SpiderLabs Responder Updates

Responder is a penetration-testing tool in active development. To continue making it the best tool it can be, we regularly update it in order to add new features and functionality based on user feedback (and we're one of those users). In this post we will cover some of the most recent changes to Responder and how Responder has grown into a feature-rich exploitation tool. If you are unfamiliar with Responder, read more here or here.

New Functionalities in Responder:

  • Customizable default configuration file

    • A number of CLI switches have been moved to this configuration file to streamline functionality.

    • More below.

  • Bound listening on a specific network interface.

  • Scoping improvements to only answer requests from target IP addresses.

  • New options to serve files to target systems: Serve-Always and Serve-Exe.

  • Custom Proxy Auto-Configuration (PAC) script.

  • User-specified HTML to target systems post "authentication".

How to use the configuration file:

The new "Responder.conf" file holds the settings for a number of Responder options, including several new features. In this file you can specify:

  • Status of the rogue authentication servers

  • Log file name

  • NTLM challenge string

  • IP address on the local system to which Responder should be bound

  • A white list of target IP addresses—useful when you have a test that is limited in scope, and you need to poison a specific list of targets.

The configuration file also contains a 'HTTP Server' section where you will find some new options:

  • Serve-Exe: When Responder sees a .exe extension in a requested URL, the target system is served a specified .exe. By default this is our custom SpiderLabs bind shell executable, FixInternet.exe.

  • Serve-Always: If you are using WPAD (-w On), a specified file is served to all your targets.

  • Filename: Used with the Serve-Always option to specify the file to be served to target systems.

  • ExecFilename: Used with the Serve-Always option to specify a .exe to be served to target systems.

  • WPADScript: Used to specify your custom PAC script.

  • HTMLToServe: Used to specify an HTML page to be served to the target after the HTTP/HTTPS rogue server completes an NTLM authentication. By default, we provide a redirection to an SMB server with an LM hash downgrade.

More Information on the New Responder Wushu:

With this release, Responder now provides an option in the configuration file, Serve-Always, to always send a specific file to a victim after successful authentication (Basic and NTLM) via HTTP/HTTPS. These new features are used in conjunction with the established "-w On" WPAD MiTM and "-r On" options.

Included in this release is an example Denied.html file. Specified by the "Filename" option in the configuration file, this HTML file displays a custom web page when served to target systems. The following picture reflects this scenario:

  • Responder is launched this way: python Responder.py -i Attacker_IP -r On -w On
  • The victim runs a fully updated Windows 2003/XP/2008r2/7/8/2012 with default settings, whether or not it is part of a domain, and even with the network profile set to Public. The only user interaction is opening Internet Explorer *.

When a victim clicks on the "Proxy Client" link, Responder will serve the default "FixInternet.exe" bind shell backdoor. The bind shell will listen on TCP port 140 of the target IP address. If you wish to serve a different executable, you can specify it with the "ExecFilename" option in the configuration file. Whatever file you serve, it is always displayed to the victim as "ProxyClient.exe".

In this specific example, we're trying to persuade the user to run our malicious executable by convincing them that they must do so to restore their Internet access.

These new "Serve-Always" and "Serve-Exe" options, when combined with the "-w On" WPAD MiTM and "-r On" WREDIR options, will result in Responder serving the specified file/page to all your targets for each web request.
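For blue teams reviewing an engagement, the default behaviour described above leaves three observable traces: a PAC file answered by a host that is not a sanctioned proxy, a download presented as "ProxyClient.exe", and connections to TCP port 140 on a workstation. The following sketch is an added example, not part of Responder or of the original post; the JSON record format, field names, and addresses are constructed for illustration, and it assumes your log source records the file name offered to the client.

```python
import json

# Assumption: hosts allowed to serve PAC files on this network (constructed value).
AUTHORIZED_PAC_SERVERS = {"10.0.0.5"}
BIND_SHELL_PORT = 140             # default FixInternet.exe listener, per the post
SERVED_NAME = "proxyclient.exe"   # name shown to the victim, per the post

# Constructed sample records; this schema is hypothetical, not a real product's.
SAMPLE_LOG = """\
{"kind":"http","client":"10.0.0.21","server":"10.0.0.5","uri":"/wpad.dat","filename":""}
{"kind":"http","client":"10.0.0.22","server":"10.0.0.66","uri":"/wpad.dat","filename":""}
{"kind":"http","client":"10.0.0.22","server":"10.0.0.66","uri":"/index.html","filename":"ProxyClient.exe"}
{"kind":"conn","client":"10.0.0.66","server":"10.0.0.22","dport":140}
{"kind":"conn","client":"10.0.0.21","server":"10.0.0.5","dport":443}
not-json garbage line
"""

def detect(log_text):
    """Return a list of (rule, suspect_host, victim_host) findings."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the whole run
        if not isinstance(rec, dict):
            continue
        kind = rec.get("kind")
        if kind == "http":
            uri = str(rec.get("uri", "")).lower().split("?")[0]
            if uri.endswith("/wpad.dat") and rec.get("server") not in AUTHORIZED_PAC_SERVERS:
                findings.append(("rogue-wpad", rec.get("server"), rec.get("client")))
            if str(rec.get("filename", "")).lower() == SERVED_NAME:
                findings.append(("proxyclient-download", rec.get("server"), rec.get("client")))
        elif kind == "conn" and rec.get("dport") == BIND_SHELL_PORT:
            findings.append(("port-140-connect", rec.get("client"), rec.get("server")))
    return findings

def correlate(findings):
    """Hosts flagged as suspect by more than one rule are the strongest leads."""
    rules_by_host = {}
    for rule, suspect, _victim in findings:
        rules_by_host.setdefault(suspect, set()).add(rule)
    return {h: sorted(r) for h, r in rules_by_host.items() if len(r) > 1}

if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    print(results)
    print(correlate(results))
```

Because "ExecFilename" and the served file are configurable, the port and file-name rules only catch the defaults; the unsanctioned PAC server rule is the most durable of the three.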

I would like to thank my colleagues here at SpiderLabs for their feedback regarding Responder. Their input helped me in developing this in-house pentest tool into a fun application that can now help penetration testers gain control of workstations and Domain Controllers, within minutes.

For latest updates, you can follow us on Twitter: https://twitter.com/PythonResponder
