lgandx / Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
GNU General Public License v3.0

Responder disrupting the network and can't capture hashes / wpad also doesn't capture #90

Closed xdu8026 closed 5 years ago

xdu8026 commented 5 years ago
  1. I found this article explaining the situation in the lab the best: https://markclayton.github.io/where-are-my-hashes-responder-observations.html
  2. When testing Responder in the lab with options -wPfv, Responder poisons LLMNR and NBT-NS for valid names but doesn't get the hash; also, while continuing to poison, it disrupts the network for the hosts that ask. When the Win 10 machine requests wpad, Responder poisons and gives the output "WPAD (no auth) file sent", but the HTTP User-Agent is WinHttp-Autoproxy-Service/5.1 and again there is no hash.
  3. I don't know if the options I test are wrong. I tried to emulate a scenario that is as silent as it can get while obtaining hashes, that's why I didn't use -r or -d, so as not to disrupt the network, but it disrupts it without them too. I also used -P instead of -F so as not to force a login prompt on the machine but get the hashes silently, but it didn't receive any.

Is the wpad -w option not working on IE 11 because in its default state it blocks proxy configurations, as stated in the article? Also, since poisoning valid requests causes a conflict, as in the article, and breaks the network for those valid requests, how can the hashes be captured without breaking it? Is it needed to use different options, or is it something else?

lgandx commented 5 years ago

Best would be to run it as: -rFvw. Let me know if it worked.

xdu8026 commented 5 years ago

Thanks for the reply and respect to the work you made on this great tool.

I will test it with the options you stated too. As far as I understand, the -F might force a login prompt; that's why I tested with the -P option, to try to emulate a more stealthy scenario without a prompt. You said it is best to run it as -rFvw.

From your experience and knowledge, what would be the best options to run with the -P proxy then? I mean, those are like the 2 main modes the tool can be run in, yes? 1. Get hashes with lower stealth and a chance of a prompt; 2. Proxy mode with stealth, where a prompt will be avoided. I tested with -wPfv because I wanted to simulate 2 goals: 1. Be as stealthy as possible, with no chance of a prompt popup; 2. Minimize the chance of breaking something, thus increasing stealth.

You point out that it would be best to run with the force auth -F; what are the advantages of it over -P, or the situations where -P doesn't work? Because, I mean, everybody would want to get the hashes without making the user see a random login prompt, so there should be something else that makes -P not always work?

lgandx commented 5 years ago

Responder's attacks are adaptive and sequential. I personally start with -A. When I get a good view of the network layout: -rPv. Depending on the output, I might switch to ARP spoof, with prerouting iptables rules for some specific hosts and ports, and use -rbv. Again, it always depends on the network layout... and users, and environment. It's a case by case thing.