Mitigating Responder Tool Attacks on Microsoft AD Networks

The Responder tool can capture the NetNTLM hashes of clients on a Microsoft AD network, either by using LLMNR to answer name-resolution queries made by clients or by answering WPAD requests to insert itself as the clients' local proxy server. This article explores the effectiveness of requiring SMB signing by clients on the network as a mitigation strategy.

According to an NCC article, requiring SMB signing does not prevent the relaying of NTLM authentication to an SMB server or an HTTP server. Nor does it prevent the capture and offline cracking of the NTLM challenge-response. Therefore, SMB signing alone is not a solid solution.

The recommended mitigations include disabling broadcast protocols like NetBIOS over TCP/IP and LLMNR, network segregation, and applying the principle of least privilege. While these measures reduce the likelihood of hashes being compromised, they do not eliminate the risk entirely.

Another suggested mitigation is enforcing long passwords (15 characters or more) and encouraging users to select passwords based on passphrases. This helps mitigate the risk of captured hashes being cracked and then used by an attacker.
