Network Attacks

ko-fi

Network Recon

Host Discovery
bash find_cidrs.sh eth0
LogoInternal_Pentest/find_cidrs.sh at main · nullenc0de/Internal_PentestGitHub

Dismap

LogoGitHub - zhzyker/dismap: Asset discovery and identification tools 快速识别 Web 指纹信息,定位资产类型。辅助红队快速定位目标资产信息,辅助蓝队发现疑似脆弱点GitHub

NetScan - From Windows Host

LogoSoftPerfect Network Scanner : fast, flexible, advancedwww.softperfect.com

Bettercap

Sniffing

Wireshark or tcpdump - Credentials in clear text ?

Miscellaneous TechniquesInteracting with Users

Extract NTLMv1, etc

Extract NTLMv2

LogoGitHub - mlgualtieri/NTLMRawUnHide: NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The following binary network packet capture formats are supported: *.pcap *.pcapng *.cap *.etlGitHub

NFS Data Extraction

LogoGitHub - Rysess/NFSExtractor: Extract NFS files from wireshark capture (pcap)GitHub

Finding vulnerabilities - Above

LogoGitHub - caster0x00/Above: Network Security SnifferGitHub

Above is an invisible network sniffer for finding vulnerabilities in network equipment. It is based entirely on network traffic analysis, so it does not make any noise in the air. He’s invisible.

Convert pcapng to pcap

Open outbound ports / Filtering

Web content filtering

For example, try to connect to 4chan or exploit-db with CLI but also with a browser

Living Off Trusted Sites

Try to access some of LOTS

LogoLOTS Project - Living Off Trusted Siteslots-project.com

Port Filtering

Test for other ports: 22, 21, 23, etc.

Outgoing Port Testerportquiz.net

Protocol Filtering

For example, if port 22 is blocked, also test for protocol filtering: SSH on port 443 ?

Server side:

Try to connect over port 443

The Protocol Filter feature is used to block unwanted traffic from your network. The feature is commonly used to make sure employees, students or end users are using their Internet access for its intended productive use. The filter can block dozens of different protocols, including: peer-to-peer traffic (Source: ClearOS)

ARP - DNS Spoofing

Bettercap

Standalone version:

LogoBettercap Tutorial & Top Commands (2025 Update)StationX

Arpspoof

Eavesarp

Detect and exploit Stale Network Address Configurations (SNACs) via network traffic analysis and ARP poisoning techniques

LogoGitHub - ImpostorKeanu/eavesarp-ngGitHub

LLMNR NBT-NS Poisoning

LLMNR NBT-NS Poisoning

ADIDNS Spoofing

ADIDNS Spoofing

MITM6

LogoGitHub - dirkjanm/mitm6: pwning IPv4 via IPv6GitHub
https://cheatsheet.haax.fr/windows-systems/exploitation/ipv6/cheatsheet.haax.fr

MITM MySQL

Use CredSLayer to extract salts and password hash

LogoCrackeando credenciales de MySql obtenidos por un MITM like a Sir!Follow The White Rabbit

MITM - ASReproast

Misconfiguration

MITM - Kerberoast

Kerberoast

No LDAP Signing - KrbRelayUp

No-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).

LogoGitHub - Dec0ne/KrbRelayUp: KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).GitHub

KrbRelay

Logor-tec Blog | Windows is and always will be a Potatolandwww.r-tec.net
LogoGitHub - cube0x0/KrbRelay: Framework for Kerberos relayingGitHub

  • Cross-session attack:

    • KrbRelay.exe -s <SESSION-ID> -clsid 354FF91B-5E49-4BDC-A8E6-1CB6C6877182 -ntlm

  • Read out local SAM database hashes:

    • KrbRelay.exe -cslid F8842F8E-DAFE-4B37-9D38-4E0714A61149 -session <TARGET-SESSION-ID> -spn cifs/<TARGET-SYSTEM>.<DOMAIN> -secrets

  • Relaying Kerberos to SMB for remote access:

    • KrbRelay.exe -cslid f8842f8e-dafe-4b37-9d38-4e0714a61149 -session <SESSION-ID> -spn cifs/<TARGET-SYSTEM>.<DOMAIN> -console

NTLM Relay

SMB (445, 139) / RPCAD CS

Kerberos Relay

https://github.com/CICADA8-Research/Penetration/blob/main/KrbRelay%20MindMap/KrbRelay.drawio.png

Over HTTP

LogoAbusing multicast poisoning for pre-authenticated Kerberos relay overSynacktiv

Over SMB

LogoFrom NTLM relay to Kerberos relay: Everything you need to knowDecoder's Blog
SMB (445, 139) / RPCAD CS

Via DHCPv6-DNS-Takeover

LogoGitHub - RedTeamPentesting/pretender: Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.GitHub
PreviousBasic Windows CommandsNextLLMNR NBT-NS Poisoning

Last updated