LLMNR/NBT-NS/mDNS poisoner — captures NTLMv2 hashes from Windows clients leaking name resolution requests.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Source (recommended)
git clone https://github.com/lgandx/Responder
Linux (apt — older)
sudo apt install responder
pipx
pipx install responder-mitm6
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Default poisoning + capture
sudo responder -I eth0
Analyze mode (don't poison, just listen)
sudo responder -I eth0 -A
Disable specific servers (when running other tools)
sudo responder -I eth0 --disable-ess --disable-ldap
Capture to log + extract hashes
View ~/Responder/logs/ for SMB / HTTP / MSSQL hashes
Then crack with hashcat
hashcat -m 5600 ntlmv2.txt rockyou.txt -r best64.rule
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- On well-managed networks (LLMNR/NBT-NS disabled) Responder yields nothing. Pair with
mitm6(DHCPv6 takeover) for hostile networks. - Run during peak hours — more clients = more name-resolution failures = more hashes.
-rvverbose mode shows the actual queries — useful for understanding which apps leak.- NTLM relay (
impacket-ntlmrelayx -tf targets.txt) instead of crack: faster, no GPU needed if SMB signing is disabled. responder.conf: turn off SMB/HTTP/MSSQL servers you don’t need to reduce noise.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Responder is detected by Defender for Identity / SOC tools that monitor LLMNR floods.
- Modern Windows 11 + recent GPOs disable LLMNR/NBT-NS — Responder collects 0 hashes on hardened networks.
- Running on the wrong interface: usually you want the user-facing VLAN, not the management/server VLAN.
- NTLMv2 cracking is hard — strong passwords might never break. NTLM relay is the practical alternative.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Inveigh — PowerShell-native version, runs on compromised Windows host.
- mitm6 — DHCPv6 takeover, often combined with Responder.
India context and engagement notes
Indian enterprise: LLMNR is disabled on most banks but ENABLED on most SMBs and educational institutions. Quick win on first-day internal pen-test: responder -I eth0 -A for 30 minutes to see what naturally leaks.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.