{
	"id": "6301701e-dd4a-45e7-8d55-af961a32af48",
	"created_at": "2026-04-06T00:07:34.617884Z",
	"updated_at": "2026-04-10T03:21:23.627078Z",
	"deleted_at": null,
	"sha1_hash": "4e676d420683fe1041935b18ef3b730d236392a5",
	"title": "GitHub - SpiderLabs/Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76172,
	"plain_text": "GitHub - SpiderLabs/Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in\r\nHTTP/SMB/MSSQL/FTP/LDAP rogue authentication server\r\nsupporting NTLMv1/NTLMv2/LMv2, Extended Security\r\nNTLMSSP and Basic HTTP authentication.\r\nBy Greenwolf\r\nArchived: 2026-04-05 20:26:59 UTC\r\n⛔ [DEPRECATED] Active at https://github.com/lgandx/Responder\r\nLLMNR/NBT-NS/mDNS Poisoner\r\nAuthor: Laurent Gaffie \u003claurent.gaffie@gmail.com \u003e http://www.spiderlabs.com\r\nIntro\r\nResponder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name\r\nService) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool\r\nwill only answer to File Server Service request, which is for SMB.\r\nThe concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we\r\ndon't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the\r\nWorkstation Service request name suffix.\r\nFeatures\r\nBuilt-in SMB Auth server.\r\nSupports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from\r\nWindows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM\r\nhashing downgrade when the --lm option is set. This functionality is enabled by default when the tool is launched.\r\nBuilt-in MSSQL Auth server.\r\nIn order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL\r\nServer lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will\r\nbe used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully\r\ntested on Windows SQL Server 2005 \u0026 2008.\r\nBuilt-in HTTP Auth server.\r\nhttps://github.com/SpiderLabs/Responder\r\nPage 1 of 5\n\nIn order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older\r\nthan Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For\r\nVista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic\r\nAuthentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.\r\nNote: This module also works for WebDav NTLM authentication issued from Windows WebDav clients\r\n(WebClient). You can now send your custom files to a victim.\r\nBuilt-in HTTPS Auth server.\r\nSame as above. The folder certs/ contains 2 default keys, including a dummy private key. This is intentional, the\r\npurpose is to have Responder working out of the box. A script was added in case you need to generate your own\r\nself signed key pair.\r\nBuilt-in LDAP Auth server.\r\nIn order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows version older\r\nthan Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For\r\nVista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear\r\ntext authentication). This server was successfully tested on Windows Support tool \"ldp\" and LdapAdmin.\r\nBuilt-in FTP, POP3, IMAP, SMTP Auth servers.\r\nThis modules will collect clear text credentials.\r\nBuilt-in DNS server.\r\nThis server will answer type A queries. This is really handy when it's combined with ARP spoofing.\r\nBuilt-in WPAD Proxy Server.\r\nThis module will capture all HTTP requests from anyone launching Internet Explorer on the network if they have\r\n\"Auto-detect settings\" enabled. This module is highly effective. You can configure your custom PAC script in\r\nResponder.conf and inject HTML into the server's responses. See Responder.conf.\r\nBrowser Listener\r\nThis module allows to find the PDC in stealth mode.\r\nFingerprinting\r\nWhen the option -f is used, Responder will fingerprint every host who issued an LLMNR/NBT-NS query. All\r\ncapture modules still work while in fingerprint mode.\r\nIcmp Redirect\r\npython tools/Icmp-Redirect.py\r\nhttps://github.com/SpiderLabs/Responder\r\nPage 2 of 5\n\nFor MITM on Windows XP/2003 and earlier Domain members. This attack combined with the DNS module is\r\npretty effective.\r\nRogue DHCP\r\npython tools/DHCP.py\r\nDHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform\r\nanswer to set your IP address as a primary DNS server, and your own WPAD URL.\r\nAnalyze mode.\r\nThis module allows you to see NBT-NS, BROWSER, LLMNR, DNS requests on the network without poisoning\r\nany responses. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks\r\nare plausible on your subnet.\r\nHashes\r\nAll hashes are printed to stdout and dumped in an unique file John Jumbo compliant, using this format:\r\n(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt\r\nLog files are located in the \"logs/\" folder. Hashes will be logged and printed only once per user per hash type,\r\nunless you are using the Verbose mode (-v).\r\nResponder will logs all its activity to Responder-Session.log\r\nAnalyze mode will be logged to Analyze-Session.log\r\nPoisoning will be logged to Poisoners-Session.log\r\nAdditionally, all captured hashed are logged into an SQLite database which you can configure in Responder.conf\r\nConsiderations\r\nThis tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP\r\n139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.\r\nIf you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.\r\nFor Ubuntu users:\r\nEdit this file /etc/NetworkManager/NetworkManager.conf and comment the line: dns=dnsmasq . Then kill\r\ndnsmasq with this command (as root): killall dnsmasq -9\r\nAny rogue server can be turned off in Responder.conf.\r\nThis tool is not meant to work on Windows.\r\nhttps://github.com/SpiderLabs/Responder\r\nPage 3 of 5\n\nFor OSX, please note: Responder must be launched with an IP address for the -i flag (e.g. -i\r\nYOUR_IP_ADDR). There is no native support in OSX for custom interface binding. Using -i en1 will not\r\nwork. Also to run Responder with the best experience, run the following as root:\r\nlaunchcl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist\r\nlaunchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist\r\nlaunchctl unload /System/Library/LaunchDaemons/com.apple.smbd.plist\r\nlaunchctl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist\r\nUsage\r\nFirst of all, please take a look at Responder.conf and tweak it for your needs.\r\nRunning the tool:\r\nTypical Usage Example:\r\n./Responder.py -I eth0 -wrf\r\nOptions:\r\n --version show program's version number and exit\r\n -h, --help show this help message and exit\r\n -A, --analyze Analyze mode. This option allows you to see NBT-NS,\r\n BROWSER, LLMNR requests without responding.\r\n -I eth0, --interface=eth0\r\n Network interface to use\r\n -b, --basic Return a Basic HTTP authentication. Default: NTLM\r\n -r, --wredir Enable answers for netbios wredir suffix queries.\r\n Answering to wredir will likely break stuff on the\r\n network. Default: False\r\n -d, --NBTNSdomain Enable answers for netbios domain suffix queries.\r\n Answering to domain suffixes will likely break stuff\r\n on the network. Default: False\r\n -f, --fingerprint This option allows you to fingerprint a host that\r\n issued an NBT-NS or LLMNR query.\r\n -w, --wpad Start the WPAD rogue proxy server. Default value is\r\n False\r\n -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY\r\n Upstream HTTP proxy used by the rogue WPAD Proxy for\r\n outgoing requests (format: host:port)\r\n -F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file\r\n retrieval. This may cause a login prompt. Default:\r\n False\r\nhttps://github.com/SpiderLabs/Responder\r\nPage 4 of 5\n\n--lm Force LM hashing downgrade for Windows XP/2003 and\r\n earlier. Default: False\r\n -v, --verbose Increase verbosity.\r\nCopyright\r\nNBT-NS/LLMNR Responder Created by Laurent Gaffie Copyright (C) 2013 Trustwave Holdings, Inc.\r\nThis program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public\r\nLicense as published by the Free Software Foundation, either version 3 of the License, or (at your option) any\r\nlater version.\r\nThis program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the\r\nimplied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU\r\nGeneral Public License for more details.\r\nYou should have received a copy of the GNU General Public License along with this program. If not, see\r\nhttp://www.gnu.org/licenses/\r\nSource: https://github.com/SpiderLabs/Responder\r\nhttps://github.com/SpiderLabs/Responder\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://github.com/SpiderLabs/Responder"
	],
	"report_names": [
		"Responder"
	],
	"threat_actors": [],
	"ts_created_at": 1775434054,
	"ts_updated_at": 1775791283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e676d420683fe1041935b18ef3b730d236392a5.pdf",
		"text": "https://archive.orkl.eu/4e676d420683fe1041935b18ef3b730d236392a5.txt",
		"img": "https://archive.orkl.eu/4e676d420683fe1041935b18ef3b730d236392a5.jpg"
	}
}