Responder is an LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Not sure exactly what is going wrong but here are the steps I'm using to test:
Added a DNS entry to my "testing.local" domain called "testingserver.testing.local" (I know, inventive...)
Run Responder - default configuration w/ verbose
Open up LDP and connect
Bind as the current user:
Result:
ld = ldap_open("testingserver.testing.local", 389);
Established connection to testingserver.testing.local.
Retrieving base DSA information...
Getting 0 entries:
-----------
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Error <81>: ldap_bind_s() failed: Server Down.
Server error: <empty>
-----------
Nothing shows up on Responder at all to even say a connection happened even with verbosity.
UPDATE 1:
I tried again, turning the "encrypt traffic after bind" off and I got a hash.
Oddly enough "NTLM" didn't work in the Advanced setting:
UPDATE 2:
I attempted LDAP connection using certutil:
certutil -store "ldap://testingserver.testing.local/DC=testing,DC=local"
And that came straight back without any output from Responder.
UPDATE 3:
Super odd behavior. If I leave "Encrypt after bind" on and use the "Negotiate" advanced method with a random user, I get a hash; if I go back and tell it to use "Bind as currently logged in user" AFTER that, I get a hash. So I don't think "Encrypt after bind" was the problem.
UPDATE 4:
Simply attempting to bind twice seems to be what does it enough to get the hash.
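The bind methods tried in the report (Negotiate, NTLM, bind as current user) differ in the AuthenticationChoice the client places in its LDAP BindRequest, so logging that field on the listening side shows which form each attempt actually used. The following is an added example, not Responder's code and not part of the original report; it assumes LDP's Negotiate method appears on the wire as SASL GSS-SPNEGO and its NTLM method as one of Microsoft's Sicily choices, and its sample messages are constructed rather than captured.

```python
# Added example: name the AuthenticationChoice in an LDAP BindRequest (RFC 4511).
# Tags 0x89-0x8B are Microsoft's "Sicily" choices (MS-ADTS); samples are constructed.
AUTH_CHOICES = {0x80: "simple", 0xA3: "sasl", 0x89: "sicilyPackageDiscovery",
                0x8A: "sicilyNegotiate", 0x8B: "sicilyResponse"}

def read_tlv(buf, pos):
    """Decode one definite-length BER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low bits = count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(message):
    """Return the bind mechanism of one LDAPMessage, or None if it is not a bind."""
    tag, body, _ = read_tlv(message, 0)        # LDAPMessage ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)              # messageID
    tag, op, _ = read_tlv(body, pos)           # protocolOp
    if tag != 0x60:                            # [APPLICATION 0] = BindRequest
        return None
    _, _, pos = read_tlv(op, 0)                # version
    _, _, pos = read_tlv(op, pos)              # name (bind DN)
    tag, cred, _ = read_tlv(op, pos)           # authentication CHOICE
    kind = AUTH_CHOICES.get(tag, "unknown(0x%02x)" % tag)
    if kind == "sasl":                         # SaslCredentials starts with the mechanism
        _, mech, _ = read_tlv(cred, 0)
        kind += ":" + mech.decode("ascii", "replace")
    return kind

def tlv(tag, value):                           # builder for the constructed samples
    return bytes([tag, len(value)]) + value    # short-form lengths only (< 128)

def sample_bind(auth):                         # version 3, empty DN, given auth choice
    op = tlv(0x02, b"\x03") + tlv(0x04, b"") + auth
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, op))

SASL = sample_bind(tlv(0xA3, tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"\x00" * 4)))
SICILY = sample_bind(tlv(0x8A, b"NTLMSSP\x00\x01\x00\x00\x00"))
SIMPLE = sample_bind(tlv(0x80, b""))
```

Calling `classify_bind` on the first LDAPMessage of each connection and logging the result next to the client address makes it possible to compare the failed first bind with the second one that succeeded.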