• This repository has been archived on 07/Aug/2020
  • Stars
    star
    4,197
  • Rank 10,305 (Top 0.3 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created about 12 years ago
  • Updated over 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

â›” [DEPRECATED] Active at https://github.com/lgandx/Responder

Responder.py

LLMNR/NBT-NS/mDNS Poisoner

Author: Laurent Gaffie <[email protected] > http://www.spiderlabs.com

Intro

Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB.

The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.

Features

  • Built-in SMB Auth server.

Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. This functionality is enabled by default when the tool is launched.

  • Built-in MSSQL Auth server.

In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.

  • Built-in HTTP Auth server.

In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.

Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can now send your custom files to a victim.

  • Built-in HTTPS Auth server.

Same as above. The folder certs/ contains 2 default keys, including a dummy private key. This is intentional, the purpose is to have Responder working out of the box. A script was added in case you need to generate your own self signed key pair.

  • Built-in LDAP Auth server.

In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.

  • Built-in FTP, POP3, IMAP, SMTP Auth servers.

This modules will collect clear text credentials.

  • Built-in DNS server.

This server will answer type A queries. This is really handy when it's combined with ARP spoofing.

  • Built-in WPAD Proxy Server.

This module will capture all HTTP requests from anyone launching Internet Explorer on the network if they have "Auto-detect settings" enabled. This module is highly effective. You can configure your custom PAC script in Responder.conf and inject HTML into the server's responses. See Responder.conf.

  • Browser Listener

This module allows to find the PDC in stealth mode.

  • Fingerprinting

When the option -f is used, Responder will fingerprint every host who issued an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode.

  • Icmp Redirect

    python tools/Icmp-Redirect.py

For MITM on Windows XP/2003 and earlier Domain members. This attack combined with the DNS module is pretty effective.

  • Rogue DHCP

    python tools/DHCP.py

DHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform answer to set your IP address as a primary DNS server, and your own WPAD URL.

  • Analyze mode.

This module allows you to see NBT-NS, BROWSER, LLMNR, DNS requests on the network without poisoning any responses. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks are plausible on your subnet.

Hashes

All hashes are printed to stdout and dumped in an unique file John Jumbo compliant, using this format:

(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt

Log files are located in the "logs/" folder. Hashes will be logged and printed only once per user per hash type, unless you are using the Verbose mode (-v).

  • Responder will logs all its activity to Responder-Session.log
  • Analyze mode will be logged to Analyze-Session.log
  • Poisoning will be logged to Poisoners-Session.log

Additionally, all captured hashed are logged into an SQLite database which you can configure in Responder.conf

Considerations

  • This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.

  • If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.

  • For Ubuntu users:

Edit this file /etc/NetworkManager/NetworkManager.conf and comment the line: dns=dnsmasq. Then kill dnsmasq with this command (as root): killall dnsmasq -9

  • Any rogue server can be turned off in Responder.conf.

  • This tool is not meant to work on Windows.

  • For OSX, please note: Responder must be launched with an IP address for the -i flag (e.g. -i YOUR_IP_ADDR). There is no native support in OSX for custom interface binding. Using -i en1 will not work. Also to run Responder with the best experience, run the following as root:

    launchcl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.smbd.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist

Usage

First of all, please take a look at Responder.conf and tweak it for your needs.

Running the tool:

./Responder.py [options]

Typical Usage Example:

./Responder.py -I eth0 -wrf

Options:

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                        BROWSER, LLMNR requests without responding.
  -I eth0, --interface=eth0
                        Network interface to use
  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
  -r, --wredir          Enable answers for netbios wredir suffix queries.
                        Answering to wredir will likely break stuff on the
                        network. Default: False
  -d, --NBTNSdomain     Enable answers for netbios domain suffix queries.
                        Answering to domain suffixes will likely break stuff
                        on the network. Default: False
  -f, --fingerprint     This option allows you to fingerprint a host that
                        issued an NBT-NS or LLMNR query.
  -w, --wpad            Start the WPAD rogue proxy server. Default value is
                        False
  -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
                        Upstream HTTP proxy used by the rogue WPAD Proxy for
                        outgoing requests (format: host:port)
  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
                        retrieval. This may cause a login prompt. Default:
                        False
  --lm                  Force LM hashing downgrade for Windows XP/2003 and
                        earlier. Default: False
  -v, --verbose         Increase verbosity.

Copyright

NBT-NS/LLMNR Responder Created by Laurent Gaffie Copyright (C) 2013 Trustwave Holdings, Inc.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/

More Repositories

1

ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence.
C++
6,764
star
2

owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
Perl
2,404
star
3

ModSecurity-nginx

ModSecurity v3 Nginx Connector
Perl
1,334
star
4

HostHunter

HostHunter a recon tool for discovering hostnames using OSINT techniques.
Python
890
star
5

portia

Portia aims to automate a number of techniques commonly performed on internal network penetration tests after a low privileged account has been compromised.
PowerShell
497
star
6

MCIR

The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerability testbeds. MCIR is also a collection of configurable vulnerability testbeds.
PHP
435
star
7

DoHC2

DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).
C#
432
star
8

scavenger

scavenger : is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as "interesting" files containing sensitive information.
Python
320
star
9

SharpCompile

SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime. This is a more slick approach than manually compiling an .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from adhoc PowerShell execution instead creating a temporary assembly and executing using beacon's 'execute-assembly' in seconds.
C#
288
star
10

malware-analysis

A repository of tools and scripts related to malware analysis
Ruby
236
star
11

Nmap-Tools

SpiderLabs shared Nmap Tools
Lua
227
star
12

ikeforce

Python
226
star
13

snappy

Python
219
star
14

CryptOMG

CryptOMG is a configurable CTF style test bed that highlights common flaws in cryptographic implementations.
PHP
188
star
15

jboss-autopwn

A JBoss script for obtaining remote shell access
Shell
171
star
16

cribdrag

cribdrag - an interactive crib dragging tool for cryptanalysis on ciphertext generated with reused or predictable stream cipher keys
Python
168
star
17

Airachnid-Burp-Extension

A Burp Extension to test applications for vulnerability to the Web Cache Deception attack
Java
136
star
18

beef_injection_framework

Inject beef hooks into HTTP traffic and track hooked systems from cmdline
Ruby
122
star
19

SQLol

A configurable SQL injection test-bed
PHP
121
star
20

cve_server

Simple REST-style web service for the CVE searching
Ruby
97
star
21

msfrpc

Perl/Python modules for interfacing with Metasploit MSGRPC
Python
91
star
22

ModSecurity-apache

ModSecurity v3 Apache Connector
Perl
86
star
23

IOCs-IDPS

This repository will hold PCAP IOC data related with known malware samples (owner: Bryant Smith)
84
star
24

burplay

Burplay is a Burp Extension allowing for replaying any number of requests using same modifications definition. Its main purpose is to aid in searching for Privilege Escalation issues.
Java
82
star
25

BurpNotesExtension

Burp Notes Extension is a plugin for Burp Suite that adds a Notes tab. The tool aims to better organize external files that are created during penetration testing.
Java
66
star
26

KoreLogic-Rules

Updated version of the 2010 KoreLogic password cracking rules for John the Ripper
61
star
27

thicknet

TCP session interception and injection framework
Perl
56
star
28

BlackByteDecryptor

C#
55
star
29

groupenum

Python
54
star
30

ModSecurity-log-utilities

Set of CLI tools to transform ModSecurity logs into a meaningful information, given a context.
Python
47
star
31

Firework

Firework is a proof of concept tool to interact with Microsoft Workplaces creating valid files required for the provisioning process.
Python
46
star
32

UPnP-request-generator

A tool to parse UPnP descriptor XML files and generate SOAP control requests for use with Burp Suite or netcat
PHP
45
star
33

ackack

A program to monitor network traffic and detect unauthorized sessions.
Perl
40
star
34

OWASP-CRS-Documentation

Documentation for the OWASP CRS project
Python
40
star
35

batchyDNS

A reconnaissance tool that can quickly discover hostnames from a list of IP addresses.
Perl
39
star
36

microphisher

µphisher spear phishing tool (reference implementation)
Ruby
38
star
37

deblaze

Performs method enumeration and interrogation against flash remoting end points.
Python
37
star
38

ModSecurity-status

ModSecurity status
JavaScript
34
star
39

XMLmao

A configurable XPath/XML injection testbed
PHP
33
star
40

net-tns

Net::TNS, a Ruby library for connecting to Oracle databases.
Ruby
33
star
41

deface

A Java Server Faces (JSF) testing tool for decoding view state and creating view state attack vectors.
Java
30
star
42

yara-ruby

Ruby bindings for the yara file analysis and classification library
Ruby
30
star
43

owasp-distributed-web-honeypots

Repository for the OWASP/WASC Distributed Web Honeypots Project -
Shell
28
star
44

oracle_pwd_tools

Oracle Database 12c password brute forcer
Python
27
star
45

ModSecurity-pcap

The ModSecurity Pcap Connector
C++
25
star
46

cerealbox

Arduino-based network monitor
Java
24
star
47

ModSecurity-Python-bindings

Python bindings for libModSecurity (aka ModSecurity v3)
Python
23
star
48

pingback

Python
21
star
49

modsecurity-mlogc-ng

Next generation remote logging tool for ModSecurity, supporting native and JSON format.
C
21
star
50

modsec-sdbm-util

Utility to manipulate SDBM files used by ModSecurity. With that utility it is possible to _shrink_ SDBM databases. It is also possible to list the SDBM contents with filters such as: expired or invalid items only.
C
21
star
51

XSSmh

XSSmh - A configurable Cross-Site Scripting testbed
PHP
18
star
52

advisories-poc

C
18
star
53

masher

multiple password 'asher using Python’s hashlib
Python
16
star
54

OWASP-CRS-regressions

Regression tests for OWASP CRS v3
Python
16
star
55

ShelLOL

A configurable OS shell command injection vulnerability testbed
PHP
16
star
56

secrules-language-evaluation

Set of Python scripts to perform SecRules language evaluation on a given http request.
Python
14
star
57

secrules-language-tests

Set of test cases that can be used to test custom implementations of the SecRules language (ModSecurity rules format).
Perl
12
star
58

Keystone

This repository contains the scripts released under the "Keystone Rocks" series of the SpiderLabs blog
Perl
11
star
59

nrfdump

Python script for dumping firmware from read-back protected nRF51 chips
Python
9
star
60

TWSL2011-007_iOS_code_workaround

Workaround for the vulnerability identified by TWSL2011-007 or CVE-2008-0228 - iOS x509 Certificate Chain Validation Vulnerability
Objective-C
7
star
61

json_crypto_helper

Ruby
7
star
62

Jorogumo

Red Team Stored XSS SVG phishing-companion tool with the ability to serve a malicious login page, or clone an html page and implement custom javascript. It then generates a relevant SVG.
Python
6
star
63

zpminternational

5
star
64

REvil_config

Configuration file for REvil / Kaseya July campaign
4
star
65

Misc

A repository for miscellaneous files shared by SpiderLabs
2
star
66

Scripts

Various Scripts
1
star
67

Grandoreiro-decryptor

Grandoreiro decryptor and DGA generator (26.May.2022)
Python
1
star