Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [1]

ID: S0174
Aliases: Responder
Type: TOOL
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1171 | LLMNR/NBT-NS Poisoning | Responder is used to poison name services to gather hashes and credentials from systems within a local network.[1]
Enterprise | T1040 | Network Sniffing | Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.[1]


Groups that use this software: