Responder

•

0 likes•243 views

Ilan Mindel

Ilan`s Syllbus - Infrastracture Module

Internet

Infrastructure
Responder and SMB Relay
1

2
Responder
Responder
A LLMNR & NBT-NS Spoofing Attack is a classic internal network attack that still works today,
due to low awareness and the fact it's enabled by default in Windows.
Responder is answering network requests with poisoned answers in the network for services
like http, https, wpad, ftp, smb and etc.., stilling the credentials of the users who try to
authenticate.
During the authentication process the client will send the rogue server a NTLMv2 hash for the
user that's trying to authenticate, this hash is captured and can be cracked offline with a tool
like Hashcat or John the Ripper or used in a pass-the-hash attack.
LLMNR and NBT-NS are enabled by default in Windows and with awareness of this attack being
fairly low you stand a good chance of being able to gather credentials on an internal penetration
test.

3
Responder - Example
Responder - Example
Setup Responder with the command below:
Responder –I eth0 –wfF
Flags explanation:
-I = Network interface.
-w = WPAD rogue proxy server.
-f = fingerprint (Detect windows and services versions).
-F = Force WPAD Authenticate

4
Responder - Example
Responder - Example
After we setup the responder all we have to do is wait for victim.
In our case the victim open the browser and WPAD server capture the user and hash.
The results are located at /usr/share/responder/logs.

6
Multi Relay
Multi Relay Configuration
To use Multi-Relay function need to edit responder configuration file.
/etc/responder/responder.conf
Switch Off the SMB and HTTP Servers.
Run the responder with the command below:
Responder –I eth0 –wfF
Run the Multi-Relay with the command below: (location:
/usr/share/responder/tools)
Python Multi-Replay.py –t 192.168.1.141 –u ALL
Flags explanation:
-t = target
-u = User To Relay
Why to use Multi Relay?
• Multi Relay give you a solution by giving you access without cracking
the password hash.
• Multi Relay have Build-in tools like mimikatz.
• Extract the SAM database and print hashes.
• Upload files and run as admin.

7
Multi Relay - Example
Multi Relay - Example
After we setup the responder and Multi Relay all we have to do is wait for victim (Must be Administrator).
In our case the victim open the SMB and authenticate the responder and Multi Relay capture the user and hash,
Login with the credentials

What's hot

Metasploit for Web WorkshopDennis Maldonado

Sembang2 Keselamatan It 2004Linuxmalaysia Malaysia

NTLMGuang Ying Yuan

Type of DDoS attacks with hping3 exampleHimani Singh

Openvpnmato2012

How to Block Malicious Address by Using Feed Service?İbrahim UÇAR

Hack The Box Nest 10.10.10.178Abhichai L.

Infrastructure SecurityUTD Computer Security Group

Windows xp compromise and remediesBikrant Gautam

EnumerationUTD Computer Security Group

Metasploit: Pwnage and PoniesTrowalts

Hta r33SelectedPresentations

Last mile authentication problem: Exploiting the missing link in end-to-end s...Priyanka Aash

What's hot (13)

Metasploit for Web Workshop

Sembang2 Keselamatan It 2004

NTLM

Type of DDoS attacks with hping3 example

Openvpn

How to Block Malicious Address by Using Feed Service?

Hack The Box Nest 10.10.10.178

Infrastructure Security

Windows xp compromise and remedies

Enumeration

Metasploit: Pwnage and Ponies

Hta r33

Last mile authentication problem: Exploiting the missing link in end-to-end s...

Similar to Responder

FreeBSD and Hardening Web ServerMuhammad Moinur Rahman

No more ARP : Another MiTm AttacksKhajornchol Puwarang

Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council

bettercap.pdfshehbaz15

Dc10 beale-attackdefendunixPriya Kelkar

Netcat 101 by-mahesh-beemaRaghunath G

Netcat - 101 Swiss Army Knifen|u - The Open Security Community

Hacking Ciscoguestd05b31

Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers

The Art of Grey-Box AttackPrathan Phongthiproek

IT Infrastrucutre SecurityS Periyakaruppan CISM,ISO31000,C-EH,ITILF

Metasploit for Penetration Testing: Beginner ClassGeorgia Weidman

linuxAjay Chawda

Linux internet server security and configuration tutorialannik147

Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf

Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567

Intrusion TechniquesFestival Software Livre

04-post-connection-attacks.pdfxasako1838

Hunting for APT in network logs workshop presentationOlehLevytskyi1

DDoS-bdNOGZobair Khan

Similar to Responder (20)

FreeBSD and Hardening Web Server

No more ARP : Another MiTm Attacks

Hacker Halted 2014 - Post-Exploitation After Having Remote Access

bettercap.pdf

Dc10 beale-attackdefendunix

Netcat 101 by-mahesh-beema

Netcat - 101 Swiss Army Knife

Hacking Cisco

Bsides-Philly-2016-Finding-A-Companys-BreakPoint

The Art of Grey-Box Attack

IT Infrastrucutre Security

Metasploit for Penetration Testing: Beginner Class

linux

Linux internet server security and configuration tutorial

Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...

Lab-10 Malware Creation and Denial of Service (DoS) In t.docx

Intrusion Techniques

04-post-connection-attacks.pdf

Hunting for APT in network logs workshop presentation

DDoS-bdNOG

Recently uploaded

Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh

Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh

Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceCall Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi

Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh

₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma

Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceCall Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson

Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls

CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Onlineanilsa9823

Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5

Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe

How is AI changing journalism? (v. April 2024)Damian Radcliffe

INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.CarlotaBedoya1

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls

Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh

Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131

(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls

Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh

Recently uploaded (20)

Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.

Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.

Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance

All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445

Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝

₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...

Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance

VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...

GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web

Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...

CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online

Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...

Moving Beyond Twitter/X and Facebook - Social Media for local news providers

How is AI changing journalism? (v. April 2024)

INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)

Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.

Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$

(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...

Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝

Responder

1. Infrastructure Responder and SMB Relay 1

2. 2 Responder Responder A LLMNR & NBT-NS Spoofing Attack is a classic internal network attack that still works today, due to low awareness and the fact it's enabled by default in Windows. Responder is answering network requests with poisoned answers in the network for services like http, https, wpad, ftp, smb and etc.., stilling the credentials of the users who try to authenticate. During the authentication process the client will send the rogue server a NTLMv2 hash for the user that's trying to authenticate, this hash is captured and can be cracked offline with a tool like Hashcat or John the Ripper or used in a pass-the-hash attack. LLMNR and NBT-NS are enabled by default in Windows and with awareness of this attack being fairly low you stand a good chance of being able to gather credentials on an internal penetration test.

3. 3 Responder - Example Responder - Example Setup Responder with the command below: Responder –I eth0 –wfF Flags explanation: -I = Network interface. -w = WPAD rogue proxy server. -f = fingerprint (Detect windows and services versions). -F = Force WPAD Authenticate

4. 4 Responder - Example Responder - Example After we setup the responder all we have to do is wait for victim. In our case the victim open the browser and WPAD server capture the user and hash. The results are located at /usr/share/responder/logs.

5. 5 Example

6. 6 Multi Relay Multi Relay Configuration To use Multi-Relay function need to edit responder configuration file. /etc/responder/responder.conf Switch Off the SMB and HTTP Servers. Run the responder with the command below: Responder –I eth0 –wfF Run the Multi-Relay with the command below: (location: /usr/share/responder/tools) Python Multi-Replay.py –t 192.168.1.141 –u ALL Flags explanation: -t = target -u = User To Relay Why to use Multi Relay? • Multi Relay give you a solution by giving you access without cracking the password hash. • Multi Relay have Build-in tools like mimikatz. • Extract the SAM database and print hashes. • Upload files and run as admin.

7. 7 Multi Relay - Example Multi Relay - Example After we setup the responder and Multi Relay all we have to do is wait for victim (Must be Administrator). In our case the victim open the SMB and authenticate the responder and Multi Relay capture the user and hash, Login with the credentials

Responder

Recommended

Recommended

More Related Content

What's hot

What's hot (13)

Similar to Responder

Similar to Responder (20)

More from Ilan Mindel

More from Ilan Mindel (9)

Recently uploaded

Recently uploaded (20)

Responder