I haven’t seen too many blog posts on this topic, and I can assure you it’s not super original. However, it is extremely helpful for obtaining credentials during a pentest.
Imagine you’re trying to gain access to a client’s remote access tool (i.e. VPN, Citrix, VMware View, etc.), but you don’t currently have any credentials. You can try your luck and see if you can snag an NTLMv1/NTLMv2 hash to crack.
Much like using Responder in any other situation, you can use it to trick the Outlook email client into participating in an NTLM challenge-and-response exchange. This requires SMB to be allowed on egress, and the user would have to enable the display of remote content.
Here’s a terrible graph to illustrate my point:
Legend: Attacker == Red Guy, Target == Blue Guy
We will want to get Responder set up on an internet-facing server.
Next, we’ll want to embed a link to our Responder server in an email.
If the target opens the email within Outlook (and provided SMB/CIFS isn’t blocked on egress), we will get a response.
We can then crack the captured hashes offline using our preferred wordlist/rule combinations. This should hopefully yield credentials for further activities.
Here are some solutions to this problem:
- Block SMB/CIFS on egress.
- Disable the automatic downloading of external content.
- Implement a more stringent password policy and/or MFA.
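The first mitigation is also the easiest one to verify from the blue side: any workstation talking SMB to the internet is either a misconfiguration or someone's Responder server. The following Python script is an added, defender-side example and is not from the original post; it scans firewall log lines for outbound SMB (TCP 445/139) from internal hosts to external addresses. The log format, timestamps and IP addresses are constructed for the example, and the "internal" address space is assumed to be RFC 1918 (adjust `INTERNAL_NETS` to your own ranges).

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# Ports used by SMB/CIFS; either one leaving the network is suspicious.
SMB_PORTS = {445, 139}

# Constructed key=value firewall log format for this example.
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str  # "allow" means the egress filter let it through


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return the fields of one log line, or None for lines that don't match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_smb_egress(lines):
    """Flag TCP connections to SMB ports from an internal source to an external destination.

    Both allowed and denied attempts are returned: a denied one still tells you
    which host tried to reach an external SMB server (i.e. which user opened the mail).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        dport = int(rec["dport"])
        if dport not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], dport, rec["action"]))
    return findings


def allowed_only(findings):
    """The subset that actually got out, i.e. where the egress block is missing."""
    return [f for f in findings if f.action == "allow"]


def count_by_source(findings):
    """How many external SMB attempts each internal host made."""
    return dict(Counter(f.src for f in findings))


# Constructed sample log: two leaks, one blocked attempt, and benign traffic.
SAMPLE_LOG = [
    "2024-05-01T09:12:01Z action=allow src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=445",
    "2024-05-01T09:12:02Z action=allow src=10.1.2.3 dst=10.1.0.10 proto=tcp dport=445",
    "2024-05-01T09:12:03Z action=deny src=10.1.2.7 dst=198.51.100.9 proto=tcp dport=445",
    "2024-05-01T09:12:04Z action=allow src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=443",
    "2024-05-01T09:12:05Z action=allow src=10.1.2.9 dst=203.0.113.80 proto=tcp dport=139",
    "this line is not a firewall record and is skipped",
]

if __name__ == "__main__":
    hits = find_smb_egress(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.action:5} {f.src} -> {f.dst}:{f.dport}")
    print("allowed egress:", len(allowed_only(hits)), "by host:", count_by_source(hits))
```

The connection to an internal file server on 445 and the HTTPS connection are ignored; the two allowed connections to external hosts on 445/139 are the ones to alert on, and the denied attempt is still worth a look because it identifies the mailbox that rendered the remote content.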