Responder Fun

5 minute read

While researching some ways in which to obtain Domain Admin within an organization, I started playing around with Responder and figured I would share a quick walkthrough. Some of these methods are a bit dated but after talking with various pen testers and red teamers, they’re still VERY applicable even today.

Overview

The process is relatively simple

  • Start a rogue HTTP & SMB service
    • Capture NETNTLM hashes by LLMNR & NBT-NS poisoning
  • Crack the recently discovered hashes
    • Use dictionary based hash cracking to allow for asset login access
  • Harvest credentials on acquired asset
    • Pull cleartext passwords from memory, SAM file, and Active Directory MSCACHE cached credentials
  • Move laterally for domain admin credentials
    • Login with newly acquired credentials and harvest credentials until Domain Administrator credentials have been obtained

The steps are as follows

  • Obtain NETNTLM hashes by poisoning
  • Crack password hashes
  • Log into machine with cracked password
  • Harvest additional credentials
  • Log into additional assets with new credentials
  • Rinse and repeat until target acquired

Terms

SMB - Server Message Block
LLMNR - Link-Local Multicast Name Resolution
NBT-NS - Netbios Name Service
NETNTLM - NT LAN Manager

Tools

Responder
Hashcat
SMBExec - which uses WCE

Starting a rogue HTTP & SMB service

ACTION: LLMNR & NBT-NS poisoning
RESULT: Allows for NETNTLM hashes to be captured

Here’s a simplified sketch of what we want to happen

Animated LLMNR Attack

So to start our rogue HTTP & SMB service, we’ll use responder

Responder Help

A simple example for usage would be responder -I eth0

Once it’s kicked off, we simply wait for the requests to pour in. Your results should resemble the below output

LLMNR poisoned answer sent to this IP: <IP>. The requested name was : testing123.
[+]SMB-NTLMv2 hash captured from :  <IP>
Domain is : WORKGROUP
User is : testuser
[+]SMB complete hash is : user1::WORKGROUP:<really long hash>

Cracking the recently discovered hashes

ACTION: Use dictionary based hash cracking
RESULT: Clear text credential that will allow login access to asset

For sake of example, I chose to do dictionary based cracking with Hashcat. It’s simply a numbers game at this point as we will grab as many credentials as possible and throw a solid wordlist against it.

Hashcat Help

Hashcat Usage

Once successful, the output would look similar to below

Hashcat Result

Harvest credentials on acquired asset

ACTION: Pull cleartext passwords from memory
RESULT: Additional credentials obtained to move to other assets

So at this point we have a credential, so we’re just going to log into the machine and harvest additional credentials. We’ll use a tool called SMBExec to dump password hashes from the SAM file, memory, and AD MSCACHE cached credentials.

SMBExec Help

This tool is pretty straight forward and has menu options to guide you through the process. Once completed you should have something that looks similar to the text below

Choice: 2
Target IP, host list, or nmap XML file [1 hosts identified] : 
Username [localadmin] : 
Password or hash (<LM>:<NTLM>) [Pass: password] : 
Domain [domain1] :

Then a listing of the credentials will be dumped for you

The best part about SMB hashes are that they can be vulnerable to pass-the-hash attacks so no need to waste the time cracking them. This works because SMB logins do not use a salt. The hash equals access to the correct response to the server challenge.

Move laterally for domain admin credentials

ACTION: Log in with acquired credentials to various assets in search for Domain Admin credentials
RESULT: Domain Administrator credentials acquired

SMBExec has the ability to rapidly login to several assets to check for domain/enterprise admins that are logged in. So we just keep harvesting and moving onto other machines until we find what we’re looking for.

Choice: 7
Target IP, host list, or nmap XML file [No hosts identified] : <IP>
Username [No credentials provided] : <user>
Password or hash (<LM>:<NTLM>) [Pass: password] : Password1
Domain [LOCALHOST] : <DOMAIN>

Do you want to look for Domain/Enterprise processes? [y/n] y/n

Remote Login Validation
[ + ] <IP> - Remote access identified as user1
[ + ] <IP> - Admin Administrator1 logged in
[ + ] <IP> - Admin domainadmin1 logged in

There you have it!

Extra Credit - WPAD

Another popular (and dirty trick) is WPAD Poisoning/MITM attacks

On a corporate network, a DNS entry for “WPAD” should point to a proxy server that hosts a “wpad.dat” file, which tells the browser where to direct its internet traffic. If that DNS query fails, the client falls back to WINS, and finally resorts to a local broadcast to find a host named “WPAD” on the network.

The trick comes in when we answer that broadcast. We can even host the “wpad.dat” file ourselves that requires basic authentication so they have to enter in their plain text credentials

In many OS installs “Automatically detect settings” is enabled by default, thus allowing this attack to be successful.

Settings

To set this up you can use responder to start up your own WPAD rogue proxy server

Responder WPAD Usage

The results should look similar to the text below. Keep in mind that you can force basic authentication which can return cleartext credentials but it will prompt the user. In an enterprise environment this could be the norm and not raise suspicion.

[ * ] [LLMNR] Poisoned answer sent to <IP> for name wpad
[HTTP] NTLMv2 Client: <IP>
[HTTP] NTLMv2 Username: dom\user1
[HTTP] NTLMv2 Hash: <Really long hash>

Prevention

Personally, I feel that these attacks are due to poor habits, legacy systems, and a dash of laziness. Of course, the following list is not exhaustive and should be researched in greater detail.

  • Disable LLMNR and NBT-NS if at all possible
  • To mitigate WPAD attack, add an entry for “wpad” in your DNS zone or disable the autodetect proxy settings
  • MFA, password rotation, enforcing password policy, contextual authentication
  • Set up advanced monitoring
  • Least privilege model, no personal HPA accounts
  • Limit DA logins and clear memory

Conclusion

After experimenting and talking with fellow pen testers, the results are quite staggering. Most conclude that they eventually get domain admin over 80% of the time with these methods. Naturally you can combine this with something like Metasploit or your very own tool to either automate, make it quieter, or just plain faster. In many cases, attackers are spraying usernames and passwords/hashes all over the network and seeing what sticks. Primarily you should focus on how loud you can be and what your ultimate goal is; having some familiarity of what’s the “norm” at the organization certainly doesn’t hurt either.

You May Also Enjoy

USB Drop Assessment Guide

17 minute read

I recently did a talk at RVASec (great con btw) regarding USB drop assessments. I hesitated on submitting the talk as I was concerned that the interest level...

Introduction to Shodan

6 minute read

Shodan gets a bad rap. Many of you have probably heard the connotation that Shodan is “the world’s most dangerous search engine” or “dark Google” and it’s so...