Responder v2.1.3 – AD/Windows Environment Takeover Tool Released

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Introduction

This tool is first an LLMNR, NBT-NS and MDNS responder, it will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answers to File Server Service request, which is for SMB. The concept behind this, is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option via command line if you want this tool to answer to the Workstation Service request name suffix.

Changelog v2.1.3

Analyze Mode: Figure out what kind of network you’re dealing with before doing anything:
- Map all workstations, domain forests, SQL servers within maximum 12 minutes, no user interaction; The Lanman module will query any hosts who sent a Domain Master Browser announcement on the subnet to extract that domain computer list and additional forests (https://support.microsoft.com/KB/188001 -> “Only the PDC can be a domain master browser”).
- Figure out right away if you can use ICMP Redirect on that subnet automatically.
- Figure out what’s going on on this network; Is there a NAC/IPS/etc trying to detect NBT-NS/LLMNR poisoning by sending random unexistant names?
- Allows a client/sysadmin to see if remediation was done properly.
WPAD module; Choose if you want to intercept/inject traffic, get NTLMv1/2 hashes transparently or get a plain text sets of credentials. This module is highly effecive and will gather any workstations sets of credentials on a default environment with no user interaction (unless if you’re using -b for plaintext credentials).
Kerberos server. Grab Kerberos AS-REQ Pre-Auth type 23 hashes (hashcat -m 7500).
In-scope names or IPs to respond to (LLMNR/NBT-NS).
Names or IPs (LLMNR/NBT-NS) you don’t want to respond to (detected NAC/IPS, out of scope multicast LLMNR, etc).
Find MSSQL servers with the MSSQL Browser Service, one packet.
Rogue servers included:
- SMB NTLMv1/2, Clear text passwords for NT4, and LM hashing downgrade when the –lm option is set.
- MSSQL Auth server supports NTLMv1, LMv2 hashes and MSSQL plaintext auth.
- HTTP Auth server NTLMv1/2 and basic.
- HTTPS NTLMv1/2 and basic auth.
- LDAP NTLMv1/2 and plaintest auth.
- FTP clear text credentials.
- POP3 clear text credentials.
- SMTP clear text credentials.
- IMAP clear text credentials.

Features

Built-in SMB Auth server. Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the –lm option is set. This functionality is enabled by default when the tool is launched.

Built-in MSSQL Auth server. In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.

Built-in HTTP Auth server. In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can now send your custom files to a victim.

Built-in HTTPS Auth server. In order to redirect HTTPS Authentication to this tool, you will need to set the -r option for Windows versions older than Vista (NBT-NS queries for HTTP server lookups are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2, and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, and Safari. The folder Cert/ was added and contain 2 default keys, including a dummy private key. This is intentional, the purpose is to have Responder working out of the box. A script was added in case you need to generate your own self signed key pair.

Built-in LDAP Auth server. In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool “ldp” and LdapAdmin.

Built-in FTP Auth server. This module will collect FTP clear text credentials.

Built-in small DNS server. This server will answer type A queries. This is really handy when it’s combined with ARP spoofing.

All hashes are printed to stdout and dumped in an unique file John Jumbo compliant, using this format: (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt The file will be located in the current folder.

Responder will logs all its activity to a file Responder-Session.log.

When the option -f is set to “On”, Responder will fingerprint every host who issued an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode.

Browser Listener finds the PDC in stealth mode.

Icmp Redirect for MITM on Windows XP/2003 and earlier Domain members. This attack combined with the DNS module is pretty effective.

WPAD rogue transparent proxy server. This module will capture all HTTP requests from anyone launching Internet Explorer on the network. This module is higly effective. You can now send your custom Pac script to a victim and inject HTML into the server’s responses. See Responder.conf. This module is now enabled by default.

Analyze mode: This module allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning any requests. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks are plausible on your subnet.