lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAG_zyZ_dPCUbacTWBNJoqUuBXG_y3ZM7i9OLv5oWNF3pH=+Qvg@mail.gmail.com>
Date: Tue, 10 Jun 2014 01:33:08 -0400
From: laurent gaffie <laurent.gaffie@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [Tool] Responder v2.0.9

Responder is an Active Directory/Windows environment takeover tool suite
that can stealthily take over any default active directory environment
(including Windows 2012) in minutes or hours. Most of the attacks in this
tool are hard to detect and are highly successful.

Responder attacks 5 Windows core protocols:
 - LLMNR Poisoning (Windows >=vista).
 - Netbios Name Service Poisoning (NBT-NS poisoning, any by default).
 - WPAD (Any by default).
 - ICMP Redirect (Windows <=2003/XP).
 - DHCP INFORM (Windows <=2003/XP) and ability to perform normal DHCP
attacks (Linux, OSX, Windows) [unicast answer].

An extra protocol has been added, for OSX and Linux distributions using
avahi: MDNS (Linux, Apple, any .local)

When exploiting these protocol flaws, Responder has its own rogue servers
listening:
- SMB Auth server. Supports NTLMv1, NTLMv2 hashes with Extended Security
NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC,
Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM
hashing downgrade when the --lm option is set. This functionality is
enabled by default when the tool is launched.

- MSSQL Auth server. In order to redirect SQL Authentication to this tool,
you will need to set the option -r (NBT-NS queries for SQL Server lookup
are using the Workstation Service name suffix) for systems older than
windows Vista (LLMNR will be used for Vista and higher). This server
supports NTLMv1, LMv2 hashes. This functionality was successfully tested on
Windows SQL Server 2005 & 2008.

- HTTP Auth server. In order to redirect HTTP Authentication to this tool,
you will need to set the option -r for Windows versions older than Vista
(NBT-NS queries for HTTP server lookup are sent using the Workstation
Service name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was
successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. Note: This
module also works for WebDav NTLM authentication issued from Windows WebDav
clients (WebClient). You can also send your custom files to a victim.

- HTTPS Auth server. In order to redirect HTTPS Authentication to this
tool, you will need  to set the -r option for Windows versions older than
Vista (NBT-NS queries for HTTP server lookups are sent using the
Workstation Service  name suffix). For Vista and higher, LLMNR will be
used. This server supports NTLMv1, NTLMv2, and Basic Authentication. This
server was successfully tested on IE 6 to IE 10, Firefox, Chrome, and
Safari. The folder Cert/ was added. It containa 2 default keys, including a
dummy private key. This is intentional. The purpose is to have Responder
working out of the box. A script was added in case you need to generate
your own self signed key pair.

- LDAP Auth server. In order to redirect LDAP Authentication to this tool,
you will need to set the option -r for Windows versions older than Vista
(NBT-NS queries for HTTP server lookup are sent using the Workstation
Service name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMSSP hashes and Simple Authentication (clear text
authentication). This server was successfully tested on Windows Support
tool "ldp" and LdapAdmin.

- FTP Auth server. This module will collect FTP clear text credentials.

- Kerberos v5 pre-auth server.

- Small DNS server. This server will answer type A queries. This is really
handy when it's combined with ARP spoofing, ICMP Redirect, DHCP INFORM.

- WPAD rogue transparent proxy server. This module will capture all HTTP
requests from anyone launching Internet Explorer on the network. This
module is highly effective. You can send your custom PAC script to a victim
and inject HTML into the server's responses. See Responder.conf.

- Analyze mode: This module allows you to see NBT-NS, BROWSER and LLMNR
requests between systems without poisoning any requests. You can also map
domains, MSSQL servers, workstations passively and also see if ICMP
Redirects attacks are plausible on your subnet. No port scans.

- POP3 auth server. This module will collect POP3 plaintext credentials

- SMTP auth server. This module will collect PLAIN/LOGIN clear text
credentials.

- IMAP auth server.

Responder also:
- Logs all its activity to a file: Responder-Session.log.
- All hashes are printed to stdout and dumped in an unique hashcat
compliant file using this format: (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or
clear-text)-Client_IP.txt. The file will be located in the current folder.
- When the option -f is set, Responder will fingerprint every host that
issued an LLMNR/NBT-NS query. All capture modules still work while in
fingerprint mode.


Responder also lets you:

- Customizes your penetration test via Responder.conf.
- Responds to specific in-scope Netbios/LLMNR names.
- Responds to specific in-scope IP addresses.
- Injects SMB share pictures into WPAD responses.
- Replaces requested .exe files with your own, but shown as the original
one requested.
- Replaces any requested page with your custom html page, exe file, etc
(S-E).
- Set you custom NETNTLM Challenge.

- Logs all its activity to a file: Responder-Session.log.
- All hashes are printed to stdout and dumped in an unique hashcat
compliant file using this format: (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or
clear-text)-Client_IP.txt. The file will be located in the current folder.
- When the option -f is set, Responder will fingerprint every host that
issued an LLMNR/NBT-NS query. All capture modules still work while in
fingerprint mode.

Usage example:
./Responder.py -i Your_IP_Address -rvF
MUse NBT-NS workstation redirects, be verbose, force WPAD file retrieval
authentication

./Responder.py -i Your_IP_Address -A
Analyze mode shows NBT-NS/LLMNR/MDNS queries without responding and finds
all MSSQL servers, Workstations, Domains, prints if you can ICMP-Redirect
on the subnet. Passive reconnaissance at its best. No port scan, map a
network within minutes.

Github:
https://github.com/Spiderlabs/Responder

More info:
- https://github.com/SpiderLabs/Responder/blob/master/README.md
- http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
-
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
-
http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
-
http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html

Twitter:
- https://twitter.com/PythonResponder

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists