Responder

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [1]

ID: S0174
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 16 January 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1557 .001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Responder is used to poison name services to gather hashes and credentials from systems within a local network.[1]

Enterprise T1040 Network Sniffing

Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[2]

References