Quick Creds with Responder and Kali Linux

Tool website: https://github.com/lgandx/Responder
Tool Author: Laurent Gaffie

Responder is a powerful tool for quickly gaining credentials and possibly even remote system access. It is a LLMNR, NBT-NS & MDNS poisoner that is easy to use and very effective against vulnerable networks.

For the last few years one of the favorite tools in the pentester’s toolbox has been Responder. Responder works by imitating several services and offering them to the network. Once a Windows system is tricked into communicating to responder via one of these services or when an incorrect UNC share name is searched for on the LAN, responder will respond to the request, grab the username & password hash and log them. Responder has the ability to prompt users for credentials when certain network services are requested, resulting in clear text passwords. It can also perform pass-the-hash style attacks and provide remote shells.

In this article we will see how to use Responder in Kali Linux. In the next article we will dig a little deeper and look at some of the additional tools that are included with Responder.

Basic Usage

Responder is installed by default in Kali Linux. To view the Responder help screen and see what options are available, just use the “-h” switch.

Kali Linux Responder 1

From the help screen, the usage is:

responder -I eth0 -w -r -f

or:

responder -I eth0 -wrf

So, basically run the program, provide your network interface with the “-I” switch and then any other switches that you want. You can combine the switches together if you wish, as shown in the second usage example above. You can also use the verbose switch, “-v” to increase the text output of the program for more formation.

Analyze mode

A good place to start is “Analyze mode”. This mode runs responder but it does not respond to requests. It is specified with the “-A” switch. This can be handy to see what types of requests on the network responder could respond to, without actually doing it.

Kali Linux Responder 2

Any events will be shown on the screen, as below:

Kali Linux Responder 3

Analyze mode is also a good way to passively discover possible target systems.

Enough intro, let’s see Responder in action.

Poisoning with Responder

You can start Responder with the basic poisoner defaults by just typing:

responder -I eth0

Kali Linux Responder 4

Responder will poison responses and, if it can, capture any credentials. If a user tries to connect to a non-existing server share, Responder will answer the request and prompt them with a login prompt for access. If they enter their credentials, Responder will display and save the password hash:

Kali Linux Responder 5

We could then take the hash and attempt to crack it.

Basic Authentication & WPAD

WPAD is used in some corporate environments to automatically provide the Internet proxy for web browsers. Many Internet browsers have “enable system proxy” set by default in their internet settings, so they will seek out a WPAD server for a proxy address.

We can enable WPAD support in Responder to have it respond to these requests. If we use WPAD with the “Force Basic Authentication” option, Responder prompts users with a login screen when they try to surf the web and grabs the entered creds in clear text.

Command:

Responder -I eth0 -wbF

  • -w” Starts the WPAD Server
  • -b” Enables basic HTTP authentication
  • -F” Forces authentication for WPAD (a login prompt)

Kali Linux Responder 6

When a user goes to surf the web, the browser will reach out for proxy settings using WPAD. Responder will respond to the request and trigger a login prompt:

Kali Linux Responder 7

If the user enters their credentials, you get a copy of them in clear text. No cracking needed!

Kali Linux Responder 8

As you can see in the picture above, the user “Joe User” is using the password, “SuperSecurePassword”, which it isn’t.  🙂

Log Files

Log files for Responder are located in the /usr/share/responder/logs directory:

Kali Linux Responder 9

Along with the regular program log files, any credentials recovered will be stored in a file that includes the IP address of the target. You can view these files to see the hash or clear text creds:

Kali Linux Responder 10

If only the password hashes were recovered you can take the hash file and use it directly with your favorite cracking program:

john [responder password hash file]

Kali Linux Responder 11

Obviously, this is just an example as corporate networks should never allow “12345” as a password. But sadly enough, I have seen companies remove password complexity requirements so users could continue to use simple passwords.

Conclusion

In this article we saw how easy it is to use Responder to obtain both clear text and password hashes. How would you defend against this tool?

Basic Network Security Monitoring (NSM) will pick up and flag Basic plain text authentication attempts and WPAD auto-proxy requests. This is just one reason why NSM is so important.

You can disable the services that Responder is taking advantage of, but you must be sure that this will not affect your network functionality before you do, especially in environments with old systems still running.

For WPAD based attacks, provide an entry for WPAD in DNS, or don’t use the “system proxy” setting in the browser.

In the next article, we will look at some of the extra tools included with Responder.

 

Advertisements

Kali Linux 2017.2 – New Tools Overview

Kali 2017 new tools

Last week, Kali announced the release of Kali Linux 2017.2! The new version is a collection of all updates and fixes since the last release, but also includes several new tools. In this article we will see what new tools were installed and take a closer look at some of them.

Note: The tools are not installed automatically, but are available from the repositories. So, to use them, you will need to ‘apt-install’ the ones you want.

New tools

  • APT2
  • B374K
  • BloodHound
  • BruteSpray
  • ChangeMe
  • CrackMapExec
  • CredDump7
  • Crowbar
  • Dbeaver
  • hURL
  • Phishery
  • RedSnarf
  • Secure-Socket-Funneling
  • SSH-Audit
  • Tinfoleak
  • Wgetpaste

Let’s take a closer look at some of the tools.

APT2 – An Automated Penetration Testing Toolkit

Website: https://github.com/MooseDojo/apt2

Kali 2017.2 New Tools 1

APT2 performs an NMap scan (or import scans from Nexpose, Nessus, or NMap) and launches enumeration modules and exploits against the target. Options are set in the “default.cfg” file:

Kali 2017.2 New Tools 2

Quick Usage

  • Start Metasploit and run the following command:

load msgrpc User=msf Pass=msfpass ServerPort=55552

Kali 2017.2 New Tools 3

This is needed as when APT2 runs, it it is able to open any remote sessions they will show up in Metasploit.

Then launch APT2 against a target:

apt2 -v -s 1 -b –target 192.168.1.135

The program scans the target, and will automatically begin to attack the target based on the safety level (-s) that you choose.

Any vulnerabilities are listed, and reports are saved to the designated directory:

Kali 2017.2 New Tools 4

A html report file is saved in the “Reports” folder. The “proofs” folder contains a lot of information and results from the scan:

Kali 2017.2 New Tools 5

 

BruteSpray – Service Brute Force tool

Website: https://github.com/x90skysn3k/brutespray

Kali 2017.2 New Tools 6

BruteSpray takes nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa.

Quick Usage

Run nmap scan and save output, then start Brutespray in interactive mode:

brutespray –file nmap.xml -i

Kali 2017.2 New Tools 7

You can also run it in manual mode by supplying specific information using switches. See the help file or tool website for more information.

Crowbar

Website: https://github.com/galkan/crowbar

Kali 2017.2 New Tools 8

A brute forcing tool that supports OpenVPN, Remote Desktop Protocol, SSH Private Keys and VNC Keys.

Quick Usage

RDP target with known user and password:

crowbar -b -rdp -s 192.168.1.204/32 -u test -c monkey

Kali 2017.2 New Tools 9

Crowbar can be run against a single target or range of targets. It can use individual passwords, password lists and SSH or VNC keys. See tool website for more examples.

Redsnarf

Tool website: https://github.com/nccgroup/redsnarf

Kali 2017.2 New Tools 10

Redsnarf is a pen-testing / red-teaming tool by Ed Williams for retrieving hashes and credentials from Windows workstations, servers and domain controllers

Redsnarf looks like a very useful tool that has a ton of features.  It targets Windows computers and can pull information from the system, recover passwords, enable remote access, run remote shells and much more.

I ran it against a local test Windows 7 desktop system, and it would only run when UAC was totally disabled on the system. So, this seems to be a great post-exploitation tool.

Quick Usage

Information dump with a known admin user name and password:

redsnarf -H ip=192.168.1.93 -u dan -p password

Kali 2017.2 New Tools 11

Information including passwords and shares is displayed and saved to the log directory.

Remote Command shell

Redsnarf has the capability to create several different types of shells.

redsnarf -H ip=192.168.1.93 -u dan -p password -d WIN-42ORBM3SRVF -uD y

Running the command above will connect to the target system and list available shells, as seen below:

Kali 2017.2 New Tools 12

Stealth Mimikatz

The Stealth Mimikatz option is pretty interesting. It creates a webserver on the target system, pulls the system creds and downloads them in plain text:

redsnarf -H ip=192.168.1.93 -u dan -p password -d WIN-42ORBM3SRVF -hR y

Kali 2017.2 New Tools 13

Logging

Whenever you run a command, the program provides you with a directory that contains the program logs. The logs contain a lot of important information gleaned from the system:

Kali 2017.2 New Tools 14

Conclusion

In this article we discussed a few of the new tools included with Kali Linux. Kali Linux is the most feature rich computer security testing platform available and it continues to grow as new tools and capabilities are constantly added.

If you are new to Kali or a seasoned user interested in learning more, check out my “Security Testing with Kali Linux” book series:

Basic Security Testing with Kali Linux

Intermediate Security Testing with Kali Linux

Security Testing with Kali NetHunter

And keep an eye out for the upcoming, “Advanced Security Testing with Kali Linux”.

Network Reconnaissance with Recon-NG – Basic Usage

I am working on a major update for my first book, “Basic Security Testing with Kali Linux”. Since it was published, the Recon-NG tool has changed a bit. I figured I would post a series of articles on how to use the newer Recon-NG.

The Recon-NG Framework is a powerful tool that allows you to perform automated information gathering and network reconnaissance. Recon-NG automates a lot of the steps that are taken in the initial process of a penetration test. You can automatically hit numerous websites to gather passive information on your target and even actively probe the target itself for data. It has numerous features that allow you to collect user information for social engineering attacks, and network information for network mapping and much more.

Think of it as Metasploit for information collection. Anyone who is familiar with Metasploit will feel right at home as the interface was made to have the same look and feel. The command use and process flow are very similar. Basically you can use Recon-NG to gather info on your target, and then attack it with Metasploit.

Using Recon-NG

You can start Recon-NG by selecting it from the ‘Applications > Information Gathering’ menu, or from the command line:

  • Open a terminal window by clicking on the “Terminal” icon on the quick start bar
  • Type, “recon-ng”:

Basic Recon-ng 1

Type, “help” to bring up a list of commands:

Basic Recon-ng 2

Now type, “show modules” to display a list of available modules:

Basic Recon-ng 3

Modules are used to actually perform the recon process. As you can see there are several different ones available. Go ahead and read down through the module list. Some are passive; they never touch the target network, while some directly probe and can even attack the system you are interested in. If you are familiar with the older version of Recon-NG you will notice that the module names look slightly different. Kali 2 includes the latest version of Recon-NG, and the module name layout has changed from previous versions.

The basic layout is:

Basic Recon-ng 4

1. Module Type: Recon – This is a reconnaissance module.
2. Conversion Action: Domains-hosts – Converts data from “Domains” to “hostnames”.
3. Vehicle used to perform Action: Google _Site_Web – Google is used to perform the search.

So from this module name we can see that it is a recon module that uses Google’s web site search to convert Domain Names to individual Hosts attached to that domain.
When you have found a module that you would like to try the process is fairly straight forward.

  • Type, “use [Modulename]” to use the module
  • Type, “show info” to view information about the module
  • And then, “show options” to see what variables can be set
  • Set the option variables with “set [variable]”
  • Finally, type “run” to execute the module

Stay tuned for additional Recon-NG articles and my re-vamped Basic Kali book. Also, check out my latest book, “Intermediate Security Testing with Kali Linux 2” which contains almost 500 pages packed full of step-by-step tutorials using the latest penetration testing tools!

Intermediate Security Testing with Kali Linux 2 Released!

Security Series

Introducing my new book, “Intermediate Security Testing with Kali Linux 2“!

The second book in my Kali Linux series has been released. Picking up where “Basic Security Testing with Kali Linux” left off, this book delves deeper into using post exploitation techniques. It also covers Web Application testing using tools like Burp Suite. It then turns to testing smart devices like Android Phones and tablets. And even includes an entire section on using the Forensics tools in Kali to perform computer security testing.

Topics Include:

  • New Metasploit Features and Commands
  • Creating Shells with Msfvenom
  • Post Modules & Railgun
  • PowerShell for Post Exploitation
  • Web Application Pentesting
  • How to use Burp Suite
  • Security Testing Android Devices
  • Forensics Tools for Security Testing
  • Security Testing an Internet of Things (IoT) Device

And much, much more!

This book was originally written for the first version of Kali and was ready to be released last month. But as the new Kali 2.0 was released I held the book back and completely updated the entire book from beginning to end to cover the new OS and any tool changes. So in essence as it took about a year and a half to write this book, all the information in it has been updated as of this month!

If you are still using the original Kali, not a problem the tools work the same in both versions, though I do recommend updating to the new Kali 2.0 as it has a much better interface and menu system. If you are still using Backtrack, please update to Kali 2 you will thank yourself!

The second book dwarfs the first in both size and content. I took to heart all of the feedback from my first book. I had a lot of request to add more tool coverage, so I added two entire chapters covering included tools and their use. Multiple people asked me to cover the forensics tools, so I added an entire section devoted to security testing with Kali’s Forensics tools. Several people had told me that the first book was confusing in places, as I had an extra month to work on the book before publishing, hopefully this book will be easier to follow and understand than the first.

I even included a chapter on testing Internet of Things (IoT) devices. As IoT devices are becoming all the rage, security testing them is of high importance. We will have an eye opening look at an actually physical security device in use today that has some serious vulnerabilities.

As always, thank you so much for your support and encouragement. The overwhelming support I have received from individual users, technical trainers, corporations, universities, law enforcement agencies and members of the military has been both humbling and an absolute honor. Thank you!

Intermediate Security Testing with Kali 2 Linux