
Responder with fingerprinting goes undetected

Open kirillwow opened this issue 6 years ago • 2 comments

Responder probes the querying machine and doesn't spoof if it gets no answer back. Probably listening on 445/TCP may help.

kirillwow avatar Mar 13 '18 12:03 kirillwow

I just attempted this with Responder -f, and it does send the LLMNR response. The SMB request for fingerprinting does not happen until after the LLMNR response. Respounder just detects that LLMNR spoofing is taking place, not sure what SMB would add in this case.

n00py avatar May 01 '20 20:05 n00py

This is true. The goal here is to detect the presence of responder running in a network by sending a fake LLMNR request and forcing responder to respond to that.

This is what respounder does for now. The only case when adding SMB support will be useful is when someone is running responder to respond to SMB but not to LLMNR. In its default setting this is not the case and hence this tool will catch most instances.

Adding SMB will mean that respounder should also add support for each protocol that responder supports, which seems like a lot of additional work for very little gain.

Makes sense?

codeexpress avatar May 01 '20 21:05 codeexpress
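
The detection approach discussed in this thread (send an LLMNR query for a name that should not exist and treat any answer as a sign of spoofing), sketched as an added example that is not part of the thread and is not respounder's own code. The function names and the random-name scheme are assumptions made for illustration.

```python
import os, socket, struct

LLMNR_ADDR = ("224.0.0.252", 5355)  # LLMNR IPv4 multicast group and UDP port (RFC 4795)

def build_query(name, txid):
    """LLMNR uses DNS wire format: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    label = name.encode("ascii")
    return header + bytes([len(label)]) + label + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(pkt, off):
    """Return the offset just past a name made of labels and/or a compression pointer."""
    while pkt[off]:
        if pkt[off] & 0xC0 == 0xC0:
            return off + 2
        off += pkt[off] + 1
    return off + 1

def parse_answer(pkt, txid):
    """Return the IPv4 address in the first answer if pkt answers txid, else None."""
    try:
        rid, flags, qd, an = struct.unpack(">HHHH", pkt[:8])
        if rid != txid or not flags & 0x8000 or an == 0:
            return None
        off = 12
        for _ in range(qd):                  # skip the echoed question section
            off = skip_name(pkt, off) + 4
        off = skip_name(pkt, off)            # skip the answer's owner name
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        if rtype != 1 or rdlen != 4 or len(pkt) < off + 14:
            return None
        return socket.inet_ntoa(pkt[off + 10:off + 14])
    except (IndexError, struct.error):       # truncated or malformed packet
        return None

def probe(timeout=2.0):
    """Query a random name; every (source, claimed_ip) pair returned is a spoofed answer."""
    name, txid = os.urandom(6).hex(), int.from_bytes(os.urandom(2), "big")
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), LLMNR_ADDR)
        try:
            while True:
                pkt, (src, _) = s.recvfrom(512)
                ip = parse_answer(pkt, txid)
                if ip:
                    hits.append((src, ip))
        except socket.timeout:
            return name, hits

if __name__ == "__main__":
    print(probe())
```

Because the queried name is random, no legitimate host should answer it, so a non-empty result points at a host answering arbitrary LLMNR names on the local segment.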