Responder and Layer 2 Pivots

Hey all,

In the previous post we discussed using Responder with Snarf; this post does the same, but through a pivot. To pivot in we’ll be using Simpletun and a layer 2 pivoting client, which gives us the ability to assign an IP address to an interface on our attacking VM, listen for broadcasts, and, where available, respond. The commercial products Metasploit Pro and Cobalt Strike have this feature built in and perform the pivot via encrypted channels; if you are not intentionally looking to get caught by Blue Teams, use them. Another option is Inveigh, a PowerShell LLMNR/NBNS spoofer with relay capabilities that is included in Empire and available for pivot poisoning without the layer 2 tunnel.


Responder and Snarf

Hey all,

This post is about using Responder and Snarf to poison broadcasts, perform SMB relay, enumerate privileges and files, and, when we choose, spawn a shell. The bonus post covers doing all of the above through a pivot.

Tools:

Mitigations:

I would imagine the majority of the offsec crew can appreciate Responder and all that it can do. Used in union with SMB relay, it can be a great way to get that first shell or enumerate sensitive files. The good old days when we could relay back to the source are long past us (well, I hope), but that doesn’t mean we should dismiss this as a potential wedge point.
