
Responder

Responder is an LLMNR, NBT-NS and MDNS poisoner with built-in rogue authentication servers for capturing credentials and performing relay attacks.

Introduction

Responder is a powerful tool for network reconnaissance and credential harvesting in Windows environments. It acts as a rogue server, answering LLMNR, NBT-NS, and MDNS requests to trick clients into authenticating to it. Key features include:

  • Multi-protocol support: Built-in servers for SMB, HTTP, MSSQL, FTP, LDAP, and DCE-RPC, enabling capture of credentials from various services.
  • NTLM relaying: Supports NTLMv1/NTLMv2, LMv2, Extended Security NTLMSSP, and Basic HTTP authentication, facilitating relay attacks.
  • IPv6/IPv4 support: Operates on both IPv6 and IPv4 networks.
  • WPAD support: Includes a WPAD rogue proxy server for capturing HTTP requests from Internet Explorer clients with auto-detect settings enabled.
  • Analyze mode: Allows passive network monitoring without poisoning, useful for mapping domains and identifying potential attack vectors.
  • Rogue DHCP and DNS: Can inject rogue DNS servers and WPAD URLs via DHCP inform spoofing.

Responder is primarily used by penetration testers and red teamers to:

  • Capture credentials for offline cracking or relaying.
  • Gain unauthorized access to systems and services.
  • Perform man-in-the-middle attacks.
  • Identify vulnerable network configurations.
