Category: Sniffing & Spoofing
Tags: llmnr, nbt-ns, mdns, poisoning, ntlm, wpad, dhcp, credentials

Responder

Responder is an LLMNR, NBT-NS and mDNS poisoner that captures credentials by answering broadcast/multicast name resolution requests and then running rogue authentication servers for the redirected clients.

Description

Responder poisons LLMNR, NBT-NS, and mDNS queries, answering specific NBT-NS requests based on name suffixes to target File Server Service (SMB) by default. It launches rogue servers for protocols like HTTP, HTTPS, SMB, SQL, FTP, and others to capture authentication attempts including NTLM hashes. The tool is designed to be stealthy by selectively responding to avoid disrupting legitimate network behavior.

Use cases include capturing Net-NTLMv2 hashes on Windows networks during penetration tests, WPAD proxy attacks to force authentication, and DHCP injection for proxy discovery. It supports analysis mode for passive monitoring and various downgrades like LM hashing or disabling ESS for compatibility with older systems.

Responder includes additional utilities like MultiRelay for relay attacks, ICMP redirect for traffic manipulation, and fingerprinting modules. It's particularly effective on networks with misconfigured name resolution where clients fall back to broadcast queries.

How It Works

Responder listens for LLMNR (port 5355 UDP), NBT-NS (port 137 UDP), and mDNS queries, poisoning responses to redirect clients to attacker-controlled rogue servers. For NBT-NS, it targets specific service suffixes like File Server (0x20) for SMB or optionally Workstation Service (-r). WPAD attacks serve malicious proxy.pac files via HTTP/HTTPS. Authentication servers emulate SMB, SQL, FTP, etc., capturing NTLMv1/v2 challenges or Basic auth. DHCP/DHCPv6 options inject WPAD or DNS servers. External IP poisoning (-e/-6) and Router Advertisements (--rdnss) enable remote redirection.
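The NBT-NS side of this, from the defender's view, as an added example that is not part of Responder: it encodes and decodes the NetBIOS names carried in UDP/137 packets (the 15-character name plus the service suffix, 0x20 for File Server and 0x00 for Workstation), builds a client query and a positive answer by hand so it runs offline, and flags a positive answer for a canary name that does not exist on the network, which is the usual way to spot a poisoner on a segment. The canary name and the sample IP are assumptions.

```python
"""Decode NBT-NS (UDP/137) name packets and flag answers for a canary name.
Added example for this page, not Responder's own code. Packets are built
by hand for offline use; the canary host name and 10.0.0.100 are assumed."""
import struct

# NetBIOS suffixes the page discusses: File Server (0x20) and Workstation (0x00).
SUFFIXES = {0x00: "Workstation Service", 0x20: "File Server Service"}

def encode_nb_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15-char space-padded name + suffix byte, 'A'+nibble per half byte."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)

def decode_nb_name(encoded: bytes) -> tuple[str, int]:
    """Reverse of encode_nb_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_query(name: str, suffix: int, txid: int = 0x1234) -> bytes:
    """Broadcast NB name query as a Windows client sends it (flags 0x0110: query, broadcast, RD)."""
    hdr = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return hdr + bytes([32]) + encode_nb_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x0020, 1)

def build_response(name: str, suffix: int, ip: str, txid: int = 0x1234) -> bytes:
    """Positive name query response (flags 0x8500) that points the name at `ip`."""
    hdr = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr_name = bytes([32]) + encode_nb_name(name, suffix) + b"\x00"
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))  # NB_FLAGS + IPv4
    return hdr + rr_name + struct.pack(">HHIH", 0x0020, 1, 300, len(rdata)) + rdata

def parse(pkt: bytes) -> dict:
    """Pull the fields a detector needs out of a query or a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if pkt[12] != 32:
        raise ValueError("unexpected NB name length")
    name, suffix = decode_nb_name(pkt[13:45])
    info = {"txid": txid, "name": name, "suffix": suffix, "service": SUFFIXES.get(suffix, "other"),
            "is_response": bool(flags & 0x8000), "answers": an}
    if info["is_response"] and an:
        # name (34) + type/class/ttl/rdlen (10) + NB_FLAGS (2) puts the IPv4 address at offset 58
        info["ip"] = ".".join(str(b) for b in pkt[58:62])
    return info

def is_poisoned(pkt: bytes, canary: str) -> bool:
    """A positive answer for a name that does not exist is evidence of an NBT-NS poisoner."""
    info = parse(pkt)
    return info["is_response"] and info["answers"] > 0 and info["name"] == canary.upper()
```

Run the same check against LLMNR (UDP/5355) by parsing the DNS-format query instead; the canary logic is identical.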

Installation

```bash
sudo apt install responder
```

Flags

-I eth0, --interface=eth0: Network interface to use. Use 'ALL' for all interfaces.
-i IP, --ip=IP: Local IP to use. (OSX only)
-A, --analyze: Analyze mode. See requests without poisoning. (passive)
-e IP, --externalip=IP: Poison with a different IPv4 address than Responder's.
-6 IPv6, --externalip6=IPv6: Poison with a different IPv6 address than Responder's.
--rdnss: Poison via Router Advertisements with RDNSS. Sets attacker as IPv6 DNS.
-d, --DHCP: Enable DHCPv4 poisoning. Injects WPAD in DHCP responses.
-D, --DHCP-DNS: Inject DNS server (not WPAD) in DHCPv4 responses.
--dhcpv6: Enable DHCPv6 poisoning. WARNING: May disrupt network.
-w, --wpad: Start WPAD rogue proxy server.
-F, --ForceWpadAuth: Force NTLM/Basic auth on wpad.dat retrieval. (may show prompt)
-P, --ProxyAuth: Force proxy authentication. Highly effective. (can't use with -w)
-v, --verbose: Increase verbosity. (recommended)
-Q, --quiet: Quiet mode. Minimal output from poisoners.

Examples

Specify the IP to redirect to, enabling the WPAD rogue proxy, NetBIOS wredir answers, and fingerprinting.
responder -i 192.168.1.202 -w On -r On -f On
Basic poisoning on eth0 interface with verbose output.
python3 Responder.py -I eth0 -v
Analyze mode (passive): Watch requests without poisoning.
python3 Responder.py -I eth0 -Av
WPAD with forced authentication on older networks.
python3 Responder.py -I eth0 -wFv
Proxy authentication mode - highly effective.
python3 Responder.py -I eth0 -Pv
DHCPv6 poisoning combined with proxy authentication.
python3 Responder.py -I eth0 --dhcpv6 -vP
DHCP + WPAD injection leading to proxy authentication.
python3 Responder.py -I eth0 -Pvd
Poison requests to an external/arbitrary IPv4 address.
python3 Responder.py -I eth0 -e 10.0.0.100
Updated 2026-04-16. Source: kali.org