responder v-1.8 released : is a LLMNR and NBT-NS poisoner

responder v-1.8 released : is a LLMNR and NBT-NS poisoner

This tool is first an LLMNR and NBT-NS responder, it will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answers to File Server Service request, which is for SMB. The concept behind this, is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior.

responder

ChangeLog from 0.6 to 1.8:
- Added: Rogue LDAP auth server. Supports clear text password and NTLMSSP.
- Added: Ability to turn on/off the DNS server.
- Added: Icmp-Redirect.py for MITM Windows =< 5.2 Domain members.
- Added: SMB Clear Text function for NT4 specific.
- Added: DNS server module.
- Added: FTP server module.
- Added: Ability to find the PDC in stealth mode with the Browser listener.
- Several changes.
- Removed: -d option (Domain), useless for now.
- Added: SMB Extended Security NTLMSSP authentication.
- Added: Fingerprint module.
- Added: Ability to turn off independently capture services.(mubix)
- Added: Function to grab HTTP cookies.
- Fix: Typo in logfile description.
- Added: Option for logging to a file (ravenium).
- Added: Basic exception handling for server sockets (ravenium).
- Added: Logging functionality, now logs all Responder activity to a file with date and time.
- Added: Print IP address to stdout for each protocol.
- Improvement: Added new line on Writedata (atucom).
- Improvement: final Hash is now printed to stdout instead of NT and LM.
- Fix: Fixed spelling in README (atucom).
- Fix: Removed hardcoded challenge for SQL NTLM.
- Fix: Removed hardcoded challenge for HTTP NTLM.
- Added an HTTP server with support for ntlmv1/v2 and basic Auth.
- Added command line switch support with optparse.
- Added -r switch, which allows turning On/Off Wredir answers.
- Added the possibility to turn off HTTP server using the -s switch.
- Added LLMNR module.
- Fixed bug in NTLMv1 hash parsing when clientOs and ClientVersion are
empty.
- Several minor changes.

FEATURES
========

- Built-in SMB Auth server.
Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP. Successfully tested from NT4 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4. This functionality is enabled by default when the tool is launched.

- Built-in MSSQL Auth server.
In order to redirect SQL Authentication to this tool, you will need to
set the option -r to 1(NBT-NS queries for SQL Server lookup are
using the Workstation Service name suffix) for systems older than
windows Vista (LLMNR will be used for Vista and higher). This server
supports NTLMv1, LMv2 hashes. This functionality was successfully tested
on Windows SQL Server 2005 & 2008.

- Built-in HTTP Auth server.
In order to redirect HTTP Authentication to this tool, you will need
to set the option -r to 1 for Windows version older than Vista (NBT-NS
queries for HTTP server lookup are sent using the Workstation Service
name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server
was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.
Note: This module also works for WebDav NTLM authentication issued from
Windows WebDav clients (WebClient).

- Built-in LDAP Auth server.
In order to redirect LDAP Authentication to this tool, you will need
to set the option -r to 1 for Windows version older than Vista (NBT-NS
queries for HTTP server lookup are sent using the Workstation Service
name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server
was successfully tested on Windows Support tool “ldp” and LdapAdmin.

- Built-in FTP Auth server.
This module will collect FTP clear text credentials.

- Built-in small DNS server. This server will answer type A queries. This
is really handy when it’s combined with ARP spoofing.

- All hashes are printed to stdout and dumped in an unique file John
Jumbo compliant, using this format:
(SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt
The file will be located in the current folder.

- Responder will logs all its activity to a file Responder-Session.log.

- When the option -f is set to “On”, Responder will fingerprint every host who issued an LLMNR/NBT-NS query.
All capture modules still work while in fingerprint mode.

- Browser Listener finds the PDC in stealth mode.

- Icmp Redirect for MITM on Windows =< 5.2 Domain members. This attack combined with the DNS module is pretty effective.

USAGE
=====

Running this tool:

- python Responder.py [options]

Usage Example:

python Responder.py -i 10.20.30.40 -b 1 -r 0 -f On

Options List:

-h, –help show this help message and exit.

-i 10.20.30.40, –ip=10.20.30.40 The ip address to redirect the traffic to.
(usually yours)

-b 0, –basic=0 Set this to 1 if you want to return a
Basic HTTP authentication. 0 will return
an NTLM authentication.

-s Off, –http=Off Set this to On or Off to start/stop the
HTTP server. Default value is On.

-S Off, –smb=Off Set this to On or Off to start/stop the
SMB server. Default value is On.

-q Off, –sql=Off Set this to On or Off to start/stop the
SQL server. Default value is On.

-r 0, –wredir=0 Set this to enable answers for netbios
wredir suffix queries. Answering to wredir
will likely break stuff on the network
(like classics ‘nbns spoofer’ will).
Default value is therefore set to Off (0).

-c 1122334455667788, –challenge= The server challenge to set for NTLM
authentication. If not set, then defaults
to 1122334455667788, the most common
challenge for existing Rainbow Tables.

-l file.log, –logfile=filename.log Log file to use for Responder session.

-f Off, –fingerprint=Off This option allows you to fingerprint a
host that issued an NBT-NS or LLMNR query.

-F On, –ftp=On Set this to On or Off to start/stop the FTP server.
Default value is On

-L On, –ldap=On Set this to On or Off to start/stop the LDAP server.
Default value is On

-D On, –dns=On Set this to On or Off to start/stop the DNS server.
Default value is On

Download : Responder_master.zip (41.1 KB) 
Resource : https://github.com/SpiderLabs/Responder | http://blog.spiderlabs.com/2012/10/introducing-responder-10.html