Hey all,
This post is about using Responder and Snarf to poison broadcasts, relay SMB, enumerate privileges and files, and, when we choose, spawn a shell. A bonus post covers doing all of the above through a pivot.
Tools:
- Responder – https://github.com/SpiderLabs/Responder
- Snarf – https://github.com/purpleteam/snarf
- Impacket tools – https://github.com/CoreSecurity/impacket
Mitigations:
- Disable LLMNR and/or NBT-NS – http://www.pciqsatalk.com/2016/03/disable-lmnr-netbios.html
- SMB signing – https://technet.microsoft.com/en-us/library/jj852239(v=ws.11).aspx
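To check whether a Windows host already has the mitigations above in place, here is an added audit example (not part of the original post). The function name `Test-RelayMitigations` is hypothetical; the registry value, WMI property and SMB cmdlets are the standard Windows ones, and the SMB cmdlets assume Windows 8 / Server 2012 or later.

```powershell
# Added example: audit the local Windows host for the mitigations listed above.
# Test-RelayMitigations is a hypothetical name; run from an elevated prompt.
function Test-RelayMitigations {
    # LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0.
    $dnsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $dnsKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        Check  = 'LLMNR disabled by policy'
        Value  = if ($null -eq $llmnr) { 'not configured' } else { $llmnr }
        Passed = ($llmnr -eq 0)
    }

    # NBT-NS: TcpipNetbiosOptions 0 = per DHCP, 1 = enabled, 2 = disabled (per adapter).
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        [pscustomobject]@{
            Check  = "NetBIOS over TCP/IP disabled: $($nic.Description)"
            Value  = $nic.TcpipNetbiosOptions
            Passed = ($nic.TcpipNetbiosOptions -eq 2)
        }
    }

    # SMB signing must be required, not just enabled, to stop relayed sessions.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        Check  = 'SMB server requires signing'
        Value  = $server.RequireSecuritySignature
        Passed = [bool]$server.RequireSecuritySignature
    }
    [pscustomobject]@{
        Check  = 'SMB client requires signing'
        Value  = $client.RequireSecuritySignature
        Passed = [bool]$client.RequireSecuritySignature
    }
}

Test-RelayMitigations | Format-Table -AutoSize
```

Any row with `Passed` set to `False` marks a host that still answers broadcast name queries or accepts unsigned SMB sessions.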
I would imagine the majority of the offsec crew can appreciate Responder and all that it can do. Used in conjunction with SMB relay, it can be a great way to get that first shell or enumerate sensitive files. The good old days when we could relay back to the source are long behind us (well, I hope), but that doesn’t mean we should dismiss this as a potential wedge point.