[Note: The content of this post has been copied from /r/Pentesting in case users wish to continue the discussion during the reddit API price gouging blackout]
Responder and NTLMRelayx
/u/ j_relic
I’m practicing pentesting using Responder. I’ve watched a few videos on YouTube, but I’m having issues. My setup: Windows Server 2019 VM, Windows 10 VM, and the latest Kali. I used a video to create the vulnerable Active Directory Environment (YouTube, the Cyber Mentor). Responder version 3.1.3.0.
I’ve been unable to capture hashes using LLMNR poisoning. Responder doesn’t send the LLMNR poisoned answer. In fact, the only answer it sends is MDNS.
I’ve also been unable to capture hashes using SMB Relay Attacks (with Responder and ntlmrelayx). According to the video I used, I ran nmap to determine the smb version I have for Windows Server 2019. I have smb3 (3.1.1), and “message signing enabled but not required.”
I made sure to modify any configurations within the Responder.conf file (according to the videos) as needed. Am I having these issues because SMB is version 3, and not 2 like in the videos? The videos are a few years old.
Any help is appreciated. Thanks. I would like to exploit these types of issues within my homelab setup.
/u/Danti1988
In your training environment, you don’t mention how you are generating traffic for responder to respond to. Set a scheduled task to map a network share that has an incorrect host name, dns will fail and fall back to netbios / llmnr and you will get a hash.
/u/ j_relic
Hi sorry about that—according to the video, I tried entering an incorrect share. For example, I typed //kl as the share and hit enter. Unfortunately, I didn’t get the same results as the video. In the video, the hashes are captured immediately. But for me, nothing. Instead, Edge opens up on the VM in an attempt to open the page as a web address that ultimately fails.
/u/Danti1988
Open run or file explorer and type //kl/blah. Also make sure responder is listening on the correct interface and both nics are on the same interface for the vms
/u/ j_relic
Unfortunately, same problem. The LLMNR poison isn’t sent, only MDNS. Responder sees the attempt, but nothing else further. I’ve verified that the interface is correct, and the VMs are on the same interface (for their respective nics). All poisoners are set to “On.”
/u/kaltec
Is the vm network adapter set to bridged mode? Kinda sounds like it might be in NAT
/u/Danti1988
If you type in //kaliIP/ are you seeing the hash? If not, it’s definitely a problem with your set up.