
Beginners guide to Responder

Hello, aspiring ethical hackers. In this article, you will learn about Responder, a tool used to harvest credentials and password hashes on a target network. It is used mostly in internal penetration testing.

What is Responder?

Responder is an LLMNR, NBT-NS and mDNS poisoner with built-in rogue HTTP, SMB, MSSQL, FTP and LDAP authentication servers. It harvests credentials and password hashes by answering specific name-resolution queries, such as NBT-NS (NetBIOS Name Service) requests, with its own address, so that the client then authenticates to one of its rogue servers. Responder is designed to stay stealthy on the network without making much noise.

Let's see how this tool works. We will be using Kali Linux as the attacker system, since Responder is installed on it by default. We are performing this tutorial in an Active Directory hacking lab. In this lab, Windows 10 is the client system (although any other Windows OS will do), a pfSense firewall acts as gateway and firewall, and Windows Server 2016 is the server. To use Responder, Kali Linux needs to be connected to the LAN of the Active Directory environment, i.e. the internal network.

The attacker system, Kali Linux, does not need to be joined to the domain; it will still collect the password hashes of domain users, as shown below. In real-world scenarios, Responder is uploaded to and run from a system already on the target network.

Once Kali is connected to the internal network, all you have to do is to start Responder on the interface you want as shown below.

sudo responder -I <network_interface>

For example, here we are starting it on interface eth1, which is connected to the target domain network.

It starts its poisoners and rogue servers as shown below.

Now, all we have to do is WAIT for a user on the network to make a mistake. For example, let's say a user in the organization tries to access a local network share named "LOOKRECKAH" and mistypes it, as shown below: he wants to access "LOOKRECKAH" but hits 'ENTER' after typing only "LOOK". Since no such name exists in DNS, Windows falls back to LLMNR and NBT-NS broadcasts to resolve it, and Responder answers those broadcasts with its own address.

As soon as he does that, he is prompted for his network credentials. This prompt is produced by Responder.

However, the user does not even need to enter anything at that prompt. Responder has already logged plenty of traffic on the attacker's machine, i.e. Kali.

Scrolling through that output, we can see the user's username and his password hash.

By waiting patiently, we can also collect the credentials of other users.

Responder stores all this information in the /usr/share/responder/logs directory on Kali.

In this directory, credentials and hashes are stored in text files.
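A defender-side check for the poisoning described above, added here as an example; it is not part of the original article or of the Responder project. It sends an LLMNR query for a name that cannot exist (the packet layout, multicast group and port follow RFC 4795; the canary name is an assumption) and reports every host that answers, because no legitimate host will:

```python
# Added canary check (not Responder's own code): query LLMNR for a name that
# cannot exist; no legitimate host answers, so any reply reveals a poisoner.
import random, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group/port

def build_llmnr_query(name: str, txid: int) -> bytes:
    """RFC 4795 query: DNS-style header, one A/IN question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_llmnr_answer(pkt: bytes, txid: int) -> list:
    """IPv4 addresses in the answer section, or [] if pkt is not our reply."""
    if len(pkt) < 12:
        return []
    rid, flags, qd, an = struct.unpack("!HHHH", pkt[:8])
    if rid != txid or not flags & 0x8000 or an == 0:  # need QR bit + answers
        return []
    def skip_name(o):  # step over a name, which may end in a 0xC0xx pointer
        while pkt[o] and pkt[o] & 0xC0 != 0xC0:
            o += 1 + pkt[o]
        return o + (2 if pkt[o] & 0xC0 == 0xC0 else 1)
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs

def probe(name="canary-nonexistent-host", timeout=2.0):
    """Send one canary query; return [(replying_ip, [answer_ips]), ...]."""
    txid = random.randrange(0x10000)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []  # a poisoner answers from its own IP, so src identifies it
    try:
        while True:  # keep collecting replies until the timeout expires
            data, (src, _) = s.recvfrom(512)
            if addrs := parse_llmnr_answer(data, txid):
                hits.append((src, addrs))
    except socket.timeout:
        return hits
```

Run probe() periodically from a host on the segment you want to watch; a non-empty result is an alert. Disabling LLMNR and NBT-NS through Group Policy removes the fallback the poisoner depends on.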

Analysis mode

Responder has several modes of operation; Analysis mode is one of them. In this mode, Responder shows the NBT-NS, BROWSER, LLMNR and DNS requests on the network but does not perform any poisoning. Analysis mode is started with the command shown below.

sudo responder -I <interface_name> -A

Even without poisoning, this mode reveals useful information about the network, such as which hosts are broadcasting name lookups and for which names.

Using WPAD Proxy Server

WPAD stands for Web Proxy Auto-Discovery protocol. Organizations often route their users' web traffic through a proxy, and WPAD lets web browsers and other clients automatically discover the URL of the proxy auto-configuration (PAC) file. Responder can poison these WPAD lookups and serve its own proxy configuration, as shown below. The WPAD proxy is started in Responder with the command shown below.

sudo responder -I <interface_name> -wd

As you can see in the above image, the WPAD proxy is on. Now, when an employee of the organization tries to access an internal website and mistypes its name in the browser, he is prompted with a credential screen as shown below.

He enters his credentials, assuming it to be a genuine prompt.

We get the user's password hashes as shown below.

That's all about Responder for now.
