The Responder penetration testing tool is a Link-Local Multicast Name Resolution (LLMNR), NBT-NS, and mDNS poisoner. For example, if a target sends out an LLMNR request looking for a resource, Responder sends the target a response that directs all traffic to the malicious user. The tool allows the attacker to retrieve user hashes and OS information, making it an efficient tool for harvesting credentials and for reconnaissance. A typical exchange:
- A Windows server makes an LLMNR request looking for a specific resource.
- The attacker using the Responder tool provides the Windows server with the IP of the attacker’s machine.
- The Windows server supplies its domain credentials to the attacker in an attempt to access the specified resource.
The attacker must be situated within the internal network of the victim.
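A defensive check that follows from the exchange above, added here as an example and not taken from Responder or Alert Logic: multicast an LLMNR query for a random name that no host owns, and treat any host that answers it as a likely poisoner. The function names and the `canary-` prefix are assumptions of this example; the packet layout follows RFC 4795.

```python
import os, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and UDP port

def build_query(name, txid):
    """Build an LLMNR A/IN query (DNS wire format) for a single-label name."""
    label = name.encode("ascii")
    return struct.pack(">HHHHHHB", txid, 0, 1, 0, 0, 0, len(label)) + label + struct.pack(">BHH", 0, 1, 1)

def skip_name(packet, pos):
    """Return the offset just past the name at pos (labels or a compression pointer)."""
    while 0 < packet[pos] < 0xC0:  # IndexError on a truncated name is handled by the caller
        pos += 1 + packet[pos]
    return pos + (2 if packet[pos] else 1)

def parse_answer(packet, txid):
    """Return the first A-record address in a response to our txid, else None."""
    try:
        rid, flags, qd, an = struct.unpack(">HHHH", packet[:8])
        if rid != txid or not flags & 0x8000:  # wrong transaction, or not a response
            return None
        pos = 12
        for _ in range(qd):  # skip the echoed question section
            pos = skip_name(packet, pos) + 4
        for _ in range(an):
            pos = skip_name(packet, pos)
            rtype, _, _, rdlen = struct.unpack(">HHIH", packet[pos:pos + 10])
            if rtype == 1 and rdlen == 4 and len(packet) >= pos + 14:
                return socket.inet_ntoa(packet[pos + 10:pos + 14])
            pos += 10 + rdlen
    except (IndexError, struct.error):
        pass  # truncated or malformed packet
    return None

def probe(timeout=2.0):
    """Multicast a canary query for a random name; return (responder, claimed_ip) pairs."""
    txid = int.from_bytes(os.urandom(2), "big")
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query("canary-" + os.urandom(4).hex(), txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:  # collect every answer until the window closes
                data, peer = sock.recvfrom(512)
                if (claimed := parse_answer(data, txid)):
                    hits.append((peer[0], claimed))
        except socket.timeout:
            pass
    return hits
```

Run `probe()` on a schedule from a host inside each monitored segment; a non-empty result means some machine claimed a name that does not exist.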
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit, which is detected via Alert Logic Threat Manager™. If one of these signatures is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The attacker must have exploited some other entry vector to allow the malicious files to become resident on the victim machine.