Home
Welcome to the VindicateTool wiki!
Download VindicateTool.
Open a non-elevated command prompt, or PowerShell prompt, and type the following in the ReleaseBinaries sub-folder:
./VindicateCLI.exe
Vindicate will now search for LLMNR/NBNS/mDNS spoofing and report back.
If you see nothing happening, try using the -v flag to get more verbose output on what Vindicate is doing.
If there is spoofing going on, you may see something like this:
Received mDNS response from 192.168.1.24 claiming 192.168.1.24
Spoofing confidence level adjusted to Medium
Received LLMNR response from 192.168.1.24 claiming 192.168.1.24
Received NBNS response from 192.168.1.24 claiming 192.168.1.24
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Spoofing confidence level adjusted to Certain
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Detected service on SMB TCP port at 192.168.1.24
Detected service on SMB TCP port at 192.168.1.24
Detected service on SMB TCP port at 192.168.1.24
This indicates an ongoing attack (in this case, Responder running with defaults).
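The following is an added example, not part of VindicateTool or this wiki: a Python parser for console lines in the format shown above, which groups responses and detected services by responder IP and tracks the last reported confidence level. It assumes the output wording is exactly as shown on this page; the function names summarize and self_claiming are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the console lines shown on this page, duplicates trimmed.
SAMPLE = """\
Received mDNS response from 192.168.1.24 claiming 192.168.1.24
Spoofing confidence level adjusted to Medium
Received LLMNR response from 192.168.1.24 claiming 192.168.1.24
Received NBNS response from 192.168.1.24 claiming 192.168.1.24
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Spoofing confidence level adjusted to Certain
Detected service on SMB TCP port at 192.168.1.24
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Patterns are assumptions derived from the sample output above.
RESPONSE = re.compile(rf"^Received (\w+) response from {IP} claiming {IP}$")
WPAD = re.compile(rf"^Detected active WPAD service at {IP} claiming HTTP Code (\w+)$")
SERVICE = re.compile(rf"^Detected service on (\w+) TCP port at {IP}$")
CONFIDENCE = re.compile(r"^Spoofing confidence level adjusted to (\w+)$")

def summarize(text):
    """Group Vindicate console lines by responder IP; keep the last confidence level."""
    hosts = defaultdict(lambda: {"protocols": set(), "services": set(), "claims": set()})
    confidence, unparsed = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := RESPONSE.match(line):
            proto, responder, claimed = m.groups()
            hosts[responder]["protocols"].add(proto)
            hosts[responder]["claims"].add(claimed)
        elif m := WPAD.match(line):
            hosts[m.group(1)]["services"].add("WPAD")
        elif m := SERVICE.match(line):
            hosts[m.group(2)]["services"].add(m.group(1))
        elif m := CONFIDENCE.match(line):
            confidence = m.group(1)
        else:
            unparsed.append(line)  # verbose (-v) or unrecognised lines are kept for review
    return {"confidence": confidence, "hosts": dict(hosts), "unparsed": unparsed}

def self_claiming(summary):
    """IPs that answered over two or more protocols and claimed the name for themselves."""
    return sorted(ip for ip, h in summary["hosts"].items()
                  if len(h["protocols"]) >= 2 and ip in h["claims"])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result["confidence"], self_claiming(result))
```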
Use ESC to close the application.
Use -v with VindicateCLI to get more verbose output.
Vindicate will try to auto-detect your IP address. If you have multiple network interfaces, this might provide an address on the wrong network. If so, use -a to enter the IP address you'd like to use.
Open an elevated (Administrator) PowerShell prompt and type the following:
New-EventLog -Source "VindicateCLI" -LogName "Vindicate"
Run the CLI app with -e to enable event logging. The service uses the Windows Event Log (or Mono equivalent) automatically.
Event logs are stored under Applications and Services Log\Vindicate.