Responder is an Active Directory/Windows environment takeover tool suite that can stealthily take over any default Active Directory environment (including Windows 2012) in minutes or hours. Most of the attacks in this tool are hard to detect and are highly successful.

Responder attacks 5 Windows core protocols:
 – LLMNR Poisoning (Windows >= Vista).
 – NetBIOS Name Service Poisoning (NBT-NS poisoning, any by default).
 – WPAD (Any by default).
 – ICMP Redirect (Windows <=2003/XP).
 – DHCP INFORM (Windows <=2003/XP) and ability to perform normal DHCP attacks (Linux, OSX, Windows) [unicast answer].

An extra protocol has been added, for OSX and Linux distributions using avahi: MDNS (Linux, Apple, any .local)
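A defender can turn the LLMNR poisoning listed above into a detection signal: no legitimate host should answer a query for a random name, so any answer points to a poisoner on the segment. The following is an added example, not part of Responder or of the original page; the function names and the "canary-" name prefix are assumptions chosen for illustration.

```python
import secrets
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """LLMNR type A query for a single-label name (DNS wire format)."""
    label = name.encode("ascii")
    return (struct.pack(">6H", txid, 0, 1, 0, 0, 0)
            + bytes([len(label)]) + label + b"\x00" + struct.pack(">2H", 1, 1))

def skip_name(pkt: bytes, pos: int) -> int:
    """Return the offset just past the (possibly compressed) name at pos."""
    while pos < len(pkt):
        n = pkt[pos]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        if n == 0:                # root label ends the name
            return pos + 1
        pos += 1 + n
    raise ValueError("truncated name")

def parse_answer(pkt: bytes, txid: int):
    """Return the IPv4 address a response claims for our query, else None."""
    try:
        rid, flags, qd, an = struct.unpack(">4H", pkt[:8])
        if rid != txid or not flags & 0x8000 or an < 1:  # wrong ID, not a response, no answer
            return None
        pos = 12
        for _ in range(qd):       # skip the echoed question(s)
            pos = skip_name(pkt, pos) + 4
        pos = skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack(">2HIH", pkt[pos:pos + 10])
    except (ValueError, struct.error):
        return None
    rdata = pkt[pos + 10:pos + 10 + rdlen]
    return socket.inet_ntoa(rdata) if rtype == 1 and len(rdata) == 4 else None

def probe(timeout: float = 2.0):
    """Query a random canary name; return (responder_ip, claimed_ip) or None."""
    name, txid = "canary-" + secrets.token_hex(4), secrets.randbits(16)  # assumed prefix
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), ("224.0.0.252", 5355))  # RFC 4795 group/port
        try:
            pkt, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return None           # silence is the healthy result
    claimed = parse_answer(pkt, txid)
    return (src, claimed) if claimed else None
```

Calling probe() on a schedule from a host on each segment and alerting on any non-None result covers LLMNR only; NBT-NS and MDNS poisoning need their own canary queries.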

When exploiting these protocol flaws, Responder has its own rogue servers listening:
– SMB Auth server. Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text passwords are supported for NT4, and LM hashing downgrade is available when the --lm option is set. This functionality is enabled by default when the tool is launched.

– MSSQL Auth server. In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than Windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.

– HTTP Auth server. In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can also send your custom files to a victim.

– HTTPS Auth server. In order to redirect HTTPS Authentication to this tool, you will need to set the -r option for Windows versions older than Vista (NBT-NS queries for HTTP server lookups are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2, and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, and Safari. The folder Cert/ was added. It contains 2 default keys, including a dummy private key. This is intentional. The purpose is to have Responder working out of the box. A script was added in case you need to generate your own self-signed key pair.

– LDAP Auth server. In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool “ldp” and LdapAdmin.

– FTP Auth server. This module will collect FTP clear text credentials.

– Kerberos v5 pre-auth server.

– Small DNS server. This server will answer type A queries. This is really handy when it’s combined with ARP spoofing, ICMP Redirect, DHCP INFORM.

– WPAD rogue transparent proxy server. This module will capture all HTTP requests from anyone launching Internet Explorer on the network. This module is highly effective. You can send your custom PAC script to a victim and inject HTML into the server’s responses. See Responder.conf.

– Analyze mode: This module allows you to see NBT-NS, BROWSER and LLMNR requests between systems without poisoning any requests. You can also map domains, MSSQL servers and workstations passively, and see if ICMP Redirect attacks are plausible on your subnet. No port scans.

– POP3 auth server. This module will collect POP3 plaintext credentials.

– SMTP auth server. This module will collect PLAIN/LOGIN clear text credentials.

– IMAP auth server.

Responder also lets you:

– Customize your penetration test via Responder.conf.
– Respond to specific in-scope NetBIOS/LLMNR names.
– Respond to specific in-scope IP addresses.
– Inject SMB share pictures into WPAD responses.
– Replace requested .exe files with your own, but shown as the original one requested.
– Replace any requested page with your custom HTML page, exe file, etc. (S-E).
– Set your custom NETNTLM Challenge.

– Logs all its activity to a file: Responder-Session.log.
– All hashes are printed to stdout and dumped in a unique hashcat-compliant file using this format: (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt. The file will be located in the current folder.
– When the option -f is set, Responder will fingerprint every host that issued an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode.

Usage example:
./Responder.py -i Your_IP_Address -rvF
Use NBT-NS workstation redirects, be verbose, force WPAD file retrieval authentication.

./Responder.py -i Your_IP_Address -A
Analyze mode shows NBT-NS/LLMNR/MDNS queries without responding and finds all MSSQL servers, Workstations, Domains, prints if you can ICMP-Redirect on the subnet. Passive reconnaissance at its best. No port scan, map a network within minutes.

Github:
https://github.com/Spiderlabs/Responder

More info:
– https://github.com/SpiderLabs/Responder/blob/master/README.md
– http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
– http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
– http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
– http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html

Twitter:
– https://twitter.com/PythonResponder

By admin