Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: NetBIOS Suffixes). By default, the tool will only answer to File Server Service request, which is for SMB.
The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
- Built-in SMB Auth server – Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP.
- Built-in MSSQL Auth server – Supports NTLMv1 and LMv2 hashes.
- Built-in HTTP Auth server – Supports NTLMv1, NTLMv2 hashes and Basic Authentication.
- Built-in HTTPS Auth server – As above (comes with dummy keys).
- Built-in LDAP Auth server – Supports NTLMSSP hashes and Simple Authentication (clear text authentication).
- Built-in FTP, POP3, IMAP, SMTP Auth servers – Supports collection of clear text credentials.
- Built-in DNS server – This server will answer type A queries, combine with ARP spoofing.
- Built-in WPAD Proxy Server – Will capture all HTTP requests from IE users with “Auto-detect settings” enabled.
- Browser Listener – This module allows you to find the PDC in stealth mode.
- Fingerprinting – Will fingerprint every host who issued an LLMNR/NBT-NS query.
- ICMP Redirect – For MITM on Windows XP/2003 and earlier Domain members.
- Rogue DHCP – Supports DHCP Inform Spoofing.
- Analyze mode – Allows you to see NBT-NS, BROWSER, LLMNR, DNS requests without poisoning.
Before starting take a look at
Responder.conf and tweak it to your requirements.
--version show program's version number and exit
-h, --help show this help message and exit
-A, --analyze Analyze mode. This option allows you to see NBT-NS,
BROWSER, LLMNR requests without responding.
-I eth0, --interface=eth0
Network interface to use
-b, --basic Return a Basic HTTP authentication. Default: NTLM
-r, --wredir Enable answers for netbios wredir suffix queries.
Answering to wredir will likely break stuff on the
network. Default: False
-d, --NBTNSdomain Enable answers for netbios domain suffix queries.
Answering to domain suffixes will likely break stuff
on the network. Default: False
-f, --fingerprint This option allows you to fingerprint a host that
issued an NBT-NS or LLMNR query.
-w, --wpad Start the WPAD rogue proxy server. Default value is
-u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
Upstream HTTP proxy used by the rogue WPAD Proxy for
outgoing requests (format: host:port)
-F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file
retrieval. This may cause a login prompt. Default:
--lm Force LM hashing downgrade for Windows XP/2003 and
earlier. Default: False
-v, --verbose Increase verbosity.
You can download Responder here:
Or read more here.