1. Home
  2. Software
  3. Responder

Responder

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [1]

ID: S0174
Type: TOOL
Version: 1.2
Created: 16 January 2018
Last Modified: 16 April 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Responder is used to poison name services to gather hashes and credentials from systems within a local network.[1]
Enterprise T1040 Network Sniffing

Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.[1]

Groups That Use This Software

ID Name References
G1003 Ember Bear

Ember Bear has used Responder in intrusions.[2]
G0007 APT28

[3][4]

G0032 Lazarus Group

[5][6][7][8]

Campaigns

ID Name Description
C0022 Operation Dream Job

[5]

References

  1. Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
  2. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  3. Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved November 17, 2024.
  4. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
  1. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  2. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  3. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  4. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.