Responder v2.3-git - an LLMNR, NBT-NS and MDNS poisoner.

Responder v2.3-git – an LLMNR, NBT-NS and MDNS poisoner.

Latest change v2.3-git 8/6/2016:
+ Fingerprint.py; Fixed color bug in Analyze mode.
+ settings.py; fixed minor bug.
+ Responder.conf; Set AutoIgnoreAfterSuccess = Off by default, up to the pentester to disable it.
+ Responder.py; Fixed some tools and +x on some executables.Responder

This tool is first an LLMNR and NBT-NS responder, it will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answers to File Server Service request, which is for SMB. The concept behind this, is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior.

Responder On Windows XP/2003 Server/7/8.1

Responder On Windows XP/2003 Server/7/8.1

Responder On Unix Platform. Intallation; using giit.

Responder On Unix Platform; MacOSX, Kali-Sana, Arch Linux, Debian, Ubuntu etc.. Intallation; using giit.

FEATURES
========

– Built-in SMB Auth server.
Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP. Successfully tested from NT4 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4. This functionality is enabled by default when the tool is launched.

– Built-in MSSQL Auth server.
In order to redirect SQL Authentication to this tool, you will need to set the option -r to 1(NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested
on Windows SQL Server 2005 & 2008.

– Built-in HTTP Auth server.
In order to redirect HTTP Authentication to this tool, you will need to set the option -r to 1 for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.

Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient).

– Built-in LDAP Auth server.
In order to redirect LDAP Authentication to this tool, you will need to set the option -r to 1 for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool “ldp” and LdapAdmin.

– Built-in FTP Auth server.
This module will collect FTP clear text credentials.

– Built-in small DNS server. This server will answer type A queries. This is really handy when it’s combined with ARP spoofing.

– All hashes are printed to stdout and dumped in an unique file John
Jumbo compliant, using this format:
(SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt
The file will be located in the current folder.

– Responder will logs all its activity to a file Responder-Session.log.

– When the option -f is set to “On”, Responder will fingerprint every host who issued an LLMNR/NBT-NS query.
All capture modules still work while in fingerprint mode.

– Browser Listener finds the PDC in stealth mode.

– Icmp Redirect for MITM on Windows =< 5.2 Domain members. This attack combined with the DNS module is pretty effective.

USAGE
=====

Running this tool:

Download stable version : v2.3.0.zip | v2.3.0.tar.gz
source : https://github.com/SpiderLabs/Responder | http://blog.spiderlabs.com/2012/10/introducing-responder-10.html | Our post Before