Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix responder option

Browse source
This commit is contained in:
enaylal 2022-07-21 23:00:59 +02:00
parent e607e1511d
commit d5bf31efb9
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
View file

@ -41,7 +41,7 @@ Responder automates the WPAD attack—running a proxy and directing clients to a
> Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to _specific_ NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: [http://support.microsoft.com/kb/163409](http://support.microsoft.com/kb/163409)). By default, the tool will only answer to File Server Service request, which is for SMB.
>
> The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
> The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.
[Responder](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in _/etc/responder/Responder.conf_
@ -114,7 +114,7 @@ responder -I <Iface> --wpad
You can also **resolve NetBIOS** requests with **your IP**. And create an **authentication proxy**:
```bash
responder.py -I <interface> -rPv
responder.py -I <interface> -Pv
```
You won't be able to intercept NTLM hashes (normally), but you can easily grab some **NTLM challenges and responses** that you can **crack** using for example _**john**_ option `--format=netntlmv2`.
@ -132,7 +132,7 @@ However, spoofing DHCP answers has unique benefits. **It's definitely stealthier
> This attack is highly effective and gives you assured NTLMv1/2 hashes.
```bash
./Responder.py -I eth0 -rPdv
./Responder.py -I eth0 -Pdv
```
## Capturing credentials
@ -159,7 +159,7 @@ This attack uses the Responder toolkit to **capture SMB authentication sessions*
The 3 main **tools** to perform this attack are: **smb\_relay** (metasploit), **MultyRelay** (responder), and **smbrealyx** (impacket).
Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in **/usr/share/responder/Responder.conf** and then execute responder on the desired **interface**: `responder -I eth0 -rv`
Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in **/usr/share/responder/Responder.conf** and then execute responder on the desired **interface**: `responder -I eth0 -v`
You can perform this attack using **metasploit module**: `exploit/windows/smb/smb_relay`