Pentest Tools

Published on April 2nd, 2016 📆 | 4830 Views ⚑


Responder – LLMNR, MDNS and NBT-NS Poisoner
Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: NetBIOS Suffixes). By default, the tool will only answer to File Server Service request, which is for SMB.

The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.


  • Built-in SMB Auth server – Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP.
  • Built-in MSSQL Auth server – Supports NTLMv1 and LMv2 hashes.
  • Built-in HTTP Auth server – Supports NTLMv1, NTLMv2 hashes and Basic Authentication.
  • Built-in HTTPS Auth server – As above (comes with dummy keys).
  • Built-in LDAP Auth server – Supports NTLMSSP hashes and Simple Authentication (clear text authentication).
  • Built-in FTP, POP3, IMAP, SMTP Auth servers – Supports collection of clear text credentials.
  • Built-in DNS server – This server will answer type A queries, combine with ARP spoofing.
  • Built-in WPAD Proxy Server – Will capture all HTTP requests from IE users with “Auto-detect settings” enabled.
  • Browser Listener – This module allows you to find the PDC in stealth mode.
  • Fingerprinting – Will fingerprint every host who issued an LLMNR/NBT-NS query.
  • ICMP Redirect – For MITM on Windows XP/2003 and earlier Domain members.
  • Rogue DHCP – Supports DHCP Inform Spoofing.
  • Analyze mode – Allows you to see NBT-NS, BROWSER, LLMNR, DNS requests without poisoning.

[adsense size='1']


Before starting take a look at Responder.conf and tweak it to your requirements.

You can download Responder here:

[adsense size='1']

Or read more here.

Comments are closed.