{"id":4053,"date":"2016-04-02T05:01:46","date_gmt":"2016-04-01T21:01:46","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4053"},"modified":"2016-04-02T05:06:26","modified_gmt":"2016-04-01T21:06:26","slug":"responder-llmnr-mdns-nbt-ns-poisoner","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/04\/responder-llmnr-mdns-nbt-ns-poisoner\/","title":{"rendered":"Responder &#8211; LLMNR, MDNS and NBT-NS Poisoner"},"content":{"rendered":"<p>Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: <a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/163409\">NetBIOS Suffixes<\/a>). By default, the tool will only answer to File Server Service request, which is for SMB.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-4122\" src=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2016\/04\/6a0133f264aa62970b017d40608408970c-640x338.png\" alt=\"Responder - LLMNR, MDNS and NBT-NS Poisoner\" width=\"640\" height=\"338\" srcset=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2016\/04\/6a0133f264aa62970b017d40608408970c-640x338.png 640w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2016\/04\/6a0133f264aa62970b017d40608408970c.png 644w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don&#8217;t break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.<\/p>\n<h3>Features<\/h3>\n<ul>\n<li><strong>Built-in SMB Auth server<\/strong> &#8211; Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP.<\/li>\n<li><strong>Built-in MSSQL Auth server<\/strong> &#8211; Supports NTLMv1 and LMv2 hashes.<\/li>\n<li><strong>Built-in HTTP Auth server<\/strong> &#8211;  Supports NTLMv1, NTLMv2 hashes and Basic Authentication.<\/li>\n<li><strong>Built-in HTTPS Auth server<\/strong> &#8211; As above (comes with dummy keys).<\/li>\n<li><strong>Built-in LDAP Auth server<\/strong> &#8211; Supports NTLMSSP hashes and Simple Authentication (clear text authentication).<\/li>\n<li><strong>Built-in FTP, POP3, IMAP, SMTP Auth servers<\/strong> &#8211; Supports collection of clear text credentials.<\/li>\n<li><strong>Built-in DNS server<\/strong> &#8211; This server will answer type A queries, combine with ARP spoofing.<\/li>\n<li><strong>Built-in WPAD Proxy Server<\/strong> &#8211;  Will capture all HTTP requests from IE users with &#8220;Auto-detect settings&#8221; enabled.<\/li>\n<li><strong>Browser Listener<\/strong> &#8211; This module allows you to find the PDC in stealth mode.<\/li>\n<li><strong>Fingerprinting<\/strong> &#8211; Will fingerprint every host who issued an LLMNR\/NBT-NS query.<\/li>\n<li><strong>ICMP Redirect<\/strong> &#8211; For MITM on Windows XP\/2003 and earlier Domain members.<\/li>\n<li><strong>Rogue DHCP<\/strong> &#8211; Supports DHCP Inform Spoofing.<\/li>\n<li><strong>Analyze mode<\/strong> &#8211; Allows you to see NBT-NS, BROWSER, LLMNR, DNS requests without poisoning.<\/li>\n<\/ul>\n<h3>Usage<\/h3>\n<p>Before starting take a look at <code>Responder.conf<\/code> and tweak it to your requirements.<\/p>\n<pre>.\/Responder.py [options]\r\n\r\n--version             show program's version number and exit\r\n  -h, --help            show this help message and exit\r\n  -A, --analyze         Analyze mode. This option allows you to see NBT-NS,\r\n                        BROWSER, LLMNR requests without responding.\r\n  -I eth0, --interface=eth0\r\n                        Network interface to use\r\n  -b, --basic           Return a Basic HTTP authentication. Default: NTLM\r\n  -r, --wredir          Enable answers for netbios wredir suffix queries.\r\n                        Answering to wredir will likely break stuff on the\r\n                        network. Default: False\r\n  -d, --NBTNSdomain     Enable answers for netbios domain suffix queries.\r\n                        Answering to domain suffixes will likely break stuff\r\n                        on the network. Default: False\r\n  -f, --fingerprint     This option allows you to fingerprint a host that\r\n                        issued an NBT-NS or LLMNR query.\r\n  -w, --wpad            Start the WPAD rogue proxy server. Default value is\r\n                        False\r\n  -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY\r\n                        Upstream HTTP proxy used by the rogue WPAD Proxy for\r\n                        outgoing requests (format: host:port)\r\n  -F, --ForceWpadAuth   Force NTLM\/Basic authentication on wpad.dat file\r\n                        retrieval. This may cause a login prompt. Default:\r\n                        False\r\n  --lm                  Force LM hashing downgrade for Windows XP\/2003 and\r\n                        earlier. Default: False\r\n  -v, --verbose         Increase verbosity.<\/pre>\n<p>You can download Responder here:<\/p>\n<p><a href=\"https:\/\/github.com\/SpiderLabs\/Responder\/archive\/v2.3.0.zip\">Responder-v2.3.0.zip<\/a><\/p>\n<p>Or read more <a href=\"https:\/\/github.com\/SpiderLabs\/Responder\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: NetBIOS Suffixes). By default, the tool will only answer to File Server Service request, which is for SMB. The concept behind this is to target our answers, and be stealthier on [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"Responder is an LLMNR, MDNS and NBT-NS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[9,5,4],"tags":[6470],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4053"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4053"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4053\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}