All Articles

Responder is a fun tool

The (unrelated) status

I was going strong on 1 post per day at the beginning of this month, and then I totally ruined that streak due to being in a week long Security Onion training at work, flying to Vancouver, and then studying/taking my 504 exam. Brain just needed a break from all the tech for a bit. But now that it’s all done, here is a new blog! :D


I picked this tool today because it’s one that has been coming up a lot lately. I first heard about it last year at a conference, then played with it, took a class that taught it during Black Hat, and then recently learned it again in my SEC 504 class. So let’s go!

Responder is a tool that is open sourced by Spider Labs. According to their description:

Responder is a LLMNR (5355), NBT-NS (137-139) and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

To make it easy to understand, say when you try to go to a webpage, DNS will work its magic. However, when DNS fail, then LLMNR will run, when Local Link Multicast Name Resolution (LLMNR) fail, then NBT-NS will run. Each protocol get worse and worse. Essentially, it’s like asking an impersonating doctor to operate on your body (right, you shouldn’t!)

What it does:

  • LLMNR allow hosts to perform resolution for hosts on the same local link.
  • NetBios has 3 different services but it’s mainly an API that the systems in the local network use to communicate with each other. The 3 services are: Name Service, Datagram Distribution Service, and Session Service.

Look something like this:

Type in an address -> check to see if it’s already on your box

  • If not -> DNS Server
  • If not -> It’ll ask “Does anyone know who XYZ is!?? Anyone?? Anyone?” (Ok not literally that phrase, but that’s the idea)
  • Responder come swooping in, pretend to be prince charming, “Hey, it’s me. Come talk to me! I got you!!”
  • Client now begin handshake process to create connection
  • Client now send the hash, attacker capture that NTLMv2 hash, and crack offline. Note that this only work in misconfigured DNS entry.

The moment you mistype a URL, then the hashes will fly off and get captured on the attacker’s side. MITRE even has a technique(T1171) for it!

Fun with it

This is one of the most popular tool that get used today by penetration testers when they come into an environment just because of how easy it is to run. When it works, the attacker can capture the NTLMv2 hashes, then they can proceed to use hashcat to crack the password hash.

Don’t need it? Turn it off!

Here’s how:

  • Windows:

    REG ADD  “HKLM\Software\policies\Microsoft\Windows NT\DNSClient”
    REG ADD  “HKLM\Software\policies\Microsoft\Windows NT\DNSClient” /v ” EnableMulticast” /t REG_DWORD /d “0” /f

Wanna do it manually?

  • Use Local Group Policy editor by running gpedit.msc and modifying the policy.

    • Computer Configuration -> Administrative Templates -> Network -> DNS Client
    • Enable Turn Off Multicast Name Resolution policy by changing its value to Enabled


Edit the line LLMNR=yes to LLMNR=no in /etc/systemd/resolved.conf

vi /etc/systemd/resolved.conf


Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. It search for “wpad” on the network, then download wpad.dat to use. So DHCP poisoning and DNS poisoning attack can be performed. But mainly, the big concern is the MiTM attack. Responder can send a fake auth screen to make the user enter in their username and pass, then it capture the password. Rippio!

To prevent this, just create a DNS entry with WPAD and point it to the corporate proxy server, and disable “Autodetect Proxy Settings” on all IE, so they don’t roam around and take bad “free candies” from strangers! ;)

Other fun tools:

  • Impacket - remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks

Sources / Resources: