Responder

Last updated 1 year ago

Theory:

In an Active Directory environment, multicast name resolution protocols are enabled by default.

There are several, such as:

  • LLMNR (Local-Link Multicast Name Resolution)

  • NBT-NS (NetBIOS Name Service)

  • mDNS (multicast Domain Name System).

What is LLMNR? Link-Local Multicast Name Resolution (LLMNR) is a protocol used in Windows operating systems to resolve the names of neighboring computers when DNS resolution fails. It works by sending multicast queries to the local network segment, allowing devices to resolve each other's names without a DNS server.

When DNS resolution fails, a Windows machine falls back to those multicast protocols. Windows systems attempt to resolve names in the following order: DNS, LLMNR, and NBT-NS.

It is possible for an attacker to use tools like Responder, which set up an SMB server waiting for requests. As soon as one of the multicast protocols is used, the attacker can answer these multicast or broadcast requests.

The victims are then redirected to the attacker, who asks them to authenticate in order to access what they requested. Thanks to tools like Responder, their authentication is captured in the form of NetNTLMv1/v2 hashes, which can then be relayed.
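A defensive counterpart to the theory above, written for this page and not taken from it or from the Responder project: a canary probe that sends an LLMNR query (RFC 4795 wire format, the same header and question layout as DNS) for a hostname that cannot exist on the segment. In a healthy network nobody answers, so any A-record reply is a host poisoning LLMNR the way the next section describes. The canary name prefix, the 2-second timeout and the use of the default outbound interface are assumptions of this example.

```python
import os, random, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port

def encode_name(name):
    # DNS-style label encoding used by LLMNR questions: <len><label>...<0>
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, txid):
    # Header: ID, flags=0 (standard query), QDCOUNT=1; question: name, type A, class IN
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(data, off):
    # Walk DNS-style labels; follow a compression pointer (0xC0xx) if one appears
    labels = []
    while data[off] != 0:
        n = data[off]
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(data, ptr)[0]]), off + 2
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_response(data, txid):
    # Return the A-record IPs in a reply to our query `txid`; [] if it is not our reply
    rid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    if rid != txid or not flags & 0x8000:         # wrong ID, or QR bit clear (not a response)
        return []
    off, ips = 12, []
    for _ in range(qd):                           # skip the echoed question(s)
        off = decode_name(data, off)[1] + 4
    for _ in range(an):
        off = decode_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def probe(timeout=2.0):
    # Canary name (assumed prefix) that no real host carries; any answer is a poisoner
    txid, name = random.getrandbits(16), "canary-" + os.urandom(3).hex()
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, (src, _) = s.recvfrom(4096)
    except socket.timeout:
        return name, None                         # silence is the healthy outcome
    return name, (src, parse_response(data, txid))
```

Call `probe()` from a host on the segment: `None` means nobody claimed the canary name, while a `(source_ip, [answer_ips])` tuple identifies the host that answered for a name that cannot exist.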

Practical Exploitation:

Intercepting LLMNR Requests: You can perform a Man-in-the-Middle attack with the tool Responder using the LLMNR and NBT-NS protocols if they are misconfigured.

sudo responder -I eth0

Forging Responses with Responder: Responder detects incoming LLMNR and NBT-NS queries and answers them with crafted malicious responses. These responses redirect victims to the attacker's machine:

sudo responder -I eth0 -wrf

There is a version of Responder for Windows (Responder-Windows):

Responder.exe -i eth0

Thus, it is possible to:

  • Harvesting Credentials: Responder can intercept plaintext credentials or NetNTLMv2 hashes by responding to authentication requests. When a victim attempts to access a network share, Responder captures the credentials or the NetNTLMv2 hash used for authentication.

  • Relay Attacks and NTLM Hash Capture: Additionally, Responder can facilitate relay attacks in combination with tools like ntlmrelayx, relaying captured credentials to other computers (only if SMB signing is disabled).

References

  • Introduction - The Hacker Recipes
  • GitHub - lgandx/Responder-Windows: Responder Windows Version Beta