Responder – spoofing LLMNR and NBT-NS to capture password hashes

“Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.”

Download from https://github.com/SpiderLabs/Responder

One cool thing I didn’t cover in the video is how to force a basic authentication login prompt to capture plain text credentials by using the command line so that we don’t have to crack anything. This would be useful to try after an initial run with Responder doesn’t provide any password hashes that we are able to crack.

responder -I eth0 -r -w -b -F --lm -v

 

Of course the victim will see a prompt for login and password and we’re hoping that they will authenticate.

Check out my video below to see how to install Responder, and how to capture and crack the password hashes.

User changed password in AD and keeps getting locked out

I’ve noticed that Active Directory account lockouts seem to be more common these days. I believe this is a result of the use of mobile devices, with some users having multiple mobile devices.

The most common cause of account lockout is when a user changes their password and doesn’t immediately update their password on a mobile device with an email account configured for ActiveSync. I’ve even had one person tell me that they did update their password on their iPhone, then after repeated account lockouts they remembered the iPad they left at home that also had their company email account on it.

If mobile devices with ActiveSync accounts aren’t the cause, I recommend using Account Lockout Examiner, a freeware tool from Netwrix.

Netwrix Account Lockout Examiner: Alert your help desk staff about lockout events and troubleshoot account lockouts, analyzing potential causes. Accounts can be unlocked within the console, a Web-based interface or via a mobile device.

Download it here.