Merge pull request #437 from jenaye/responder-fix

[fix]  - Responder option
This commit is contained in:
Carlos Polop 2022-07-22 00:32:25 +02:00 committed by GitHub
commit d6be036fb5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -41,7 +41,7 @@ Responder automates the WPAD attack—running a proxy and directing clients to a
> Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to _specific_ NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: [http://support.microsoft.com/kb/163409](http://support.microsoft.com/kb/163409)). By default, the tool will only answer to File Server Service request, which is for SMB.
>
> The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
> The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.
[Responder](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in _/etc/responder/Responder.conf_
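Review bot: this hunk edits the inside of a `>`-quoted block that is presented as a quotation from the Responder README, so deleting the sentence "You can set the -r option via command line if you want to answer to the Workstation Service request name suffix." silently changes the quoted source. It is also the only sentence on the page that explains what `-r` does, and every later hunk in this PR removes `-r` from a command line; the reader is left with no explanation of why the flag is gone. Suggest keeping the quote verbatim and adding an unquoted sentence after it (before the "[Responder](https://github.com/lgandx/Responder) is installed in kali by default" line) that states the page no longer recommends `-r` and why.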
@ -114,7 +114,7 @@ responder -I <Iface> --wpad
You can also **resolve NetBIOS** requests with **your IP**. And create an **authentication proxy**:
```bash
responder.py -I <interface> -rPv
responder.py -I <interface> -Pv
```
You won't be able to intercept NTLM hashes (normally), but you can easily grab some **NTLM challenges and responses** that you can **crack** using for example _**john**_ option `--format=netntlmv2`.
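Review bot: dropping `-r` from `responder.py -I <interface> -rPv` leaves the lead-in sentence "You can also **resolve NetBIOS** requests with **your IP**" unchanged, so a reader may assume the flag change altered that behaviour. The quoted README text earlier in this PR says Responder answers File Server Service NBT-NS queries by default, so the sentence still holds without `-r`; a short clarification here (default NBT-NS answering is kept, only the Workstation Service suffix answering that `-r` enables is dropped) would make that explicit. Minor style point: this hunk invokes `responder.py` while the other hunks use `./Responder.py` and `responder`; pick one invocation form for the page.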
@ -132,7 +132,7 @@ However, spoofing DHCP answers has unique benefits. **It's definitely stealthier
> This attack is highly effective and gives you assured NTLMv1/2 hashes.
```bash
./Responder.py -I eth0 -rPdv
./Responder.py -I eth0 -Pdv
```
## Capturing credentials
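Review bot: `./Responder.py -I eth0 -rPdv` becomes `./Responder.py -I eth0 -Pdv` with no explanation, and the commit message "[fix]  - Responder option" does not say which option is being removed or why. Since the same flag is removed in four places, the rationale belongs in the commit message or PR description (for example, that `-r` is not needed for the attack described and is not recommended in a default run) so that future readers of the history can tell this was deliberate rather than a typo.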
@ -159,7 +159,7 @@ This attack uses the Responder toolkit to **capture SMB authentication sessions*
The 3 main **tools** to perform this attack are: **smb\_relay** (metasploit), **MultyRelay** (responder), and **smbrealyx** (impacket).
Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in **/usr/share/responder/Responder.conf** and then execute responder on the desired **interface**: `responder -I eth0 -rv`
Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in **/usr/share/responder/Responder.conf** and then execute responder on the desired **interface**: `responder -I eth0 -v`
You can perform this attack using **metasploit module**: `exploit/windows/smb/smb_relay`
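Review bot: the edited line still points at **/usr/share/responder/Responder.conf** for the "turn Off SMB and HTTP servers" step, while the context line retained in the first hunk of this PR says the config file is located in _/etc/responder/Responder.conf_. Since this line is being touched anyway, reconcile the two paths (or state that the location depends on the install) so the reader does not edit the wrong file. Drive-by in the surrounding context: "MultyRelay" and "smbrealyx" look like misspellings of the tool names; worth fixing in the same PR.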