🛠️ Step 1: Initial Network Poisoning & Traffic Capture

• Start with mitm6 or Responder to intercept authentication traffic. (Early in the morning/After lunch)
• Use ntlmrelayx to relay captured credentials if possible.
• Monitor for IPv6 fallback attacks in case IPv4 is prioritized.

🔍 Step 2: Network & Host Enumeration

• Run network scans (nmap, crackmapexec) to generate and capture traffic.
• If scans take too long, focus on low-noise recon (e.g., http_version, smbmap).
• Identify open shares (smbclient, net view).
• Check Group Policy Preferences (GPP) for stored credentials.
• Query LDAP for user and machine accounts (ldapsearch, bloodhound).

🔑 Step 3: Exploiting Web-Based Targets

• Look for default credentials in:
  • Printers (hp, ricoh, canon, sharp)
  • Jenkins, Tomcat, Webmin, Splunk, etc.
  • SharePoint, Confluence, GitLab
• Try password spraying on portals with common passwords.
• Identify exposed API endpoints for unauthenticated access.

📌 Step 4: Lateral Movement & Privilege Escalation

• Use captured NTLM hashes to relay (ntlmrelayx, smbexec).
• Attempt Pass-Back Attacks on trusted devices.