Rogue Authentication Servers
lgandx edited this page 2021-04-20 00:24:17 -03:00

Responder Rogue Authentication Servers

Responder has several rogue authentication servers supporting Basic authentication, NTLMv1/v2 and Kerberos.

These servers are listed below:

  • SMBv1 & SMBv2: Supports NTLMv1 and NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Cleartext passwords are supported for NT4, and LM hashing downgrade is available when the --lm option is set.

  • MSSQL: This server supports NTLMv1, NTLMv2 hashes and MSSQL Authentication (plaintext). These functionalities were successfully tested on Windows SQL Server 2005, 2008, 2012, 2019.

  • HTTP: This server supports NTLMv1, NTLMv2 hashes and Basic Authentication and also handles WebDAV authentication. This server was successfully tested on IE 6 to IE 11, Edge, Firefox, Chrome, Safari. You can also customize this server to send files or serve a custom HTML page, see Responder.conf.

  • HTTPS: This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 11, Edge, Firefox, Chrome, Safari. You can also customize this server to send files or serve a custom HTML page, see Responder.conf.

  • LDAP: This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested with Windows Support tool "ldp" and LdapAdmin on Windows 2003, 2008, 2012, 2019.

  • RDP: This server supports NTLMSSP hashes. It was successfully tested on Windows versions ranging from 7 to Server 2019.

  • DCE-RPC: This server supports NTLMSSP hashes. This server was successfully tested on Windows versions ranging from XP to Server 2019.

  • WinRM: This server supports NTLMSSP hashes and Basic authentication. This server was successfully tested on Windows versions ranging from XP to Server 2019.

  • Kerberos: This module grabs Kerberos 5 TGS-REP (type 23) and formats it in hashcat format.

  • Proxy Server: This module is a proxy authentication server and is highly efficient during WPAD attacks.

  • Rogue DHCP: This server listens on layer 2 and waits for DHCP client Discover or Renew requests. Once it gets one, it races against the legitimate DHCP server and sends its answer to the victim. Usually, only a WPAD URL is injected via DHCP option 252, so that the client's previous network settings are not modified and no disruption is caused. This module is highly effective.

  • WPAD: This module will capture and proxy all HTTP requests from anyone launching Internet Explorer on the network if they have "Auto-detect settings" enabled. This module is highly effective. You can configure your custom PAC script in Responder.conf and inject HTML into the server's responses. See Responder.conf.

  • DNS: This server will answer SRV and A queries. This is really handy when it's combined with ARP spoofing.

  • FTP, POP3, IMAP, SMTP: All these servers collect plaintext authentication.
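
A defensive check for the Rogue DHCP and WPAD behaviour described above, as an added example that is not part of Responder or this wiki: it parses DHCP reply payloads, reports OFFER/ACK messages whose server identifier is outside an allowlist, and shows any option 252 (WPAD) URL they carry. The function names, the allowlist and the sample packets (documentation address range) are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 values that only servers send

def parse_dhcp(payload):
    """Return (xid, {option: value}) for a DHCP UDP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                           # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                               # truncated option
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return xid, opts

def find_rogue_replies(payloads, allowed_servers):
    """Report OFFER/ACK replies whose server identifier (option 54) is not allowlisted."""
    replies = defaultdict(list)                       # xid -> [(server, option 252 value)]
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed and (parsed[1].get(53) or b"\0")[0] in (OFFER, ACK):
            server = ".".join(map(str, parsed[1].get(54, b"")))
            replies[parsed[0]].append((server, parsed[1].get(252)))
    # "raced" is True when a legitimate server answered the same transaction id
    return [{"xid": xid, "server": srv, "wpad": wpad.decode("ascii", "replace") if wpad else None,
             "raced": any(s in allowed_servers for s, _ in seen)}
            for xid, seen in replies.items() for srv, wpad in seen if srv not in allowed_servers]

def build_reply(xid, server_ip, wpad=None):
    """Constructed sample DHCPOFFER payload (test data only, not a capture)."""
    opts = bytes([53, 1, OFFER, 54, 4, *map(int, server_ip.split("."))])
    if wpad:
        opts += bytes([252, len(wpad)]) + wpad.encode()
    return struct.pack("!BBBBI", 2, 1, 6, 0, xid) + bytes(228) + MAGIC + opts + b"\xff"

SAMPLES = [build_reply(0x1234, "192.0.2.1"),          # constructed: legitimate offer
           build_reply(0x1234, "192.0.2.66", "http://192.0.2.66/wpad.dat"),
           build_reply(0x9999, "192.0.2.1")]
```

Option 54 is set by the sender, so on a real capture also compare the frame's source MAC and IP address against the known DHCP servers.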