CyberOpsSec

Just another cybersecurity site

Blocking Responder

Admin, November 21, 2023 | March 13, 2024

Responder is usually one of the first things a pentester will fire up after plugging into your network. It will respond to multicast traffic and will trick other endpoints on the same subnet into sending their username/hash. This is very hard to detect unless you’re running an IDS/IPS on your PC subnets. So, how do we block this?

Step 1: Disable LLMNR (Link-Local Multicast Name Resolution)

Step 2: Disable NetBIOS. This can be tricky to implement. The manual way is the easiest to do:

The following disables NetBIOS on every interface on a machine. That may not be ideal, as NetBIOS might be used in a home environment without a DNS server.
PowerShell
# NetbiosOptions = 2 disables NetBIOS over TCP/IP for each interface key under NetBT
$regkey = "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey | ForEach-Object { Set-ItemProperty -Path "$regkey\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose }

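The following disables NetBIOS only on the interface connected to the domain.
PowerShell
# Replace 'DNSDomain' and 'IPAddr RegExp' with your own values. -like expects a
# wildcard pattern; use -match instead if you supply a regular expression.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration | Where-Object {($_.DNSDomain -eq 'DNSDomain') -and ($_.IPAddress -like 'IPAddr RegExp')} | Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{TcpipNetbiosOptions = 2}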

Step 3: Disable mDNS

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v EnableMDNS /t REG_DWORD /d 0 /f

This can be placed under Computer Configuration -> Windows Settings -> Registry

Step 4: Disable WPAD

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"=dword:00000000

This can be placed under User Configuration -> Preferences -> Windows Settings -> Registry

Step 5: Enable SMB Signing

This can be set under Computer Configuration -> Policies -> Windows Settings -> Security Settings. If a hash is captured, this will prevent the attacker from relaying it to other machines. The attacker's next step is to run the hashes through John/Hashcat and brute-force them, so it is best to have a good password policy in place.

Step 6: Have a strong password policy in place. The longer the password, the harder it is to crack.
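
To confirm that Steps 1 to 5 actually landed on a given machine, the read-only audit below reports each setting next to its expected value. It is an added example, not code from the original post. The NetBIOS, mDNS and WPAD registry values are the ones shown above; the LLMNR and SMB signing registry locations and the function name Test-ResponderHardening are assumptions, being the standard values behind the matching Group Policy settings rather than anything the post lists.

```powershell
# Added example: read-only audit of the settings from Steps 1-5 on the local machine.
# NetBIOS, mDNS and WPAD values come from the post. The LLMNR and SMB signing
# locations are the usual registry values behind the Group Policy settings
# (assumption, not shown in the post).
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$checks = @(
    @{ Step = '1 LLMNR'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast'; Want = 0 }
    @{ Step = '3 mDNS'; Path = "$svc\Dnscache\Parameters"; Name = 'EnableMDNS'; Want = 0 }
    # HKCU is per user: this reflects the account running the audit.
    @{ Step = '4 WPAD'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'AutoDetect'; Want = 0 }
    @{ Step = '5 SMB signing (server)'; Path = "$svc\LanmanServer\Parameters"; Name = 'RequireSecuritySignature'; Want = 1 }
    @{ Step = '5 SMB signing (client)'; Path = "$svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature'; Want = 1 }
)

# Step 2: NetBIOS is configured per interface, so add one check per NetBT interface key.
Get-ChildItem "$svc\NetBT\Parameters\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
    $checks += @{ Step = "2 NetBIOS $($_.PSChildName)"; Path = $_.PSPath; Name = 'NetbiosOptions'; Want = 2 }
}

function Test-ResponderHardening {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value yields $null instead of an error.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Step      = $c.Step
            Value     = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected  = $c.Want
            # A value that was never set counts as non-compliant: the setting was not applied.
            Compliant = ($null -ne $actual) -and ($actual -eq $c.Want)
        }
    }
}

Test-ResponderHardening -Checks $checks | Sort-Object Step | Format-Table -AutoSize
```

The script changes nothing, so it can be run before and after the Group Policy objects apply to compare results.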
