Hash Collection
Responder
Responder can usually be used if we control a Linux machine with root privileges on the same network/subnet as the target system. It spoofs/poisons responses in order to collect hashes over several protocols. A common attack technique Responder executes automatically is LLMNR/NBT-NS poisoning.
https://github.com/lgandx/Responder
Make sure to edit the config file to specify which hosts to respond to, as responding to all hosts can get messy.
Smbserver.py
Forcing Authentication
Windows Shortcuts (.lnk)
Triggered on opening the containing folder in explorer.
Or using crop from the farmer-toolkit.
URL files (.url)
Triggered on opening the containing folder in explorer.
Windows Library Files (.library-ms)
Triggered on opening the containing folder in explorer.
Windows Search Connectors (.searchConnector-ms)
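A defender-side check for the file types listed above, as an added example that is not part of the original notes: it walks a share and reports `.lnk`, `.url`, `.library-ms` and `.searchConnector-ms` files that embed a UNC host outside an allowlist. The function names and the allowlist parameter are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# File types this section lists as triggering when the folder is viewed.
WATCHED = {".lnk", ".url", ".library-ms", ".searchconnector-ms"}

# \\host\ as single-byte text (.url, XML formats) ...
ASCII_UNC = re.compile(rb"\\\\([A-Za-z0-9._@-]+)\\")
# ... and as UTF-16LE, which is how .lnk files store Unicode strings.
UTF16_UNC = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._@-]\x00)+)\\\x00")


def unc_hosts(data):
    """Return the lower-cased hosts of every UNC path found in raw bytes."""
    raw = {m.group(1) for m in ASCII_UNC.finditer(data)}
    # Every second byte of a UTF-16LE match is the ASCII character.
    raw |= {m.group(1)[::2] for m in UTF16_UNC.finditer(data)}
    # "host@80" / "host@SSL" is the WebDAV form of a UNC host; keep the host.
    return {h.decode("ascii").split("@")[0].lower() for h in raw}


def scan_share(root, allowed_hosts):
    """List (file, host) pairs where a watched file references a UNC host
    that is not in allowed_hosts (assumed: your known file servers)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED:
            for host in sorted(unc_hosts(path.read_bytes()) - allowed):
                findings.append((str(path), host))
    return findings


if __name__ == "__main__":
    # Usage: script.py <share root> [allowed host ...]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, host in scan_share(root, sys.argv[2:]):
        print(f"{path}: references \\\\{host}")
```

Run it against writable shares on a schedule; a hit on a host that is not one of your file servers is worth triaging together with outbound SMB/WebDAV logs from clients that browsed the folder.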
Auto-updating links in Office Files
See Fertilizer. This is especially nice because, no matter whether the user clicks yes or no on the warning message, the hash is still sent.
Direct UNC Path Access
In case a webshell or similar exists, we can just call a UNC path directly, e.g.:
Note that if you want the authentication to actually succeed here in order to retrieve a file, either null sessions must be enabled on the victim (which is not the default) or you need to have the correct user configured on your end (the one Windows is authenticating as).
References
https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/