Kali Linux
responder
Overview
Responder poisons LLMNR, NBT-NS, and mDNS broadcasts on local segments, answering name resolution queries to capture NetNTLMv2 hashes for offline cracking or relay.
Runs HTTP/SMB/MSSQL/FTP/LDAP rogue servers to coerce authentication. `-I eth0` selects interface; `-wrf` enables WPAD and rogue auth servers.
Deadly on flat networks without SMB signing—pair with ntlmrelayx. Disable LLMNR/NBT-NS via GPO in enterprise AD.
Primary use cases
- Capturing hashes from misconfigured Windows name resolution
- WPAD poisoning for credential capture
- Proof-of-risk for flat network segmentation
Key commands
Analyze mode (passive, no poison)
responder -I eth0 -A
Full poison with WPAD
responder -I eth0 -wrf
Detection / defense notes
- Disable LLMNR and NBT-NS via GPO
- Enable SMB signing; EPA on services
- Network segmentation limits broadcast poison scope
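A detection check to go with the notes above, added here as an example and not taken from Responder or the original page: a poisoner answers any LLMNR name, so a query for a random name that no host owns should draw no reply on a clean segment. The canary naming, the function names and the sample packet are assumptions made for illustration.

```python
import secrets
import socket
import struct

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name, txid):
    """LLMNR reuses the DNS wire format: 12-byte header, then one A/IN question."""
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!2H", 1, 1)

def skip_name(packet, pos):
    """Return the offset just past a name (plain labels or a compression pointer)."""
    while packet[pos] and packet[pos] & 0xC0 != 0xC0:
        pos += 1 + packet[pos]
    return pos + (2 if packet[pos] else 1)

def claimed_address(packet, txid):
    """Return the IPv4 address in the first answer of a reply to txid, else None."""
    try:
        rid, flags, qdcount, ancount = struct.unpack("!4H", packet[:8])
        pos = 12
        for _ in range(qdcount):                 # skip the echoed question(s)
            pos = skip_name(packet, pos) + 4
        pos = skip_name(packet, pos)             # owner name of the first answer
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", packet[pos:pos + 10])
        ok = rid == txid and flags & 0x8000 and ancount and rtype == 1 and rdlen == 4
        return socket.inet_ntoa(packet[pos + 10:pos + 14]) if ok else None
    except (IndexError, struct.error, OSError):
        return None

def probe(timeout=2.0):
    """Query a random name nobody owns; any host that answers is poisoning LLMNR."""
    name, txid = "canary-" + secrets.token_hex(4), secrets.randbelow(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), ("224.0.0.252", 5355))  # LLMNR group/port
        try:
            while True:
                data, peer = sock.recvfrom(512)
                hits.append((peer[0], claimed_address(data, txid)))
        except socket.timeout:
            return name, [h for h in hits if h[1]]

# Constructed sample reply (not captured traffic): claims "canary-test" is at 192.0.2.66.
QUESTION = encode_name("canary-test") + struct.pack("!2H", 1, 1)    # name, TYPE=A, CLASS=IN
SAMPLE_REPLY = (struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 0) + QUESTION
                + QUESTION + struct.pack("!IH", 30, 4) + bytes([192, 0, 2, 66]))
```

Run `probe()` from a host on the segment being checked; a non-empty list gives the source address of each host that answered and the address it claimed for the canary name.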
Related tools
- Impacket — Python protocol implementations. secretsdump, psexec, getTGT, and SMB/Kerberos tooling for Windows networks.
- crackmapexec — Swiss army knife for AD pentesting. SMB, WinRM, LDAP, MSSQL lateral movement.