Responder Attack
What is Responder Attack?
An attack that uses Laurent Gaffie's Responder tool to poison LLMNR, NBT-NS, and mDNS, run rogue authentication servers, and capture or relay NTLM credentials on a local network.
Responder is a Python tool that combines LLMNR, NBT-NS, mDNS, and DHCPv6 poisoning with built-in rogue SMB, HTTP, FTP, MSSQL, LDAP, WPAD, and proxy authentication servers. When a victim mistypes a hostname or has a misconfigured share, Responder answers, prompts the victim to authenticate, and harvests NTLMv1/NTLMv2 challenge-response hashes for offline cracking with hashcat or john. With analyse mode it operates passively, and with the -wf flag it runs a malicious WPAD server. Used jointly with Impacket's ntlmrelayx, it pipes captured authentications into NTLM relay attacks. Defenders disable LLMNR and NBT-NS via GPO, enforce SMB and LDAP signing, deploy Extended Protection for Authentication, and segment networks to deny rogue Layer-2 access.
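As an added defensive example, not part of this entry or of the Responder project: a small Python LLMNR canary that queries a random hostname no legitimate host owns, so any reply on the segment indicates a poisoner, and the parser reports which address the responder tried to hand the victim. Group 224.0.0.252 and port 5355 are LLMNR's standard values; the canary name, transaction id and the sample reply are constructed here, not captured traffic.

```python
import os, random, socket, struct

def _encode_name(name: str) -> bytes:  # DNS-style labels, zero-terminated
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def build_llmnr_query(name: str, txid: int) -> bytes:  # DNS wire format: header + one A/IN question
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, off: int) -> int:  # offset just past a (possibly compressed) name
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_llmnr_response(data: bytes, expected_txid: int):  # A-record IPv4s, or None if not our reply
    try:
        txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", data)
        if txid != expected_txid or not flags & 0x8000:
            return None
        off, addrs = 12, []
        for _ in range(qd):  # skip the echoed question section
            off = _skip_name(data, off) + 4
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", data, off)
            if rtype == 1 and rdlen == 4:  # A record: the address victims would be sent to
                addrs.append(socket.inet_ntoa(data[off + 10:off + 14]))
            off += 10 + rdlen
        return addrs
    except (struct.error, IndexError, OSError):  # truncated or malformed datagram
        return None

def probe(timeout: float = 2.0):  # query a random name nobody owns: silence is healthy
    name, txid = "canary-" + os.urandom(4).hex(), random.randrange(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), ("224.0.0.252", 5355))  # LLMNR multicast group/port
        try:
            while True:
                data, (src, _) = sock.recvfrom(2048)
                addrs = parse_llmnr_response(data, txid)
                if addrs is not None:
                    hits.append((src, addrs))  # src answered the canary; addrs is where it sends victims
        except socket.timeout:
            return name, hits

SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)  # constructed sample reply, not capture
                   + _encode_name("canary-deadbeef") + struct.pack("!HH", 1, 1)  # echoed question
                   + _encode_name("canary-deadbeef") + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.99"))
```

Run `probe()` periodically from a monitoring host on each VLAN; a non-empty `hits` list is the alert, and the same idea applies to NBT-NS on UDP/137.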
● Examples
- 01
Running Responder on an internal pentest to collect dozens of NTLMv2 hashes within minutes of joining the LAN.
- 02
Chaining Responder's WPAD module with ntlmrelayx to relay browser-initiated NTLM auth to an internal web app.
● Frequently asked questions
What is Responder Attack?
An attack that uses Laurent Gaffie's Responder tool to poison LLMNR, NBT-NS, and mDNS, run rogue authentication servers, and capture or relay NTLM credentials on a local network. It belongs to the Attacks & Threats category of cybersecurity.
What does Responder Attack mean?
An attack that uses Laurent Gaffie's Responder tool to poison LLMNR, NBT-NS, and mDNS, run rogue authentication servers, and capture or relay NTLM credentials on a local network.
How does Responder Attack work?
Responder is a Python tool that combines LLMNR, NBT-NS, mDNS, and DHCPv6 poisoning with built-in rogue SMB, HTTP, FTP, MSSQL, LDAP, WPAD, and proxy authentication servers. When a victim mistypes a hostname or has a misconfigured share, Responder answers, prompts the victim to authenticate, and harvests NTLMv1/NTLMv2 challenge-response hashes for offline cracking with hashcat or john. With analyse mode it operates passively, and with the -wf flag it runs a malicious WPAD server. Used jointly with Impacket's ntlmrelayx, it pipes captured authentications into NTLM relay attacks. Defenders disable LLMNR and NBT-NS via GPO, enforce SMB and LDAP signing, deploy Extended Protection for Authentication, and segment networks to deny rogue Layer-2 access.
How do you defend against Responder Attack?
Defences for Responder Attack typically combine technical controls (disabling LLMNR and NBT-NS via GPO, enforcing SMB and LDAP signing, deploying Extended Protection for Authentication, and segmenting networks to deny rogue Layer-2 access) with operational practices, as detailed in the full definition above.
What are other names for Responder Attack?
Common alternative names include: Responder tool attack, LLMNR/NBT-NS poisoner.
● Related terms
- attacks № 620
LLMNR Poisoning
An adversary-in-the-middle technique (MITRE T1557.001) that abuses the Link-Local Multicast Name Resolution protocol on UDP/5355 to redirect victims to attacker-controlled hosts.
- attacks № 715
NBT-NS Poisoning
An adversary-in-the-middle attack that abuses legacy NetBIOS Name Service traffic on UDP/137 to spoof name responses and harvest NTLM authentications.
- attacks № 746
NTLM Relay Attack
An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password.
- attacks № 1057
SMB Relay Attack
A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim.
- attacks № 790
Pass-the-Hash
A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.