A blog about generally interesting infosec stuff..

Tuesday, 8 May 2018

From Beginner Responder to Intermediate - Utilising the Whole Suite


Responder is a well-known tool used by many penetration testers since its release. In case you are not familiar with Responder, it is a suite of hash-capturing NTLMSSP servers which use LLMNR/NBNS to trick clients on a network into connecting to them. If you want to read about the basics of using Responder, you should check out the usage section at the bottom of the README here: https://github.com/lgandx/Responder. This article will not cover the basic usage of Responder comprehensively; instead we will aim to expand penetration testers' knowledge of the tool beyond basic command line switches by exposing you to tools and flags/switches you may not have used before. Step-by-step guides will not be included in this article; however, recommended guides will be linked to.
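The LLMNR/NBNS trick just described has a simple counterpart on the defensive side: ask the network for a host that cannot exist and see whether anything answers it. The script below is an added example written for this article, not code from the original post or from the Responder project. It builds an LLMNR query for a random name, sends it to the LLMNR multicast group on your own segment, and reports any host that answers; the group address, port and wire format follow RFC 4795, while the `canary-` name prefix and the `probe` function are assumptions of the example.

```python
"""Detect an LLMNR poisoner by querying a name that cannot legitimately exist.

Added example; not part of the original post or of the Responder project. No
real host is called "canary-<random>", so anything that answers the query is
answering every name, which is exactly how an LLMNR poisoner behaves.
"""
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # link-local multicast group for LLMNR (RFC 4795)
LLMNR_PORT = 5355


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build a single-question LLMNR query for an A record (DNS wire format)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0, QDCOUNT 1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    return header + question


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer
            return offset + 2
        offset += 1 + length


def parse_llmnr_answer(data: bytes, txid: int):
    """Return the IPv4 address offered in a response to our query, else None."""
    if len(data) < 12:
        return None
    try:
        rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
        if rid != txid or not (flags & 0x8000) or an == 0:
            return None                 # not ours, not a response, or empty
        offset = 12
        for _ in range(qd):             # skip the echoed question(s)
            offset = _skip_name(data, offset) + 4
        for _ in range(an):
            offset = _skip_name(data, offset)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                return socket.inet_ntoa(data[offset:offset + 4])
            offset += rdlen
    except (struct.error, IndexError):
        return None                     # truncated or malformed packet
    return None


def probe(timeout: float = 2.0) -> list:
    """Send the canary query and collect every (answering_host, offered_ip) pair."""
    txid = int.from_bytes(os.urandom(2), "big")
    name = "canary-" + os.urandom(3).hex()   # random, so it cannot legitimately exist
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            offered = parse_llmnr_answer(data, txid)
            if offered:
                hits.append((src, offered))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, offered in probe():
        print(f"ALERT: {src} answered LLMNR for a nonexistent name with {offered}")
```

Run it periodically from a workstation on each segment; on a clean network it prints nothing, because nobody owns the canary name. A positive hit also gives the answering host's address, which is the first thing an analyst needs.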

A second, more advanced article is planned for release a week after this one. When it is published, it will be linked to here. That article will discuss adapting Responder to your network environment in order to unlock Responder's full potential.

Thinking About Responder in a Different Light

Responder is one of those tools that we take for granted as performing a niche attack. Like many other tools, it tends to be used with a copy-and-pasted command, or otherwise with limited knowledge of its true potential. Instead of thinking about Responder as an inflexible niche tool designed to achieve one goal, you should think about how you can leverage the victim's network against them. For example, a writeable SMB share that does not require administrator permissions can be turned into an Empire shell on the domain controller with ease.

The following sections will cover each of the different ways we can extend Responder's functionality and truly conquer the target network using just the tools provided. The next article will expand upon this further, and show you how you can use Responder alongside other tools and your own creations to execute attacks like the SMB scenario presented above.

Tips and Tricks

·         Responder is capable of performing recon of a network far more quietly than a port scanner. If for some reason you are unable to run nmap on the network (for example, because an aggressive IDS is present), Responder could help you map the network. Using either the -A or -f flag in Responder you can gather a good amount of information on workstations and SMB servers on the network. The RunFinger.py and FindSQLSrv.py tools can be used to discover SMB and MS-SQL servers on the network.

·         The configuration file in Responder is more useful than you might initially think. Inside this file you can customise several options which will ensure you stay within scope on your test. In addition to this, you can deliver executable files, custom HTML or a custom WPAD script. For example, Empire launcher executables can be delivered by the HTTP module using the custom executable option.

·         The hash files found in logs, named in the format <Capture Module>-NTLMv2-<Victim IP>, can be used directly with John for ease of use. They do, however, generally contain duplicates. The shell glob *-*-* can be used to easily select all of these files and run them all through John at once.

·         The most effective method for grabbing hashes on the network is with the WPAD module. If you aren't familiar with it, WPAD is the Web Proxy Auto-Discovery Protocol, which is used to automatically configure browser proxy settings. If an entry for WPAD does not exist in the victim network's DNS server, then you may be able to exploit this. To use this, ensure the HTTP module is enabled in Responder and then run Responder with the -rwFP options.
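The hash files described in the list above are also what an incident responder finds when a Responder run is discovered on a network, and the same duplication makes them hard to read by eye. The script below is an added example written for this article, not code from the original post or from the Responder project. It reads the `<Module>-NTLMv2-<Victim IP>.txt` files with the same `*-*-*` glob the post suggests, parses the John-format lines (`user::DOMAIN:challenge:NTProofStr:blob`), and reduces them to the distinct accounts and the hosts they were captured from. The file name pattern (including an optional extra token such as `-SSP-`) and the sample capture are assumptions of the example; the sample data is constructed, not real.

```python
"""Scope an LLMNR/NBNS poisoning incident from Responder's hash log files.

Added example; not part of the original post or of the Responder project.
Each capture module writes one NetNTLMv2 line per authentication, and victims
re-authenticate repeatedly, so the files are mostly duplicates. The output is
the list of accounts to reset and the hosts that were poisoned.
"""
import glob
import os
import re
from collections import defaultdict

# <module>-NTLMv2-[<extra>-]<ipv4>.txt, e.g. SMB-NTLMv2-SSP-10.0.0.5.txt (assumed naming)
FILENAME_RE = re.compile(
    r"^(?P<module>.+?)-NTLMv2-(?:.*-)?(?P<victim>\d{1,3}(?:\.\d{1,3}){3})\.txt$"
)


def parse_log_name(path: str):
    """Return (module, victim_ip) from a Responder hash file name, or None."""
    m = FILENAME_RE.match(os.path.basename(path))
    return (m.group("module"), m.group("victim")) if m else None


def parse_hash_line(line: str):
    """Split one NetNTLMv2 line into (user, domain, challenge, proof); None if malformed."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        return None
    user, _, domain, challenge, proof, blob = parts
    if len(challenge) != 16 or len(proof) != 32 or not blob:
        return None
    return user, domain, challenge.lower(), proof.lower()


def summarise(captures: dict) -> tuple:
    """captures maps file name -> file contents.

    Returns (report, stats): report maps (DOMAIN, user) to the set of
    (victim_ip, module) pairs it was captured from; stats counts raw hash
    lines, distinct authentication attempts and distinct accounts.
    """
    report = defaultdict(set)
    attempts = set()
    lines = 0
    for name, text in captures.items():
        meta = parse_log_name(name)
        if meta is None:
            continue                      # session logs etc. are not hash files
        module, victim = meta
        for line in text.splitlines():
            parsed = parse_hash_line(line)
            if parsed is None:
                continue
            lines += 1
            user, domain, challenge, proof = parsed
            attempts.add((user.lower(), domain.lower(), challenge, proof))
            report[(domain.upper(), user.lower())].add((victim, module))
    stats = {"lines": lines, "unique_attempts": len(attempts), "accounts": len(report)}
    return dict(report), stats


def load_logs(log_dir: str) -> dict:
    """Read every hash file in a Responder logs directory using the post's *-*-* glob."""
    captures = {}
    for path in glob.glob(os.path.join(log_dir, "*-*-*")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            captures[path] = fh.read()
    return captures


# Constructed sample: two victims, one account captured three times (one exact duplicate).
SAMPLE_CAPTURES = {
    "SMB-NTLMv2-10.0.0.5.txt": (
        "jsmith::CORP:1122334455667788:" + "a" * 32 + ":0101000000000000aabb\n"
        "jsmith::CORP:8877665544332211:" + "b" * 32 + ":0101000000000000ccdd\n"
        "jsmith::CORP:1122334455667788:" + "a" * 32 + ":0101000000000000aabb\n"
    ),
    "HTTP-NTLMv2-10.0.0.9.txt": (
        "svc-backup::CORP:0102030405060708:" + "c" * 32 + ":0101000000000000eeff\n"
    ),
    "Responder-Session.log": "[*] not a hash file\n",
}

if __name__ == "__main__":
    import sys
    captures = load_logs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CAPTURES
    report, stats = summarise(captures)
    print(f"{stats['lines']} lines, {stats['unique_attempts']} distinct attempts, "
          f"{stats['accounts']} accounts to reset")
    for (domain, user), sources in sorted(report.items()):
        hosts = ", ".join(f"{ip} via {mod}" for ip, mod in sorted(sources))
        print(f"  {domain}\\{user}: {hosts}")
```

Pass the path of a `logs` directory as the only argument to run it against real files; without an argument it summarises the constructed sample. Distinct attempts are keyed on the server challenge and NTProofStr, which differ per authentication, so identical lines collapse while genuine repeat captures are still counted.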

The Tools Directory

Responder comes bundled with some useful tools; these can be found in the directory named "tools". The most interesting and useful of these is likely MultiRelay, and as such it is the main tool we will discuss.

MultiRelay

MultiRelay is a tool capable of relaying hashes from two different Responder servers, SMB and HTTP. On its original release MultiRelay was called SMBRelay and could only pass NetNTLM hashes acquired by Responder's SMB servers. MultiRelay v2 now also supports the capture of NetNTLM hashes via HTTP WebDAV. If you have SMBRelay instead of MultiRelay you are likely using an old copy, or have downloaded Responder from the old repository. The newer repository is hosted by lgandx rather than SpiderLabs; you can find it here: https://github.com/lgandx/Responder. A Windows version of Responder built in PowerShell can also be found here: https://github.com/lgandx/Responder-Windows. This can be useful for pivoting from a compromised Windows machine on a remote test.

To use MultiRelay, you will need to edit the Responder config file to turn off the services you want to run through MultiRelay. I would recommend turning off both if you are simply looking to maximise effectiveness; if you are targeting a specific service rather than casting a broad net, you could turn off all unneeded servers and only target a specific victim IP.

Once you have turned off the relevant modules in the Responder config file, you will need to start the main Responder tool followed by the MultiRelay tool. If you receive any error messages from MultiRelay claiming that the HTTP or SMB services have failed to start, you have not disabled the respective options in the Responder config correctly. MultiRelay will also check the network to determine whether SMB signing is on or off; if SMB signing is on then MultiRelay will not function. The section below titled The Rest covers a useful tool you can use to check for SMB signing on a domain.

MultiRelay has a few different options; the only ones that matter for basic usage are the user flag and the target flag. The target should be set to the SMB server you wish to exploit. Domain Controllers have signing turned on for their SMB shares by default, so they generally are not a good target. The user flag should be set to ALL if you are unsure what the admin usernames are, or you can specify users in a space-separated list if you know who has admin rights on the targeted SMB server. The only other flag you will use regularly is the command flag. By default MultiRelay will place a shell somewhat similar to Meterpreter on the target system, which you can use to execute basic commands and modules like mimikatz. You can expand this functionality yourself by providing a custom command, such as the multi/launcher output from Empire. By providing an Empire launcher you can effectively spread your Empire agents across a network using Responder.

For a step-by-step guide on the basics of MultiRelay and on using an Empire launcher, I recommend reading this article: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html.

Example Usage: MultiRelay.py -u ALL -t <target IP>

The Rest

In addition to MultiRelay, Responder comes bundled with a small collection of recon and exploit tools.

BrowserListener is a tool which listens for browser announcements on Windows domains/workgroups from SMB servers. This is a useful plugin, but it seems to be made redundant by Responder's analyse mode, which does a better job of the same thing. Should you need to perform recon of a network silently, or be interested in identifying SMB shares on the network, this tool or the analysis mode of the main tool could be useful. Whilst this tool is theoretically useful, I have never been able to get it to work with Windows 7 and 10 victims. I would recommend the -A mode of the main tool instead.

Example Usage: This tool doesn't take any arguments; just run it! The image below shows the error encountered when a Windows 10 client sends a browser announcement.

DHCP and DHCP_Auto are exploit tools designed to exploit a flaw in the DHCP implementation of Windows XP, Windows 2000 and Server 2003. If you are on a network with these systems then you can use DHCP Inform takeover through the DHCP.py and DHCP_Auto.sh files. A much noisier and less effective version is accessible via the -R switch; in theory this is capable of exploiting Vista and above. The arguments for the Python file can be identified with -h, and the shell file should fill in these arguments for you automatically. For the sake of scope and safety I would recommend configuring the parameters yourself; there is always the chance the automated option may choose an incorrect network or similar. This tool will only work on a heavily unpatched network.

Example Usage: DHCP.py -I <interface> -d <domain> -r <new router> -p <primary DNS> -s <secondary DNS> -R

The FindSMB2UpTime and RunFinger tools can be used to discover and enumerate SMB shares on the network. They can be used in much the same way as the BrowserListener tool or the analysis mode of the main program; however, these two tools perform an active scan of the network for SMB shares. RunFinger can be pointed at a subnet rather than a single IP address and will return a list of all SMB shares on the network. The FindSQLSrv tool can be used in a similar manner to discover MS-SQL servers on the network. This tool does not require any parameters.

RunFinger Example Usage: RunFinger.py -I <target, can be a subnet> (-g for grepable format)
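RunFinger's signing column is the piece of its output that decides whether relaying is even possible, and an administrator auditing their own servers wants the same answer. The script below is an added example written for this article, not code from the original post or from the Responder project; it does a comparable check by hand. A server states whether signing is enabled and whether it is required in the SecurityMode field of its SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4), so the example sends a minimal NEGOTIATE offering SMB 2.0.2 and 2.1, then reads the two flags back. The `check_server` and `sample_negotiate_response` helpers are assumptions of the example, and the sample response is constructed for offline testing.

```python
"""Read a server's SMB signing policy from its SMB2 NEGOTIATE response.

Added example; not part of the original post or of the Responder project.
Relaying succeeds against hosts where signing is merely enabled but not
required; confirming "required" on every server is the mitigation check.
"""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_HEADER = "<4sHHIHHIIQIIQ16s"   # 64-byte SMB2 packet header, little-endian


def build_negotiate_request(dialects=(0x0202, 0x0210)) -> bytes:
    """NEGOTIATE request offering SMB 2.0.2 and 2.1, with the NetBIOS length prefix."""
    header = struct.pack(
        SMB2_HEADER, SMB2_MAGIC, 64, 0, 0,   # ProtocolId, StructureSize, CreditCharge, Status
        SMB2_NEGOTIATE, 1, 0, 0,             # Command, CreditRequest, Flags, NextCommand
        0, 0, 0, 0, b"\x00" * 16,            # MessageId, Reserved, TreeId, SessionId, Signature
    )
    body = struct.pack(
        "<HHHHI16sQ", 36, len(dialects), SMB2_NEGOTIATE_SIGNING_ENABLED, 0, 0,
        uuid.uuid4().bytes, 0,               # ClientGuid, ClientStartTime
    ) + b"".join(struct.pack("<H", d) for d in dialects)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg


def parse_negotiate_response(msg: bytes) -> dict:
    """Extract dialect and signing flags; msg excludes the 4-byte NetBIOS prefix."""
    if len(msg) < 70 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command {command} / status {status:#010x}")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if structure_size != 65:
        raise ValueError("not a NEGOTIATE response body")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def sample_negotiate_response(security_mode: int) -> bytes:
    """Constructed SMB 2.1 NEGOTIATE response (no security blob) for offline testing."""
    header = struct.pack(SMB2_HEADER, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)   # Flags: SERVER_TO_REDIR
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, 0x0210, 0, b"\x00" * 16,   # StructureSize, SecurityMode, Dialect, Reserved, ServerGuid
        0, 65536, 65536, 65536,                        # Capabilities, MaxTransact/Read/WriteSize
        0, 0, 128, 0, 0,                               # SystemTime, ServerStartTime, SecBuf offset/len, ctx offset
    ) + b"\x00"
    return header + body


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message arrived")
        buf += chunk
    return buf


def check_server(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Negotiate with a real server on port 445 and report its signing policy."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        length = struct.unpack(">I", _recv_exact(sock, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(sock, length))


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        r = check_server(host)
        verdict = ("required" if r["signing_required"]
                   else "enabled only" if r["signing_enabled"] else "disabled")
        print(f"{host}: dialect {r['dialect']:#06x}, signing {verdict}")
```

Run it with one or more of your own server addresses as arguments. "Enabled only" is the state that matters: the server will sign if asked but will still accept an unsigned, relayed session, so it belongs on the remediation list alongside "disabled".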

FindSQLSrv Example Usage: This tool doesn't have any arguments, just run it!

The Icmp-Redirect tool allows you to redirect traffic on a network so that it passes through your own machine. This is an effective MITM technique; however, it only works on Windows XP, 2003 and older. The early service packs for XP patched this issue, which means this tool will only work on very old infrastructure. Use the -h flag to discover the parameters; this tool is self-explanatory.

Example Usage: Icmp-Redirect.py -I <interface> -i <your IP> -g <gateway> -t <target> -r <destination target, e.g. DNS server>

The rest of the files in the tools directory, such as RunFingerPackets and odict, are simply library files for the tools and do not have any standalone functionality.

Summary

Responder is an excellent network exploitation tool; whilst it was originally designed to work with just LLMNR and NBNS, its many in-built servers offer significant potential for use with other tools. Utilising methods like ARP and DNS spoofing, or the tools provided in the tools directory, can expand the power of Responder beyond the norm. In the next article we will discuss some advanced methods for attacking networks with Responder, such as the creation of malicious desktop.ini files and the multiple ways in which you can use these to conquer a Windows network.