Credential Attacks & Relay — From Kali

Quick Reference

| Technique | Tool | Prerequisite | Output |
|---|---|---|---|
| LLMNR/NBT-NS Poisoning | Responder | Network access (SMB signing does not matter for capture) | NTLMv1/v2 challenge-responses |
| SMB Relay | ntlmrelayx.py | SMB signing disabled on target | SAM dump / shell |
| LDAP Relay | ntlmrelayx.py | LDAP on DC reachable, signing not enforced | Computer accounts / RBCD |
| IPv6 Poisoning | mitm6 + ntlmrelayx | IPv6 not disabled on network | LDAP relay → DA |
| Coercion + Relay | PetitPotam / printerbug | Auth path to coerced machine | NTLM relay or TGT |
| DCSync | secretsdump.py | Domain Admin or replication rights | All NTLM hashes + AES keys |
| LSASS Dump | lsassy | Local admin on target | Plaintext (if WDigest caching is on) / NTLM hashes |
| GPP Passwords | nxc -M gpp_password | Domain user | Cleartext credential |
| Password Spraying | nxc smb/ldap | Valid username list | Valid credentials |

LLMNR/NBT-NS Poisoning with Responder

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are the fallback name-resolution protocols Windows uses when DNS cannot resolve a name. The host then multicasts an LLMNR query (UDP 5355) and broadcasts an NBT-NS query (UDP 137) on the local subnet, and any host on that subnet is free to answer. Responder answers with the attacker's IP, so the victim connects to Responder's rogue SMB/HTTP/LDAP listeners and authenticates with NTLM. What gets captured is the NTLMv1 or NTLMv2 challenge-response (the "hash" in Responder's logs), which is cracked offline or, when the target does not enforce signing, relayed. ...

17 min · MrAzoth