Quick Creds with Responder and Kali Linux

Tool website: https://github.com/lgandx/Responder
Tool Author: Laurent Gaffie

Responder is a powerful tool for quickly gaining credentials and possibly even remote system access. It is a LLMNR, NBT-NS & MDNS poisoner that is easy to use and very effective against vulnerable networks.

For the last few years one of the favorite tools in the pentester’s toolbox has been Responder. Responder works by imitating several services and offering them to the network. Once a Windows system is tricked into communicating to responder via one of these services or when an incorrect UNC share name is searched for on the LAN, responder will respond to the request, grab the username & password hash and log them. Responder has the ability to prompt users for credentials when certain network services are requested, resulting in clear text passwords. It can also perform pass-the-hash style attacks and provide remote shells.

In this article we will see how to use Responder in Kali Linux. In the next article we will dig a little deeper and look at some of the additional tools that are included with Responder.

Basic Usage

Responder is installed by default in Kali Linux. To view the Responder help screen and see what options are available, just use the “-h” switch.

Kali Linux Responder 1

From the help screen, the usage is:

responder -I eth0 -w -r -f

or:

responder -I eth0 -wrf

So, basically run the program, provide your network interface with the “-I” switch and then any other switches that you want. You can combine the switches together if you wish, as shown in the second usage example above. You can also use the verbose switch, “-v” to increase the text output of the program for more formation.

Analyze mode

A good place to start is “Analyze mode”. This mode runs responder but it does not respond to requests. It is specified with the “-A” switch. This can be handy to see what types of requests on the network responder could respond to, without actually doing it.

Kali Linux Responder 2

Any events will be shown on the screen, as below:

Kali Linux Responder 3

Analyze mode is also a good way to passively discover possible target systems.

Enough intro, let’s see Responder in action.

Poisoning with Responder

You can start Responder with the basic poisoner defaults by just typing:

responder -I eth0

Kali Linux Responder 4

Responder will poison responses and, if it can, capture any credentials. If a user tries to connect to a non-existing server share, Responder will answer the request and prompt them with a login prompt for access. If they enter their credentials, Responder will display and save the password hash:

Kali Linux Responder 5

We could then take the hash and attempt to crack it.

Basic Authentication & WPAD

WPAD is used in some corporate environments to automatically provide the Internet proxy for web browsers. Many Internet browsers have “enable system proxy” set by default in their internet settings, so they will seek out a WPAD server for a proxy address.

We can enable WPAD support in Responder to have it respond to these requests. If we use WPAD with the “Force Basic Authentication” option, Responder prompts users with a login screen when they try to surf the web and grabs the entered creds in clear text.

Command:

Responder -I eth0 -wbF

  • -w” Starts the WPAD Server
  • -b” Enables basic HTTP authentication
  • -F” Forces authentication for WPAD (a login prompt)

Kali Linux Responder 6

When a user goes to surf the web, the browser will reach out for proxy settings using WPAD. Responder will respond to the request and trigger a login prompt:

Kali Linux Responder 7

If the user enters their credentials, you get a copy of them in clear text. No cracking needed!

Kali Linux Responder 8

As you can see in the picture above, the user “Joe User” is using the password, “SuperSecurePassword”, which it isn’t.  🙂

Log Files

Log files for Responder are located in the /usr/share/responder/logs directory:

Kali Linux Responder 9

Along with the regular program log files, any credentials recovered will be stored in a file that includes the IP address of the target. You can view these files to see the hash or clear text creds:

Kali Linux Responder 10

If only the password hashes were recovered you can take the hash file and use it directly with your favorite cracking program:

john [responder password hash file]

Kali Linux Responder 11

Obviously, this is just an example as corporate networks should never allow “12345” as a password. But sadly enough, I have seen companies remove password complexity requirements so users could continue to use simple passwords.

Conclusion

In this article we saw how easy it is to use Responder to obtain both clear text and password hashes. How would you defend against this tool?

Basic Network Security Monitoring (NSM) will pick up and flag Basic plain text authentication attempts and WPAD auto-proxy requests. This is just one reason why NSM is so important.

You can disable the services that Responder is taking advantage of, but you must be sure that this will not affect your network functionality before you do, especially in environments with old systems still running.

For WPAD based attacks, provide an entry for WPAD in DNS, or don’t use the “system proxy” setting in the browser.

In the next article, we will look at some of the extra tools included with Responder.

 

Advertisements

Book Review: Basic Security Testing with Kali Linux 2

Basic Kali 2

A fully updated version of the very popular “Basic Security Testing with Kali Linux” is now available! Now totally re-written from the ground up to cover the new Kali Linux “2016-Rolling” with the latest pentesting tools and Ethical Hacking techniques.

I was honestly shocked how well received the first Basic Security Testing book was received by the security community. But all in all, it was my first book attempt and definitely had room for improvement. I was flooded with requests and advice from students, instructors and even military personnel on recommended changes and ways the book could be improved.

I took every comment to heart and with the help of an amazing editorial and reviewer team, that included a computer security professor and a CTF player, created Basic Security Testing 2!

What’s new:

  • Completely re-written to cover topics more logically
  • Better lab layout that is used consistently throughout the book
  • Written for the latest version of Kali (Kali 2.0 “Sana” & Kali “2016-Rolling”)
  • Includes an introduction chapter for the new Kali 2016-Rolling
  • All tools sections have been updated – old tools removed, new tools updated
  • Now uses PowerShell for most of the remote Windows Shells
  • XP removed, Windows 7 used as the main Windows target (though Windows 10 is mentioned a couple times  🙂  )
  • More tool explanations and techniques included
  • 70 pages longer than original book

What’s the same:

  • Learn by doing
  • Hands on, Step-by-Step tutorials
  • Plenty of pictures to make steps more understandable
  • Covers the same major topics as the original, but using the latest tools
  • The front cover, well, except for the “2”!

My goal was to provide a common sense Ethical Hacking how-to manual that would be useful to both new and veteran security professionals. And hopefully I have accomplished that task. Thank you to everyone for your continuous support and feedback, it is greatly appreciated!

So what are you waiting for, check it out!

Basic Security Testing with Kali Linux 2

 

 

 

 

New NSA Director Rogers Speaks on NSA Spying, Snowden

Last week a host of government and industry security experts met at the Reuters Cybersecurity Summit in Washington. During the summit NSA Director and CyberCommand Commander Admiral Rogers shared his views on NSA privacy issues, Snowden and the threats we face today.

Director Rogers, the new head of the NSA, inherits a mess. American citizen trust in the NSA and other government intelligence organizations hit an all time low after Edward Snowden “blew the whistle” on questionable practices at the agency.

Rogers will not only have to try to restore public faith in the NSA, he will have to deal with the fallout.

“They’re changing the way they communicate,” Admiral Rogers said concerning NSA targets. Foreign nations, terror groups and others targeted by the NSA have taken direct measures to protect themselves from current American collection techniques.

And while many see Snowden as a hero, they neglect to see that his actions go far beyond bringing attention to NSA spying and US citizen privacy.

“Mr. Snowden stole from the United States government and national security a large amount of very classified information, a small portion of which is germane to his apparent central argument regarding NSA and privacy issues. The great majority of which has zero to do with those viewpoints,” Director Rogers said.

“I would characterize it as … a broad range about NSA capabilities against a range of traditional military targets, issues of concern to the nation,” Rogers added. “Nothing to do with privacy rights or actions that NSA does or does not take involving citizens of the United States.”

Snowden then took this classified information and ended up seeking asylum in Russia, of all places…

Director Rogers has a full plate in front of him – leading US CyberCommand, and not only directing but fixing the public image of the NSA. And, honestly I could not think of a better man for the job.

When watching news about government spying in the ’70s with his family, Rogers turned to his father and said, “Dad, what kind of nation would we ever want to be that would allow something like this to happen?

What kind of nation indeed.

Rogers is highly regarded in both the military and the intelligence community. He also seems to be a man of integrity and a great leader. If anyone can right the ship, my money is on him.

Iran inside US Navy Unclassified Intranet System for Four Months

Navy NMCI

It took the Navy longer than previously reported to remove Iranian hackers from the Navy and Marine Corps Intranet (NMCI). According to the Wall Street Journal, the hackers had access to the system last year for four months.

The hackers were able to gain access via a hole in a public facing website and conducted surveillance on the intranet, though a senior official told the WSJ that no emails were hacked and no data was extracted.

The NMCI is the largest enterprise network in the world and second only to the internet itself in size. It handles about 70% of the Department of the Navy’s IT needs. It encompasses more than 360,000 computers and 4,100 servers connected together in over 600 locations.

The sheer size of this network makes is very difficult to secure. IT specialists have to make sure everything is kept updated and all security issues are dealt with on the hundreds of thousands of systems.

Attackers just need to find one opening to exploit.

Then once someone does gain access into a network of this size, it can take a long time for security specialists to analyze what was touched, what was compromised and what, if any, backdoors were left.

Though the system is the Navy’s unclassified network, the fact that Iran was able to gain access to this military intranet is very concerning.

It was a real big deal, it was a significant penetration that showed a weakness in the system.” a senior official told the WSJ.

Of interest to this story too, is that just five days after the breach was initially disclosed last year, an Iranian cyber commander was apparently assassinated.

Iranian Cyber Commander Mojtaba Ahmadi’s body was found in a remote area near Karaj. Initial police reports stated that he has shot by two men on a motorbike.

An eyewitness reported that there were “two bullet wounds on his body”, and that ‘”The extent of his injuries indicated that he had been assassinated from a close range with a pistol“.

This style of attack seems to be a very similar to a tactic used by Israeli secret agents.

Though it has not been proved that Israel was involved, and Iranian officials later denied that Ahmadi was assassinated – One thing seems true, physical responses for cyber attacks seem to be on the table.

And, you don’t mess with the United States Marine Corps!