Responder (owning windows network)

Started by dalzo, October 10, 2013, 08:05:56 PM


dalzo

Hi everybody,
I want to suggest a nice new tool to you:
Responder (https://github.com/SpiderLabs/Responder)

I think it can be useful in a penetration distro, in particular to gain Domain Access to an internal network.

You can see some working examples here:
http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html

And thank you for BackBox, it's a great distro!  ;)

b4d_bl0ck

Hi dalzo,
welcome and thanks for your hint. I guess team testers will take your request into account, and will try the tool and decide if it can be included in the next releases.
If you want you can have a jump on our IRC chan too.

Enjoy BB!
Bye!
bool secure = check_paranoia() ? true : false;

dalzo

Hi b4d_bl0ck,
thank you for your quick reply.

Maybe we'll see on IRC.

Bye!


Bhashit

Hello dalzo,
Nice suggestion!!
Hope BB testers add this!

ostendali

Hi there and welcome,
if you don't mind, can you give a brief explanation of this tool here?
This will help us and our users to make a better evaluation and have a quick reference here.

Be aware that it would be better if you checked the tools that BackBox already has, to see if any similar tool is there.

Many thanks for your hint,

dalzo

Hi,
I'll try to explain the tool using the original descriptions from the SpiderLabs website.

Quote
General description:
Responder is a passive credentials gathering tool, focused primarily on Windows environments. It listens for specific NBT-NS (NetBIOS Name Service) and LLMNR (Link-local Multicast Name Resolution) queries and poisons the issuer. Responder has several rogue authentication servers listening on several UDP and TCP ports.

Functionalities:
- LLMNR poisoner.
- NBT-NS poisoner.
- Rogue SMB server with a NTLMv1/v2 hash grabber.
- Rogue HTTP server, with basic auth and NTLMv1/v2 hash grabber.
- Rogue SQL Windows auth server with a NTLMv1/v2 hash grabber.
- Rogue SMB server now makes use of SMB Extended Security NTLMSSP authentication (NTLMv1/v2) by default, so you won't miss a hash!
- Rogue FTP server clear text credential capture module (enabled by default).
- Small DNS server (enabled by default).
- ICMP Redirects utility for Windows =< 5.2 Domain members.
- Stealth mode Domain Controller finder (enabled by default).
- Host Fingerprint module (need to specify -f On).
- All activity is now logged into a file named Responder-Session.log with date and time for each entry.
- Ability to switch On/Off any rogue server via command line.
- Ability to specify a different challenge for all NTLM rogue servers.
- NT4 specific SMB clear text credentials support.
- Built-in proxy server, supporting NTLMSSP and Basic authentication scheme. This proxy is listening on port TCP 3141 and can be switched to on/off.
- The HTTP server was updated to handle WPAD requests.
- Built-in LDAP rogue server supporting NTLMSSP and Simple Bind (clear text) authentication schemes. This module can be combined with the ICMP-Redirect utility and the DNS server to be reliably effective.
- Customizable default configuration file
- Bound listening on a specific network interface.
- Scoping improvements to only answer requests from target IP addresses.
- New options to serve files to target systems— Serve-Always and Serve-Exe.
- Custom Proxy Auto-Configuration (PAC) script.
- User-specified HTML to target systems post "authentication".

Working examples in real cases:
http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
http://blog.spiderlabs.com/2013/11/spiderlabs-responder-updates.html

At the moment I don't think that in BB there is a similar tool.

Bye!
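
The general description quoted above says the tool answers the LLMNR queries it hears, so a defender can check a segment by asking for a name that cannot exist and seeing who replies. This is an added example, not part of the thread or of Responder; the `canary-` name prefix and the function names are assumptions.

```python
import secrets, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and UDP port

def build_query(name, txid):
    """Encode a single-label LLMNR A query (DNS wire format, flags 0)."""
    label = name.encode("ascii")
    return (struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
            + bytes([len(label)]) + label + b"\x00" + struct.pack(">HH", 1, 1))

def skip_name(pkt, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while pos < len(pkt) and pkt[pos] != 0:
        if pkt[pos] & 0xC0 == 0xC0:      # compression pointer, two bytes
            return pos + 2
        pos += 1 + pkt[pos]
    return pos + 1

def parse_answer(pkt, txid):
    """Return the IPv4 address of the first A answer matching txid, else None."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
        pos = 12
        for _ in range(qd):              # skip the echoed question section
            pos = skip_name(pkt, pos) + 4
        pos = skip_name(pkt, pos)        # owner name of the first answer
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
        ok = rid == txid and flags & 0x8000 and an and rtype == 1 and rdlen == 4
        return socket.inet_ntoa(pkt[pos + 10:pos + 14]) if ok else None
    except (struct.error, OSError):      # truncated or malformed packet
        return None

def probe(timeout=2.0):
    """Query a random name that cannot exist; any host that answers is suspect."""
    name, txid = "canary-" + secrets.token_hex(4), secrets.randbelow(65536)
    responders = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _port) = sock.recvfrom(512)
                if parse_answer(data, txid):
                    responders.add(src)
        except socket.timeout:
            return responders

if __name__ == "__main__":
    print(probe() or "no LLMNR answers to the canary name")
```

Legitimate hosts only answer LLMNR queries for their own name, so an empty result is the expected outcome on a clean segment.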