Responder is a powerful tool for network reconnaissance and credential harvesting in Windows environments. It acts as a rogue server, answering LLMNR, NBT-NS, and mDNS name-resolution requests so that clients resolve the queried name to the attacker's host and then authenticate to it. Key features include:
- Multi-protocol support: Built-in servers for SMB, HTTP, MSSQL, FTP, LDAP, and DCE-RPC, enabling capture of credentials from various services.
- NTLM capture and relaying: Supports NTLMv1/NTLMv2, LMv2, Extended Security NTLMSSP, and Basic HTTP authentication, and the captured authentication facilitates relay attacks.
- IPv6/IPv4 support: Operates on both IPv6 and IPv4 networks.
- WPAD support: Includes a WPAD rogue proxy server for capturing HTTP requests from Internet Explorer clients with auto-detect settings enabled.
- Analyze mode: Allows passive network monitoring without poisoning, useful for mapping domains and identifying potential attack vectors.
- Rogue DHCP and DNS: Can inject rogue DNS servers and WPAD URLs via DHCP inform spoofing.
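The poisoning described above is detectable from the defender's side with a canary query. The following script is an added example (not part of Responder or of this page) that uses only the Python standard library: it asks the LLMNR multicast group to resolve a random name that no legitimate host owns, so any host that answers is a rogue responder. The function and variable names are the example's own.

```python
import os
import socket
import struct

def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS wire format: 12-byte header, then one A/IN question."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def _read_name(data: bytes, off: int):  # decode labels, following a compression pointer
    parts = []
    while data[off] and data[off] & 0xC0 != 0xC0:
        parts.append(data[off + 1:off + 1 + data[off]].decode(errors="replace"))
        off += 1 + data[off]
    if data[off] == 0:
        return ".".join(parts), off + 1
    ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
    return ".".join(parts + [_read_name(data, ptr)[0]]), off + 2

def parse_llmnr_answer(data: bytes, txid: int):
    """IPv4 addresses from the A answers of a response to our query, else None."""
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid or not data[2] & 0x80:
        return None  # too short, wrong transaction ID, or QR bit clear (it is a query)
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _read_name(data, off)[1] + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _read_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def probe_for_poisoner(timeout: float = 2.0):
    """Ask the LLMNR group for a random, nonexistent name; any answer is a poisoner."""
    name, txid = "canary-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")  # constructed
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), ("224.0.0.252", 5355))  # RFC 4795
        hits = []  # (source IP of the reply, addresses it advertised for the name)
        try:
            while True:
                pkt, (src, _) = sock.recvfrom(4096)
                addrs = parse_llmnr_answer(pkt, txid)
                if addrs:
                    hits.append((src, addrs))
        except socket.timeout:
            return hits
```

Run `probe_for_poisoner()` from a host on the segment under review; an empty list means nobody answered the canary within the timeout, while each hit names a host that is claiming names it does not own.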
Responder is primarily used by penetration testers and red teamers to:
- Capture credentials for offline cracking or relaying.
- Gain unauthorized access to systems and services.
- Perform man-in-the-middle attacks.
- Identify vulnerable network configurations.