
Responder

Found 2 related articles

  • 2025-01-26

    Noxious - LLMNR Poisoning and NTLMv2 Hash Cracking


    Network forensics writeup detailing the analysis of an LLMNR poisoning attack. The process covers identifying the rogue device via LLMNR and DHCP traffic, locating the victim's credential leak (NTLMv2 hash) within SMB Session Setup packets, extracting NTLM Challenge/Response components, and performing hash cracking with Hashcat to recover the plaintext password, providing full context on the credential theft incident.

    HackTheBox Sherlocks Threat-Hunting SOC Wireshark LLMNR-Poisoning Responder NTLMv2 Hashcat Windows-Forensics
  • 2024-11-23

    Responder - LFI/RFI Chain to NTLMv2 Hash Capture and WinRM Access


    Technical writeup detailing the initial compromise of the Responder machine. The attack chain involves exploiting a Local File Inclusion (LFI) vulnerability in a PHP application, escalating it to an RFI-style attack by injecting a UNC path to force an SMB authentication attempt. The resulting NTLMv2 hash is captured using the Responder tool, cracked with Hashcat, and used to gain full remote access via Evil-WinRM on port 5985.

    HackTheBox WinRM LFI RFI UNC-Path-Injection SMB-Relay NTLMv2-Hashcat Responder Evil-WinRM PHP-Exploitation Windows-Exploitation