Convert Figma logo to code with AI

lgandx logoResponder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

5,320
757
5,320
26
View on GitHub

Top Related Projects

SpiderLabs's avatar

Responder

4,458

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

lgandx's avatar

PCredz

1,967

This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

byt3bl33d3r's avatar

CrackMapExec

8,349

A swiss army knife for pentesting networks

Kevin-Robertson's avatar

Inveigh

2,490

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers

dirkjanm's avatar

krbrelayx

1,103

Kerberos unconstrained delegation abuse toolkit

Quick Overview

Responder is an open-source network analysis and penetration testing tool designed to respond to specific NBT-NS, LLMNR, and MDNS requests. It can be used to identify and exploit vulnerabilities in network configurations, particularly in Windows environments. Responder is primarily used for security assessments and ethical hacking purposes.

Pros

  • Highly effective for identifying and exploiting network misconfigurations
  • Supports multiple protocols and attack vectors
  • Actively maintained and regularly updated
  • Includes a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server

Cons

  • Can be potentially misused for malicious purposes
  • Requires careful handling to avoid unintended consequences on target networks
  • May trigger antivirus or intrusion detection systems
  • Requires a good understanding of network protocols and security concepts

Getting Started

  1. Clone the repository:

    git clone https://github.com/lgandx/Responder

  2. Navigate to the Responder directory:

    cd Responder

  3. Run Responder with sudo privileges:

    sudo python3 Responder.py -I eth0 -rdwv

    Replace eth0 with your network interface.

  4. Responder will start listening for and responding to specific requests on the network. Monitor the output for captured hashes or other relevant information.

Note: Always ensure you have proper authorization before using Responder on any network. Unauthorized use may be illegal and unethical.

Competitor Comparisons

SpiderLabs logo

Responder

4,458

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Pros of Responder (SpiderLabs)

  • More frequent updates and active maintenance
  • Broader community support and contributions
  • Enhanced compatibility with modern systems and networks

Cons of Responder (SpiderLabs)

  • Potentially less stable due to frequent changes
  • May have a steeper learning curve for new users
  • Some features might be considered "bloat" by minimalists

Code Comparison

Responder (lgandx):

def start():
    global OURIP
    if options.Interface is None:
        OURIP = FindLocalIP()
    elif options.Interface == 'ALL':
        OURIP = '0.0.0.0'
    else:
        OURIP = FindLocalIP(options.Interface)

Responder (SpiderLabs):

def start():
    global Config
    
    if not Config.Interface:
        Config.Interface = FindLocalIP()
    elif Config.Interface == 'ALL':
        Config.Interface = '0.0.0.0'
    else:
        Config.Interface = FindLocalIP(Config.Interface)

The code comparison shows that SpiderLabs' version uses a more centralized configuration approach, potentially making it easier to manage settings across the application.

lgandx logo

PCredz

1,967

This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

Pros of PCredz

  • Focused specifically on credential extraction from network traffic
  • Supports a wider range of protocols for credential extraction (e.g., SMTP, IMAP, POP3)
  • Lightweight and can be easily integrated into existing network monitoring setups

Cons of PCredz

  • Less comprehensive in terms of overall network attack simulation
  • Lacks the ability to perform active attacks or respond to network requests
  • More limited in terms of customization and extensibility

Code Comparison

PCredz (packet parsing):

def ParsePcapng(fname):
    cap = pyshark.FileCapture(fname)
    for pkt in cap:
        Parse_pcap(pkt)

Responder (HTTP server setup):

def Run_HTTP_Server(ip, port):
    try:
        server = ThreadingHTTPServer((ip, port), HTTP)
        server.serve_forever()
    except Exception:
        pass

PCredz focuses on passive network traffic analysis and credential extraction, while Responder is a more comprehensive tool for network attack simulation and active response. Responder includes features like rogue authentication servers and SMB relay attacks, which are not present in PCredz. However, PCredz excels in its specific task of credential extraction from a wide range of protocols, making it a valuable tool for network security assessments and monitoring.

byt3bl33d3r logo

CrackMapExec

8,349

A swiss army knife for pentesting networks

Pros of CrackMapExec

  • More comprehensive post-exploitation capabilities
  • Supports a wider range of protocols (SMB, WMI, MSSQL, etc.)
  • Modular architecture allows for easy extension and customization

Cons of CrackMapExec

  • Steeper learning curve due to more complex functionality
  • Potentially more detectable by security solutions due to its broader scope
  • Requires more setup and dependencies compared to Responder

Code Comparison

Responder (Python):

if Config.Config.HTTP_On_Off:
    from servers.HTTP import HTTP
    threads.append(threading.Thread(name='HTTP', target=HTTP, args=()))

CrackMapExec (Python):

def proto_args(std_parser, module_parser):
    rdp_parser = argparse.ArgumentParser(add_help=False, parents=[std_parser, module_parser])
    rdp_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs='+', default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
    return rdp_parser

Both tools are written in Python, but CrackMapExec's code reflects its more complex architecture and broader functionality. Responder focuses on specific network protocols, while CrackMapExec provides a more extensive framework for post-exploitation activities.

Kevin-Robertson logo

Inveigh

2,490

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers

Pros of Inveigh

  • Written in PowerShell, allowing for easier integration with Windows environments and PowerShell scripts
  • Includes additional features like DNS spoofing and LLMNR/NBNS spoofing
  • Offers more granular control over specific attack vectors and configurations

Cons of Inveigh

  • Limited cross-platform compatibility compared to Responder's Python-based approach
  • May require additional setup or permissions in some Windows environments
  • Less frequent updates and potentially smaller community support

Code Comparison

Inveigh (PowerShell):

$Inveigh = Start-Inveigh -NBNS Y -LLMNR Y -HTTP Y -HTTPS Y -SMB Y

Responder (Python):

from responder import Responder
responder = Responder()
responder.start()

Summary

Both Inveigh and Responder are powerful tools for network penetration testing and security assessments. Inveigh excels in Windows-centric environments with its PowerShell implementation and additional features, while Responder offers broader cross-platform compatibility and a larger community. The choice between the two often depends on the specific testing environment and requirements of the security professional.

dirkjanm logo

krbrelayx

1,103

Kerberos unconstrained delegation abuse toolkit

Pros of krbrelayx

  • Specialized focus on Kerberos-based attacks, offering more advanced techniques for targeting Active Directory environments
  • Includes tools for exploiting specific Kerberos vulnerabilities like unconstrained delegation and SPN manipulation
  • Provides a suite of interconnected tools that work together for comprehensive Kerberos exploitation

Cons of krbrelayx

  • Narrower scope compared to Responder's broader network protocol spoofing capabilities
  • Requires more in-depth knowledge of Kerberos and Active Directory for effective use
  • Less suitable for general-purpose network attacks and credential harvesting

Code Comparison

Responder (Python):

def start():
    try:
        server = ThreadingUDPServer(('', 137), UDPHandler)
        t = threading.Thread(name='NBT-NS', target=server.serve_forever)
        t.setDaemon(True)
        t.start()
    except Exception as e:
        print(color("[!] Error starting NBT-NS server: {}".format(e), 1))

krbrelayx (Python):

def startServers(options):
    servers = []
    for server in (SMBRelayServer, HTTPRelayServer, IMAPRelayServer, LDAPRelayServer):
        s = server(options)
        s.start()
        servers.append(s)
    return servers

Both projects use Python and implement server functionality, but krbrelayx focuses on relay servers for specific protocols, while Responder includes a broader range of network services.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Responder/MultiRelay

IPv6/IPv4 LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay.

Author: Laurent Gaffie <laurent.gaffie@gmail.com > https://g-laurent.blogspot.com

Intro

Responder is an LLMNR, NBT-NS and MDNS poisoner.

Features

  • Dual IPv6/IPv4 stack.

  • Built-in SMB Auth server.

Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. If --disable-ess is set, extended session security will be disabled for NTLMv1 authentication. SMBv2 has also been implemented and is supported by default.

  • Built-in MSSQL Auth server.

This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005, 2008, 2012, 2019.

  • Built-in HTTP Auth server.

This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 11, Edge, Firefox, Chrome, Safari.

Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can now send your custom files to a victim.

  • Built-in HTTPS Auth server.

Same as above. The folder certs/ contains 2 default keys, including a dummy private key. This is intentional, the purpose is to have Responder working out of the box. A script was added in case you need to generate your own self signed key pair.

  • Built-in LDAP Auth server.

This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.

  • Built-in DCE-RPC Auth server.

This server supports NTLMSSP hashes. This server was successfully tested on Windows XP to Server 2019.

  • Built-in FTP, POP3, IMAP, SMTP Auth servers.

This modules will collect clear text credentials.

  • Built-in DNS server.

This server will answer type SRV and A queries. This is really handy when it's combined with ARP spoofing.

  • Built-in WPAD Proxy Server.

This module will capture all HTTP requests from anyone launching Internet Explorer on the network if they have "Auto-detect settings" enabled. This module is highly effective. You can configure your custom PAC script in Responder.conf and inject HTML into the server's responses. See Responder.conf.

  • Browser Listener

This module allows to find the PDC in stealth mode.

  • Icmp Redirect

    python tools/Icmp-Redirect.py

For MITM on Windows XP/2003 and earlier Domain members. This attack combined with the DNS module is pretty effective.

  • Rogue DHCP

    python tools/DHCP.py

DHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform answer to set your IP address as a primary DNS server, and your own WPAD URL. To inject a DNS server, domain, route on all Windows version and any linux box, use -R

  • Analyze mode.

This module allows you to see NBT-NS, BROWSER, LLMNR, DNS requests on the network without poisoning any responses. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks are plausible on your subnet.

Hashes

All hashes are printed to stdout and dumped in a unique John Jumbo compliant file, using this format:

(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt

Log files are located in the "logs/" folder. Hashes will be logged and printed only once per user per hash type, unless you are using the Verbose mode (-v).

  • Responder will log all its activity to Responder-Session.log
  • Analyze mode will be logged to Analyzer-Session.log
  • Poisoning will be logged to Poisoners-Session.log

Additionally, all captured hashed are logged into an SQLite database which you can configure in Responder.conf

Considerations

  • This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, UDP 1434, TCP 80, TCP 135, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128, Multicast UDP 5355 and 5353.

  • If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.

  • For Ubuntu users:

Edit this file /etc/NetworkManager/NetworkManager.conf and comment the line: dns=dnsmasq. Then kill dnsmasq with this command (as root): killall dnsmasq -9

  • Any rogue server can be turned off in Responder.conf.

  • This tool is not meant to work on Windows.

  • For OSX, please note: Responder must be launched with an IP address for the -i flag (e.g. -i YOUR_IP_ADDR). There is no native support in OSX for custom interface binding. Using -i en1 will not work. Also to run Responder with the best experience, run the following as root:

    launchctl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.smbd.plist

    launchctl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist

Usage

First of all, please take a look at Responder.conf and tweak it for your needs.

Running the tool:

./Responder.py [options]

Typical Usage Example:

./Responder.py -I eth0 -Pv

Options:

--version             show program's version number and exit
-h, --help            show this help message and exit
-A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                    BROWSER, LLMNR requests without responding.
-I eth0, --interface=eth0
                    Network interface to use, you can use 'ALL' as a
                    wildcard for all interfaces
-i 10.0.0.21, --ip=10.0.0.21
                    Local IP to use (only for OSX)
-6 2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed, --externalip6=2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed
                    Poison all requests with another IPv6 address than
                    Responder's one.
-e 10.0.0.22, --externalip=10.0.0.22
                    Poison all requests with another IP address than
                    Responder's one.
-b, --basic           Return a Basic HTTP authentication. Default: NTLM
-d, --DHCP            Enable answers for DHCP broadcast requests. This
                    option will inject a WPAD server in the DHCP response.
                    Default: False
-D, --DHCP-DNS        This option will inject a DNS server in the DHCP
                    response, otherwise a WPAD server will be added.
                    Default: False
-w, --wpad            Start the WPAD rogue proxy server. Default value is
                    False
-u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
                    Upstream HTTP proxy used by the rogue WPAD Proxy for
                    outgoing requests (format: host:port)
-F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
                    retrieval. This may cause a login prompt. Default:
                    False
-P, --ProxyAuth       Force NTLM (transparently)/Basic (prompt)
                    authentication for the proxy. WPAD doesn't need to be
                    ON. Default: False
--lm                  Force LM hashing downgrade for Windows XP/2003 and
                    earlier. Default: False
--disable-ess         Force ESS downgrade. Default: False
-v, --verbose         Increase verbosity.

Donation

You can contribute to this project by donating to the following $XLM (Stellar Lumens) address:

"GCGBMO772FRLU6V4NDUKIEXEFNVSP774H2TVYQ3WWHK4TEKYUUTLUKUH"

Paypal:

https://paypal.me/PythonResponder

Acknowledgments

Late Responder development has been possible because of the donations received from individuals and companies.

We would like to thanks those major sponsors:

Thank you.

Copyright

NBT-NS/LLMNR Responder

Responder, a network take-over set of tools created and maintained by Laurent Gaffie.

email: laurent.gaffie@gmail.com

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.