Danny Moules edited this page Dec 10, 2017 · 3 revisions

Welcome to the VindicateTool wiki!

Quick Start

Download VindicateTool.

Open a non-elevated command prompt, or PowerShell prompt, and type the following in the ReleaseBinaries sub-folder:

./VindicateCLI.exe

Vindicate will now search for LLMNR/NBNS/mDNS spoofing and report back.

If you see nothing happening, try using the -v flag to get more verbose output on what Vindicate is doing.

If there is spoofing going on, you may see something like this:

Received mDNS response from 192.168.1.24 claiming 192.168.1.24
Spoofing confidence level adjusted to Medium
Received LLMNR response from 192.168.1.24 claiming 192.168.1.24
Received NBNS response from 192.168.1.24 claiming 192.168.1.24
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Spoofing confidence level adjusted to Certain
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Detected service on SMB TCP port at 192.168.1.24
Detected service on SMB TCP port at 192.168.1.24
Detected service on SMB TCP port at 192.168.1.24

This indicates an ongoing attack (in this case, Responder running with defaults).
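The sample output above, triaged per responder. This is an added example, not part of VindicateTool or the original wiki. It assumes the CLI output has been captured as text, and the function names and line patterns are hypothetical, derived only from the sample lines shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the output lines shown above, as captured text.
SAMPLE = """\
Received mDNS response from 192.168.1.24 claiming 192.168.1.24
Spoofing confidence level adjusted to Medium
Received LLMNR response from 192.168.1.24 claiming 192.168.1.24
Received NBNS response from 192.168.1.24 claiming 192.168.1.24
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Spoofing confidence level adjusted to Certain
Detected service on SMB TCP port at 192.168.1.24
"""

# Patterns assumed from the sample lines on this page, not from the tool's source.
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RESPONSE = re.compile(rf"^Received (mDNS|LLMNR|NBNS) response from {IP} claiming {IP}$")
WPAD = re.compile(rf"^Detected active WPAD service at {IP} claiming HTTP Code (\w+)$")
SMB = re.compile(rf"^Detected service on SMB TCP port at {IP}$")
CONFIDENCE = re.compile(r"^Spoofing confidence level adjusted to (\w+)$")

def summarize(text):
    """Return (per-responder findings, last reported confidence level)."""
    hosts = defaultdict(lambda: {"protocols": set(), "claimed": set(),
                                 "wpad": False, "smb": False})
    confidence = None
    for line in map(str.strip, text.splitlines()):
        if m := RESPONSE.match(line):
            proto, responder, claimed = m.groups()
            hosts[responder]["protocols"].add(proto)
            hosts[responder]["claimed"].add(claimed)
        elif m := WPAD.match(line):
            hosts[m.group(1)]["wpad"] = True
        elif m := SMB.match(line):
            hosts[m.group(1)]["smb"] = True
        elif m := CONFIDENCE.match(line):
            confidence = m.group(1)
        # Any other line (for example extra -v output) is ignored.
    return dict(hosts), confidence

def responders_to_investigate(text):
    """Hosts that answered name lookups and also expose WPAD or SMB."""
    hosts, _ = summarize(text)
    return sorted(ip for ip, h in hosts.items()
                  if h["protocols"] and (h["wpad"] or h["smb"]))

if __name__ == "__main__":
    print(summarize(SAMPLE), responders_to_investigate(SAMPLE))
```

A host that answers on several name-resolution protocols and also serves WPAD or SMB matches the pattern in the sample, which makes it the first address to trace on the network.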

Use ESC to close the application.

Get more info

Use -v with VindicateCLI to get more verbose output.

Setting the right IP address

Vindicate will try to auto-detect your IP address. If you have multiple network interfaces, it may pick an address on the wrong network. If so, use -a to enter the IP address you'd like to use.

Enabling event log reporting

Open an elevated (Administrator) PowerShell prompt and type the following:

New-EventLog -Source "VindicateCLI" -LogName "Vindicate"

Run the CLI app with -e to enable event logging. The service uses the Windows Event Log (or Mono equivalent) automatically.

Event logs are stored under Applications and Services Logs\Vindicate.
