https://az0th.it/tags/responder/ Recent content in Responder on MrAzoth Hugo -- 0.154.5 en-us https://az0th.it/ad/kali/credential-attacks/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/kali/credential-attacks/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Tool</th> <th>Prerequisite</th> <th>Output</th> </tr> </thead> <tbody> <tr> <td>LLMNR/NBT-NS Poisoning</td> <td>Responder</td> <td>Network access, no SMB signing required</td> <td>NTLMv1/v2 hashes</td> </tr> <tr> <td>SMB Relay</td> <td>ntlmrelayx.py</td> <td>SMB signing disabled on target</td> <td>SAM dump / shell</td> </tr> <tr> <td>LDAP Relay</td> <td>ntlmrelayx.py</td> <td>LDAP on DC accessible</td> <td>Computer accounts / RBCD</td> </tr> <tr> <td>IPv6 Poisoning</td> <td>mitm6 + ntlmrelayx</td> <td>IPv6 not disabled on network</td> <td>LDAP relay → DA</td> </tr> <tr> <td>Coercion + Relay</td> <td>PetitPotam / printerbug</td> <td>Auth path to coerced machine</td> <td>NTLM relay or TGT</td> </tr> <tr> <td>DCSync</td> <td>secretsdump.py</td> <td>Domain Admin or replication rights</td> <td>All NTLM hashes + AES keys</td> </tr> <tr> <td>LSASS Dump</td> <td>lsassy</td> <td>Local admin on target</td> <td>Plaintext / hashes</td> </tr> <tr> <td>GPP Passwords</td> <td>nxc -M gpp_password</td> <td>Domain user</td> <td>Cleartext credential</td> </tr> <tr> <td>Password Spraying</td> <td>nxc smb/ldap</td> <td>Valid username list</td> <td>Valid credentials</td> </tr> </tbody> </table> <hr> <h2 id="llmnrnbt-ns-poisoning-with-responder">LLMNR/NBT-NS Poisoning with Responder</h2> <p>LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name resolution protocols used by Windows when DNS fails. When a host cannot resolve a name, it broadcasts an LLMNR/NBT-NS query to the local subnet. Responder answers these queries with the attacker&rsquo;s IP, forcing the victim to authenticate — capturing NTLMv1 or NTLMv2 hashes.</p>