Hi everybody,

I want to suggest a nice new tool to you: Responder (https://github.com/SpiderLabs/Responder)

I think it can be useful in a penetration-testing distro, in particular to gain Domain Access to an internal network.

You can see some working examples here:
http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html

And thank you for BackBox, it's a great distro!
General description:

Responder is a passive credentials gathering tool, focused primarily on Windows environments. It listens for specific NBT-NS (NetBIOS Name Service) and LLMNR (Link-local Multicast Name Resolution) queries and poisons the issuer. Responder has several rogue authentication servers listening on several UDP and TCP ports.

Functionalities:
- LLMNR poisoner.
- NBT-NS poisoner.
- Rogue SMB server with a NTLMv1/v2 hash grabber.
- Rogue HTTP server, with basic auth and NTLMv1/v2 hash grabber.
- Rogue SQL Windows auth server with a NTLMv1/v2 hash grabber.
- Rogue SMB server now makes use of SMB Extended Security NTLMSSP authentication (NTLMv1/v2) by default, so you won't miss a hash!
- Rogue FTP server clear text credential capture module (enabled by default).
- Small DNS server (enabled by default).
- ICMP Redirects utility for Windows <= 5.2 Domain members.
- Stealth mode Domain Controller finder (enabled by default).
- Host Fingerprint module (need to specify -f On).
- All activity is now logged into a file named Responder-Session.log with date and time for each entry.
- Ability to switch On/Off any rogue server via command line.
- Ability to specify a different challenge for all NTLM rogue servers.
- NT4 specific SMB clear text credentials support.
- Built-in proxy server, supporting NTLMSSP and Basic authentication scheme. This proxy is listening on port TCP 3141 and can be switched on/off.
- The HTTP server was updated to handle WPAD requests.
- Built-in LDAP rogue server supporting NTLMSSP and Simple Bind (clear text) authentication schemes. This module can be combined with the ICMP-Redirect utility and the DNS server to be reliably effective.
- Customizable default configuration file.
- Bound listening on a specific network interface.
- Scoping improvements to only answer requests from target IP addresses.
- New options to serve files to target systems: Serve-Always and Serve-Exe.
- Custom Proxy Auto-Configuration (PAC) script.
- User-specified HTML to target systems post "authentication".

Working examples in real cases:
http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
http://blog.spiderlabs.com/2013/11/spiderlabs-responder-updates.html
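The description above says Responder answers LLMNR queries that no legitimate host would answer. The flip side, for anyone defending a network against this class of tool, is that a poisoner gives itself away by resolving names that do not exist. The following is an added example (not code from Responder, SpiderLabs or the BackBox project): it builds an LLMNR query for a canary host name, parses a reply in the RFC 4795 wire format (the DNS-style header, question and answer layout, including 0xC0 name-compression pointers), and raises an alert when something answers for the canary. The canary name `wpad-canary-9f3`, the address `10.0.0.66` and the `build_spoofed_reply` fixture are constructed here so the logic runs offline; on a real network you would send the query to the LLMNR group 224.0.0.252 on UDP 5355 and feed whatever comes back to `poisoner_alerts`.

```python
import struct
import socket

LLMNR_GROUP = "224.0.0.252"  # LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000  # "response" bit in the LLMNR/DNS header flags


def encode_name(name):
    """Encode a host name as DNS-style length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Decode labels at `off`; follows 0xC0 compression pointers (bounded)."""
    labels, hops, end = [], 0, None
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            hops += 1
            if hops > 8:
                raise ValueError("pointer loop")
            if end is None:
                end = off + 2  # the field ends after the first pointer
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid, name):
    """LLMNR A-record query for `name` (this is what a canary probe sends)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_spoofed_reply(query, ip):
    """Constructed test fixture: the on-wire shape of an answer to `query`."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    question = query[12:]  # echo the question section unchanged
    # Answer: pointer to the name at offset 12, type A, class IN, TTL 30, 4-byte address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_message(buf):
    """Parse header, question and answer sections of an LLMNR message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "qr": bool(flags & FLAG_QR), "questions": questions, "answers": answers}


def poisoner_alerts(query, reply, canary_names):
    """Return (name, rdata) pairs for answers to canary names nothing legitimate should resolve."""
    q, r = parse_message(query), parse_message(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return []  # not a response to our probe
    canaries = {c.lower() for c in canary_names}
    return [(name.lower(), rdata) for name, _, _, rdata in r["answers"] if name.lower() in canaries]


if __name__ == "__main__":
    probe = build_query(0x1234, "wpad-canary-9f3")          # constructed canary name
    reply = build_spoofed_reply(probe, "10.0.0.66")          # constructed fixture
    for name, addr in poisoner_alerts(probe, reply, ["wpad-canary-9f3"]):
        print("ALERT: %s answered for canary %s" % (addr, name))
```

Because the canary name is random and registered nowhere, any answer at all is the signal; the responder's source address in the alert is the host to investigate. Disabling LLMNR and NBT-NS on domain members removes the query traffic these tools depend on in the first place.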