
Responder.py detection across an entire enterprise’s infrastructure, using MazeRunner

Since our last blog post about MazeRunner’s Responder Monitor, we have improved it based on feedback from the field, and then deployed it at customer sites—most notably across the entire network of a Fortune 500 customer.

In the now infamous attack against Hacking Team, in what turned out to be one of the best guides ever written on hacking, Phineas Phisher wrote on Responder: “[it’s] The most useful tool for attacking Windows when you have access to the internal network but don’t have a user account.”

Responder in non-technical terms:

Responder represents a class of tools that answer questions asked during normal network activity (such as "which machine is MYSERVER?") before the real answer can arrive, and answer them in a way that hands the threat actor credentials and other sensitive material.

Responder.py always responds with "I'm what you're looking for. Send me your credentials and I'll let you in." The endpoint then hands Responder.py a hashed form of the user's password (an NTLM challenge-response), which the attacker can crack offline or relay to another server.

[Figure: Responder.py]

To better understand this, you could imagine the following scenario from daily life: Bob recites his credit card number to his waitress, Alice, in a restaurant. The woman in the next booth, Eve, writes the number down and then recites it to her own waiter, Trent. For some reason, both waiters accept the card details with no questions asked, and without validating the cardholder's identity.

Responder in technical terms:

Responder has several implementations (Metasploit, PowerShell, Responder.py) and combines two kinds of components: poisoners for name-resolution protocols that carry no authentication (LLMNR, NBNS, mDNS) and rogue authentication servers (SMB, HTTP, and more). The tool watches for a name query, answers it with its own address before the legitimate host can, and then collects the credentials the victim presents to the rogue server.

For example:

An endpoint looks up a server named MYSERVER. Because the name does not resolve through DNS (for example, it was mistyped or the host no longer exists), Windows falls back to broadcasting LLMNR and NBNS queries for it. Responder.py answers with its own IP address before anyone else can, and the endpoint then authenticates to Responder.py's rogue SMB or HTTP server as if it were MYSERVER. MazeRunner generates an alert as soon as the response from Responder.py is detected: the monitored queries are for names that have no legitimate owner, so we know any answer to them is false.

Further alerts are triggered when the attacker goes on to use the deceptive credentials that the monitor handed to the poisoner, anywhere on the network.
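The exchange described above, as an added example that is not part of the original post and not MazeRunner's or Responder.py's own code: a small Python probe that multicasts an LLMNR query for a randomly generated canary name that no legitimate host owns, and reports any answer, which is exactly the response we know is false. The packet builder, the modelled poisoner reply, the parser, the canary name and the sample packet are all my own constructions (the wire format follows RFC 4795: DNS-shaped header, multicast group 224.0.0.252, UDP port 5355). It covers LLMNR only, not NBNS or mDNS.

```python
import secrets
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # link-local multicast group for LLMNR (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000        # QR bit in the header flags


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS-style length-prefixed labels, NUL-terminated."""
    out = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in name.split("."))
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR A-record query: ID, flags=0 (standard query), QDCOUNT=1, then one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_response(name: str, txid: int, ip: str) -> bytes:
    """Model of what a poisoner sends back: same ID, QR bit set, the question echoed,
    and one A record that points the queried name at the attacker's IP. The answer
    name is a compression pointer (0xC00C) to the question; the parser below also
    accepts the uncompressed form. Constructed for this demo, not Responder.py's bytes."""
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def _read_name(data: bytes, offset: int):
    """Decode a possibly-compressed DNS name. Returns (name, offset just past it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 2 > len(data):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # name ends after the first pointer
            jumped, offset, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_llmnr_response(data: bytes, txid: int):
    """Return [(name, ip), ...] for every A record in an LLMNR response to our txid.
    Anything that is not a response, or carries a different ID, yields []."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & FLAG_RESPONSE:
        return []
    off = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def probe_for_poisoner(canary: str = None, timeout: float = 2.0):
    """Multicast an LLMNR query for a name nobody owns and collect every reply.
    A legitimate host only answers for its own name, so any hit is a poisoner."""
    canary = canary or "share-" + secrets.token_hex(4)  # random, so it collides with nothing
    txid = secrets.randbelow(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:                                    # replies come back unicast to our port
            data, (src, _) = sock.recvfrom(1024)
            for name, ip in parse_llmnr_response(data, txid):
                hits.append({"responder": src, "claimed_name": name, "claimed_ip": ip})
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


# Constructed sample: the reply a poisoner at 10.0.0.66 would send for our canary.
SAMPLE_TXID = 0x1234
SAMPLE_POISONED_RESPONSE = build_poisoned_response("share-deadbeef", SAMPLE_TXID, "10.0.0.66")

if __name__ == "__main__":
    for hit in probe_for_poisoner():
        print("ALERT: LLMNR poisoner", hit["responder"], "claims", hit["claimed_name"], "->", hit["claimed_ip"])
```

LLMNR is link-scoped multicast, so a poisoner on another segment never sees the query; run the probe from each subnet you care about, on a schedule, and treat every non-empty result as an alert. The probe only detects; it does not present credentials to the poisoner, so the second stage the post describes (alerting when deceptive credentials are reused) is outside its scope.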

[Figure: Responder alerts in MazeRunner]

In order to maximize the chances of the attacker seeing our deceptive credentials, you can also activate the Responder detection from random endpoints in your environment (without deploying an agent), use it from MazeRunner’s API, or connect it with playbooks for a similar purpose.

For a more in-depth explanation of Responder.py, see its GitHub repository: https://github.com/SpiderLabs/Responder.

Note: I’d like to thank many friends who shall remain nameless, as well as Curt Wilson of the R-CISC, and Michael J Wise, for helping me formulate the non-technical explanation of Responder.py given above.

Not a customer yet? Ask us for a demo!