LLMNR Poisoning

I started Responder on the Kali machine with the following command:

responder -I eth0 -dwv

Then I logged into the Frank Castle machine as the Frank Castle user and accessed the IP address of the Kali machine as a network share. This works even when the share I try to access does not exist on the network.

When I tried to access it, I checked Responder, and it showed me the NTLMv2 password hash of the Frank Castle user.
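Seen from the defender's side, this works because Responder answers every LLMNR query on the segment with its own address, whereas a legitimate host only answers for its own name. The following added example (not part of this writeup) parses LLMNR response packets and flags a source that answers for many different names; the hostnames, IP addresses and packet bytes are constructed sample data.

```python
import struct
from collections import defaultdict

def _read_name(buf, off):
    """Decode an uncompressed DNS-style label sequence; return (name, next_offset)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_llmnr_response(payload):
    """Return (queried_name, answered_ipv4) for an LLMNR A-record response, else None."""
    _tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000 or qd < 1 or an < 1:
        return None                           # a query, or a response with no answer
    name, off = _read_name(payload, 12)
    off += 4                                  # skip QTYPE and QCLASS
    _, off = _read_name(payload, off)         # answer owner name repeats the question
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        return None                           # only A records matter here
    return name, ".".join(str(b) for b in payload[off:off + 4])

def build_response(tid, name, ip):
    """Construct an LLMNR A-record response (constructed test data, not a capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", tid, 0x8000, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = qname + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer

def find_poisoners(responses, threshold=3):
    """Flag source IPs that answer LLMNR for at least `threshold` distinct names."""
    names_by_src = defaultdict(set)
    for src_ip, payload in responses:
        parsed = parse_llmnr_response(payload)
        if parsed:
            names_by_src[src_ip].add(parsed[0])
    return sorted(s for s, names in names_by_src.items() if len(names) >= threshold)

# Constructed sample: 10.0.0.66 answers three unrelated (mistyped) names, 10.0.0.20 only its own.
SAMPLE = [
    ("10.0.0.66", build_response(1, "fileshar", "10.0.0.66")),
    ("10.0.0.66", build_response(2, "printsrv01", "10.0.0.66")),
    ("10.0.0.66", build_response(3, "wpad", "10.0.0.66")),
    ("10.0.0.20", build_response(4, "ws-frank", "10.0.0.20")),
]
```

In a real deployment the `responses` list would be fed from a capture of UDP port 5355 traffic (source IP plus payload); the threshold is a tuning knob, since a few stray answers are normal on a chatty segment.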

To crack this hash, I used a tool called hashcat.

I copied the hash over to my host machine to crack it using the GPU. The hash was saved in a file, hashes.txt, and the rockyou.txt wordlist was used in this case. I issued the following command:

hashcat.exe -m 5600 hashes.txt rockyou.txt -O

There are two things we can do with Responder:

  1. Capture and crack the hash.

  2. Relay the hash.

To relay the hash, we need to turn off the SMB and HTTP servers in the /etc/responder/responder.conf file.
