To test Responder logon to the Windows client and type in a wrong UNC path.

Back in the Kali shell, if LLMNR is broadcasting from the client the following activity will be shown. 

Responder logs all its activity, browse or cd to 

/usr/share/responder/logs

Its the 'SMB-NTLMv2-SSP-10.1.1.106.txt' that we're interested in.

Open the file and you are likely to see repeat captures of the account name and NTLM v2 password hash.

The account and NTLM v2 password hash has has been captured and for this demo the password was previously added to the wordlists. Wordlists and rainbow tables can be downloaded from the internet or generated with Crunch or the hash can be passed to Hashcat for cracking. This is a demo and its going to remain simply....for now.

The wordlists are stored at /usr/share/wordlists and 'rockyou.txt' is the wordlist choice of day.

Close down Responder and then type:

john /usr/share/responder/SMB-NTLMv2-SSP-10.1.1.106.txt --wordlist:/usr/share/wordlists/rockyou.txt

Predictably the password was revealed in seconds. Dont forget this is a weak password and it's in the wordlist of well known passwords. Passwords in the wordlist or rainbow table would take significantly longer to crack and likely to require GPU rig of some sort.

To prevent LLMNR disable 'Turn on Responder (RSPNDR)' in GPO and\or blocking 5355 UDP and TCP for both Incoming and Outgoing.

To prevent NBT-NS set the DHCP MS Windows 2000 Option '001 Microsoft Disable Netbios Option' 0x2.

To configure from within Windows, set 'disable NetBios over TCP/IP'.

Equally setting denying UDP port 137 firewall will do the trick.

A little disappointed that I'm unable to show the WPAD being hacked. It failed to display an authentication box when trying to connect to the Internet from a browser. The user kindly types in their username and password and its relayed in the clear to Responder.

The command is 'responder -I eth0 -wbF

The client is vulnerable when the 'Automatically detect settings' is checked without a proxy server being available on the network.

To protect against this attack simply create a DNS record called WPAD, the IP does not require and endpoint or an active response.