When doing internals, usually an easy first step is to use Responder and wait to retrieve NTLM hashes, cracking them and hoping for a weak password.

The problem is that sometimes fancy cracking rigs might not be available, it might be a mess to copy/paste all those hashes, send them, wait for an answer where you could already do some work locally, without any effort. We’re all lazy, and I’m even more lazy. That’s why I decided doing this project.

This is highly inspired from Autoresp from Dan McInerney. Basically, it retrieves hashes from Responder and sends them to a cracking box.

The aim of this python script is to run in conjunction with Responder while doing internal assessments. The script will monitor the logs from Responder, load NTLMv1 and NTLMv2 hashes as they are captured and crack them with your local instance of Hashcat.
Works out of the box on Kali Linux (including 2.0)

Installation

Clone the repo:

git clone https://github.com/sensepost/autoresponder.git && cd autoresponder

And.. you’re done.

Usage

The command python auto_responder.py -h will actually show you this usage:

python auto_responder.py -h
usage: auto_responder.py [-h] [-w WORDLIST] [-l LOGS_DIR] [-b HASHCAT_PATH]

Auto Responder – @PaulWebSec (SensePost)

optional arguments:
-h, –help       show this help message and exit
-w WORDLIST      Path to the worlists. eg. /wordlists/*.txt
-l LOGS_DIR      Path to Responder binary
-b HASHCAT_PATH  Path to Hashcat binary

Parameters logs_dir and hashcat_path are not mandatory. Defaults are Kali ones. The only mandatory parameter is the wordlist one.

python auto_responder.py -w ‘/usr/share/wordlists/metasploit/*’
48 NTLMv2 hashes loaded.
2 NTLMv1 hashes loaded.
[!] Cracked NTLMv2 hash: ADMIN:password (172.16.93.1)
[!] Cracked NTLMv2 hash: ROOT: (172.16.93.132)
[!] Cracked NTLMv2 hash: GUEST: (172.16.93.1)

As soon as you launch the script, it will retrieve all the hashes stored in the logs folder and start bruteforcing them.

Github repo is here. Happy cracking!