Responder is essentially a Windows NTLM hash capturing tool that is also used to steal credentials and other sensitive information. It is used to quickly obtain credentials and remote access from a client system. It works as an LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and mDNS (Multicast DNS) poisoner, which is easy to use and effective against vulnerable networks. These are classic internal network attacks, and the protocols are enabled by default in Windows, largely because of low awareness. The flow looks like this: a user requests an incorrect SMB share address, the DNS server responds with ‘\SNARE01 – Not found’, the client then falls back to an LLMNR/NBT-NS broadcast, Responder answers that it is SNARE01 and accepts the NTLMv2 hash from the client's authentication attempt, and finally Responder sends an error back to the client.
Responder has become a favourite tool in the pentester's toolbox over the last few years. It works by imitating several services and offering them to the network. When a client connects, it grabs the username and password hash and logs them. It can also prompt users for their credentials when certain network services are requested, in which case the password arrives in clear text. It also provides remote shells by performing pass-the-hash style attacks.
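The mechanism above (a name nobody owns gets answered by the poisoner) can be turned around into a defensive check. The following is an added example, not part of the original post or of the Responder project: it sends an LLMNR query for a made-up name that no real host owns, so any answer must come from a poisoner, and it reports the answering source addresses. The canary name, transaction ID and multicast constants are assumptions; the packet layout follows the DNS wire format that LLMNR reuses.

```python
import socket
import struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and UDP port

def build_llmnr_query(name, txid):
    # DNS-style header (ID, flags=0 so QR=0, QDCOUNT=1) followed by one A/IN question.
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(data, off):
    while data[off] != 0:  # walk labels until the zero terminator
        if (data[off] & 0xC0) == 0xC0:
            return off + 2  # a compression pointer ends the name in two bytes
        off += data[off] + 1
    return off + 1

def parse_llmnr_answer(data, expected_txid):
    # Return the IPv4 addresses in A records of a response (QR=1) carrying our ID.
    if len(data) < 12:
        return []
    txid, flags, qd, an = struct.unpack(">HHHH", data[:8])
    if txid != expected_txid or not (flags & 0x8000):
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # question name, then QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def probe_for_poisoner(name="canary-does-not-exist", txid=0x4242, timeout=2.0):
    # No legitimate host owns the made-up (assumed) name, so every answering source is a poisoner.
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _) = s.recvfrom(1024)
                if parse_llmnr_answer(data, txid):
                    hits.append(src)
        except socket.timeout:
            return hits
```

Run `probe_for_poisoner()` from a monitoring host on the segment you want to watch; an empty list is the healthy result, and any address it returns is worth alerting on, together with disabling LLMNR and NBT-NS on the clients.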
Kali Linux = Attacker
Windows 10 = Victim
Let's take a look!!
Now open the Kali Linux machine and open a terminal from the desktop. First of all you need to download Responder with the following command.
git clone https://github.com/SpiderLabs/Responder.git
After the download completes, change into that directory.
cd Responder
You have reached your destination; start Responder by executing the following command.
./Responder.py -I eth0
After this you can observe that Responder starts listening on various ports, as listed in its startup output.
As proof, we will show you our local host address.
ifconfig
When the victim tries to connect to you via SMB, the victim's Windows logon NTLM hashes will come to you.
In the image below you can see that the NTLM hashes successfully reached the attacker.
Now you have to crack the NTLM hash into the plaintext password using the brute-force mode of the John the Ripper tool.
cd logs
john Netntlmv2.txt
Below you can see that we have successfully retrieved the password.
User = hp
Password = 1234567
If you want to check the open ports on your interface, use the following command. Now we will try to retrieve NTLM hashes through the FTP server.
As you know, we can access any FTP server through our browser.
When the victim enters their username and password to access the FTP server, they will come to the attacker.
Similarly, you can try several other ports to retrieve NTLM hashes.
A keen learner and passionate IT student. He has done Web designing, CCNA, RedHat, Ethical hacking, Network & web penetration testing. Currently, he is completing his graduation and learning about Red teaming, CTF challenges & Blue teaming.