. You can git clone pipenv from github and just apt-get remove python-pipenv && python setup.py install from within the folder.

Docker Usage

Still a few bugs to work out with the docker image so this is likely to error for you but it's almost there. From the Git Repo:

docker build --rm -t danmcinerney/icebreaker .
docker run danmcinery/icebreaker

Or append the commands you'd normally add to icebreaker (don't forget to map volumes):

docker run -v $(pwd)/logs:/icebreaker/logs -v $(pwd)/hashes:/icebreaker/hashes -v $(pwd)/icebreaker-scan.xml:/icebreaker/icebreaker-scan.xml -v $(pwd)/submodules:/icebreaker/submodules -e PYTHONUNBUFFERED=0 danmcinerney/icebreaker -x icebreaker-scan.xml

**Note: You'll want to map ports for listeners with docker's -p <host>:<container> flag.

Usage

Run as root. Read from a newline separated list of IP addresses (single IPs or CIDR ranges) and instead of having ntlmrelayx add a user and mimikatz the victim upon hash relay, have it execute a custom command on the victim machine. In this example we're giving it a command similar to what Empire might give us for a powershell launcher one-liner.

./icebreaker -l targets.txt -c "powershell -nop -w hidden -exec bypass -enc WwFk..."

Read from a hostlist, tell Responder to use the eth0 interface rather than the default gateway interface, let Responder run for 30m instead of the usual 10m, and run the default ntlmrelayx post-relay commands to dump the SAM off the victim server.

./icebreaker -l targets.txt -i eth0 -t 30 -c default

Use an Nmap XML output file, skip all five attacks plus don't autocrack hashes, and use a custom password list for the reverse bruteforce attack (note that since this example is skipping attack 1 via '-s rid' the password list specified won't even get used; this is just used as an example)

./icebreaker.py -x nmapscan.xml -s rid,scf,llmnr,relay,dns,crack -p /home/user/password-list.txt

Fire-and-forget usage: input targets file, scrape companydomain.com for email usernames to be added to the reverse bruteforce attack, skip mitm6's IPv6 DNS poisoning, and run Empire and DeathStar in either tmux or xterm windows once attack 4 starts in order to gain automated domain admin. The goal of this usage is to fire off the command Monday at 9am then go take a short, uninterrupted break until Friday at 4:30pm at which point we come back to a domain admin shell waiting for us. We skip attack 5 (mitm6) because it can sometimes cause network issues and we don't want angry clients interrupting our hard-earned break.

./icebreaker.py -l targets.txt -d companydomain.com -s dns --auto [tmux/xterm]

More Repositories

1

wifijammer

Continuously jam all wifi clients/routers
Python
3,982
star
2

LANs.py

Inject code and spy on wifi users
Python
2,583
star
3

net-creds

Sniffs sensitive data from interface or pcap
Python
1,689
star
4

xsscrapy

XSS spider - 66/66 wavsep XSS detected
Python
1,648
star
5

pymetasploit3

Automation library for Metasploit
PowerShell
370
star
6

pentest-machine

Automates some pentest jobs via nmap xml file
Ruby
319
star
7

dnsspoof

DNS spoofer. Drops DNS responses from the router and replaces it with the spoofed DNS response
Python
276
star
8

fakeAP

Create fake AP in Kali with 1 command
Python
265
star
9

elite-proxy-finder

Finds public elite anonymity proxies and concurrently tests them
Python
249
star
10

msf-autoshell

Feed the tool a .nessus file and it will automatically get you MSF shell
Python
234
star
11

creds.py

Harvest FTP/POP/IMAP/HTTP/IRC creds
Python
166
star
12

fast-recon

Does some google dorks against a domain
Python
158
star
13

device-pharmer

Opens 1K+ IPs or Shodan search results and attempts to login
Python
144
star
14

wifi-monitor

Prints the IPs on your local network that're sending the most packets
Python
142
star
15

msf-autopwn

Autoexploitation of some of the most common vulnerabilities in wild
Python
123
star
16

search-google

Scrape google search results
Python
93
star
17

autorelay

Automatically performs the SMB relay attack
Python
71
star
18

msfbot

WORK IN PROGRESS. Waits for MSF session then automatically gets domain admin
PowerShell
64
star
19

get_proxy

Py class that returns fastest http proxy
Python
54
star
20

best-channel

Find wifi channel with least interference
Python
52
star
21

SMB-reverse-brute

Async'ly gather unique usernames thru null SMB sessions and bruteforce them with 2 passwords
Python
51
star
22

Invoke-Cats

Obfuscated Invoke-Mimikatz
PowerShell
51
star
23

shellshock-hunter

Concurrently test bing results for shellshock vulnerability
Python
42
star
24

Autobloodhound

Automatically parses and attacks BloodHound-generated graphs
Python
41
star
25

smb-autopwn

Discovers and exploits hosts vulnerable to MS08-067/MS17-010
Python
41
star
26

autoresp

Runs Responder, uploads hashes for cracking, alerts when cracked
Python
37
star
27

FuzzStrings

Simple, hand-picked list of fuzz strings
Python
32
star
28

cookiejack

ARP spoof then session jack within your browser
Python
27
star
29

shellshock-hunter-google

Search google for shellshock vulnerable sites
Python
27
star
30

crawler.py

async web crawler
Python
26
star
31

nmap-parser

Parses Nmap XML files
Python
25
star
32

net-sniffer

Sniffs an interface/pcap file and concatenates fragmented packet loads
Python
21
star
33

MsfWrapper

Asynchronous MSF RPC API wrapper
Python
20
star
34

shodan-search

Python
19
star
35

WPSmash

Python
17
star
36

mailspy

Catch IMAP/POP passwords and see incoming and outgoing messages
Python
17
star
37

arp-ping-detector

ARP ping detector on local network
Python
15
star
38

Obf-Cats

Obfuscated Invoke-Mimikatz script
PowerShell
15
star
39

injecthtml

injecthtml
Python
12
star
40

async-meterpreter-controller

Template for asynchronously controlling meterpreter sessions
Python
12
star
41

postanalyzer

Analyze and log POSTs your machine makes
Python
11
star
42

search-bing

Search bing with python
Python
11
star
43

flashforge-finder-api

FlashForge Finder 3D Printer API with temperature control
Python
10
star
44

joomla-addon-hunter

Find potential SQLi in Joomla URLs
Python
8
star
45

vimrc

My .vimrc
Vim Script
8
star
46

UfcstatsScraper

Scrapes ufcstats.com for data
Python
8
star
47

BestfightoddsScraper

Asynchronously scrape bestfightodds.com for odds data
Python
7
star
48

Invoke-Pwds

Obfuscated Invoke-PowerDump for SAM hash retrieval
PowerShell
7
star
49

basic-xss-spider

sort of functional - abandoned
Python
6
star
50

arpdet

Detects and deauths arp spoofers automatically. Broken.
Python
5
star
51

SherdogScraper

Scrapes sherdog.com for fights
Python
4
star
52

async-requests

Python
3
star
53

quickscan

beta
Python
2
star
54

bashrc

My bashrc
Shell
2
star
55

Dating-service

Written by kid I was teaching python to.
Python
2
star
56

mma

Python
1
star
57

dotfiles

Dotfiles
Vim Script
1
star
58

UFCScraper

Python
1
star