Responder

Description

Responder is primarily an LLMNR and NBT-NS responder. It answers *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool only answers File Server Service requests, which are for SMB. The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. Set the -r option to 1 on the command line if you want the tool to also answer the Workstation Service request name suffix.
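The name suffix mentioned above is the 16th byte of the encoded NetBIOS name carried in each NBT-NS query. The following is an added example, not code from Responder: it decodes that byte from a query so captured traffic can be sorted by which names fall under the default selection rule and which only under -r 1. The function names and the sample host names are hypothetical, and the sample packets are constructed.

```python
import struct

# Suffixes named on this page; KB163409 lists the full table.
SUFFIXES = {0x20: "File Server Service", 0x00: "Workstation Service"}

def encode_name(name, suffix):
    """RFC 1001 first-level encoding: pad to 15 bytes, append the suffix
    byte, then map every nibble to a letter 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def build_query(name, suffix, txid=0x1337):
    """Constructed sample: a broadcast NBT-NS name query (not a capture)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name, suffix) + b"\x00"
    return header + question + struct.pack(">HH", 0x0020, 0x0001)

def parse_query(packet):
    """Return (name, suffix) for a name query, or None if it is not one."""
    if len(packet) < 50:  # 12 header + 1 length + 32 name + 1 NUL + 4
        return None
    _, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:  # response bit set, or odd count
        return None
    enc = packet[13:45]
    if packet[12] != 0x20 or packet[45] != 0:
        return None
    if any(not 0x41 <= c <= 0x50 for c in enc):
        return None
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def would_answer(suffix, wredir=0):
    """Selection rule as this page describes it (hypothetical helper)."""
    return suffix == 0x20 or (suffix == 0x00 and wredir == 1)

if __name__ == "__main__":
    for name, suffix in (("FILESRV01", 0x20), ("WKSTN07", 0x00)):
        parsed = parse_query(build_query(name, suffix))
        label = SUFFIXES.get(parsed[1], "other")
        print(parsed[0], hex(parsed[1]), label, would_answer(parsed[1]))
```
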

Usage

Syntax

responder -i 10.20.30.40 -b 1 -s On -r 0

Options

  -h, --help            show this help message and exit
  -i 10.20.30.40, --ip=10.20.30.40
                        The ip address to redirect the traffic to. (usually
                        yours)
  -b 0, --basic=0       Set this to 1 if you want to return a Basic HTTP
                        authentication. 0 will return an NTLM
                        authentication.This option is mandatory.
  -s Off, --http=Off    Set this to On or Off to start/stop the HTTP server.
                        Default value is On
  -S Off, --smb=Off     Set this to On or Off to start/stop the SMB server.
                        Default value is On
  -q Off, --sql=Off     Set this to On or Off to start/stop the SQL server.
                        Default value is On
  -r 0, --wredir=0      Set this to enable answers for netbios wredir suffix
                        queries. Answering to wredir will likely break stuff
                        on the network (like classics 'nbns spoofer' will).
                        Default value is therefore set to Off (0)
  -c 1122334455667788, --challenge=1122334455667788
                        The server challenge to set for NTLM authentication.
                        If not set, then defaults to 1122334455667788, the
                        most common challenge for existing Rainbow Tables
  -l Responder-Session.log, --logfile=Responder-Session.log
                        Log file to use for Responder session.
  -f Off, --fingerprint=Off
                        This option allows you to fingerprint a host that
                        issued an NBT-NS or LLMNR query.
  -F On, --ftp=On       Set this to On or Off to start/stop the FTP server.
                        Default value is On
  -L On, --ldap=On      Set this to On or Off to start/stop the LDAP server.
                        Default value is On
  -D On, --dns=On       Set this to On or Off to start/stop the DNS server.
                        Default value is On
  -w On, --wpad=On      Set this to On or Off to start/stop the WPAD rogue
                        proxy server. Default value is On

Example

cyborg@cyborg:~$ sudo responder -i 192.168.1.6 -w On -r 0 -f On
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C

[+]NBT-NS & LLMNR responder started
Global Parameters set
Challenge set is: 1122334455667788
WPAD Proxy Server is:ON
HTTP Server is:ON
SMB Server is:ON
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:ON