Breaking the passwords of users connected to an office network.

Introduction

Responder is a network traffic capturing tool, comparable to Wireshark. It was written by Laurent Gaffie as an internal network scanning tool; we use it to capture network traffic and, from that traffic, break the passwords of users connected to the office network. The tool includes poisoners for LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and DNS/MDNS (Domain Name System / Multicast DNS), along with HTTP options, poisoning options and generic options. It comes preinstalled in Kali Linux, where it can be found under the Sniffing & Spoofing menu.

Environment:

  • OS: Kali Linux 2019, 64 Bit
  • Kernel version: 5.2.0-kali2-amd64
Responder Diagram

Responder Help

  • For help, use the command responder -h.
  • This command shows all the options available in Responder.
  • -h prints the help.

Analyze mode

  • Next, we can use the command responder -I eth0 -A.
  • -A selects analyze mode.
  • Analyze mode is the best way to passively observe target systems: Responder logs the name requests it sees from every IP on the network without answering them.
Responder Analyze Mode

Poisoning with Responder

  • Next, we can use the command responder -I eth0. This captures traffic from every host connected to the LAN and shows the IP address, name and services.
  • -I selects the network interface.
Responder NTLMv2
  • After running this command, Responder captures the identity of a network user; one user's credentials can be seen in the picture above.
  • We have successfully captured the NTLMv2 hash of client IP 10.10.10.40, username Desktop-p93s4FK\acer.
  • We will use this NTLMv2 hash later to crack the user's password.
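The poisoning shown above relies on Responder answering every LLMNR name query it sees, including queries for names that do not exist. The following is an added example, not code from the original post or from the Responder project: a small Python probe a defender can run on the same LAN. It asks LLMNR for a random name nobody owns and reports any host that answers, which is exactly the behaviour to alert on. It assumes Python 3.8+ on a host in the same broadcast domain; the group address 224.0.0.252 and port 5355 are the standard LLMNR values from RFC 4795.

```python
import contextlib
import os
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Build an LLMNR A-record query; the wire format is the DNS one (RFC 4795)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # type A, class IN

def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a DNS-style name: labels ending in 0, or a 2-byte pointer."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += pkt[off] + 1
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def parse_answer_ips(pkt: bytes, txid: int) -> list:
    """Return the A-record addresses in a response to our txid, else []."""
    if len(pkt) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid or not flags & 0x8000 or an == 0:  # not a response to us
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        off = _skip_name(pkt, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ips

def probe(timeout: float = 2.0) -> list:
    """Ask for a random name nobody owns; any answerer is an LLMNR poisoner."""
    txid, hits = int.from_bytes(os.urandom(2), "big"), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        query = build_query("probe-" + os.urandom(4).hex(), txid)  # constructed name
        s.sendto(query, ("224.0.0.252", 5355))  # LLMNR multicast group and port
        with contextlib.suppress(socket.timeout):  # the timeout ends collection
            while True:
                data, (src, _) = s.recvfrom(1024)
                if ips := parse_answer_ips(data, txid):
                    hits.append((src, ips))  # (poisoner IP, address it served)
    return hits
```

Run probe() periodically from a monitoring host and alert on any non-empty result. Responder in analyze mode (-A) stays silent, so this only detects hosts that are actively poisoning.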

WPAD (Web Proxy Auto Discover)

  • WPAD (Web Proxy Auto-Discovery): many browsers have the system proxy setting enabled by default, so they look for a WPAD server in the office network to obtain a proxy address.
  • We can also enable the web proxy in our own system settings.
  • Open Network & Internet in Settings; the Proxy option is at the bottom. Click it and enable Use a proxy server under Manual proxy setup.
  • Next, we use the command responder -I eth0 -w -b -F
    • -w starts the WPAD rogue proxy server
    • -b enables basic HTTP authentication
    • -F forces authentication for WPAD
WPAD Proxy when OFF
WPAD Proxy ON
  • Next, we can use the command responder -I eth0 -wbF (the same three options combined).
  • With this command the user gets a login prompt.
    • -w starts the WPAD rogue proxy server
    • -b enables basic HTTP authentication
    • -F forces authentication for WPAD (the login prompt)
Authentication Required
  • If the user enters their credentials, we can see the username and password in plain text.
Login credentials

Time to crack Password

  • The NTLMv2 hash collected in the Poisoning with Responder section will be used to crack the user's password.
  • Responder's log files are located in the /usr/share/responder/logs directory.
Logs Directory
  • To list the log files, use the command ls
Log List
  • Next, use cat to view a log file: cat SMB-NTLMv2-SSP-10.10.10.192.txt
  • The file shows the computer name, username and hash.
SMB-NTLMv2 Hash
  • Now we can run John the Ripper against the captured NTLMv2 hash; the password it recovered is shown below.
Password of User