{"id":4053,"date":"2016-04-02T05:01:46","date_gmt":"2016-04-01T21:01:46","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4053"},"modified":"2016-04-02T05:06:26","modified_gmt":"2016-04-01T21:06:26","slug":"responder-llmnr-mdns-nbt-ns-poisoner","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/04\/responder-llmnr-mdns-nbt-ns-poisoner\/","title":{"rendered":"Responder – LLMNR, MDNS and NBT-NS Poisoner"},"content":{"rendered":"
<p>Responder is an LLMNR, NBT-NS and MDNS poisoner. It answers specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: NetBIOS Suffixes). By default, the tool only answers File Server Service requests, which are for SMB.<\/p>\n<p>The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option via the command line if you want to answer the Workstation Service request name suffix.<\/p>\n<p>You can download Responder here:<\/p>\n<h3>Features<\/h3>\n
<h3>Usage<\/h3>\n
<p>Before starting, take a look at <code>Responder.conf<\/code> and tweak it to your requirements.<\/p>\n
<pre>.\/Responder.py [options]\r\n\r\n--version show program's version number and exit\r\n -h, --help show this help message and exit\r\n -A, --analyze Analyze mode. This option allows you to see NBT-NS,\r\n BROWSER, LLMNR requests without responding.\r\n -I eth0, --interface=eth0\r\n Network interface to use\r\n -b, --basic Return a Basic HTTP authentication. Default: NTLM\r\n -r, --wredir Enable answers for netbios wredir suffix queries.\r\n Answering to wredir will likely break stuff on the\r\n network. Default: False\r\n -d, --NBTNSdomain Enable answers for netbios domain suffix queries.\r\n Answering to domain suffixes will likely break stuff\r\n on the network. Default: False\r\n -f, --fingerprint This option allows you to fingerprint a host that\r\n issued an NBT-NS or LLMNR query.\r\n -w, --wpad Start the WPAD rogue proxy server. Default value is\r\n False\r\n -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY\r\n Upstream HTTP proxy used by the rogue WPAD Proxy for\r\n outgoing requests (format: host:port)\r\n -F, --ForceWpadAuth Force NTLM\/Basic authentication on wpad.dat file\r\n retrieval. This may cause a login prompt. Default:\r\n False\r\n --lm Force LM hashing downgrade for Windows XP\/2003 and\r\n earlier. Default: False\r\n -v, --verbose Increase verbosity.<\/pre>\n