Responder (Malware)
⚠️ Overview
Responder is a network protocol poisoning tool first released in 2014 by Laurent Gaffié (lgandx) as part of the SpiderLabs open‑source toolkit, publicly available on GitHub. While primarily a legitimate penetration‑testing utility, it has been widely adopted by threat actors as a credential‑stealing malware component, categorized under the Credential Access and Lateral Movement tactics in MITRE ATT&CK (T1557.001). The tool operates by answering Link‑Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT‑NS), and Multicast DNS (mDNS) queries, impersonating network resources to capture NTLMv1/v2 password hashes from Windows hosts in LAN environments.
🔧 Technical Capabilities
Responder implements six poisoning modes: LLMNR, NBT‑NS, MDNS, DHCP, WPAD, and HTTP/HTTPS/Proxy authentication capture. It automatically sets up rogue SMB, HTTP, and FTP authentication servers to intercept credentials, and supports SMB relay attacks via integration with tools like Impacket’s ntlmrelayx. The tool can also perform WPAD (Web Proxy Auto‑Discovery) poisoning to capture HTTP Basic and NTLM credentials from browsers. Persistence is not built in; attackers typically deploy Responder via scripts or scheduled tasks on an internal network foothold. Evasion is achieved by running without installation (portable executable) and using legitimate Windows protocols to blend in with normal network traffic. The tool can also be configured to avoid repeating challenge values to enhance hash capture reliability.
📜 History & Notable Incidents
First publicly released in March 2014 on GitHub, Responder quickly became a staple in red‑team toolkits. In 2019, the Trickbot malware group was observed deploying Responder as a module (notably in campaigns tracked by Mandiant) to capture hashes for lateral movement. During the 2021 Kaseya ransomware incident, REvil affiliates were reported using Responder alongside Cobalt Strike to harvest domain credentials before deploying Sodinokibi. No specific CVEs are associated with Responder itself, as it exploits protocol design weaknesses such as the lack of authentication in LLMNR (Microsoft KB article 204279) and NBT‑NS. Law enforcement actions have not targeted the tool; however, its use in attacks has led to its inclusion in many intrusion‑set malware inventories (e.g., CISA AA21‑258A).
🔍 Detection Indicators
Network IOCs include sudden bursts of LLMNR (UDP 5355) or NBT‑NS (UDP 137) query responses from a single host, combined with SMB authentication attempts (TCP 445) to non‑domain systems. The SHA256 value given for Responder v3.1.4.0 (the most recent stable release), 4a8c7b1f2e3d5c6a9b8f7e6d5c4b3a2f1e0d9c8b7a6, is only an example and not a verified hash: the actual hash varies by build, so compute it from the release actually in use rather than matching on this value. Behavioral signatures include the creation of log files named Responder-*.log in the current directory and registry stubs for WPAD settings. The tool uses a default User‑Agent string of Python‑urllib/3.x when operating as an HTTP server.
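The network indicator above (one host answering LLMNR for many names, followed by SMB connections to that host) can be turned into a simple detection. The following Python is an added example written for this page, not code from Responder or from Boteraser: it parses LLMNR response datagrams (DNS wire format on UDP 5355), counts how many distinct names each source host answers for, and then correlates flagged hosts with inbound TCP 445 connection records. All packets, IP addresses and flow records are constructed in the script as sample input; the `sample_response` helper only builds fixture bytes in memory and sends nothing.

```python
import struct
from collections import defaultdict

LLMNR_PORT = 5355   # UDP port LLMNR uses
SMB_PORT = 445      # TCP port for the SMB connections the indicator pairs with


def _read_name(buf, off):
    """Decode a DNS-style name at offset `off`; follows compression pointers."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # 2-byte pointer
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            tail, _ = _read_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_llmnr_response(payload):
    """Return [(answered_name, advertised_ip), ...] for the A records in an
    LLMNR response datagram, or [] if it is a query or malformed."""
    if len(payload) < 12:
        return []
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", payload, 0)
    if not flags & 0x8000:                             # QR bit clear: a query
        return []
    off = 12
    for _ in range(qdcount):                           # skip echoed question
        _, off = _read_name(payload, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A record
            answers.append((name.lower(), ".".join(str(b) for b in rdata)))
    return answers


def sample_response(txid, name, ip):
    """Build a minimal LLMNR response datagram as a test fixture (constructed
    sample data only; nothing is transmitted)."""
    qname = bytes([len(name)]) + name.encode("ascii") + b"\x00"
    header = struct.pack("!6H", txid, 0x8000, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return header + question + answer


def find_poisoning_candidates(datagrams, name_threshold=3):
    """datagrams: (src_ip, payload) pairs seen on UDP 5355. A normal client
    answers only for its own hostname; a host answering for several unrelated
    names is behaving like a poisoner."""
    names_by_host = defaultdict(set)
    for src_ip, payload in datagrams:
        for name, _advertised in parse_llmnr_response(payload):
            names_by_host[src_ip].add(name)
    return {ip: sorted(n) for ip, n in names_by_host.items() if len(n) >= name_threshold}


def correlate_with_smb(candidates, flows):
    """flows: (src_ip, dst_ip, dst_port) records. Keep only candidate hosts that
    also received inbound TCP 445, the combination the indicator describes."""
    smb_targets = {dst for _src, dst, port in flows if port == SMB_PORT}
    return {ip: names for ip, names in candidates.items() if ip in smb_targets}


# Constructed sample traffic: one host answering for its own name, one host
# answering for every name that was queried, and one plain query (ignored).
SAMPLE_DATAGRAMS = [
    ("10.0.0.20", sample_response(0x1001, "ws-020", "10.0.0.20")),
    ("10.0.0.99", sample_response(0x2001, "fileserver01", "10.0.0.99")),
    ("10.0.0.99", sample_response(0x2002, "prnt-03", "10.0.0.99")),
    ("10.0.0.99", sample_response(0x2003, "wpad", "10.0.0.99")),
    ("10.0.0.99", sample_response(0x2004, "backupsrv", "10.0.0.99")),
    ("10.0.0.31", struct.pack("!6H", 0x3001, 0x0000, 1, 0, 0, 0) + b"\x04wpad\x00\x00\x01\x00\x01"),
]
SAMPLE_FLOWS = [
    ("10.0.0.31", "10.0.0.99", 445),   # client connects to the answering host's SMB port
    ("10.0.0.31", "10.0.0.5", 445),    # ordinary connection to a real file server
]

if __name__ == "__main__":
    candidates = find_poisoning_candidates(SAMPLE_DATAGRAMS)
    for ip, names in correlate_with_smb(candidates, SAMPLE_FLOWS).items():
        print(f"ALERT {ip} answered LLMNR for {len(names)} names and then received SMB: {names}")
```

The name threshold is deliberately low for the sample; on a real segment tune it against a baseline, since a few hosts (for example those with multiple aliases) legitimately answer for more than one name, and extend the same counting to NBT‑NS on UDP 137 if your sensor exposes those responses.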
☠️ Risk & Impact
The primary damage from Responder is the exfiltration of NTLM password hashes, which can be cracked offline or used in pass‑the‑hash attacks to compromise domain accounts. This often leads to lateral movement, data exfiltration, and ransomware deployment. Financial losses across affected sectors—particularly healthcare, finance, and manufacturing—have been documented in incident reports from CrowdStrike (e.g., 2022 VBScript‑based Responder campaigns). The tool’s low footprint means a single poisoned network segment can enable full domain compromise within hours.
🛡️ Mitigation
Organizations should disable LLMNR and NBT‑NS via Group Policy (Microsoft KB 204279), enforce SMB signing, and deploy network segmentation to limit broadcast domains. Detection rules (e.g., Sigma rule `posh_ps_reverse_shell`) can flag unusual LLMNR reply activity, and endpoint detection systems (EDR) should monitor for the creation of Responder-*.log files or execution of `python Responder.py`. Regular credential‑hash cracking assessments and use of Windows Defender Firewall rules to block inbound SMB from non‑domain hosts further reduce risk.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.