Convert Figma logo to code with AI

SpiderLabs logoResponder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

4,458
1,667
4,458
44
View on GitHub

Top Related Projects

lgandx's avatar

Responder

5,320

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

byt3bl33d3r's avatar

CrackMapExec

8,349

A swiss army knife for pentesting networks

trustedsec's avatar

social-engineer-toolkit

10,692

The Social-Engineer Toolkit (SET) repository from TrustedSec - All new versions of SET will be deployed here.

bettercap's avatar

bettercap

16,239

The Swiss Army knife for 802.11, BLE, HID, CAN-bus, IPv4 and IPv6 networks reconnaissance and MITM attacks.

s0md3v's avatar

Photon

10,895

Incredibly fast crawler designed for OSINT.

PowerShellMafia's avatar

PowerSploit

11,767

PowerSploit - A PowerShell Post-Exploitation Framework

Quick Overview

Responder is an open-source network analysis and penetration testing tool designed to respond to specific NBT-NS, LLMNR, and MDNS requests. It can be used to gain unauthorized access to systems by exploiting weaknesses in network protocols. Responder is primarily used for security assessments and ethical hacking purposes.

Pros

  • Highly effective in identifying and exploiting network vulnerabilities
  • Supports multiple protocols and attack vectors
  • Regularly updated and maintained by the security community
  • Includes built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers

Cons

  • Can be misused for malicious purposes if not handled responsibly
  • Requires advanced knowledge of network protocols and security concepts
  • May trigger antivirus or intrusion detection systems
  • Legal and ethical considerations must be taken into account before use

Getting Started

To get started with Responder:

  1. Clone the repository:

    git clone https://github.com/SpiderLabs/Responder.git

  2. Navigate to the Responder directory:

    cd Responder

  3. Run Responder with sudo privileges:

    sudo python3 Responder.py -I eth0 -wrf

    Replace eth0 with your network interface.

  4. Responder will start listening for and responding to network requests. Monitor the output for potential vulnerabilities and captured credentials.

Note: Always ensure you have proper authorization before using Responder on any network. Use responsibly and ethically.

Competitor Comparisons

lgandx logo

Responder

5,320

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Pros of Responder (lgandx)

  • More actively maintained with frequent updates
  • Includes additional features like NTLM relay attacks
  • Better compatibility with modern Windows environments

Cons of Responder (lgandx)

  • May have more complexity, potentially increasing the learning curve
  • Some users report occasional stability issues with newer features

Code Comparison

Responder (SpiderLabs):

def start():
    try:
        server = ThreadingUDPServer(('', 137), UDPHandler)
        t = threading.Thread(name='NBT-NS', target=server.serve_forever)
        t.setDaemon(True)
        t.start()
    except Exception:
        print(color("[!] ", 1, 1) + "Error starting NBT-NS server on port 137")

Responder (lgandx):

def start():
    try:
        server = ThreadingUDPServer(('', 137), NBTNSHandler)
        thread = threading.Thread(name='NBT-NS', target=server.serve_forever)
        thread.daemon = True
        thread.start()
    except Exception:
        print(utils.color("[!] ", 1, 1) + "Error starting NBT-NS server on port 137")

The code comparison shows similar structure but with minor differences in variable naming and import conventions. The lgandx version uses a more specific handler class (NBTNSHandler) and imports a utils module for color formatting.

byt3bl33d3r logo

CrackMapExec

8,349

A swiss army knife for pentesting networks

Pros of CrackMapExec

  • More comprehensive post-exploitation capabilities
  • Supports multiple protocols (SMB, WMI, MSSQL, etc.)
  • Modular architecture allows for easy extension

Cons of CrackMapExec

  • Steeper learning curve due to more complex functionality
  • Requires more setup and dependencies
  • May trigger more security alerts due to its aggressive nature

Code Comparison

Responder (Python):

if Config.Config.HTTP_On_Off:
    from servers.HTTP import HTTP
    thread = Thread(target=HTTP, args=())
    thread.setDaemon(True)
    thread.start()

CrackMapExec (Python):

def proto_flow(self, targets, module, port, local_port):
    for target in targets:
        job = JobQueue().submit(getattr(self, f'_{module}_flow'), target, port, local_port)
        self.jobs.append(job)

Both tools are written in Python, but CrackMapExec's code structure reflects its more modular and extensible design. Responder focuses on specific protocols and poisoning techniques, while CrackMapExec provides a broader framework for various post-exploitation tasks across multiple protocols.

trustedsec logo

social-engineer-toolkit

10,692

The Social-Engineer Toolkit (SET) repository from TrustedSec - All new versions of SET will be deployed here.

Pros of Social-Engineer-Toolkit

  • Broader scope of social engineering tools and techniques
  • More comprehensive framework for penetration testing
  • Regularly updated with new attack vectors and exploits

Cons of Social-Engineer-Toolkit

  • Steeper learning curve due to its extensive feature set
  • Requires more setup and configuration for specific attacks
  • May be overkill for simpler penetration testing scenarios

Code Comparison

Responder (Python):

if settings.Config.HTTP_On_Off:
    threads.append(threading.Thread(name="HTTP", target=HTTP_Server, args=(settings.Config.IP, settings.Config.HTTP_Port)))

Social-Engineer-Toolkit (Python):

if operating_system == "posix":
    subprocess.Popen("chmod +x %s/setoolkit" % (definepath), shell=True).wait()
    subprocess.Popen("ln -s %s/setoolkit /usr/bin/setoolkit" % (definepath), shell=True).wait()

Both repositories use Python, but Social-Engineer-Toolkit focuses more on system-level operations and setup, while Responder is more network-oriented. Social-Engineer-Toolkit's code reflects its broader scope and more complex setup process, while Responder's code is more focused on specific network protocols and services.

bettercap logo

bettercap

16,239

The Swiss Army knife for 802.11, BLE, HID, CAN-bus, IPv4 and IPv6 networks reconnaissance and MITM attacks.

Pros of bettercap

  • More versatile, supporting a wider range of network attacks and monitoring capabilities
  • Actively maintained with regular updates and improvements
  • Offers a user-friendly web UI for easier interaction and visualization

Cons of bettercap

  • Steeper learning curve due to its extensive feature set
  • Requires more system resources to run effectively
  • May be overkill for simpler network analysis tasks

Code Comparison

Responder (Python):

def start():
    global OURIP
    if options.Interface is None:
        print(utils.color("Error: -I <if> mandatory option is missing", 1))
        sys.exit(-1)
    OURIP = utils.FindLocalIP(options.Interface, options.OURIP)
    print(utils.color("[+] Listening for events...", 2, 1))

bettercap (Go):

func (mod *HttpProxy) Start() error {
    var err error

    if mod.Running() {
        return session.ErrAlreadyStarted(mod.Name())
    } else if err = mod.Configure(); err != nil {
        return err
    }

Both projects focus on network security, but bettercap offers a broader range of features and a more modern codebase. Responder specializes in specific network poisoning attacks, while bettercap provides a comprehensive suite of network analysis and attack tools.

s0md3v logo

Photon

10,895

Incredibly fast crawler designed for OSINT.

Pros of Photon

  • Designed for web reconnaissance and information gathering
  • Supports multiple output formats (JSON, CSV, etc.)
  • Highly customizable with various options for crawling and data extraction

Cons of Photon

  • Limited to web-based information gathering
  • May require additional tools for comprehensive network analysis
  • Less focused on network protocol exploitation

Code Comparison

Photon (Python):

def photon(url, level, threads, delay, timeout, cook, headers, ninja, crawl_js):
    # Main function for web crawling and information gathering
    # ...

Responder (Python):

def Start_Responder(options):
    # Main function for network protocol exploitation
    # ...

Key Differences

  • Photon focuses on web crawling and information gathering, while Responder targets network protocol exploitation
  • Photon is more suitable for web-based reconnaissance, whereas Responder is designed for network penetration testing
  • Photon offers more flexibility in output formats and customization options, while Responder specializes in specific network protocols

Use Cases

  • Photon: Web application security testing, OSINT gathering, content discovery
  • Responder: Network penetration testing, capturing network credentials, exploiting LLMNR/NBT-NS/MDNS

Community and Maintenance

Both projects are actively maintained and have strong community support. Photon has a larger number of contributors, while Responder has a more focused development team.

PowerShellMafia logo

PowerSploit

11,767

PowerSploit - A PowerShell Post-Exploitation Framework

Pros of PowerSploit

  • Broader scope of post-exploitation tools and techniques
  • Extensive PowerShell-based functionality for various penetration testing tasks
  • Active community and regular updates

Cons of PowerSploit

  • Primarily focused on Windows environments
  • Requires PowerShell execution, which may be restricted in some environments
  • Larger codebase, potentially more complex to use and maintain

Code Comparison

PowerSploit (PowerView module):

Get-NetDomain
Get-NetUser
Get-NetComputer
Invoke-UserHunter
Find-LocalAdminAccess

Responder:

def start_responder():
    start_servers()
    sniff(filter="udp port 137 or udp port 138 or udp port 53", prn=analyze_packet, store=0)

While PowerSploit offers a wide range of PowerShell-based tools for post-exploitation and reconnaissance, Responder focuses specifically on LLMNR, NBT-NS, and MDNS poisoning. PowerSploit is more versatile but limited to Windows, whereas Responder is cross-platform and specialized in network poisoning attacks.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

:no_entry: [DEPRECATED] Active at https://github.com/lgandx/Responder

Responder.py

LLMNR/NBT-NS/mDNS Poisoner

Author: Laurent Gaffie <laurent.gaffie@gmail.com > http://www.spiderlabs.com

Intro

Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB.

The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.

Features

  • Built-in SMB Auth server.

Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. This functionality is enabled by default when the tool is launched.

  • Built-in MSSQL Auth server.

In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.

  • Built-in HTTP Auth server.

In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.

Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can now send your custom files to a victim.

  • Built-in HTTPS Auth server.

Same as above. The folder certs/ contains 2 default keys, including a dummy private key. This is intentional, the purpose is to have Responder working out of the box. A script was added in case you need to generate your own self signed key pair.

  • Built-in LDAP Auth server.

In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.

  • Built-in FTP, POP3, IMAP, SMTP Auth servers.

This modules will collect clear text credentials.

  • Built-in DNS server.

This server will answer type A queries. This is really handy when it's combined with ARP spoofing.

  • Built-in WPAD Proxy Server.

This module will capture all HTTP requests from anyone launching Internet Explorer on the network if they have "Auto-detect settings" enabled. This module is highly effective. You can configure your custom PAC script in Responder.conf and inject HTML into the server's responses. See Responder.conf.

  • Browser Listener

This module allows to find the PDC in stealth mode.

  • Fingerprinting

When the option -f is used, Responder will fingerprint every host who issued an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode.

  • Icmp Redirect

    python tools/Icmp-Redirect.py

For MITM on Windows XP/2003 and earlier Domain members. This attack combined with the DNS module is pretty effective.

  • Rogue DHCP

    python tools/DHCP.py

DHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform answer to set your IP address as a primary DNS server, and your own WPAD URL.

  • Analyze mode.

This module allows you to see NBT-NS, BROWSER, LLMNR, DNS requests on the network without poisoning any responses. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks are plausible on your subnet.

Hashes

All hashes are printed to stdout and dumped in an unique file John Jumbo compliant, using this format:

(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt

Log files are located in the "logs/" folder. Hashes will be logged and printed only once per user per hash type, unless you are using the Verbose mode (-v).

  • Responder will logs all its activity to Responder-Session.log
  • Analyze mode will be logged to Analyze-Session.log
  • Poisoning will be logged to Poisoners-Session.log

Additionally, all captured hashed are logged into an SQLite database which you can configure in Responder.conf

Considerations

  • This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.

  • If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.

  • For Ubuntu users:

Edit this file /etc/NetworkManager/NetworkManager.conf and comment the line: dns=dnsmasq. Then kill dnsmasq with this command (as root): killall dnsmasq -9

  • Any rogue server can be turned off in Responder.conf.

  • This tool is not meant to work on Windows.

  • For OSX, please note: Responder must be launched with an IP address for the -i flag (e.g. -i YOUR_IP_ADDR). There is no native support in OSX for custom interface binding. Using -i en1 will not work. Also to run Responder with the best experience, run the following as root:

    launchcl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.smbd.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist

Usage

First of all, please take a look at Responder.conf and tweak it for your needs.

Running the tool:

./Responder.py [options]

Typical Usage Example:

./Responder.py -I eth0 -wrf

Options:

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                        BROWSER, LLMNR requests without responding.
  -I eth0, --interface=eth0
                        Network interface to use
  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
  -r, --wredir          Enable answers for netbios wredir suffix queries.
                        Answering to wredir will likely break stuff on the
                        network. Default: False
  -d, --NBTNSdomain     Enable answers for netbios domain suffix queries.
                        Answering to domain suffixes will likely break stuff
                        on the network. Default: False
  -f, --fingerprint     This option allows you to fingerprint a host that
                        issued an NBT-NS or LLMNR query.
  -w, --wpad            Start the WPAD rogue proxy server. Default value is
                        False
  -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
                        Upstream HTTP proxy used by the rogue WPAD Proxy for
                        outgoing requests (format: host:port)
  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
                        retrieval. This may cause a login prompt. Default:
                        False
  --lm                  Force LM hashing downgrade for Windows XP/2003 and
                        earlier. Default: False
  -v, --verbose         Increase verbosity.

Copyright

NBT-NS/LLMNR Responder Created by Laurent Gaffie Copyright (C) 2013 Trustwave Holdings, Inc.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/