back to the arsenal

// arsenal·Network AnalysisAdvancedFOSS

Responder

LLMNR/NBT-NS/MDNS poisoner — harvests NTLM hashes from Windows networks.

Network Analysis

$ responder --help

Responder

// what it is

Description

Laurent Gaffié's tool that sits on a Windows network, answers broadcast name-resolution queries for nonexistent hosts, and captures the NTLM authentication the responding hosts attempt. Within minutes of plugging into a corp LAN, hashes start rolling in.

// use cases

What people use it for

Internal pentest first-move
NTLM hash capture for offline cracking
Relay attack input

// commands

The commands you'll type

Default on eth0

$ responder -I eth0 -A

// facts

category: Network Analysis
platforms: LIN
license: FOSS
difficulty: Advanced

// links

// related in Network Analysis

Network AnalysisBeginner

Wireshark

The reference open-source network protocol analyzer.

Network AnalysisIntermediate

tcpdump

The command-line packet sniffer that every Unix-like ships with.

Network AnalysisIntermediate

Ettercap

Classic LAN man-in-the-middle framework — ARP poisoning, DNS spoofing, filters.