Responder


This tutorial is based on the exroot Nexx 3020H build from THIS earlier post.

Responder has been the bread and butter in our toolkit…screwdriver in our sandwich? Wait, I think I lost the analogy. Anyways, Responder is an amazing pen testing tool if you are on a local network. Building the Nexx 3020H as a network dropbox meant that Responder was one of the first tools that I wanted on the device.

This post is going to be split into two sections since the install part went **spoiler alert** way easier than I had expected.

If you haven’t flashed your device to OpenWRT and set up exroot, you can pop back over once that is done.

Part One: Setup and Usage

Download Responder from Spider Labs GitHub as a zipfile. (https://github.com/SpiderLabs/Responder).

GitHub Download for Responder


SSH into the Nexx dropbox. I am going to put the files in /opt. You can unzip the file on your host or on the device; doing it on the device has the drawback of requiring more disk space.

unzip Responder-master.zip

scp -r Responder-master root@192.168.1.1:/opt
Unzip Responder-master


scp files from host to dropbox


Verify Responder-master copied to dropbox


Excellent. Responder requires one package, and I will also install nano to edit the config file later.

opkg update
opkg install python
opkg install nano

Since OpenWRT runs a web server and the device also acts as a WAP, Responder won’t be able to start its DNS or HTTP module. Don’t believe me? Try it in Analyze mode.

./Responder.py -I br-lan -A
Completely expected error


Disabling both the HTTP and DNS modules in Responder allows it to start normally without affecting its functionality. The alternative, disabling DNS on the dropbox itself, would probably cause issues with hosts plugged into the LAN port, which would probably end up getting the dropbox detected. Disabling the dropbox's HTTP server would be less impactful, but it would limit a future use that I am working on, so I’m taking that off the table for now.

Edit the Responder.conf file to disable both modules.

nano Responder.conf
HTTP = Off
DNS = Off
Responder.conf changes


Restart Responder. I will use the br-lan interface as an example and use the -f option to fingerprint hosts.

./Responder.py -I br-lan -f
Responder on br-lan


Part 2: On Interfaces and Theory

Running ifconfig on the dropbox shows all of the available interfaces.

iwconfig output


br-lan is the LAN port on the Nexx 3020H
eth0.2 is the WAN port on the Nexx 3020H

Poisoning the br-lan interface only affects the hosts downstream of the dropbox; this limits the potential issues but also means fewer hosts. A common scenario would be to drop this in a waiting area on a receptionist system. Having a foothold on the network and hashes for one person is a good place to start.

The next option is to use eth0.2 and poison the WAN interface. In the same scenario, this exposes all of the systems internal to the network to potential poisoning. The chance of getting a high-value set of credentials or hashes is much higher. But if Responder causes issues on the network, which is not unheard of, then the chance that you lose the device is higher. Using a cron job to copy the log folder to a remote system reduces the risk of data loss.

The final option is to poison them both. Why? Why not. Test it on your systems and then get everything you can.
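
For defenders, the poisoning described in Part 2 can be caught with a canary lookup: Responder answers LLMNR multicast queries, so any reply to a random name that no host owns points at a poisoner on the segment. This is an added example, not code from the original post or from the Responder project; the canary- name prefix and the function names are assumptions.

```python
import contextlib, os, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port

def build_query(name, txid):
    """LLMNR A query: DNS-style header plus one single-label question."""
    label = name.encode("ascii")
    return (struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
            + bytes([len(label)]) + label + b"\x00" + struct.pack(">HH", 1, 1))

def _skip_name(buf, off):
    while buf[off] and buf[off] & 0xC0 != 0xC0:  # walk length-prefixed labels
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)          # pointer is 2 bytes, root is 1

def parse_answer(buf, txid):
    """Return the IPv4 in the first A record of a matching response, else None."""
    # Truncated or malformed packets raise inside the block and yield None.
    with contextlib.suppress(IndexError, struct.error, OSError):
        rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", buf[:12])
        if rid != txid or not flags & 0x8000:    # wrong ID or not a response
            return None
        off = 12
        for _ in range(qd):
            off = _skip_name(buf, off) + 4       # QTYPE + QCLASS
        for _ in range(an):
            off = _skip_name(buf, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                return socket.inet_ntoa(buf[off:off + 4])
            off += rdlen
    return None

def probe(timeout=2.0):
    """Ask for a random name no host owns; return the sources that answer."""
    name = "canary-" + os.urandom(4).hex()       # hypothetical canary name
    txid = int.from_bytes(os.urandom(2), "big")
    hits = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s, \
            contextlib.suppress(socket.timeout):  # timeout ends the listen window
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = s.recvfrom(512)
            if parse_answer(data, txid):
                hits.add(src)
    return sorted(hits)
```

Call probe() from a host on the segment you want to check; an empty list means nothing answered the canary name within the timeout.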