mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [master] 2 pages modified

This commit is contained in:
CPol 2020-12-22 23:49:12 +00:00 committed by gitbook-bot
parent 4980623ab5
commit 21c8c4ff8b
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 37 additions and 44 deletions


@ -35,12 +35,34 @@ responder -I <Iface>
![](../../.gitbook/assets/image%20%28235%29.png)
An interesting technique is to use responder to downgrade the NTLM authentication when possible. This will allow to **capture NTLMv1 challenges and responses** instead of NTLMv2 that can be **easily cracked** [**following this guide**](../../windows/active-directory-methodology/printers-spooler-service-abuse.md)**.**
```bash
responder -I <Iface> --lm #Downgrade NTLM authntication if possible
```
By **default**, the **WPAD impersonation won't be executed**, but you can execute it doing:
```text
```bash
responder -I <Iface> --wpad
```
Responder can also send **fake DNS responses** \(so the IP of the attacker is resolved\) and can inject **PAC files** so the victim will get the IP of the **attacker as a proxy**.
```bash
responder.py -I <interface> -w On #If the computer detects the LAN configuration automatically, this will impersonate it
```
You can also **resolve NetBIOS** requests with **your IP**. And create an **authentication proxy**:
```bash
responder.py -I <interface> -rPv
```
You won't be able to intercept NTLM hashes \(normally\), but you can easily grab some **NTLM challenges and responses** that you can **crack** using for example _**john**_ option `--format=netntlmv2`.
The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
### Capturing credentials
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" \(most probably a **NTLMv2 Challenge/Response**\):
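Review bot: the WPAD paragraph opens a ```text fence and then a ```bash fence on the very next line (the two lines before `responder -I <Iface> --wpad`), so the rendered page will show a stray fence marker and mis-nest the block; drop the ```text line. Smaller points in the same hunk: "authntication" in the `--lm` comment, "Responde**r" splits the bold marker mid-word, and the sentence "**capture NTLMv1 challenges and responses** ... that can be **easily cracked** following this guide" links to printers-spooler-service-abuse.md, which does not look like a cracking guide; please check the target. It would also help the reader to state plainly that the `--lm` downgrade only works against clients still permitted to answer with LM/NTLMv1, which is exactly the client setting a hardened domain disables.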
@ -62,9 +84,16 @@ Responder is going to **impersonate all the service using the mentioned protocol
This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.
Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.
The 2 main **tools** to perform this attack are: **MultyRelay** \(from responder\) and **smbrealyx** \(from impacket\).
The 3 main **tools** to perform this attack are: **smb\_relay** \(metasploit\), **MultyRelay** \(responder\), and **smbrealyx** \(impacket\).
Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in ****_**/usr/share/responder/Responder.conf**_ and then execute responder on the desired **interface**: `responder -I eth0 -rv`
You can perform this attack using **metasploit module**: `exploit/windows/smb/smb_relay`
The option `SRVHOST` is used to point the server **were you want to get access**.
Then, when **any host try to authenticate against you**, metasploit will **try to authenticate against the other** server.
You **can't authenticate against the same host that is trying to authenticate against you** \(MS08-068\). **Metasploit** will **always** send a "_**Denied**_" **response** to the **client** that is trying to connect to you.
Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in ****_**/usr/share/responder/Responder.conf**_ and then execute responder on the desired **interface**: `responder -I eth0 -rv`
If you want to use **smbrelayx** now you should run:
```text
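Review bot: the tool names in "The 3 main **tools** to perform this attack are" are misspelled: Responder ships MultiRelay (not "MultyRelay") and Impacket ships smbrelayx.py (not "smbrealyx"), and the hunk itself spells smbrelayx correctly two lines later. The paragraph beginning "Independently of the tool, first, you need to **turn Off SMB and HTTP servers**" appears twice in this hunk; if one copy is the removed line and the other the moved one that is fine, otherwise delete one. Also "were you want to get access" should read "where you want to get access". Since the hunk already states the precondition "**SMB signing must be disabled**", consider adding the matching mitigation sentence next to it, as the other page in this commit does for WPAD, so the defensive takeaway is not lost in the move.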
@ -145,5 +174,6 @@ To mitigate against the WPAD attack, you can add an entry for "wpad" in your DNS
**Images from:** [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)
[https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)
[https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
[https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
[https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
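Review bot: the intrinium.com/smb-relay-attack-tutorial/ link appears twice in consecutive lines; if that is a removed and an added copy the change is a no-op, otherwise the reference is duplicated and one should go. The "**Images from:**" label only applies to the first URL, while the following links read as text sources, so a separate "Sources:" line would make the attribution clearer.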


@ -159,48 +159,11 @@ wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>
**For more information about** [**how to obtain credentials from a Windows host you should read this page**](../stealing-credentials/)**.**
## More about NTLM Relay and Responder
## NTLM Relay and Responder
**Read** [**here a more detailed guide**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) **on howto perform those attacks**
**Read more detailed guide on how to perform those attacks here:**
## NTLM relay
Because of how the NTLM authentication behaves, if you could make a **client to authenticate against you**, you could **use its credentials to access another machine**. This will work by sending the **same challenge** that the **server sends to you to the victim**, and send the **response of the challenge of the victim to the server**. You won't even need to crack the challenge response of the victim because you will use it to connect to another machine.
You can perform this attack using **metasploit module**: `exploit/windows/smb/smb_relay`
The option `SRVHOST` is used to point the server **were you want to get access**.
Then, when **any host try to authenticate against you**, metasploit will **try to authenticate against the other** server.
You **can't authenticate against the same host that is trying to authenticate against you** \(MS08-068\). **Metasploit** will **always** send a "_**Denied**_" **response** to the **client** that is trying to connect to you.
You can also perform this attack using the **impacket tool**: _**smbrelayx.py**_
```text
smbrelayx.py .h <HOST_to_attack> [-c <Command_to_exec>] [-e <path_to_binary_to_exec>]
```
This **attack can be easily solved implementing SMB** _**Signing**_ \(by default only Windows servers implements that option\).
Read: [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
## Getting Credentials with Responder
Responder will create a lot of services that can **capture credentials when someone try to access them**. It can also send **fake DNS responses** \(so the IP of the attacker is resolved\) and can inject **PAC files** so the victim will get the IP of the **attacker as a proxy**.
```text
responder.py -I <interface> -w On #If the computer detects the LAN configuration automatically, this will impersonate it
```
You can also **resolve NetBIOS** requests with **your IP**. And create an **authentication proxy**:
```text
responder.py -I <interface> -rPv
```
You won't be able to intercept NTLM hashes \(normally\), but you can easly grab some **NTLM challenges and responses** that you can **crack** using for example _**john**_ option `--format=netntlmv2`.
The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
{% page-ref page="../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
## Parse NTLM challenges from a network capture
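Review bot: the removed smbrelayx line shows the option as `.h <HOST_to_attack>`; Impacket's flag is `-h`, so if this snippet was carried over to the spoofing page in the other file of this commit, correct it there. Consolidating the `## NTLM relay` and `## Getting Credentials with Responder` sections into the `{% page-ref %}` is the right call, since they duplicated the spoofing page, but the new line "**Read more detailed guide on how to perform those attacks here:**" should read "Read a more detailed guide on how to perform those attacks here:" and relies on the page-ref landing directly beneath it once the block in between is gone; please confirm that in the rendered output. One thing lost in the deletion is the only mitigation note this page had ("This **attack can be easily solved implementing SMB** _**Signing**_"); make sure the linked page keeps an equivalent sentence.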