Overview
OctoPwn's servers allow hosting services on the local system enabling man-in-the-middle (MitM) attacks and credential harvesting by exploiting network protocols like LLMNR, mDNS, NTLM, and more. These servers can enable you to do poisoning, spoofing, and relaying attacks to capture credentials or escalate privileges in Active Directory environments.
Please note that you will need to open the ports required for these protocols to operate.
Getting Started
1. Configure Prerequisites
- Targets: Add victim IPs/hostnames to the Targets Window.
- Credentials: Ensure credentials for spoofing/relaying are stored in the Credentials Hub.
- Firewall: Open ports (e.g., UDP 5355 for LLMNR, TCP 80/443 for Relay).
2. Start a Server
-
LLMNR/mDNS Server:
-
Set
spoof=1
to enable response spoofing. -
Use
localip
to define the attacker’s IP. -
Captured hashes are saved to
/browserfs/volatile/results.txt
.
-
-
Relay Server:
-
Specify
ldaptargets
orhttptargets
for relay destinations. -
Use
adcstemplate
to request certificates during ADCS relaying.
-
3. Trigger Authentication
-
Coercion Techniques:
-
Use
printerbug
(via SMB Client) or host malicious WebDAV shares. -
Combine relay with LLMNR/mDNS poisoning to redirect victims.
-
4. Analyze Results
-
Hashes: Crack captured Net-NTLMv2 hashes with tools like Hashcat.
-
Certificates: Use obtained certificates for Kerberos authentication.