SpiderLabs Responder Updates

Responder is a penetration-testing tool in active development. To keep making it the best tool it can be, we regularly update it with new features and functionality based on user feedback (and we're one of those users). In this post we cover some of the most recent changes to Responder and how it has grown into a feature-rich exploitation tool. If you are unfamiliar with Responder, read more here or here.

New Functionalities in Responder:

  • Customizable default configuration file.

    • A number of CLI switches have been moved into this configuration file to streamline usage.

    • More on this below.

  • Binding the listeners to a specific network interface.

  • Scoping improvements so that only requests from target IP addresses are answered.

  • New options to serve files to target systems: Serve-Always and Serve-Exe.

  • Custom Proxy Auto-Configuration (PAC) script.

  • User-specified HTML served to target systems after "authentication".

How to use the configuration file:

The new "Responder.conf" file centralizes a number of Responder options, including several new features. In this file you can specify:

  • Which rogue authentication servers are enabled

  • Log file name

  • NTLM challenge string

  • IP address on the local system to which Responder should be bound

  • A white list of target IP addresses, useful when a test is limited in scope and you need to poison only a specific list of targets.

The configuration file also contains an 'HTTP Server' section with some new options:

  • Serve-Exe: When Responder sees a .exe extension in a requested URL, the target system is served a specified .exe; by default this is our custom SpiderLabs bind shell executable, FixInternet.exe.

  • Serve-Always: When WPAD is enabled (-w On), a specified file is served to all of your targets.

  • Filename: Used with the Serve-Always option to specify the file to be served to target systems.

  • ExecFilename: Used with the Serve-Always option to specify a .exe to be served to target systems.

  • WPADScript: Used to specify your custom PAC script.

  • HTMLToServe: Used to specify an HTML page to be served to the target after the HTTP/HTTPS rogue server completes an NTLM authentication; by default, we provide a redirection to an SMB server with an LM hash downgrade.

More Information on the New Responder Wushu:

With this release, Responder now provides an option in the configuration file, Serve-Always, to always send a specific file to a victim after successful authentication (Basic and NTLM) via HTTP/HTTPS. These new features are used in conjunction with the established "-w On" WPAD MiTM and "-r On" options.

Included in this release is an example Denied.html file. Specified by the "Filename" option in the configuration file, this HTML file displays a custom webpage when served to target systems. The scenario shown in the screenshot is as follows:

  • Responder is launched this way: python Responder.py -i Attacker_IP -r On -w On
  • The victim runs a fully updated Windows 2003/XP/2008 R2/7/8/2012 with default settings, whether or not it is joined to a domain, and even with its network profile set to Public. The only user interaction is opening Internet Explorer *.

When a victim clicks on the "Proxy Client" link, Responder serves the default "FixInternet.exe" bind shell backdoor. The bind shell listens on the target IP address, TCP port 140. If you wish to serve a different executable, specify a different file using the "ExecFilename" option in the configuration file. Whatever file you are serving, it is always displayed to the victim as "ProxyClient.exe".

In this specific example, we're trying to persuade the user to run our malicious executable by convincing them that they must do so to restore their Internet access.

These new "Serve-Always" and "Serve-Exe" options, when combined with the "-w On" WPAD MiTM and "-r On" WREDIR options, will result in Responder serving the specified file/page to all your targets for each web request.
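Seen from the defensive side, the chain described above leaves traces in ordinary proxy and host telemetry: a PAC file handed out by a host that is not the sanctioned proxy, an executable download such as ProxyClient.exe from that same host, and a new listener on TCP 140. The following Python is an added detection sketch, not code from this post or from Responder; the log lines, the sanctioned proxy address 10.0.0.5 and the listener inventory are constructed assumptions.

```python
"""Hunt constructed sample logs for the traces a rogue WPAD/HTTP server leaves behind:
a PAC file served by an unsanctioned host, an executable downloaded from that host,
and a new listener on TCP 140 (the default bind-shell port named in the post)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: 10.0.0.5 is the organisation's only legitimate proxy / PAC server.
SANCTIONED_PAC_SERVERS = {"10.0.0.5"}
BINDSHELL_PORTS = {140}
PAC_PATH = re.compile(r"(^|/)wpad\.dat$|\.pac$", re.I)

# Constructed proxy/egress log lines: client server method url status
HTTP_LOG = [
    "10.0.0.21 10.0.0.5  GET http://wpad/wpad.dat 200",
    "10.0.0.22 10.0.0.99 GET http://wpad/wpad.dat 200",
    "10.0.0.22 10.0.0.99 GET http://10.0.0.99/ProxyClient.exe 200",
    "10.0.0.23 10.0.0.7  GET http://intranet/index.html 401",
]
# Constructed listener inventory from the same hosts: (client_ip, proto, local_addr)
LISTENERS = [("10.0.0.22", "tcp", "0.0.0.0:140"), ("10.0.0.22", "tcp", "0.0.0.0:445")]

def scan_http(lines, sanctioned=SANCTIONED_PAC_SERVERS):
    """Return (indicator, client, detail) tuples for suspicious HTTP transactions."""
    hits = []
    for line in lines:
        client, server, _method, url, status = line.split()
        path = urlparse(url).path
        if PAC_PATH.search(path) and server not in sanctioned:
            hits.append(("rogue_pac", client, server))
        if status == "200" and path.lower().endswith(".exe"):
            hits.append(("exe_download", client, path.rsplit("/", 1)[-1]))
    return hits

def scan_listeners(listeners, ports=BINDSHELL_PORTS):
    """Flag hosts with a TCP listener on a port the post associates with the served bind shell."""
    return [("bindshell_port", host, addr) for host, proto, addr in listeners
            if proto == "tcp" and int(addr.rsplit(":", 1)[1]) in ports]

def correlate(hits):
    """Group indicators per client; two or more distinct indicators marks a high-priority host."""
    per_client = defaultdict(set)
    for indicator, client, _detail in hits:
        per_client[client].add(indicator)
    return {c: sorted(i) for c, i in per_client.items() if len(i) >= 2}

if __name__ == "__main__":
    all_hits = scan_http(HTTP_LOG) + scan_listeners(LISTENERS)
    for hit in all_hits:
        print(hit)
    print("high priority:", correlate(all_hits))
```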

I would like to thank my colleagues here at SpiderLabs for their feedback regarding Responder. Their input helped me develop this in-house pentest tool into a fun application that can now help penetration testers gain control of workstations and Domain Controllers within minutes.

For latest updates, you can follow us on Twitter: https://twitter.com/PythonResponder
