Let’s break down Responder, a powerful tool used in cybersecurity—especially in penetration testing and red team operations.
🧠 What Is Responder?
Responder is a network spoofing and credential harvesting tool written in Python. It’s designed to poison name resolution protocols like:
- LLMNR (Link-Local Multicast Name Resolution)
- NBT-NS (NetBIOS Name Service)
- MDNS (Multicast DNS)
By exploiting these protocols, Responder tricks devices into sending authentication data to the attacker, which can then be captured and cracked.
Originally developed by SpiderLabs and now maintained by Laurent Gaffié, Responder is included in Kali Linux and can also be manually installed on other systems.
🧪 How Responder Works
Here’s the basic attack flow:
- Victim device sends out a name resolution request (e.g., trying to find
fileserver.local) - Responder intercepts and responds with its own IP address
- Victim unknowingly connects to Responder, sending credentials (often NTLM hashes)
- Responder captures the credentials, which can be cracked offline or used in relay attacks
🛠️ Common Usage
To run Responder on Kali Linux:
sudo responder -I eth0 -wrf
-I eth0: Listen on theeth0interface-w: Enable WPAD poisoning-r: Enable LLMNR poisoning-f: Force authentication for NBT-NS poisoning
You can also run it in analyze mode to observe traffic without responding.
🧰 Installation
On Kali Linux
sudo apt-get update
sudo apt-get install responder
On Windows
- Install Python
- Clone the repo:
git clone https://github.com/lgandx/Responder.git - Install dependencies:
pip install -r requirements.txt - Run:
python Responder.py -h
More setup details are available in this installation guide.
🛡️ How to Defend Against Responder
To protect your network:
- Disable LLMNR and NBT-NS via Group Policy
- Use strong password policies to resist hash cracking
- Enable SMB signing to prevent relay attacks
- Monitor for suspicious traffic using tools like Wireshark or Zeek
- Segment your network to limit exposure
