Responder – spoofing LLMNR and NBT-NS to capture password hashes

“Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.” Download from

One cool thing I didn’t cover in the video is how to force a basic authentication login prompt from the command line to capture plaintext credentials, so that we don’t have to crack anything. This is useful to try after an initial run with Responder doesn’t provide any password hashes that we are able to crack.

responder -I eth0 -r -w -b -F --lm -v


Of course the victim will see a prompt for login and password and we’re hoping that they will authenticate.
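From the defender's side, an LLMNR poisoner like this stands out because it answers queries for names that do not exist on the network. The following is an added example, not part of the original post and not Responder's code: it parses captured LLMNR responses (UDP port 5355 payloads) and flags any host that answers for a canary name. The canary name, the addresses and all function names are assumptions made for illustration.

```python
import socket
import struct
# Hypothetical helper names; the canary name and addresses used with them are constructed.

def read_name(buf, off):
    """Decode a DNS-style name at off; return (name, offset after it)."""
    labels, after = [], None
    for _ in range(64):                           # bound guards pointer loops
        n = buf[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            after = after or off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels).lower(), after or off + 1
        else:
            labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    raise ValueError("name too long or compression loop")

def parse_llmnr_answer(payload):
    """Return (queried name, [IPv4 answers]) for a response, None otherwise."""
    _id, flags, qd, an = struct.unpack_from("!4H", payload, 0)
    if not flags & 0x8000 or qd != 1:             # query, or QDCOUNT != 1 (RFC 4795)
        return None
    qname, off = read_name(payload, 12)
    off, ips = off + 4, []                        # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(payload, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
        if rtype == 1 and rdlen == 4:             # A record
            ips.append(socket.inet_ntoa(payload[off + 10:off + 14]))
        off += 10 + rdlen
    return qname, ips

def find_poisoners(canary_names, observed):
    """Map source IP -> canary names it answered; every entry is suspect."""
    canaries, hits = {c.lower() for c in canary_names}, {}
    for src_ip, payload in observed:
        try:
            parsed = parse_llmnr_answer(payload)
        except (ValueError, IndexError, OSError, struct.error):
            continue                              # malformed datagram
        if parsed and parsed[0] in canaries:
            hits.setdefault(src_ip, set()).add(parsed[0])
    return hits

def sample_response(name, ip):                    # constructed test datagram
    q = bytes([len(name)]) + name.encode() + b"\0" + struct.pack("!HH", 1, 1)
    rr = q + struct.pack("!IH", 30, 4) + socket.inet_aton(ip)
    return struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 0) + q + rr
```

`observed` is a list of `(source IP, UDP payload)` pairs; sending the canary queries and capturing the replies is left to whatever sensor feeds it.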

Check out my video below to see how to install Responder, and how to capture and crack the password hashes.