Responder — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

LLMNR/NBT-NS/mDNS poisoner — captures NTLMv2 hashes from Windows clients leaking name resolution requests.

Use case: Network AttacksDifficulty: IntermediateHomepage: https://github.com/lgandx/Responder

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Source (recommended)

git clone https://github.com/lgandx/Responder

Linux (apt — older)

sudo apt install responder

pipx

pipx install responder-mitm6

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Default poisoning + capture

sudo responder -I eth0

Analyze mode (don't poison, just listen)

sudo responder -I eth0 -A

Disable specific servers (when running other tools)

sudo responder -I eth0 --disable-ess --disable-ldap

Capture to log + extract hashes

View ~/Responder/logs/ for SMB / HTTP / MSSQL hashes

Then crack with hashcat

hashcat -m 5600 ntlmv2.txt rockyou.txt -r best64.rule

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • On well-managed networks (LLMNR/NBT-NS disabled) Responder yields nothing. Pair with mitm6 (DHCPv6 takeover) for hostile networks.
  • Run during peak hours — more clients = more name-resolution failures = more hashes.
  • -rv verbose mode shows the actual queries — useful for understanding which apps leak.
  • NTLM relay (impacket-ntlmrelayx -tf targets.txt) instead of crack: faster, no GPU needed if SMB signing is disabled.
  • responder.conf: turn off SMB/HTTP/MSSQL servers you don’t need to reduce noise.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Responder is detected by Defender for Identity / SOC tools that monitor LLMNR floods.
  • Modern Windows 11 + recent GPOs disable LLMNR/NBT-NS — Responder collects 0 hashes on hardened networks.
  • Running on the wrong interface: usually you want the user-facing VLAN, not the management/server VLAN.
  • NTLMv2 cracking is hard — strong passwords might never break. NTLM relay is the practical alternative.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Inveigh — PowerShell-native version, runs on compromised Windows host.
  • mitm6 — DHCPv6 takeover, often combined with Responder.

India context and engagement notes

Indian enterprise: LLMNR is disabled on most banks but ENABLED on most SMBs and educational institutions. Quick win on first-day internal pen-test: responder -I eth0 -A for 30 minutes to see what naturally leaks.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants