Table of Contents
Responder Rogue Authentication Servers
Responder has several rogue authentication servers supporting Basic authentication, NTLMv1/v2 and Kerberos.
These servers are listed below:
-
SMBv1 & SMBv2: Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set.
-
MSSQL: This server supports NTLMv1, NTLMv2 hashes and MSSQL Authentication (plaintext). These functionalities were successfully tested on Windows SQL Server 2005, 2008, 2012, 2019.
-
HTTP: This server supports NTLMv1, NTLMv2 hashes and Basic Authentication and also handles WebDAV authentication. This server was successfully tested on IE 6 to IE 11, Edge, Firefox, Chrome, Safari. You can also customize this server to send files or server a custom HTML page, see Responder.conf.
-
HTTPS: This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 11, Edge, Firefox, Chrome, Safari. You can also customize this server to send files or server a custom HTML page, see Responder.conf.
-
LDAP: This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested with Windows Support tool "ldp" and LdapAdmin on Windows 2003, 2008, 2012, 2019.
-
RDP: This server supports NTLMSSP hashes. It was successfully tested on Windows versions ranging from 7 to Server 2019.
-
DCE-RPC: This server supports NTLMSSP hashes. This server was successfully tested on Windows versions ranging from XP to Server 2019.
-
WinRM: This server supports NTLMSSP hashes and Basic authentication. This server was successfully tested on Windows versions ranging from XP to Server 2019.
-
Kerberos: This module grabs Kerberos 5 TGS-REP (type 23) and formats it in a hashcat format.
-
Proxy Server: This module is a proxy authentication server and is highly efficient during WPAD attacks.
-
Rogue DHCP: This server listen on layer 2 and wait for DHCP clients Discover or Renew requests. Once it gets one it will race against the legitimate DHCP server and will send its answer to the victim. Usually, only a WPAD URL is injected via DHCP option 252, to prevent modification of previous network setting and therefore cause disruption. This module is highly effective.
-
WPAD: This module will capture and proxy all HTTP requests from anyone launching Internet Explorer on the network if they have "Auto-detect settings" enabled. This module is highly effective. You can configure your custom PAC script in Responder.conf and inject HTML into the server's responses. See Responder.conf.
-
DNS: This server will answer SRV and A queries. This is really handy when it's combined with ARP spoofing.
-
FTP, POP3, IMAP, SMTP: All these servers collects plaintext authentication.