40 Questions
What hash version was passed to Responder?
Version 2 (v2)
What type of file is created in the example?
A NetNTLMv2 hash dump file (the "v2" file), which is what John the Ripper is then run against
What is used to crack the password in the example?
John the Ripper
What is the password that John the Ripper successfully cracks?
vagrant
What ruleset is used with John the Ripper in the example?
KoreLogic ruleset
What can be accessed using the credentials obtained?
The target system remotely
What is Winexe used for?
Remote administration of Windows systems
What can Winexe be used to do on the target system?
Run applications
What is the initial step in getting passwords with Responder?
Running Responder on the Kali Host
What is observed on the Windows system during this process?
Only an 'Access is denied' message
What is obtained from the output on the Kali box?
The IP address and username of the requesting host
What is done with the obtained hash?
It is cracked offline, and the recovered password is then tried against the system to confirm it works
Why is CTRL-C pressed on the Responder window?
To stop Responder from running
What is the purpose of dumping hashes out of Responder?
To process them with John the Ripper
What are the two new files generated after dumping hashes out of Responder?
DumpNTLMv1.txt and DumpNTLMv2.txt
What type of hash can be seen on the next slide?
NetNTLMv2 Hash
What was the purpose of creating NetNTLMv1 and NetNTLMv2 hashes?
To keep the NT hash off the wire and tie each response to a fresh nonce, so a captured response cannot be replayed or looked up in a precomputed table; every capture has to be cracked on its own
What is used to add randomness to the NTLMv1 hash?
A server-based nonce
What happens when a client connects to a host using NTLMv1?
The server sends a nonce (the challenge); the client computes a response over that challenge using keys derived from its NT hash and sends the response back, never the hash itself
What is the purpose of the second nonce in NTLMv2?
The client adds its own nonce (plus a timestamp) to the calculation, so the response differs on every attempt even when the server challenge stays the same
How does NTLMv2 protect against rainbow tables?
Both the server nonce and the client nonce go into the hash, so a table would have to be precomputed for every combination of the two, which is not practical
What is the purpose of using Responder in capturing hashes?
To answer LLMNR and NBNS queries
Why is using a fixed challenge on the server side beneficial when capturing hashes?
With the server challenge fixed, only one source of randomness is left to deal with instead of two; for NTLMv1, which has no client nonce, the response then depends only on the password, which is what makes precomputed tables against that fixed challenge possible
Where can the latest version of Responder be obtained?
From GitHub
What is the purpose of running the Get-ComputerDetail.ps1 script?
To get computer details
What is needed to perform certain activities on the domain?
A ticket or hash cached in the session
What is the purpose of running the Invoke-Portscan.ps1 script?
To scan a port on the target Windows machine
What is the tool used to spoof LLMNR and NetBIOS Name Services responses?
Responder
What is used to crack credentials?
John the Ripper
What is the purpose of the PowerView.ps1 script?
The purpose is not specified in the text
What is required to perform some activities on the domain?
A full session on the system
What is the purpose of using cmdlets like Invoke-WebRequest and Invoke-Expression?
To fetch our own scripts over the network with Invoke-WebRequest and execute them directly in memory with Invoke-Expression, so our tooling runs on the target without first being copied to disk
What is the main theme of the summary?
Ways to get onto a target system without using an exploit
What are the two ways Evil-WinRM can bring over code?
Scripts and binaries
What does the -s flag specify in Evil-WinRM?
A script directory location
What can be loaded from the script directory in Evil-WinRM?
Any scripts
What happens when we type 'menu' in Evil-WinRM?
It lists all available scripts
What is the purpose of Bypass-4MSI in Evil-WinRM?
To bypass Windows Antimalware Scan Interface
How do you run a script in Evil-WinRM?
Type the script name to load it, run 'menu' again to see the functions it added, then call the function you want
What is included in the tool by default in Evil-WinRM?
Four commands: Dll-Loader, Donut-Loader, Invoke-Binary, and Bypass-4MSI
Learn about NTLMv1 and NTLMv2 hashes, their use of server-based nonces, and the process of connecting to a host using NTLMv1. Understand the randomness and security measures in NTLM hashing.