Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1035

Responder Attack

Reviewed by Cybersecurity entrepreneur & security researcher

What is Responder Attack?

Responder Attack: An attack that uses Laurent Gaffie's Responder tool to poison LLMNR, NBT-NS, and mDNS, run rogue authentication servers, and capture or relay NTLM credentials on a local network.


Responder is a Python tool by Laurent Gaffie that combines LLMNR, NBT-NS, mDNS, and DHCPv6 poisoning with built-in rogue SMB, HTTP, FTP, MSSQL, LDAP, WPAD, and proxy authentication servers. When a victim mistypes a hostname or queries a name that has no DNS record, Windows falls back to these broadcast/multicast protocols; Responder answers first, claims to be the requested host, prompts the victim to authenticate, and harvests NTLMv1/NTLMv2 challenge-response hashes for offline cracking with hashcat or john.

The exploited behaviour is a long-standing Windows design choice: LLMNR (RFC 4795) and NBT-NS are unauthenticated name-resolution fallbacks, so any host on the segment can impersonate any name. Because the responses are broadcast/multicast, the attacker needs only Layer-2 presence — no prior credentials — which is why Responder typically yields hashes within minutes of joining a corporate LAN. Running passively in --analyze mode, it maps poisoning opportunities without sending answers; the -w WPAD module hijacks proxy auto-config to coerce browser NTLM. Captured NTLMv2 hashes that resist cracking are still useful: piped into Impacket's ntlmrelayx, they become live NTLM relay attacks against hosts lacking SMB or LDAP signing.

flowchart TD
  V[Victim queries an unknown name] --> Q{DNS resolves?}
  Q -->|No| B[Broadcast LLMNR / NBT-NS / mDNS]
  B --> R[Responder answers first<br/>'that host is me']
  R --> AU[Rogue SMB/HTTP server<br/>prompts for auth]
  AU --> H[Capture NTLMv2 challenge-response]
  H --> C[Offline crack<br/>hashcat / john]
  H --> RL[Relay live via ntlmrelayx]
  G[Disable LLMNR & NBT-NS via GPO] -.prevents.-> B

Defenders disable LLMNR and NBT-NS via GPO, enforce SMB and LDAP signing, deploy Extended Protection for Authentication, and segment networks to deny rogue Layer-2 access. Honey-credential canaries and IDS signatures for poisoned LLMNR replies help detect Responder in use.
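
One way to act on the detection point above, as an added example (not part of the original entry and not Responder's own code): a canary-name probe that multicasts an LLMNR query for a random name no host owns and treats any answer as evidence of a poisoner on the segment. The function names, the canary- prefix and the sample reply bytes are assumptions constructed for illustration.

```python
import secrets, socket, struct

LLMNR = ("224.0.0.252", 5355)  # RFC 4795 IPv4 multicast group and UDP port

def encode_name(name):  # DNS wire format: length-prefixed labels, zero terminator
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_query(name, txid):  # one A/IN question; flags 0 marks a standard query
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def read_name(pkt, pos):  # returns (name, next_pos); a compression pointer ends the name
    labels = []
    while pkt[pos]:
        if pkt[pos] & 0xC0 == 0xC0:
            return ".".join(labels), pos + 2
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode("ascii", "replace"))
        pos += 1 + pkt[pos]
    return ".".join(labels), pos + 1

def spoofed_answer(pkt, canary, txid):
    """Return the IPv4 address a reply claims for the canary name, else None."""
    try:
        rid, flags, _, ancount = struct.unpack(">HHHH", pkt[:8])
        qname, pos = read_name(pkt, 12)
        if rid != txid or not flags & 0x8000 or not ancount or qname.lower() != canary.lower():
            return None
        _, pos = read_name(pkt, pos + 4)  # skip QTYPE/QCLASS, then the answer's name
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
        return socket.inet_ntoa(pkt[pos + 10:pos + 14]) if (rtype, rdlen) == (1, 4) else None
    except (struct.error, IndexError, OSError):
        return None  # malformed or truncated packet

def probe(timeout=2.0):
    """Query a random name nobody owns; return [(responder_ip, claimed_ip), ...]."""
    canary, txid, hits = "canary-" + secrets.token_hex(4), secrets.randbits(16), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(canary, txid), LLMNR)
        try:
            while True:
                pkt, (src, _) = s.recvfrom(512)
                if ip := spoofed_answer(pkt, canary, txid):
                    hits.append((src, ip))
        except socket.timeout:
            return hits

# Constructed sample reply: txid 0x1234, name "canary-test", claims 10.0.0.66
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0) + encode_name("canary-test")
                + struct.pack(">HH", 1, 1) + encode_name("canary-test")
                + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.66"))
```

Run probe() on a schedule from a monitoring host on each segment; a non-empty result names the machine answering for a host that does not exist.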

Examples

  1. Running Responder on an internal pentest to collect dozens of NTLMv2 hashes within minutes of joining the LAN.

  2. Chaining Responder's WPAD module with ntlmrelayx to relay browser-initiated NTLM auth to an internal web app.

Frequently asked questions

What is Responder Attack?

An attack that uses Laurent Gaffie's Responder tool to poison LLMNR, NBT-NS, and mDNS, run rogue authentication servers, and capture or relay NTLM credentials on a local network. It belongs to the Attacks & Threats category of cybersecurity.

How do you defend against Responder Attack?

Defences for Responder Attack typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Responder Attack?

Common alternative names include: Responder tool attack, LLMNR/NBT-NS poisoner.
