Skip to content

Responder (LLMNR/NBNS/WPAD)

Poison LLMNR/NBNS and WPAD to coerce client authentication (usually NetNTLMv2) to your host for capture or relay.

Quick start

  • Start ntlmrelayx before Responder so it binds to 445/80 before Responder is able. This will allow Respnder to poison the traffic and ntlmrelayx to receive the poisoned traffic.
Action Command
Start poisoning responder -I <iface>
Analyze only (no poisoning) responder -I <iface> -A
Write hashes to file -w
Output to logs directory (verbose) -v

Notes / OPSEC

  • Works when LLMNR/NBNS aren’t disabled and WPAD isn’t controlled.
  • Expect detections; limit scope and time window.