DramaKing Posted February 26, 2023

Been trying to get Responder to work for days, and after reading a number of sources online and combing through Wireshark captures, I'm finally putting it together. I've used a Pineapple and a Kali Linux laptop, as well as trying Inveigh on a Windows machine, and using a few different devices to connect over SMB (which does work fine on the client side). Responder sends the NTLMSSP_CHALLENGE packet, but Windows 10 responds with RST, ACK instead of NTLM_AUTH. It's like it knows that the challenge is from a rogue SMB server.

responder -I wlanX
responder -I wlanX -wdvP

DramaKing (Author) Posted February 28, 2023

This is definitely affecting specifically Windows 10 clients as a Windows 7 VM authenticated as expected.

dark_pyrro Posted March 1, 2023

What happens if you "force" SMB from the target side? For example, open the Explorer and enter: \\<whatever-IP-address-the-poisoner-has> (and hit ENTER). Does any SMB NTLM get logged by Responder?

DramaKing (Author) Posted March 1, 2023

I didn't think that it would work since the poisoning was working. I was able to get hashes from my W10 22H2 system but only when I wasn't starting Responder over SSH. I didn't think that it would interfere but guess it does. Go figure.

Archived
This topic is now archived and is closed to further replies.