
Responder

7h30th3r0n3 edited this page May 11, 2025 · 1 revision

LLMNR/NBNS Poisoning & SMB/NTLMv2 sniffing

A simple Responder-like tool that answers NBNS/LLMNR and SMB discovery requests, captures NTLMv2 hashes, and logs them.

🚀 Main Features

| Feature | Description |
| --- | --- |
| LLMNR/NBNS Spoofing | Automatically replies to all NBNS and LLMNR name lookups with its IP address. |
| SMBv1 & SMBv2 | Supports both SMBv1 and SMBv2 to encourage client authentication. |
| NTLMv2 Challenge | Sends a challenge that forces clients to reveal their NTLMv2 hash. |
| Hash Logging | Counts captures, displays last user/domain, saves ntlm_hashes.txt to SD card. |
| Visual Dashboard | Radar-style animation for requests and a stats panel on the Cardputer screen. |

📚 How It Works

  1. Listens for NBNS & LLMNR queries and responds instantly.
  2. Waits for SMB connection attempts (v1 or v2).
  3. Sends an NTLMv2 challenge when authentication is attempted.
  4. Captures the NTLMv2 hash from the client response.
  5. Updates on-screen dashboard and logs details to SD card.
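
Because step 1 answers every LLMNR lookup, a defender can detect this kind of device by querying a random name that no host owns: on a clean network nothing replies. The Python below is an added example, not code from this project; the `canary-` name prefix and the function names are assumptions.

```python
import secrets
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group/port

def build_query(name, txid):
    """LLMNR reuses the DNS wire format: 12-byte header + one A/IN question."""
    question = bytes([len(name)]) + name.encode("ascii") + b"\x00" + struct.pack(">HH", 1, 1)
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + question

def _skip_name(pkt, off):
    """Offset just past a name made of labels or a compression pointer."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] else 1)  # pointer is 2 bytes, root label is 1

def answered_ip(pkt, txid):
    """IPv4 address from the first A answer matching our query, else None."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", pkt, 0)
        if rid != txid or not flags & 0x8000 or an == 0:
            return None  # wrong transaction, not a response, or no answers
        off = 12
        for _ in range(qd):
            off = _skip_name(pkt, off) + 4  # name + QTYPE + QCLASS
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", pkt, off)
        return socket.inet_ntoa(pkt[off + 10:off + 14]) if rtype == 1 and rdlen == 4 else None
    except (struct.error, IndexError, OSError):
        return None  # truncated or malformed packet

def probe(timeout=2.0):
    """Query a random name no host owns; return (name, source, ip) if answered."""
    txid, name = secrets.randbits(16), "canary-" + secrets.token_hex(4)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return None
    ip = answered_ip(data, txid)
    return (name, src, ip) if ip else None

if __name__ == "__main__":
    print(probe() or "no LLMNR answer for the canary name")
```

Run it from a host on the same network segment as the clients, since LLMNR multicast is link-local and does not cross routers.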

⚙️ Usage

  1. Connect to Wi-Fi and start Responder.
  2. From another computer, trigger a name lookup with \\evil in a folder path.
  3. Watch the radar display on the Cardputer, which gives feedback each time an LLMNR/NBNS query is answered.
  4. If cached credentials exist, the NTLMv2 hash is sent automatically and/or a pop-up asks for credentials.
  5. When an NTLMv2 hash is received, the display switches from the big radar to the info screen and shows:
    • Total NTLM captures
    • Last detected username & domain
    • Client device name or IP
    • Mini radar feedback
  6. Use hashcat to crack the password

📂 Outputs

  • ntlm_hashes.txt on the SD card (Hashcat format, one line per capture with device hostname).
  • Serial log detailing events and errors.

Disclaimer:
For authorized security testing only. Use on networks you own or have permission to assess. Unauthorized use is prohibited.
