Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. ^[1]

ID: S0174

Type: TOOL

Platforms: Windows

Version: 1.0

Created: 16 January 2018

Last Modified: 17 October 2018

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1557	.001	Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	Responder is used to poison name services to gather hashes and credentials from systems within a local network.^[1]
Enterprise	T1040		Network Sniffing	Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.^[1]

Groups That Use This Software

ID	Name	References
G0007	APT28	^[2]

References

Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.

Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.

Responder

Enterprise Layer

Techniques Used

Groups That Use This Software

References