This tutorial is based on the exroot Nexx 3020H build from THIS earlier post.
Responder has been the bread and butter in our toolkit…screwdriver in our sandwich? Wait, I think I lost the analogy. Anyway, Responder is an amazing pen testing tool if you are on a local network. Building the Nexx 3020H as a network dropbox meant that Responder was one of the first tools that I wanted on the device.
This post is going to be split into two sections since the install part went **spoiler alert** way easier than I had expected.
If you haven’t flashed your device to OpenWRT and set up exroot, you can pop back over once that is done.
Part One: Setup and Usage
Download Responder from the SpiderLabs GitHub as a zip file (https://github.com/SpiderLabs/Responder).
SSH into the Nexx dropbox. I am going to put the files in /opt. You can unzip the file on your host or on the device, but doing it on the device has the drawback of requiring more disk space.
unzip Responder-master.zip
scp -r Responder-master email@example.com:/opt
Excellent. Responder requires one package, python, and I will also install nano to edit the config file later.
opkg update
opkg install python
opkg install nano
Since OpenWRT runs a web server and the device also acts as a WAP, Responder won’t be able to start the DNS or HTTP module. Don’t believe me? Try it in Analyze mode.
./Responder.py -I br-lan -A
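The port conflict behind this can be checked directly. The following is an added example, not part of the original post or of Responder: it parses the Linux /proc/net/tcp and /proc/net/udp tables and reports which of Responder's HTTP (80/tcp) and DNS (53) servers would collide with a service already listening on the dropbox. The sample tables are constructed and the function names are hypothetical.

```python
# Added example: which of Responder's HTTP/DNS servers would hit a port
# that another service on the device already owns?
WANTED = {("tcp", 80): "HTTP", ("tcp", 53): "DNS", ("udp", 53): "DNS"}
STATE = {"tcp": "0A", "udp": "07"}  # st column: TCP LISTEN, UDP bound/unconnected

# Constructed sample tables in /proc/net/{tcp,udp} format (not from a real device)
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1188 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1150 1
   3: 0101A8C0:0016 6401A8C0:C1F2 01 00000000:00000000 00:00000000 00000000     0        0 1302 1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1187 2
   1: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1190 2
"""

def parse_listeners(proto, table_text):
    """Return {(proto, port)} for sockets waiting for inbound traffic."""
    want = STATE[proto]
    found = set()
    for line in table_text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == want:
            # local_address is HEXIP:HEXPORT; the port is after the last colon
            found.add((proto, int(fields[1].rsplit(":", 1)[1], 16)))
    return found

def conflicting_modules(tables):
    """tables maps 'tcp'/'tcp6'/'udp'/'udp6' to table text; returns module names."""
    busy = set()
    for name, text in tables.items():
        busy |= parse_listeners(name.rstrip("6"), text)  # tcp6 -> tcp
    return sorted({mod for key, mod in WANTED.items() if key in busy})

def read_proc_tables():
    tables = {}
    for name in ("tcp", "tcp6", "udp", "udp6"):
        try:
            with open("/proc/net/" + name) as fh:
                tables[name] = fh.read()
        except IOError:                                  # e.g. no IPv6 support
            pass
    return tables

if __name__ == "__main__":
    print(conflicting_modules(read_proc_tables()))
```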
Disabling both the HTTP and DNS modules in Responder allows it to start normally without affecting the dropbox's own functionality. The alternative would be to disable the services already running on the device. Disabling DNS would probably cause issues with hosts plugged into the LAN port, which would probably end up getting the dropbox detected. Disabling the HTTP server would be less impactful but would limit a future use that I am working on, so I’m taking that off the table for now.
Edit the Responder.conf file to disable both modules.
nano Responder.conf
HTTP = Off
DNS = Off
Restart Responder. I will use the br-lan interface as an example and the -f option to fingerprint hosts.
./Responder.py -I br-lan -f
Part Two: On Interfaces and Theory
Running ifconfig on the dropbox shows all of the available interfaces.
br-lan is the LAN port on the Nexx 3020H
eth0.2 is the WAN port on the Nexx 3020H
Poisoning the br-lan interface only affects the hosts downstream of the dropbox. This limits the potential issues but also means fewer hosts. A common scenario would be to drop this in a waiting area on a receptionist system. Having a foothold on the network and hashes for one person is a good place to start.
The next option is to use eth0.2 and poison the WAN interface. In the same scenario this exposes all of the systems internal to the network to potential poisoning. The chance of getting a high-value set of credentials or hash is much higher. But if Responder causes issues on the network, which is not unheard of, then the chance that you lose the device is higher. Using a cron job to copy the log folder to a remote system reduces the risk of data loss.
The final option is to poison them both. Why? Why not. Test it on your systems and then get everything you can.