<aside> 💡 Man-in-the-middle attacks are best done between a subnet's default gateway and a box that sends information through that gateway into a different network. Use ARP spoofing to see what's going on between you and a network you don't have access to, assuming you've already found such a network by doing a zone transfer.
</aside>
Run the following command in two separate terminals and capture the traffic between the spoofed host IP and the target IP with Wireshark. Look out for credentials sent over HTTP, FTP etc., and also for NTLM/LM hashes.
arpspoof -i <interface> -t <target_ip> -r <host_ip>
meterpreter > use sniffer
meterpreter > sniffer_interfaces
meterpreter > sniffer_start <interface_id>
meterpreter > sniffer_dump 2 /tmp/sniff2.pcap
# the pcap can then be downloaded and analysed in Wireshark
TCPDUMP (command-line sniffer/analyzer) for Windows
If a Windows client cannot resolve a hostname using DNS, it will use the Link-Local Multicast Name Resolution (LLMNR) protocol to ask neighbouring computers. LLMNR can be used to resolve both IPv4 and IPv6 addresses.
If this fails, the NetBIOS Name Service (NBT-NS) will be used. NBT-NS is a protocol similar to LLMNR that serves the same purpose. The main difference between the two is that NBT-NS works over IPv4 only.
When LLMNR or NBT-NS is used to resolve a name, any host on the network that knows (or claims to know) the IP of the host being asked about can reply. Neither protocol authenticates the answer, so even a reply containing incorrect information is still accepted as legitimate.
Responder answers LLMNR and NBT-NS queries, giving its own IP address as the answer for any hostname requested.
responder -I <interface> --lm
--lm Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False
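The defender's side of the LLMNR behaviour described above, as an added example that is not part of the original notes or of Responder: it parses constructed LLMNR answers (RFC 4795 layout, which is the DNS packet format) and flags any host that answers for a hypothetical canary name no machine owns, or that answers for several different names, which a legitimate host never does. All IPs, hostnames and the canary name are constructed for the example.

```python
import struct
CANARY = "honey-filesrv-7"   # hypothetical name no real host owns: any answer for it is a poisoner

def build_llmnr_response(name, ip, txid=0x1234):
    """Constructed LLMNR answer: DNS-style header with QR bit set, one question, one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)    # ID, flags(QR), QD, AN, NS, AR
    question = qname + struct.pack(">HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    answer = qname + struct.pack(">HHIH", 1, 1, 30, 4)            # A, IN, TTL=30, RDLENGTH=4
    return header + question + answer + bytes(int(o) for o in ip.split("."))

def read_name(payload, off):
    """Read a DNS-style name at off (a compression pointer ends it, unfollowed); return (name, next offset)."""
    labels = []
    while payload[off] and payload[off] < 0xC0:                   # 0xC0.. is a compression pointer
        labels.append(payload[off + 1:off + 1 + payload[off]].decode())
        off += 1 + payload[off]
    return ".".join(labels), off + (2 if payload[off] else 1)

def parse_llmnr(payload):
    """Return (is_response, queried_name, answered_ipv4_or_None) for a UDP/5355 payload."""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", payload[:12])
    name, off = read_name(payload, 12)
    if not flags & 0x8000 or ancount == 0:
        return False, name, None
    _, off = read_name(payload, off + 4)                          # +4 skips QTYPE and QCLASS
    rtype, _, _, rdlen = struct.unpack(">HHIH", payload[off:off + 10])
    rdata = payload[off + 10:off + 14]
    return True, name, ".".join(map(str, rdata)) if (rtype, rdlen) == (1, 4) else None

def find_poisoners(packets, min_names=3):
    """Flag a source answering the canary or several distinct names; a real host answers only for itself."""
    names_by_src, alerts = {}, []
    for src, payload in packets:                                  # packets: (src_ip, UDP/5355 payload)
        is_resp, name, ip = parse_llmnr(payload)
        if is_resp:
            names_by_src.setdefault(src, set()).add(name.lower())
            if name.lower() == CANARY:
                alerts.append(f"{src} answered canary {name} with {ip}")
    for src, names in names_by_src.items():
        if len(names) >= min_names:
            alerts.append(f"{src} answered {len(names)} different names: {sorted(names)}")
    return alerts

SAMPLE_PACKETS = [   # constructed capture: 10.0.0.20 answers only for itself, 10.0.0.99 answers everything
    ("10.0.0.20", build_llmnr_response("FILESRV01", "10.0.0.20")),
    ("10.0.0.99", build_llmnr_response("FILESRV01", "10.0.0.99")),
    ("10.0.0.99", build_llmnr_response("PRNTSRV02", "10.0.0.99")),
    ("10.0.0.99", build_llmnr_response(CANARY, "10.0.0.99")),
]
```

Feeding real UDP/5355 payloads from a capture into find_poisoners gives the same two alert types; a host that only ever answers for its own name is never flagged.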