Gaining a foothold: Using Responder to capture NTLMv2 Hashes and cracking with John the Ripper

Recently, I finally got my new home lab set up and I figured it was time to start documenting some tools that are used quite often within penetration testing.

Today I am going to demonstrate how to run Responder in its most basic form, capture an NTLMv2 Hash and cracking it with John the Ripper. While this will not be an exhaustive list and showing all the possible examples (there are many blog posts out there that do), I will just be demonstrating how this can be done at its simplest form. It is up to you to decide how far you want to go with this information.

Responder is a tool that every penetration tester needs in their arsenal. It is a tool to capture hashes while connected onto a network. If a client/target cannot resolve a name via DNS, it will fall back to name resolution via LLMNR, NBT-NS and MDNS. If we have Responder running on the same network, it will essentially say "Hey, I'm who you're looking for" to all of the LLMNR and NBT-NS requests that we see, and the traffic is directed to us. Further information can be found on the Responder github found here [1].

Now that we understand what we're working with, I have set up a lab that demonstrates this attack. Currently, I have the following systems running:

  • Windows Server 2012 R2 set as a DC and DHCP
  • Windows 7 victim machine
  • Windows 7 attacking machine
  • Kali attacking machine

While these may not all be necessary or even used, it's what I currently have running. More so, Responder can be used within Kali and doesn't necessarily need to be attacked from a windows device. I'm just using it as my example.

Now, My Windows 7 victim machine is already logged in and connected to the domain. I have my Windows 7 attacking machine connected to the same domain and network subnet (emulating that I have already gained access to the network but do not have any domain credentials).

From my Windows 7 attacking machine, I drop the Responder executable and the configuration file (Responder.conf) inside a directory on my desktop and launch it. I specify my local IP (-i <IP>), force LM hashing downgrade for any Windows XP/2003 and earlier devices (--lm), start a WPAD rogue proxy server (-w) and enable answers for netbios wredir suffic queries (-r).

With Responder running, I hop back to my victim machine and start clicking around to emulate an active user on the network. Within moments, I receive a captured NTLMv2 Hash back on my Windows 7 attacking machine running Responder

With my captured hash, I copy this over to my "password cracking rig" (which is just a kali VM, lol). I copy the entire hash and place it into a file called "hash.txt"

I also create a "password.lst" file. This file contains a bunch of words including the password (Again, since this is a lab and I am not using a true password cracking rig, it would take forever to crack. This is just demonstrating how it's done).

In it's most basic form, I run John the Ripper [2] with my wordlist and hash file

As shown above, we have cracked Edwards password of "TwilightBitches!". Now we have Domain level credentials, we can further dive into the network and try to elevate to Domain Admin. But that's for a later post.

Hope this helps. Until next time!