Pwning with a Responder

Overview:

Responder is a great tool that every pentester needs in their arsenal. If a client/target cannot resolve a name via DNS, it will fall back to name resolution via LLMNR (introduced in Windows Vista) and NBT-NS.

Modes of Responder:

If you want to target a specific IP or range of IPs, you can edit Responder.conf and change the RespondTo argument. This is extremely useful when you have a specific target in sight and don’t want to potentially cause network-wide disruption.

You can also use Responder in listen-only (analyze) mode, in which it analyzes requests but does not actively respond to any of them. This is achieved using the -A parameter, and it is a useful way to see how chatty the network is without actively targeting any hosts.

Multi Relay Attack:

Using this tool, we can relay our NTLMv1/2 authentication to a specific target and then, during a successful attack, execute code. Before we get into the nitty-gritty of this attack, it should be stated that only privileged users are targeted by default (good reasoning behind this) and that the target cannot have SMB signing in place. A nice script, RunFinger.py, is packaged within the tools directory of Responder, and it allows us to verify the latter on our target(s) before actively targeting any hosts.

In preparation for this attack, we need to disable the SMB and HTTP servers used by Responder; otherwise we’ll get conflicts between Responder and Multi-relay.

Running Responder again with default options, it is possible to see that these two services are now disabled.

The syntax for this tool is shown below, where the IP is the address to which you want to relay authentication and hopefully obtain shell access:

python MultiRelay.py -t IP -u ALL

Remediation activities:

To tighten the security of your Windows systems, the following changes can be made.

Disable LLMNR via group policy

Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution and set to Enabled.

Disable NBT-NS

This can be achieved by navigating through the GUI to Network card > Properties > IPv4 > Advanced > WINS and then under “NetBIOS setting” select Disable NetBIOS over TCP/IP.

Multi-relay

Enable SMB signing via group policy
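
The three settings above can be checked on a host by reading the registry values they write. The following PowerShell is an added example, not part of the original post or of Responder; the function names Get-RegValue and Test-NameResolutionHardening are hypothetical, and it assumes an absent value means the setting is not explicitly enforced.

```powershell
# Audit the LLMNR, NBT-NS and SMB signing settings on the local host.
# One object per check; Compliant = $false means the setting is not
# explicitly enforced (assumption: an absent value counts as not enforced,
# because the effective default then depends on the Windows version).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-NameResolutionHardening {
    $results = @()

    # "Turn off multicast name resolution" = Enabled writes EnableMulticast = 0.
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $results += [pscustomobject]@{
        Check     = 'LLMNR disabled by policy'
        Value     = $llmnr
        Compliant = ($llmnr -eq 0)
    }

    # NetBIOS over TCP/IP is set per interface: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($if in Get-ChildItem -Path $ifRoot -ErrorAction SilentlyContinue) {
        $opt = Get-RegValue $if.PSPath 'NetbiosOptions'
        $results += [pscustomobject]@{
            Check     = "NetBIOS over TCP/IP disabled on $($if.PSChildName)"
            Value     = $opt
            Compliant = ($opt -eq 2)
        }
    }

    # SMB signing must be required (not merely enabled) on both server and client side.
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        $req = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" 'RequireSecuritySignature'
        $results += [pscustomobject]@{
            Check     = "SMB signing required ($svc)"
            Value     = $req
            Compliant = ($req -eq 1)
        }
    }
    $results
}

Test-NameResolutionHardening | Format-Table -AutoSize
```

Any row with Compliant set to False identifies a host or interface where the corresponding remediation step has not been applied explicitly.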