A very common attack that many networks are vulnerable to is called LLMNR or NBT-NS poisoning. Through this attack it is possible to capture a user's NTLMv1 or NTLMv2 password hash. A more interesting attack can be carried out under the same premise, though: instead of only capturing a password hash, the user's authentication to another host can be relayed and exploited to run arbitrary code on that server. In this episode of Tradecraft Security Weekly, Beau Bullock (@dafthack) shows how to perform this attack using the PowerShell tool Inveigh.
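As an added example (not code from the episode or from Inveigh), the following PowerShell audit reads the three host settings that decide whether this attack works against a given Windows machine: whether LLMNR is disabled, whether NetBIOS over TCP/IP is disabled on every interface, and whether the SMB server requires signing (a relayed session is rejected when signing is required). It assumes an elevated prompt on a Windows host and uses the standard registry locations for those settings; it only reads values.

```powershell
# Added example, not part of the episode: audit a Windows host for the
# settings that LLMNR/NBT-NS poisoning and NTLM relay depend on.
# Assumes an elevated prompt; all registry access is read-only.

function Get-LlmnrRelayExposure {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. LLMNR: policy value EnableMulticast = 0 disables it; absent means enabled.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                              -Name EnableMulticast -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Control = 'LLMNR disabled'
        Value   = $(if ($null -eq $llmnr) { 'not configured (enabled by default)' } else { $llmnr.EnableMulticast })
        Pass    = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
    }

    # 2. NBT-NS: NetbiosOptions = 2 on each Tcpip_* interface disables NetBIOS over TCP/IP.
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' `
                            -ErrorAction SilentlyContinue
    $nbtEnabled = @($ifaces | ForEach-Object {
        (Get-ItemProperty $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    } | Where-Object { $_ -ne 2 })
    $findings += [pscustomobject]@{
        Control = 'NetBIOS over TCP/IP disabled on all interfaces'
        Value   = "$($nbtEnabled.Count) interface(s) still enabled"
        Pass    = ($nbtEnabled.Count -eq 0)
    }

    # 3. SMB signing: RequireSecuritySignature = 1 makes the server refuse unsigned
    #    sessions, which is what stops a relayed authentication from being used.
    $smb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                            -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Control = 'SMB server signing required'
        Value   = $(if ($null -eq $smb) { 'not configured' } else { $smb.RequireSecuritySignature })
        Pass    = ($null -ne $smb -and $smb.RequireSecuritySignature -eq 1)
    }

    $findings
}

Get-LlmnrRelayExposure | Format-Table -AutoSize
```

Any row with Pass = False is a host where the poisoning or relay step in the episode still has something to work with; signing should be checked on every SMB server in scope, not only on the workstation being audited.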

LINKS:

- Inveigh
- Nmap SMB-Signing Discovery
- byt3bl33der blog post
- SANS blog post
- LLMNR & NBT-NS Blog Post
- Responder Multi-Relay
- Impacket SMBRelayx
- Metasploit SMB_Relay Module

Audio: http://traffic.libsyn.com/tswaudio/Relaying_NTLMv1_v2_-_Tradecraft_Security_Weekly_14_converted.mp3