Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ICMP Re-Direct #183

Open
yeti-code opened this issue Jan 5, 2022 · 2 comments
Open

ICMP Re-Direct #183

yeti-code opened this issue Jan 5, 2022 · 2 comments

Comments

@yeti-code
Copy link

I'm on an OpenVPN connection for an HTB box. I have a SOCKS5 proxy as well on the target machine.

Trying to run responder to capture LLMNR hashes.

I'm getting this output, then the file errors out.

(root💀kali)-[/opt/Responder]
└─# python3 Responder.py -I tun0 -A
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.1.0

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [OFF]
    NBT-NS                     [OFF]
    MDNS                       [OFF]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [ON]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.23]
    Responder IPv6             [dead:beef:2::1015]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-T35KGYMVY0Z]
    Responder Domain Name      [YAO3.LOCAL]
    Responder DCE-RPC Port     [47671]

[+] Listening for events...                                                                                          

[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.23) is not on the same subnet than the DNS server (75.75.75.75).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.23) is not on the same subnet than the DNS server (75.75.76.76).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
Traceback (most recent call last):
  File "/opt/Responder/Responder.py", line 383, in <module>
    main()
  File "/opt/Responder/Responder.py", line 274, in main
    from poisoners.LLMNR import LLMNR
  File "/opt/Responder/poisoners/LLMNR.py", line 50, in <module>
    IsICMPRedirectPlausible(settings.Config.Bind_To)
  File "/opt/Responder/poisoners/LLMNR.py", line 44, in IsICMPRedirectPlausible
    if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
  File "/opt/Responder/utils.py", line 104, in IsOnTheSameSubnet
    ipaddr = int(''.join([ '%02x' % int(x) for x in ip.split('.') ]), 16)
  File "/opt/Responder/utils.py", line 104, in <listcomp>
    ipaddr = int(''.join([ '%02x' % int(x) for x in ip.split('.') ]), 16)
ValueError: invalid literal for int() with base 10: '2001:558:feed::1'
@decidedlygray
Copy link

My guess: looks like https://github.com/lgandx/Responder/blob/master/utils.py#L102 may only support IPv4 and your environment is providing an IPv6 address?

@also-here
Copy link

@decidedlygray is correct, this is similar to Issue #152 . There is an IPv6 address in your /etc/resolve.conf file. To work around this you can comment out/delete that address from your /etc/resolve.conf (which will affect the whole system) OR not use Analyze mode (-A) as that's the only time it gets checked OR I've patched it in Pull Request #232 so that LLMNR.py will check if the DNS is an IPv6 address before sending it to utils.py and if it is IPv6 it gets skipped. As this whole thing is just a check to see if the tools/ICMP-Redirect.py script might work (which also does not yet support IPv6) it can probably be safely ignored for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@decidedlygray @also-here @yeti-code