Something incorrect in LAB DNS & SMB Relay Attack in course: Network based attacks

@AlexisA

Hi!
I’m running into a question while doing the lab: DNS & SMB Relay Attack in course: Host & Network Penetration Testing: Network based attacks

The goal is to intercept the NTLM hash from the client to authenticate to the target system 172.16.5.10. The client, the fileserver and the target system are all in the same local network.
The client (Windows 7) issues an SMB connection to the fileserver every 30 seconds.

In the solution as well as the explaining video, however, they set up an ARP spoof between the client and the router (default gateway). What I don’t understand: to catch the SMB traffic between the client and the file server, shouldn’t they set up the arpspoof between those 2 devices then? I don’t understand why the interception is set up between the client and the default gateway; then it will only catch SMB traffic that goes to subnet 10.10.10.0/24.

Am I missing something?

I thought setting up spoofing between the client and the fileserver would be the solution to catch the hash.

If someone can clarify and help me with this I would be very grateful. Already tried ChatGPT but she came to the same conclusion, so not sure now what’s right!

Thank you!!!
Lisa