1. Home
  2. Software
  3. Responder

Responder

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [1]

ID: S0174
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 16 January 2018
Last Modified: 17 October 2018
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Responder is used to poison name services to gather hashes and credentials from systems within a local network.[1]
Enterprise T1040 Network Sniffing

Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[2][3]

References

  1. Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
  2. Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
  1. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.