Attack Path: Credential Capture & MITM Chain #46

@samugit83

Description

Implement a dedicated classified attack path for credential capture via fake services, network poisoning, and hash cracking — Metasploit capture servers + LLMNR/NBNS/mDNS spoofing + john/hashcat cracking pipeline.

Why the unclassified fallback isn't enough

Credential capture is fundamentally different from every other attack path because it requires running multiple services simultaneously and waiting for the victim to authenticate:

  1. Temporal coordination: the agent must start a capture server (SMB, HTTP NTLM, FTP) as a background job, THEN start a spoofing module (LLMNR, NBNS, mDNS) as ANOTHER background job, THEN wait. These must run concurrently — killing one to start the other defeats the purpose. Without workflow guidance, the agent runs use auxiliary/server/capture/smb followed by run (foreground, blocks) → never starts the spoofing module.
  2. The "wait and monitor" pattern is unique: every other attack path is fire-and-forget (exploit → session) or iterative (brute force → found/not found). Credential capture requires patience — the agent sets up the trap and must periodically check jobs, review captured hashes, and decide when to stop waiting. This is a completely different execution model that the unclassified fallback doesn't understand.
  3. Output file management: capture modules save hashes to files (JOHNPWFILE /tmp/smb_hashes). The agent must know to set this option, then read the file after captures arrive, then feed it to john/hashcat with the correct hash format flag. Without workflow prompts, it doesn't set JOHNPWFILE and can't find the captured hashes.
  4. Attack chaining after crack: after cracking a hash, the agent must pivot — use the credential for Pass-the-Hash (psexec), authenticate to other services, or escalate. This transition from "passive capture" to "active exploitation" requires explicit routing guidance.
  5. Environment requirements: ARP poisoning and NBNS spoofing require specific network positioning. The agent needs to check if it's on the same subnet, verify interface names, and understand that these attacks only work on local networks — not across the internet.
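The detection counterpart to the spoofing step above, as an added example that is not part of this issue or the project's code: a legitimate host answers LLMNR/NBNS queries only for its own name, so a single IP that answers for many unrelated names in a short window, or that answers for a deliberately unregistered canary name, is the signature of a poisoner on the segment. The response records, the `CANARY_NAMES` set and the thresholds below are constructed assumptions for the example.

```python
"""Flag LLMNR/NBNS poisoning from name-resolution response records.

Added example, not code from the issue or the project. Records are constructed
tuples of (ISO timestamp, protocol, queried name, responder IP), one per
LLMNR or NBNS response observed on the local segment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one responder (10.0.0.5) answers for every name asked,
# including a canary that is not registered anywhere; 10.0.0.20 answers only
# for its own name, which is normal behaviour.
SAMPLE_RESPONSES = [
    ("2024-01-01T10:00:01", "LLMNR", "fileserver01", "10.0.0.5"),
    ("2024-01-01T10:00:03", "LLMNR", "prnt-srv", "10.0.0.5"),
    ("2024-01-01T10:00:04", "NBNS", "WPAD", "10.0.0.5"),
    ("2024-01-01T10:00:06", "LLMNR", "shareXYZ", "10.0.0.5"),
    ("2024-01-01T10:00:09", "NBNS", "CANARY-DOES-NOT-EXIST", "10.0.0.5"),
    ("2024-01-01T10:00:12", "LLMNR", "fileserver01", "10.0.0.20"),
]

# Hypothetical canary names: deliberately unregistered, queried periodically by
# a monitoring host so that any answer at all is evidence of spoofing.
CANARY_NAMES = {"canary-does-not-exist"}


def find_promiscuous_responders(records, threshold=3, window=timedelta(minutes=1)):
    """Return {responder_ip: sorted names} for every responder that answered
    for `threshold` or more distinct names inside some `window`-long period.
    The sliding window runs over each responder's responses in time order."""
    by_responder = defaultdict(list)
    for ts, _proto, name, ip in records:
        by_responder[ip].append((datetime.fromisoformat(ts), name.lower()))

    flagged = {}
    for ip, events in by_responder.items():
        events.sort()
        for i, (t_end, _) in enumerate(events):
            # Distinct names this responder claimed in the window ending at t_end.
            names = {n for t, n in events[: i + 1] if t_end - t <= window}
            if len(names) >= threshold:
                flagged[ip] = sorted(names)
                break
    return flagged


def find_canary_hits(records, canaries=CANARY_NAMES):
    """Return (queried name, responder_ip) for responses to canary names.
    Nothing legitimate owns these names, so any answer is a poisoner."""
    return [(name, ip) for _, _, name, ip in records if name.lower() in canaries]


if __name__ == "__main__":
    for ip, names in find_promiscuous_responders(SAMPLE_RESPONSES).items():
        print(f"ALERT promiscuous responder {ip} claimed: {', '.join(names)}")
    for name, ip in find_canary_hits(SAMPLE_RESPONSES):
        print(f"ALERT canary {name} answered by {ip}")
```

Both heuristics are cheap enough to run over a packet-capture summary or a resolver log on every segment where the protocols are still enabled; the durable mitigation is to turn off LLMNR and NetBIOS name resolution on hosts that do not need them, which removes the broadcast fallback these capture chains depend on.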

What already exists

  • All Metasploit capture server modules documented (Category 6 in README.ATTACK_PATHS.md)
  • Spoofing modules (ARP, NBNS, LLMNR, mDNS, DNS, WPAD)
  • kali_shell with john and hashcat access
  • Metasploit background job support (run -j)

What needs to be built

  • New attack path classification: credential_capture_mitm
  • Workflow prompts for the 3-step pipeline (set up capture → force auth → crack hashes)
  • Background job management guidance (multiple concurrent Metasploit jobs)
  • "Wait and monitor" execution pattern (periodic hash file checks)
  • Hash format auto-detection and cracking tool selection
  • Post-crack pivot guidance (credential → lateral movement)
  • Network positioning checks (same subnet verification for poisoning attacks)

Metadata

Assignees: No one assigned

Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Projects: Status: Up for grabs

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests