
Snagging creds from locked Windows/OS X machines using USB-Armory/Hak5-Turtle - liotier
https://room362.com/post/2016/snagging-creds-from-locked-machines/
======
profeta
Anyone understand what exactly the system is broadcasting to the new DHCP
server? I can't imagine any system is so bad as to send anything more
sensitive than a user name.

~~~
cjcampbell
The explanation is somewhat convoluted, but I believe they're impersonating a
Windows server and convincing the target to send NTLMv2 credentials for the
logged-in user. Haven't looked at the protocols for a bit, but there may be
some restrictions on when you're able to use this attack vector, e.g., local
file sharing permitted, domain member, etc.

I'm thinking our intern might be willing to test out a few more theories and
put together a more comprehensive blog post.

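As an added illustration of the NTLMv2 point in the comment above (this is example code written for this page, not from the post, room362, or Responder): a small defender-side parser for the NTLM type-3 message a Windows client sends when it authenticates, showing which account and workstation it names, whether the response is NTLMv2, and which server name the client believed it was talking to, so that authentication to an unknown host can be flagged in a capture. All names (`CORP`, `jdoe`, `ROGUE-BOX`) and the fixture builder are constructed for the example; field offsets follow the MS-NLMP AUTHENTICATE_MESSAGE layout.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
MSV_AV_NB_COMPUTER_NAME = 0x0001  # AV_PAIR id carrying the server's NetBIOS name

def _field(msg, off):
    # Security-buffer descriptor: Len(2) MaxLen(2) Offset(4), little-endian
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def parse_ntlm_type3(msg):
    """Extract account, workstation, NTLM version and the server name the client targeted."""
    if msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    nt_resp = _field(msg, 20)
    info = {
        "domain": _field(msg, 28).decode(codec, "replace"),
        "user": _field(msg, 36).decode(codec, "replace"),
        "workstation": _field(msg, 44).decode(codec, "replace"),
        "ntlmv2": len(nt_resp) > 24,  # an NTLMv1 NT response is exactly 24 bytes
        "target_name": None,
    }
    if info["ntlmv2"]:
        # NTProofStr(16), then blob: RespType(1) HiRespType(1) Reserved(6) Time(8)
        # ClientChallenge(8) Reserved(4) AvPairs...  -> AV pairs start at 16 + 28
        pos = 16 + 28
        while pos + 4 <= len(nt_resp):
            av_id, av_len = struct.unpack_from("<HH", nt_resp, pos)
            if av_id == 0:  # MsvAvEOL
                break
            if av_id == MSV_AV_NB_COMPUTER_NAME:
                info["target_name"] = nt_resp[pos + 4:pos + 4 + av_len].decode("utf-16-le", "replace")
            pos += 4 + av_len
    return info

def is_unexpected_target(info, known_servers):
    """True when the client authenticated to a server name outside the inventory (or none at all)."""
    known = {s.upper() for s in known_servers}
    return info["target_name"] is None or info["target_name"].upper() not in known

def _utf16(s):
    return s.encode("utf-16-le")

def build_type3_fixture(domain, user, workstation, target):
    """Constructed test message with zeroed response bytes: no real credential material."""
    av_pairs = struct.pack("<HH", MSV_AV_NB_COMPUTER_NAME, len(_utf16(target))) + _utf16(target) + struct.pack("<HH", 0, 0)
    nt_resp = bytes(16) + b"\x01\x01" + bytes(26) + av_pairs  # NTProofStr + NTLMv2 blob
    fields, payload = b"", b""
    for data in (b"", nt_resp, _utf16(domain), _utf16(user), _utf16(workstation), b""):
        fields += struct.pack("<HHI", len(data), len(data), 88 + len(payload))  # fixed header is 88 bytes
        payload += data
    return NTLMSSP_SIG + struct.pack("<I", 3) + fields + struct.pack("<I", NEGOTIATE_UNICODE) + bytes(24) + payload
```

Run `parse_ntlm_type3(build_type3_fixture("CORP", "jdoe", "LAPTOP01", "ROGUE-BOX"))` to see the fields a reviewer would check; on a real capture, feed it the NTLMSSP blob extracted from the SMB or HTTP authentication exchange.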
~~~
cjcampbell
Check out
[https://github.com/Spiderlabs/Responder](https://github.com/Spiderlabs/Responder)
for some additional info and links.

