Perform an Active Online Attack to Crack the System’s Password using Responder, then use John the Ripper to crack the captured password hashes

Süleyman Çelik
Oct 10, 2021


LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two core components of Windows OSes that perform name resolution for hosts on the same link. Both services are enabled by default in Windows OSes and can be abused to capture a user’s password hashes.

Since awareness of this attack is low, there is a good chance of acquiring user credentials during an internal network penetration test. By listening for LLMNR/NBT-NS broadcast requests, an attacker can spoof the server and send a response claiming to be the legitimate host. Once the victim system accepts the connection, the victim’s user credentials can be captured with a tool such as Responder.py.

Responder is an LLMNR, NBT-NS, and mDNS poisoner. It responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool only responds to File Server Service requests, which are used for SMB.
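To make the mechanism concrete from the defender’s side, here is an added Python example (not part of the original post and not code from the Responder project) that decodes the DNS-style LLMNR packets a listener on UDP/5355 sees and applies the standard canary check: query a name that cannot legitimately exist and treat any host that answers it as a poisoner. Every packet, name and address in it is constructed; the canary name, the transaction ids and the helper names are my own.

```python
"""Decode LLMNR (RFC 4795) packets and flag hosts that answer a canary name.

LLMNR reuses the DNS wire format on UDP port 5355 (multicast 224.0.0.252).
A poisoner answers every query it hears, so a defender can query a name
that cannot exist and treat any answer as evidence of a poisoner.
Added example; every packet, name and address below is constructed.
"""
from __future__ import annotations

import ipaddress
import struct

LLMNR_PORT = 5355
LLMNR_GROUP = "224.0.0.252"


def _encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, zero-byte terminator."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at offset; returns (name, offset after it). Follows
    0xC0xx compression pointers so answers from real stacks parse too."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_llmnr(packet: bytes) -> dict:
    """Return transaction id, response flag, questions and A-record answers."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", packet[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = _read_name(packet, offset)
        qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "qtype": qtype})
    for _ in range(an):
        name, offset = _read_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:              # A record
            answers.append({"name": name, "ip": str(ipaddress.IPv4Address(rdata)), "ttl": ttl})
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def build_query(tid: int, name: str) -> bytes:
    """Encode the single-question A query a Windows host multicasts."""
    return struct.pack("!6H", tid, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(tid: int, name: str, ip: str) -> bytes:
    """Encode a response carrying one A record; used here only to fabricate test input."""
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rr = _encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!6H", tid, 0x8000, 1, 1, 0, 0) + question + rr


def find_poisoners(canary: str, packets: list[tuple[str, bytes]]) -> list[str]:
    """packets are (source_ip, udp_payload) pairs seen on UDP/5355. Any host
    that answers the canary name is reported: no legitimate host owns it."""
    hits = set()
    for src, payload in packets:
        parsed = parse_llmnr(payload)
        if parsed["is_response"] and any(a["name"].lower() == canary.lower()
                                         for a in parsed["answers"]):
            hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    canary = "canary-7f3a9c"                        # random name nobody should own
    seen = [("10.10.10.10", build_query(7, canary)),
            ("10.10.10.9", build_answer(7, canary, "10.10.10.9"))]
    print("poisoner(s):", find_poisoners(canary, seen))   # ['10.10.10.9']
```

In live use the (source IP, payload) pairs come from a socket joined to 224.0.0.252 on port 5355 and the canary is a fresh random label each probe; the check itself is unchanged, and a hit is worth an alert because a correctly configured host never claims a name it does not have.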

Here, we will use the Responder tool to extract information such as the target system’s OS version, client version, NTLM client IP address, and NTLM username and password hash.

-In this task, the Ubuntu machine (10.10.10.9) is the host machine and the Windows 10 machine (10.10.10.10) is the target machine; both machines are on the same network.

-Open the Ubuntu machine.

-Then click Windows 10 to switch to the Windows 10 machine and press Ctrl+Alt+Delete to activate it. Click Jason in the left-hand pane and enter the password qwerty.

-Click Ubuntu to switch to the Ubuntu machine. In the left pane, under the Activities list, scroll down and click the Terminal icon to open a Terminal window.

-In the Terminal window, type cd Responder and press Enter to navigate to the Responder tool folder.

-If you get logged out of the Ubuntu machine, double-click on the screen, enter the password toor, and press Enter.

-Type chmod +x ./Responder.py and press Enter to make the script executable.

-Type sudo ./Responder.py -I eth0 and press Enter. In the password for ubuntu field, type toor and press Enter to run the Responder tool.

The password that you type will not be visible.

-I: specifies the interface (here, eth0).

-Responder starts listening to the network interface for events, as shown in the screenshot.

-Open the Windows 10 machine, right-click on the Start icon, and click Run.

-The Run window appears; type \\CEH-Tools in the Open field and click OK.

-Leave the Windows 10 machine as it is and click Ubuntu to switch back to the Ubuntu machine.

-Responder starts capturing the access attempts from the Windows 10 machine. It collects the NTLMv2 hashes of the user logged in to the target machine, as shown in the screenshot.

-By default, Responder stores the logs in Home/Responder/logs. Navigate to the same location and double-click the SMB-NTLMv2-SSP-10.10.10.10.txt file.

-A log file appears, displaying the hashes recorded from the target system user, as shown in the screenshot.
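Each line in that log has a fixed layout, User::Domain:ServerChallenge:NTProofStr:Blob, which is the netntlmv2 format John the Ripper loads. The following Python example, added here and not taken from the original post or from Responder, parses such a file the way an incident responder who finds one on a compromised host would: which accounts were captured, when (from the FILETIME inside the NTLMv2 client blob), and what the client was told the target’s name was (from the AV pairs in the same blob). The sample lines, the account name, the timestamps and the target name are constructed, and the NTProofStr in them is a placeholder rather than a real value.

```python
"""Triage a Responder SMB-NTLMv2-SSP-<ip>.txt log: which accounts were
captured, when, and what target the client thought it was talking to.

Each line Responder writes is  User::Domain:ServerChallenge:NTProofStr:Blob
(the netntlmv2 format John the Ripper reads). The blob is the NTLMv2
client "temp" structure from MS-NLMP: it carries a FILETIME timestamp,
the client nonce and the AV_PAIR list the server supplied.
Added example; the sample lines are constructed, not from a real capture.
"""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_blob(blob_hex: str) -> dict:
    """Decode the NTLMv2 client blob: header, timestamp, client nonce, AV pairs."""
    b = bytes.fromhex(blob_hex)
    if b[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 client blob (RespType/HiRespType != 1,1)")
    ft = int.from_bytes(b[8:16], "little")
    nonce = b[16:24].hex()
    pos, av = 28, {}                     # 4 reserved bytes follow the nonce
    while pos + 4 <= len(b):
        av_id, av_len = struct.unpack("<HH", b[pos:pos + 4])
        pos += 4
        if av_id == 0:                   # MsvAvEOL terminates the list
            break
        raw = b[pos:pos + av_len]
        pos += av_len
        if av_id in (1, 2, 3, 4, 5, 9):  # UTF-16LE name fields
            value = raw.decode("utf-16-le")
        elif av_id == 7:
            value = filetime_to_datetime(int.from_bytes(raw, "little")).isoformat()
        else:
            value = raw.hex()
        av[AV_NAMES.get(av_id, f"AvId{av_id}")] = value
    return {"timestamp": filetime_to_datetime(ft), "client_nonce": nonce, "av_pairs": av}


def parse_line(line: str) -> dict:
    """Split one Responder hash line and validate the fixed-width fields."""
    user, empty, domain, challenge, proof, blob = line.strip().split(":", 5)
    if empty != "" or len(challenge) != 16 or len(proof) != 32:
        raise ValueError("unexpected field layout")
    for field in (challenge, proof):     # both must be hex
        bytes.fromhex(field)
    info = parse_blob(blob)
    return {"user": user, "domain": domain, "server_challenge": challenge, **info}


def triage_log(text: str) -> dict:
    """Summarise a whole log: one entry per account with earliest capture time,
    number of captures and the target name the client saw; count unparsable lines."""
    accounts, bad = {}, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = parse_line(line)
        except ValueError:
            bad += 1
            continue
        key = f"{rec['domain']}\\{rec['user']}"
        entry = accounts.setdefault(key, {"first_seen": rec["timestamp"], "count": 0,
                                          "target": rec["av_pairs"].get("NbComputerName")})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["timestamp"])
    return {"accounts": accounts, "unparsed": bad}


def build_sample_line(user: str, domain: str, when: datetime, target: str) -> str:
    """Fabricate a syntactically valid hash line for testing (constructed data;
    the NTProofStr is a placeholder, not a real HMAC)."""
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    enc = target.encode("utf-16-le")
    av = struct.pack("<HH", 1, len(enc)) + enc + struct.pack("<HH", 0, 0)
    blob = (b"\x01\x01" + bytes(6) + ft.to_bytes(8, "little")
            + bytes.fromhex("a1b2c3d4e5f60718") + bytes(4) + av + bytes(4))
    return f"{user}::{domain}:1122334455667788:{'deadbeef' * 4}:{blob.hex()}"


# Constructed stand-in for SMB-NTLMv2-SSP-10.10.10.10.txt: two captures of the
# same account five minutes apart plus one line that is not a hash at all.
_WHEN = datetime(2021, 10, 10, 12, 30, tzinfo=timezone.utc)
SAMPLE_LOG = "\n".join([
    build_sample_line("Jason", "DESKTOP-LAB", _WHEN, "FILESRV01"),
    build_sample_line("Jason", "DESKTOP-LAB", _WHEN + timedelta(minutes=5), "FILESRV01"),
    "this line is not a hash",
])

if __name__ == "__main__":
    for account, info in triage_log(SAMPLE_LOG)["accounts"].items():
        print(account, info["count"], info["first_seen"].isoformat(), info["target"])
```

The AV pairs are worth reading because they are whatever the server side of the exchange advertised, so in a capture they describe the impersonated service rather than the real one; the timestamp, by contrast, comes from the client’s clock and dates the moment the user’s machine sent its credentials.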

-Close all the open windows.

-Now, crack the captured hashes to recover the password of the logged-in user (here, Jason).

-To crack the password hash, the John the Ripper tool must be installed on your system. To install the tool, open a new Terminal window, type sudo snap install john-the-ripper, and press Enter.

-In the password for ubuntu field, type toor and press Enter to install the John the Ripper tool.

-After completing the installation of John the Ripper, type sudo john /home/ubuntu/Responder/logs/[Log File Name.txt] and press Enter.

Here, the log file name is SMB-NTLMv2-SSP-10.10.10.10.txt.

-John the Ripper starts cracking the password hashes and displays the password in plain text, as shown in the screenshot.

-This concludes the demonstration of performing an active online attack to crack a password using Responder.

Written by Süleyman Çelik

Network Security Engineer, SOC-SIEM Engineer, Cyber Security Researcher, Vulnerability Management Specialist | CEH | CNSS